test(ui): update GitHub sign-in button locator in E2E tests

- Changed the locator for the GitHub sign-in button in the sign-up page tests to use the input type and value attributes for better accuracy. - This update enhances the reliability of the E2E tests by ensuring the correct element is targeted during the GitHub OAuth flow.
test(ui): update GitHub OAuth secrets in E2E test workflow
2026-03-27 18:38:52 +00:00 · 2025-10-15 16:12:57 +02:00 · 2025-10-15 11:54:16 +02:00 · 2025-10-15 11:53:35 +02:00 · 2025-10-15 11:35:34 +02:00 · 2025-10-14 11:03:23 +02:00
1932 changed files with 364102 additions and 34297 deletions
--- a/.env
+++ b/.env
@@ -6,11 +6,17 @@
 PROWLER_UI_VERSION="stable"
 AUTH_URL=http://localhost:3000
 API_BASE_URL=http://prowler-api:8080/api/v1
+NEXT_PUBLIC_API_BASE_URL=${API_BASE_URL}
 NEXT_PUBLIC_API_DOCS_URL=http://prowler-api:8080/api/v1/docs
 AUTH_TRUST_HOST=true
 UI_PORT=3000
+# Temp URL for feeds need to use actual
+RSS_FEED_URL=https://prowler.com/blog/rss
 # openssl rand -base64 32
 AUTH_SECRET="N/c6mnaS5+SWq81+819OrzQZlmx1Vxtp/orjttJSmw8="
+# Google Tag Manager ID
+NEXT_PUBLIC_GOOGLE_TAG_MANAGER_ID=""
+

 #### Prowler API Configuration ####
 PROWLER_API_VERSION="stable"
@@ -23,6 +29,12 @@ POSTGRES_ADMIN_PASSWORD=postgres
 POSTGRES_USER=prowler
 POSTGRES_PASSWORD=postgres
 POSTGRES_DB=prowler_db
+# Read replica settings (optional)
+# POSTGRES_REPLICA_HOST=postgres-db
+# POSTGRES_REPLICA_PORT=5432
+# POSTGRES_REPLICA_USER=prowler
+# POSTGRES_REPLICA_PASSWORD=postgres
+# POSTGRES_REPLICA_DB=prowler_db

 # Celery-Prowler task settings
 TASK_RETRY_DELAY_SECONDS=0.1
@@ -79,55 +91,21 @@ DJANGO_CACHE_MAX_AGE=3600
 DJANGO_STALE_WHILE_REVALIDATE=60
 DJANGO_MANAGE_DB_PARTITIONS=True
 # openssl genrsa -out private.pem 2048
-DJANGO_TOKEN_SIGNING_KEY="-----BEGIN PRIVATE KEY-----
-MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDs4e+kt7SnUJek
-6V5r9zMGzXCoU5qnChfPiqu+BgANyawz+MyVZPs6RCRfeo6tlCknPQtOziyXYM2I
-7X+qckmuzsjqp8+u+o1mw3VvUuJew5k2SQLPYwsiTzuFNVJEOgRo3hywGiGwS2iv
-/5nh2QAl7fq2qLqZEXQa5+/xJlQggS1CYxOJgggvLyra50QZlBvPve/AxKJ/EV/Q
-irWTZU5lLNI8sH2iZR05vQeBsxZ0dCnGMT+vGl+cGkqrvzQzKsYbDmabMcfTYhYi
-78fpv6A4uharJFHayypYBjE39PwhMyyeycrNXlpm1jpq+03HgmDuDMHydk1tNwuT
-nEC7m7iNAgMBAAECggEAA2m48nJcJbn9SVi8bclMwKkWmbJErOnyEGEy2sTK3Of+
-NWx9BB0FmqAPNxn0ss8K7cANKOhDD7ZLF9E2MO4/HgfoMKtUzHRbM7MWvtEepldi
-nnvcUMEgULD8Dk4HnqiIVjt3BdmGiTv46OpBnRWrkSBV56pUL+7msZmMZTjUZvh2
-ZWv0+I3gtDIjo2Zo/FiwDV7CfwRjJarRpYUj/0YyuSA4FuOUYl41WAX1I301FKMH
-xo3jiAYi1s7IneJ16OtPpOA34Wg5F6ebm/UO0uNe+iD4kCXKaZmxYQPh5tfB0Qa3
-qj1T7GNpFNyvtG7VVdauhkb8iu8X/wl6PCwbg0RCKQKBgQD9HfpnpH0lDlHMRw9K
-X7Vby/1fSYy1BQtlXFEIPTN/btJ/asGxLmAVwJ2HAPXWlrfSjVAH7CtVmzN7v8oj
-HeIHfeSgoWEu1syvnv2AMaYSo03UjFFlfc/GUxF7DUScRIhcJUPCP8jkAROz9nFv
-DByNjUL17Q9r43DmDiRsy0IFqQKBgQDvlJ9Uhl+Sp7gRgKYwa/IG0+I4AduAM+Gz
-Dxbm52QrMGMTjaJFLmLHBUZ/ot+pge7tZZGws8YR8ufpyMJbMqPjxhIvRRa/p1Tf
-E3TQPW93FMsHUvxAgY3MV5MzXFPhlNAKb+akP/RcXUhetGAuZKLubtDCWa55ZQuL
-wj2OS+niRQKBgE7K8zUqNi6/22S8xhy/2GPgB1qPObbsABUofK0U6CAGLo6te+gc
-6Jo84IyzFtQbDNQFW2Fr+j1m18rw9AqkdcUhQndiZS9AfG07D+zFB86LeWHt4DS4
-ymIRX8Kvaak/iDcu/n3Mf0vCrhB6aetImObTj4GgrwlFvtJOmrYnO8EpAoGAIXXP
-Xt25gWD9OyyNiVu6HKwA/zN7NYeJcRmdaDhO7B1A6R0x2Zml4AfjlbXoqOLlvLAf
-zd79vcoAC82nH1eOPiSOq51plPDI0LMF8IN0CtyTkn1Lj7LIXA6rF1RAvtOqzppc
-SvpHpZK9pcRpXnFdtBE0BMDDtl6fYzCIqlP94UUCgYEAnhXbAQMF7LQifEm34Dx8
-BizRMOKcqJGPvbO2+Iyt50O5X6onU2ITzSV1QHtOvAazu+B1aG9pEuBFDQ+ASxEu
-L9ruJElkOkb/o45TSF6KCsHd55ReTZ8AqnRjf5R+lyzPqTZCXXb8KTcRvWT4zQa3
-VxyT2PnaSqEcexWUy4+UXoQ=
-----END PRIVATE KEY-----"
+DJANGO_TOKEN_SIGNING_KEY=""
 # openssl rsa -in private.pem -pubout -out public.pem
-DJANGO_TOKEN_VERIFYING_KEY="-----BEGIN PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA7OHvpLe0p1CXpOlea/cz
-Bs1wqFOapwoXz4qrvgYADcmsM/jMlWT7OkQkX3qOrZQpJz0LTs4sl2DNiO1/qnJJ
-rs7I6qfPrvqNZsN1b1LiXsOZNkkCz2MLIk87hTVSRDoEaN4csBohsEtor/+Z4dkA
-Je36tqi6mRF0Gufv8SZUIIEtQmMTiYIILy8q2udEGZQbz73vwMSifxFf0Iq1k2VO
-ZSzSPLB9omUdOb0HgbMWdHQpxjE/rxpfnBpKq780MyrGGw5mmzHH02IWIu/H6b+g
-OLoWqyRR2ssqWAYxN/T8ITMsnsnKzV5aZtY6avtNx4Jg7gzB8nZNbTcLk5xAu5u4
-jQIDAQAB
-----END PUBLIC KEY-----"
+DJANGO_TOKEN_VERIFYING_KEY=""
 # openssl rand -base64 32
 DJANGO_SECRETS_ENCRYPTION_KEY="oE/ltOhp/n1TdbHjVmzcjDPLcLA41CVI/4Rk+UB5ESc="
 DJANGO_BROKER_VISIBILITY_TIMEOUT=86400
 DJANGO_SENTRY_DSN=
+DJANGO_THROTTLE_TOKEN_OBTAIN=50/minute

 # Sentry settings
 SENTRY_ENVIRONMENT=local
 SENTRY_RELEASE=local

 #### Prowler release version ####
-NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.5.1
+NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v5.12.2

 # Social login credentials
 SOCIAL_GOOGLE_OAUTH_CALLBACK_URL="${AUTH_URL}/api/auth/callback/google"
@@ -137,3 +115,12 @@ SOCIAL_GOOGLE_OAUTH_CLIENT_SECRET=""
 SOCIAL_GITHUB_OAUTH_CALLBACK_URL="${AUTH_URL}/api/auth/callback/github"
 SOCIAL_GITHUB_OAUTH_CLIENT_ID=""
 SOCIAL_GITHUB_OAUTH_CLIENT_SECRET=""
+
+# Single Sign-On (SSO)
+SAML_SSO_CALLBACK_URL="${AUTH_URL}/api/auth/callback/saml"
+
+# Lighthouse tracing
+LANGSMITH_TRACING=false
+LANGSMITH_ENDPOINT="https://api.smith.langchain.com"
+LANGSMITH_API_KEY=""
+LANGCHAIN_PROJECT=""
--- a/.github/labeler.yml
+++ b/.github/labeler.yml
@@ -22,11 +22,26 @@ provider/kubernetes:
      - any-glob-to-any-file: "prowler/providers/kubernetes/**"
      - any-glob-to-any-file: "tests/providers/kubernetes/**"

+provider/m365:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/providers/m365/**"
+      - any-glob-to-any-file: "tests/providers/m365/**"
+
 provider/github:
  - changed-files:
      - any-glob-to-any-file: "prowler/providers/github/**"
      - any-glob-to-any-file: "tests/providers/github/**"

+provider/iac:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/providers/iac/**"
+      - any-glob-to-any-file: "tests/providers/iac/**"
+
+provider/mongodbatlas:
+  - changed-files:
+      - any-glob-to-any-file: "prowler/providers/mongodbatlas/**"
+      - any-glob-to-any-file: "tests/providers/mongodbatlas/**"
+
 github_actions:
  - changed-files:
      - any-glob-to-any-file: ".github/workflows/*"
@@ -42,11 +57,13 @@ mutelist:
      - any-glob-to-any-file: "prowler/providers/azure/lib/mutelist/**"
      - any-glob-to-any-file: "prowler/providers/gcp/lib/mutelist/**"
      - any-glob-to-any-file: "prowler/providers/kubernetes/lib/mutelist/**"
+      - any-glob-to-any-file: "prowler/providers/mongodbatlas/lib/mutelist/**"
      - any-glob-to-any-file: "tests/lib/mutelist/**"
      - any-glob-to-any-file: "tests/providers/aws/lib/mutelist/**"
      - any-glob-to-any-file: "tests/providers/azure/lib/mutelist/**"
      - any-glob-to-any-file: "tests/providers/gcp/lib/mutelist/**"
      - any-glob-to-any-file: "tests/providers/kubernetes/lib/mutelist/**"
+      - any-glob-to-any-file: "tests/providers/mongodbatlas/lib/mutelist/**"

 integration/s3:
  - changed-files:
@@ -93,6 +110,10 @@ component/ui:
  - changed-files:
      - any-glob-to-any-file: "ui/**"

+component/mcp-server:
+  - changed-files:
+      - any-glob-to-any-file: "mcp_server/**"
+
 compliance:
  - changed-files:
      - any-glob-to-any-file: "prowler/compliance/**"
@@ -102,3 +123,7 @@ compliance:
 review-django-migrations:
  - changed-files:
      - any-glob-to-any-file: "api/src/backend/api/migrations/**"
+
+metadata-review:
+  - changed-files:
+      - any-glob-to-any-file: "**/*.metadata.json"
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -8,6 +8,10 @@ If fixes an issue please add it with `Fix #XXXX`

 Please include a summary of the change and which issue is fixed. List any dependencies that are required for this change.

+### Steps to review
+
+Please add a detailed description of how to review this PR.
+
 ### Checklist

 - Are there new checks included in this PR? Yes / No
@@ -16,6 +20,7 @@ Please include a summary of the change and which issue is fixed. List any depend
 - [ ] Review if code is being documented following this specification https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
 - [ ] Review if backport is needed.
 - [ ] Review if is needed to change the [Readme.md](https://github.com/prowler-cloud/prowler/blob/master/README.md)
+- [ ] Ensure new entries are added to [CHANGELOG.md](https://github.com/prowler-cloud/prowler/blob/master/prowler/CHANGELOG.md), if applicable.

 #### API
 - [ ] Verify if API specs need to be regenerated.
--- a/.github/workflows/api-build-lint-push-containers.yml
+++ b/.github/workflows/api-build-lint-push-containers.yml
@@ -6,6 +6,7 @@ on:
      - "master"
    paths:
      - "api/**"
+      - "prowler/**"
      - ".github/workflows/api-build-lint-push-containers.yml"

  # Uncomment the code below to test this action on PRs
@@ -61,7 +62,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Set short git commit SHA
        id: vars
@@ -70,18 +71,18 @@ jobs:
          echo "SHORT_SHA=${shortSha}" >> $GITHUB_ENV

      - name: Login to DockerHub
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Build and push container image (latest)
        # Comment the following line for testing
        if: github.event_name == 'push'
-        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
          # Set push: false for testing
@@ -94,7 +95,7 @@ jobs:

      - name: Build and push container image (release)
        if: github.event_name == 'release'
-        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
          push: true
@@ -106,7 +107,7 @@ jobs:

      - name: Trigger deployment
        if: github.event_name == 'push'
-        uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
+        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
        with:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          repository: ${{ secrets.CLOUD_DISPATCH }}
--- a/.github/workflows/api-codeql.yml
+++ b/.github/workflows/api-codeql.yml
@@ -44,16 +44,16 @@ jobs:

    steps:
    - name: Checkout repository
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
+      uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
      with:
        languages: ${{ matrix.language }}
        config-file: ./.github/codeql/api-codeql-config.yml

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
+      uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
      with:
        category: "/language:${{matrix.language}}"
--- a/.github/workflows/api-pull-request.yml
+++ b/.github/workflows/api-pull-request.yml
@@ -13,6 +13,7 @@ on:
      - "master"
      - "v5.*"
    paths:
+      - ".github/workflows/api-pull-request.yml"
      - "api/**"

 env:
@@ -28,6 +29,10 @@ env:
  VALKEY_DB: 0
  API_WORKING_DIR: ./api
  IMAGE_NAME: prowler-api
+  IGNORE_FILES: |
+    api/docs/**
+    api/README.md
+    api/CHANGELOG.md

 jobs:
  test:
@@ -71,23 +76,20 @@ jobs:
          --health-retries 5

    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Test if changes are in not ignored paths
        id: are-non-ignored-files-changed
-        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
-          files: api/**
-          files_ignore: |
-            api/.github/**
-            api/docs/**
-            api/permissions/**
-            api/README.md
-            api/mkdocs.yml
+          files: |
+            api/**
+            .github/workflows/api-pull-request.yml
+          files_ignore: ${{ env.IGNORE_FILES }}

-      - name: Replace @master with current branch in pyproject.toml
+      - name: Replace @master with current branch in pyproject.toml - Only for pull requests to `master`
        working-directory: ./api
-        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true' && github.event_name == 'pull_request' && github.base_ref == 'master'
        run: |
          BRANCH_NAME="${GITHUB_HEAD_REF:-${GITHUB_REF_NAME}}"
          echo "Using branch: $BRANCH_NAME"
@@ -100,7 +102,24 @@ jobs:
          python -m pip install --upgrade pip
          pipx install poetry==2.1.1

-      - name: Update poetry.lock after the branch name change
+      - name: Update SDK's poetry.lock resolved_reference to latest commit - Only for push events to `master`
+        working-directory: ./api
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true' && github.event_name == 'push' && github.ref == 'refs/heads/master'
+        run: |
+          # Get the latest commit hash from the prowler-cloud/prowler repository
+          LATEST_COMMIT=$(curl -s "https://api.github.com/repos/prowler-cloud/prowler/commits/master" | jq -r '.sha')
+          echo "Latest commit hash: $LATEST_COMMIT"
+
+          # Update the resolved_reference specifically for prowler-cloud/prowler repository
+          sed -i '/url = "https:\/\/github\.com\/prowler-cloud\/prowler\.git"/,/resolved_reference = / {
+            s/resolved_reference = "[a-f0-9]\{40\}"/resolved_reference = "'"$LATEST_COMMIT"'"/
+          }' poetry.lock
+
+          # Verify the change was made
+          echo "Updated resolved_reference:"
+          grep -A2 -B2 "resolved_reference" poetry.lock
+
+      - name: Update poetry.lock
        working-directory: ./api
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
        run: |
@@ -108,7 +127,7 @@ jobs:

      - name: Set up Python ${{ matrix.python-version }}
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: ${{ matrix.python-version }}
          cache: "poetry"
@@ -158,8 +177,10 @@ jobs:
      - name: Safety
        working-directory: ./api
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        # 76352, 76353, 77323 come from SDK, but they cannot upgrade it yet. It does not affect API
+        # TODO: Botocore needs urllib3 1.X so we need to ignore these vulnerabilities 77744,77745. Remove this once we upgrade to urllib3 2.X
        run: |
-          poetry run safety check --ignore 70612,66963,74429,77119
+          poetry run safety check --ignore 70612,66963,74429,76352,76353,77323,77744,77745

      - name: Vulture
        working-directory: ./api
@@ -181,7 +202,7 @@ jobs:

      - name: Upload coverage reports to Codecov
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        with:
@@ -189,11 +210,20 @@ jobs:
  test-container-build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Test if changes are in not ignored paths
+        id: are-non-ignored-files-changed
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: api/**
+          files_ignore: ${{ env.IGNORE_FILES }}
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
      - name: Build Container
-        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
+        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.API_WORKING_DIR }}
          push: false
--- a/.github/workflows/build-documentation-on-pr.yml
+++ b/.github/workflows/build-documentation-on-pr.yml
@@ -7,6 +7,7 @@ on:
      - 'v3'
    paths:
      - 'docs/**'
+      - '.github/workflows/build-documentation-on-pr.yml'

 env:
  PR_NUMBER: ${{ github.event.pull_request.number }}
@@ -16,9 +17,20 @@ jobs:
    name: Documentation Link
    runs-on: ubuntu-latest
    steps:
-      - name: Leave PR comment with the Prowler Documentation URI
-        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+      - name: Find existing documentation comment
+        uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
+        id: find-comment
        with:
+          issue-number: ${{ env.PR_NUMBER }}
+          comment-author: 'github-actions[bot]'
+          body-includes: '<!-- prowler-docs-link -->'
+
+      - name: Create or update PR comment with the Prowler Documentation URI
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+        with:
+          comment-id: ${{ steps.find-comment.outputs.comment-id }}
          issue-number: ${{ env.PR_NUMBER }}
          body: |
+            <!-- prowler-docs-link -->
            You can check the documentation for this PR here -> [Prowler Documentation](https://prowler-prowler-docs--${{ env.PR_NUMBER }}.com.readthedocs.build/projects/prowler-open-source/en/${{ env.PR_NUMBER }}/)
+          edit-mode: replace
--- a/.github/workflows/conventional-commit.yml
+++ b/.github/workflows/conventional-commit.yml
@@ -20,4 +20,5 @@ jobs:
        id: conventional-commit-check
        uses: agenthunt/conventional-commit-checker-action@9e552d650d0e205553ec7792d447929fc78e012b # v2.0.0
        with:
-            pr-title-regex: '^([^\s(]+)(?:\(([^)]+)\))?: (.+)'
+            pr-title-regex: '^(feat|fix|docs|style|refactor|perf|test|chore|build|ci|revert)(\([^)]+\))?!?: .+'
+                             
--- a/.github/workflows/create-backport-label.yml
+++ b/.github/workflows/create-backport-label.yml
@@ -0,0 +1,67 @@
+name: Prowler - Create Backport Label
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  create_label:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      issues: write
+    steps:
+      - name: Create backport label
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
+          OWNER_REPO: ${{ github.repository }}
+        run: |
+          VERSION_ONLY=${RELEASE_TAG#v} # Remove 'v' prefix if present (e.g., v3.2.0 -> 3.2.0)
+
+          # Check if it's a minor version (X.Y.0)
+          if [[ "$VERSION_ONLY" =~ ^[0-9]+\.[0-9]+\.0$ ]]; then
+            echo "Release ${RELEASE_TAG} (version ${VERSION_ONLY}) is a minor version. Proceeding to create backport label."
+
+            TWO_DIGIT_VERSION=${VERSION_ONLY%.0} # Extract X.Y from X.Y.0 (e.g., 5.6 from 5.6.0)
+
+            FINAL_LABEL_NAME="backport-to-v${TWO_DIGIT_VERSION}"
+            FINAL_DESCRIPTION="Backport PR to the v${TWO_DIGIT_VERSION} branch"
+
+            echo "Effective label name will be: ${FINAL_LABEL_NAME}"
+            echo "Effective description will be: ${FINAL_DESCRIPTION}"
+
+            # Check if the label already exists
+            STATUS_CODE=$(curl -s -o /dev/null -w "%{http_code}" -H "Authorization: token ${GITHUB_TOKEN}" "https://api.github.com/repos/${OWNER_REPO}/labels/${FINAL_LABEL_NAME}")
+
+            if [ "${STATUS_CODE}" -eq 200 ]; then
+              echo "Label '${FINAL_LABEL_NAME}' already exists."
+            elif [ "${STATUS_CODE}" -eq 404 ]; then
+              echo "Label '${FINAL_LABEL_NAME}' does not exist. Creating it..."
+              # Prepare JSON data payload
+              JSON_DATA=$(printf '{"name":"%s","description":"%s","color":"B60205"}' "${FINAL_LABEL_NAME}" "${FINAL_DESCRIPTION}")
+
+              CREATE_STATUS_CODE=$(curl -s -o /tmp/curl_create_response.json -w "%{http_code}" -X POST \
+              -H "Accept: application/vnd.github.v3+json" \
+              -H "Authorization: token ${GITHUB_TOKEN}" \
+              --data "${JSON_DATA}" \
+              "https://api.github.com/repos/${OWNER_REPO}/labels")
+
+              CREATE_RESPONSE_BODY=$(cat /tmp/curl_create_response.json)
+              rm -f /tmp/curl_create_response.json
+
+              if [ "$CREATE_STATUS_CODE" -eq 201 ]; then
+                echo "Label '${FINAL_LABEL_NAME}' created successfully."
+              else
+                echo "Error creating label '${FINAL_LABEL_NAME}'. Status: $CREATE_STATUS_CODE"
+                echo "Response: $CREATE_RESPONSE_BODY"
+                exit 1
+              fi
+            else
+              echo "Error checking for label '${FINAL_LABEL_NAME}'. HTTP Status: ${STATUS_CODE}"
+              exit 1
+            fi
+          else
+            echo "Release ${RELEASE_TAG} (version ${VERSION_ONLY}) is not a minor version. Skipping backport label creation."
+            exit 0
+          fi
--- a/.github/workflows/find-secrets.yml
+++ b/.github/workflows/find-secrets.yml
@@ -7,11 +7,11 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0
      - name: TruffleHog OSS
-        uses: trufflesecurity/trufflehog@b06f6d72a3791308bb7ba59c2b8cb7a083bd17e4 # v3.88.26
+        uses: trufflesecurity/trufflehog@466da5b0bb161144f6afca9afe5d57975828c410 # v3.90.8
        with:
          path: ./
          base: ${{ github.event.repository.default_branch }}
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -14,4 +14,4 @@ jobs:
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
+    - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
--- a/.github/workflows/mcp-server-build-push-containers.yml
+++ b/.github/workflows/mcp-server-build-push-containers.yml
@@ -0,0 +1,90 @@
+name: MCP Server - Build and Push containers
+
+on:
+  push:
+    branches:
+      - "master"
+    paths:
+      - "mcp_server/**"
+      - ".github/workflows/mcp-server-build-push-containers.yml"
+
+  # Uncomment the below code to test this action on PRs
+  # pull_request:
+  #   branches:
+  #     - "master"
+  #   paths:
+  #     - "mcp_server/**"
+  #     - ".github/workflows/mcp-server-build-push-containers.yml"
+
+  release:
+    types: [published]
+
+env:
+  # Tags
+  LATEST_TAG: latest
+
+  WORKING_DIRECTORY: ./mcp_server
+
+  # Container Registries
+  PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
+  PROWLERCLOUD_DOCKERHUB_IMAGE: prowler-mcp
+
+jobs:
+  repository-check:
+    name: Repository check
+    runs-on: ubuntu-latest
+    outputs:
+      is_repo: ${{ steps.repository_check.outputs.is_repo }}
+    steps:
+      - name: Repository check
+        id: repository_check
+        working-directory: /tmp
+        run: |
+          if [[ ${{ github.repository }} == "prowler-cloud/prowler" ]]
+          then
+            echo "is_repo=true" >> "${GITHUB_OUTPUT}"
+          else
+            echo "This action only runs for prowler-cloud/prowler"
+            echo "is_repo=false" >> "${GITHUB_OUTPUT}"
+          fi
+
+  container-build-push:
+    needs: repository-check
+    if: needs.repository-check.outputs.is_repo == 'true'
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ${{ env.WORKING_DIRECTORY }}
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Set short git commit SHA
+        id: vars
+        run: |
+          shortSha=$(git rev-parse --short ${{ github.sha }})
+          echo "SHORT_SHA=${shortSha}" >> $GITHUB_ENV
+
+      - name: Login to DockerHub
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
+      - name: Build and push container image (latest)
+        # Comment the following line for testing
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: ${{ env.WORKING_DIRECTORY }}
+          # Set push: false for testing
+          push: true
+          tags: |
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.LATEST_TAG }}
+            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.SHORT_SHA }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
--- a/.github/workflows/pr-conflict-checker.yml
+++ b/.github/workflows/pr-conflict-checker.yml
@@ -0,0 +1,175 @@
+name: Prowler - PR Conflict Checker
+
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+    branches:
+      - "master"
+      - "v5.*"
+  # Leaving this commented until we find a way to run it for forks but in Prowler's context
+  # pull_request_target:
+  #   types:
+  #     - opened
+  #     - synchronize
+  #     - reopened
+  #   branches:
+  #     - "master"
+  #     - "v5.*"
+
+jobs:
+  conflict-checker:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Get changed files
+        id: changed-files
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            **
+
+      - name: Check for conflict markers
+        id: conflict-check
+        run: |
+          echo "Checking for conflict markers in changed files..."
+
+          CONFLICT_FILES=""
+          HAS_CONFLICTS=false
+
+          # Check each changed file for conflict markers
+          for file in ${{ steps.changed-files.outputs.all_changed_files }}; do
+            if [ -f "$file" ]; then
+              echo "Checking file: $file"
+
+              # Look for conflict markers
+              if grep -l "^<<<<<<<\|^=======\|^>>>>>>>" "$file" 2>/dev/null; then
+                echo "Conflict markers found in: $file"
+                CONFLICT_FILES="$CONFLICT_FILES$file "
+                HAS_CONFLICTS=true
+              fi
+            fi
+          done
+
+          if [ "$HAS_CONFLICTS" = true ]; then
+            echo "has_conflicts=true" >> $GITHUB_OUTPUT
+            echo "conflict_files=$CONFLICT_FILES" >> $GITHUB_OUTPUT
+            echo "Conflict markers detected in files: $CONFLICT_FILES"
+          else
+            echo "has_conflicts=false" >> $GITHUB_OUTPUT
+            echo "No conflict markers found in changed files"
+          fi
+
+      - name: Add conflict label
+        if: steps.conflict-check.outputs.has_conflicts == 'true'
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          github-token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          script: |
+            const { data: labels } = await github.rest.issues.listLabelsOnIssue({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+            });
+
+            const hasConflictLabel = labels.some(label => label.name === 'has-conflicts');
+
+            if (!hasConflictLabel) {
+              await github.rest.issues.addLabels({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                labels: ['has-conflicts']
+              });
+              console.log('Added has-conflicts label');
+            } else {
+              console.log('has-conflicts label already exists');
+            }
+
+      - name: Remove conflict label
+        if: steps.conflict-check.outputs.has_conflicts == 'false'
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        with:
+          github-token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+          script: |
+            try {
+              await github.rest.issues.removeLabel({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.issue.number,
+                name: 'has-conflicts'
+              });
+              console.log('Removed has-conflicts label');
+            } catch (error) {
+              if (error.status === 404) {
+                console.log('has-conflicts label was not present');
+              } else {
+                throw error;
+              }
+            }
+
+      - name: Find existing conflict comment
+        if: steps.conflict-check.outputs.has_conflicts == 'true'
+        uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
+        id: find-comment
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-author: 'github-actions[bot]'
+          body-regex: '(⚠️ \*\*Conflict Markers Detected\*\*|✅ \*\*Conflict Markers Resolved\*\*)'
+
+      - name: Create or update conflict comment
+        if: steps.conflict-check.outputs.has_conflicts == 'true'
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+        with:
+          comment-id: ${{ steps.find-comment.outputs.comment-id }}
+          issue-number: ${{ github.event.pull_request.number }}
+          edit-mode: replace
+          body: |
+            ⚠️ **Conflict Markers Detected**
+
+            This pull request contains unresolved conflict markers in the following files:
+            ```
+            ${{ steps.conflict-check.outputs.conflict_files }}
+            ```
+
+            Please resolve these conflicts by:
+            1. Locating the conflict markers: `<<<<<<<`, `=======`, and `>>>>>>>`
+            2. Manually editing the files to resolve the conflicts
+            3. Removing all conflict markers
+            4. Committing and pushing the changes
+
+      - name: Find existing conflict comment when resolved
+        if: steps.conflict-check.outputs.has_conflicts == 'false'
+        uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad # v4.0.0
+        id: find-resolved-comment
+        with:
+          issue-number: ${{ github.event.pull_request.number }}
+          comment-author: 'github-actions[bot]'
+          body-regex: '(⚠️ \*\*Conflict Markers Detected\*\*|✅ \*\*Conflict Markers Resolved\*\*)'
+
+      - name: Update comment when conflicts resolved
+        if: steps.conflict-check.outputs.has_conflicts == 'false' && steps.find-resolved-comment.outputs.comment-id != ''
+        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+        with:
+          comment-id: ${{ steps.find-resolved-comment.outputs.comment-id }}
+          issue-number: ${{ github.event.pull_request.number }}
+          edit-mode: replace
+          body: |
+            ✅ **Conflict Markers Resolved**
+
+            All conflict markers have been successfully resolved in this pull request.
+
+      - name: Fail workflow if conflicts detected
+        if: steps.conflict-check.outputs.has_conflicts == 'true'
+        run: |
+          echo "::error::Workflow failed due to conflict markers in files: ${{ steps.conflict-check.outputs.conflict_files }}"
+          exit 1
--- a/.github/workflows/prowler-release-preparation.yml
+++ b/.github/workflows/prowler-release-preparation.yml
@@ -0,0 +1,370 @@
+name: Prowler - Release Preparation
+
+run-name: Prowler Release Preparation for ${{ inputs.prowler_version }}
+
+on:
+  workflow_dispatch:
+    inputs:
+      prowler_version:
+        description: 'Prowler version to release (e.g., 5.9.0)'
+        required: true
+        type: string
+
+env:
+  PROWLER_VERSION: ${{ github.event.inputs.prowler_version }}
+
+jobs:
+  prepare-release:
+    if: github.repository == 'prowler-cloud/prowler'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        fetch-depth: 0
+        token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+
+    - name: Set up Python
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+      with:
+        python-version: '3.12'
+
+    - name: Install Poetry
+      run: |
+        python3 -m pip install --user poetry
+        echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+    - name: Configure Git
+      run: |
+        git config --global user.name "prowler-bot"
+        git config --global user.email "179230569+prowler-bot@users.noreply.github.com"
+
+    - name: Parse version and determine branch
+      run: |
+        # Validate version format (reusing pattern from sdk-bump-version.yml)
+        if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+          MAJOR_VERSION=${BASH_REMATCH[1]}
+          MINOR_VERSION=${BASH_REMATCH[2]}
+          PATCH_VERSION=${BASH_REMATCH[3]}
+
+          # Export version components to environment
+          echo "MAJOR_VERSION=${MAJOR_VERSION}" >> "${GITHUB_ENV}"
+          echo "MINOR_VERSION=${MINOR_VERSION}" >> "${GITHUB_ENV}"
+          echo "PATCH_VERSION=${PATCH_VERSION}" >> "${GITHUB_ENV}"
+
+          # Determine branch name (format: v5.9)
+          BRANCH_NAME="v${MAJOR_VERSION}.${MINOR_VERSION}"
+          echo "BRANCH_NAME=${BRANCH_NAME}" >> "${GITHUB_ENV}"
+
+          # Function to extract the latest version from changelog
+          extract_latest_version() {
+            local changelog_file="$1"
+            if [ -f "$changelog_file" ]; then
+              # Extract the first version entry (most recent) from changelog
+              # Format: ## [version] (1.2.3) or ## [vversion] (v1.2.3)
+              local version=$(grep -m 1 '^## \[' "$changelog_file" | sed 's/^## \[\(.*\)\].*/\1/' | sed 's/^v//' | tr -d '[:space:]')
+              echo "$version"
+            else
+              echo ""
+            fi
+          }
+
+          # Read actual versions from changelogs (source of truth)
+          UI_VERSION=$(extract_latest_version "ui/CHANGELOG.md")
+          API_VERSION=$(extract_latest_version "api/CHANGELOG.md")
+          SDK_VERSION=$(extract_latest_version "prowler/CHANGELOG.md")
+
+          echo "UI_VERSION=${UI_VERSION}" >> "${GITHUB_ENV}"
+          echo "API_VERSION=${API_VERSION}" >> "${GITHUB_ENV}"
+          echo "SDK_VERSION=${SDK_VERSION}" >> "${GITHUB_ENV}"
+
+          if [ -n "$UI_VERSION" ]; then
+            echo "Read UI version from changelog: $UI_VERSION"
+          else
+            echo "Warning: No UI version found in ui/CHANGELOG.md"
+          fi
+
+          if [ -n "$API_VERSION" ]; then
+            echo "Read API version from changelog: $API_VERSION"
+          else
+            echo "Warning: No API version found in api/CHANGELOG.md"
+          fi
+
+          if [ -n "$SDK_VERSION" ]; then
+            echo "Read SDK version from changelog: $SDK_VERSION"
+          else
+            echo "Warning: No SDK version found in prowler/CHANGELOG.md"
+          fi
+
+          echo "Prowler version: $PROWLER_VERSION"
+          echo "Branch name: $BRANCH_NAME"
+          echo "UI version: $UI_VERSION"
+          echo "API version: $API_VERSION"
+          echo "SDK version: $SDK_VERSION"
+          echo "Is minor release: $([ $PATCH_VERSION -eq 0 ] && echo 'true' || echo 'false')"
+        else
+          echo "Invalid version syntax: '$PROWLER_VERSION' (must be N.N.N)" >&2
+          exit 1
+        fi
+
+    - name: Extract changelog entries
+      run: |
+        set -e
+
+        # Function to extract changelog for a specific version
+        extract_changelog() {
+          local file="$1"
+          local version="$2"
+          local output_file="$3"
+
+          if [ ! -f "$file" ]; then
+            echo "Warning: $file not found, skipping..."
+            touch "$output_file"
+            return
+          fi
+
+          # Extract changelog section for this version
+          awk -v version="$version" '
+            /^## \[v?'"$version"'\]/ { found=1; next }
+            found && /^## \[v?[0-9]+\.[0-9]+\.[0-9]+\]/ { found=0 }
+            found && !/^## \[v?'"$version"'\]/ { print }
+          ' "$file" > "$output_file"
+
+          # Remove --- separators
+          sed -i '/^---$/d' "$output_file"
+
+          # Remove trailing empty lines
+          sed -i '/^$/d' "$output_file"
+        }
+
+        # Calculate expected versions for this release
+        if [[ $PROWLER_VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+)$ ]]; then
+          EXPECTED_UI_VERSION="1.${BASH_REMATCH[2]}.${BASH_REMATCH[3]}"
+          EXPECTED_API_VERSION="1.$((${BASH_REMATCH[2]} + 1)).${BASH_REMATCH[3]}"
+
+          echo "Expected UI version for this release: $EXPECTED_UI_VERSION"
+          echo "Expected API version for this release: $EXPECTED_API_VERSION"
+        fi
+
+        # Determine if components have changes for this specific release
+        # UI has changes if its current version matches what we expect for this release
+        if [ -n "$UI_VERSION" ] && [ "$UI_VERSION" = "$EXPECTED_UI_VERSION" ]; then
+          echo "HAS_UI_CHANGES=true" >> $GITHUB_ENV
+          echo "✓ UI changes detected - version matches expected: $UI_VERSION"
+          extract_changelog "ui/CHANGELOG.md" "$UI_VERSION" "ui_changelog.md"
+        else
+          echo "HAS_UI_CHANGES=false" >> $GITHUB_ENV
+          echo "ℹ No UI changes for this release (current: $UI_VERSION, expected: $EXPECTED_UI_VERSION)"
+          touch "ui_changelog.md"
+        fi
+
+        # API has changes if its current version matches what we expect for this release
+        if [ -n "$API_VERSION" ] && [ "$API_VERSION" = "$EXPECTED_API_VERSION" ]; then
+          echo "HAS_API_CHANGES=true" >> $GITHUB_ENV
+          echo "✓ API changes detected - version matches expected: $API_VERSION"
+          extract_changelog "api/CHANGELOG.md" "$API_VERSION" "api_changelog.md"
+        else
+          echo "HAS_API_CHANGES=false" >> $GITHUB_ENV
+          echo "ℹ No API changes for this release (current: $API_VERSION, expected: $EXPECTED_API_VERSION)"
+          touch "api_changelog.md"
+        fi
+
+        # SDK has changes if its current version matches the input version
+        if [ -n "$SDK_VERSION" ] && [ "$SDK_VERSION" = "$PROWLER_VERSION" ]; then
+          echo "HAS_SDK_CHANGES=true" >> $GITHUB_ENV
+          echo "✓ SDK changes detected - version matches input: $SDK_VERSION"
+          extract_changelog "prowler/CHANGELOG.md" "$PROWLER_VERSION" "prowler_changelog.md"
+        else
+          echo "HAS_SDK_CHANGES=false" >> $GITHUB_ENV
+          echo "ℹ No SDK changes for this release (current: $SDK_VERSION, input: $PROWLER_VERSION)"
+          touch "prowler_changelog.md"
+        fi
+
+        # Combine changelogs in order: UI, API, SDK
+        > combined_changelog.md
+
+        if [ "$HAS_UI_CHANGES" = "true" ] && [ -s "ui_changelog.md" ]; then
+          echo "## UI" >> combined_changelog.md
+          echo "" >> combined_changelog.md
+          cat ui_changelog.md >> combined_changelog.md
+          echo "" >> combined_changelog.md
+        fi
+
+        if [ "$HAS_API_CHANGES" = "true" ] && [ -s "api_changelog.md" ]; then
+          echo "## API" >> combined_changelog.md
+          echo "" >> combined_changelog.md
+          cat api_changelog.md >> combined_changelog.md
+          echo "" >> combined_changelog.md
+        fi
+
+        if [ "$HAS_SDK_CHANGES" = "true" ] && [ -s "prowler_changelog.md" ]; then
+          echo "## SDK" >> combined_changelog.md
+          echo "" >> combined_changelog.md
+          cat prowler_changelog.md >> combined_changelog.md
+          echo "" >> combined_changelog.md
+        fi
+
+        echo "Combined changelog preview:"
+        cat combined_changelog.md
+
+    - name: Checkout existing branch for patch release
+      if: ${{ env.PATCH_VERSION != '0' }}
+      run: |
+        echo "Patch release detected, checking out existing branch $BRANCH_NAME..."
+        if git show-ref --verify --quiet "refs/heads/$BRANCH_NAME"; then
+          echo "Branch $BRANCH_NAME exists locally, checking out..."
+          git checkout "$BRANCH_NAME"
+        elif git show-ref --verify --quiet "refs/remotes/origin/$BRANCH_NAME"; then
+          echo "Branch $BRANCH_NAME exists remotely, checking out..."
+          git checkout -b "$BRANCH_NAME" "origin/$BRANCH_NAME"
+        else
+          echo "ERROR: Branch $BRANCH_NAME should exist for patch release $PROWLER_VERSION"
+          exit 1
+        fi
+
+    - name: Verify version in pyproject.toml
+      run: |
+        CURRENT_VERSION=$(grep '^version = ' pyproject.toml | sed -E 's/version = "([^"]+)"/\1/' | tr -d '[:space:]')
+        PROWLER_VERSION_TRIMMED=$(echo "$PROWLER_VERSION" | tr -d '[:space:]')
+        if [ "$CURRENT_VERSION" != "$PROWLER_VERSION_TRIMMED" ]; then
+          echo "ERROR: Version mismatch in pyproject.toml (expected: '$PROWLER_VERSION_TRIMMED', found: '$CURRENT_VERSION')"
+          exit 1
+        fi
+        echo "✓ pyproject.toml version: $CURRENT_VERSION"
+
+    - name: Verify version in prowler/config/config.py
+      run: |
+        CURRENT_VERSION=$(grep '^prowler_version = ' prowler/config/config.py | sed -E 's/prowler_version = "([^"]+)"/\1/' | tr -d '[:space:]')
+        PROWLER_VERSION_TRIMMED=$(echo "$PROWLER_VERSION" | tr -d '[:space:]')
+        if [ "$CURRENT_VERSION" != "$PROWLER_VERSION_TRIMMED" ]; then
+          echo "ERROR: Version mismatch in prowler/config/config.py (expected: '$PROWLER_VERSION_TRIMMED', found: '$CURRENT_VERSION')"
+          exit 1
+        fi
+        echo "✓ prowler/config/config.py version: $CURRENT_VERSION"
+
+    - name: Verify version in api/pyproject.toml
+      if: ${{ env.HAS_API_CHANGES == 'true' }}
+      run: |
+        CURRENT_API_VERSION=$(grep '^version = ' api/pyproject.toml | sed -E 's/version = "([^"]+)"/\1/' | tr -d '[:space:]')
+        API_VERSION_TRIMMED=$(echo "$API_VERSION" | tr -d '[:space:]')
+        if [ "$CURRENT_API_VERSION" != "$API_VERSION_TRIMMED" ]; then
+          echo "ERROR: API version mismatch in api/pyproject.toml (expected: '$API_VERSION_TRIMMED', found: '$CURRENT_API_VERSION')"
+          exit 1
+        fi
+        echo "✓ api/pyproject.toml version: $CURRENT_API_VERSION"
+
+    - name: Verify prowler dependency in api/pyproject.toml
+      if: ${{ env.PATCH_VERSION != '0' && env.HAS_API_CHANGES == 'true' }}
+      run: |
+        CURRENT_PROWLER_REF=$(grep 'prowler @ git+https://github.com/prowler-cloud/prowler.git@' api/pyproject.toml | sed -E 's/.*@([^"]+)".*/\1/' | tr -d '[:space:]')
+        BRANCH_NAME_TRIMMED=$(echo "$BRANCH_NAME" | tr -d '[:space:]')
+        if [ "$CURRENT_PROWLER_REF" != "$BRANCH_NAME_TRIMMED" ]; then
+          echo "ERROR: Prowler dependency mismatch in api/pyproject.toml (expected: '$BRANCH_NAME_TRIMMED', found: '$CURRENT_PROWLER_REF')"
+          exit 1
+        fi
+        echo "✓ api/pyproject.toml prowler dependency: $CURRENT_PROWLER_REF"
+
+    - name: Verify version in api/src/backend/api/v1/views.py
+      if: ${{ env.HAS_API_CHANGES == 'true' }}
+      run: |
+        CURRENT_API_VERSION=$(grep 'spectacular_settings.VERSION = ' api/src/backend/api/v1/views.py | sed -E 's/.*spectacular_settings.VERSION = "([^"]+)".*/\1/' | tr -d '[:space:]')
+        API_VERSION_TRIMMED=$(echo "$API_VERSION" | tr -d '[:space:]')
+        if [ "$CURRENT_API_VERSION" != "$API_VERSION_TRIMMED" ]; then
+          echo "ERROR: API version mismatch in views.py (expected: '$API_VERSION_TRIMMED', found: '$CURRENT_API_VERSION')"
+          exit 1
+        fi
+        echo "✓ api/src/backend/api/v1/views.py version: $CURRENT_API_VERSION"
+
+    - name: Checkout existing release branch for minor release
+      if: ${{ env.PATCH_VERSION == '0' }}
+      run: |
+        echo "Minor release detected (patch = 0), checking out existing branch $BRANCH_NAME..."
+        if git show-ref --verify --quiet "refs/remotes/origin/$BRANCH_NAME"; then
+          echo "Branch $BRANCH_NAME exists remotely, checking out..."
+          git checkout -b "$BRANCH_NAME" "origin/$BRANCH_NAME"
+        else
+          echo "ERROR: Branch $BRANCH_NAME should exist for minor release $PROWLER_VERSION. Please create it manually first."
+          exit 1
+        fi
+
+    - name: Prepare prowler dependency update for minor release
+      if: ${{ env.PATCH_VERSION == '0' }}
+      run: |
+        CURRENT_PROWLER_REF=$(grep 'prowler @ git+https://github.com/prowler-cloud/prowler.git@' api/pyproject.toml | sed -E 's/.*@([^"]+)".*/\1/' | tr -d '[:space:]')
+        BRANCH_NAME_TRIMMED=$(echo "$BRANCH_NAME" | tr -d '[:space:]')
+
+        # Create a temporary branch for the PR from the minor version branch
+        TEMP_BRANCH="update-api-dependency-$BRANCH_NAME_TRIMMED-$(date +%s)"
+        echo "TEMP_BRANCH=$TEMP_BRANCH" >> $GITHUB_ENV
+
+        # Create temp branch from the current minor version branch
+        git checkout -b "$TEMP_BRANCH"
+
+        # Minor release: update the dependency to use the release branch
+        echo "Updating prowler dependency from '$CURRENT_PROWLER_REF' to '$BRANCH_NAME_TRIMMED'"
+        sed -i "s|prowler @ git+https://github.com/prowler-cloud/prowler.git@[^\"]*\"|prowler @ git+https://github.com/prowler-cloud/prowler.git@$BRANCH_NAME_TRIMMED\"|" api/pyproject.toml
+
+        # Verify the change was made
+        UPDATED_PROWLER_REF=$(grep 'prowler @ git+https://github.com/prowler-cloud/prowler.git@' api/pyproject.toml | sed -E 's/.*@([^"]+)".*/\1/' | tr -d '[:space:]')
+        if [ "$UPDATED_PROWLER_REF" != "$BRANCH_NAME_TRIMMED" ]; then
+          echo "ERROR: Failed to update prowler dependency in api/pyproject.toml"
+          exit 1
+        fi
+
+        # Update poetry lock file
+        echo "Updating poetry.lock file..."
+        cd api
+        poetry lock
+        cd ..
+
+        # Commit and push the temporary branch
+        git add api/pyproject.toml api/poetry.lock
+        git commit -m "chore(api): update prowler dependency to $BRANCH_NAME_TRIMMED for release $PROWLER_VERSION"
+        git push origin "$TEMP_BRANCH"
+
+        echo "✓ Prepared prowler dependency update to: $UPDATED_PROWLER_REF"
+
+    - name: Create Pull Request against release branch
+      if: ${{ env.PATCH_VERSION == '0' }}
+      uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+      with:
+        token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
+        branch: ${{ env.TEMP_BRANCH }}
+        base: ${{ env.BRANCH_NAME }}
+        title: "chore(api): Update prowler dependency to ${{ env.BRANCH_NAME }} for release ${{ env.PROWLER_VERSION }}"
+        body: |
+          ### Description
+
+          Updates the API prowler dependency for release ${{ env.PROWLER_VERSION }}.
+
+          **Changes:**
+          - Updates `api/pyproject.toml` prowler dependency from `@master` to `@${{ env.BRANCH_NAME }}`
+          - Updates `api/poetry.lock` file with resolved dependencies
+
+          This PR should be merged into the `${{ env.BRANCH_NAME }}` release branch.
+
+          ### License
+
+          By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
+        author: prowler-bot <179230569+prowler-bot@users.noreply.github.com>
+        labels: |
+          component/api
+          no-changelog
+
+    - name: Create draft release
+      uses: softprops/action-gh-release@6cbd405e2c4e67a21c47fa9e383d020e4e28b836 # v2.3.3
+      with:
+        tag_name: ${{ env.PROWLER_VERSION }}
+        name: Prowler ${{ env.PROWLER_VERSION }}
+        body_path: combined_changelog.md
+        draft: true
+        target_commitish: ${{ env.BRANCH_NAME }}
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Clean up temporary files
+      run: |
+        rm -f prowler_changelog.md api_changelog.md ui_changelog.md combined_changelog.md
--- a/.github/workflows/pull-request-check-changelog.yml
+++ b/.github/workflows/pull-request-check-changelog.yml
@@ -1,4 +1,4 @@
-name: Check Changelog
+name: Prowler - Check Changelog

 on:
  pull_request:
@@ -13,10 +13,10 @@ jobs:
      contents: read
      pull-requests: write
    env:
-      MONITORED_FOLDERS: "api ui prowler"
+      MONITORED_FOLDERS: "api ui prowler dashboard"

    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          fetch-depth: 0

@@ -49,35 +49,26 @@ jobs:
      - name: Find existing changelog comment
        if: github.event.pull_request.head.repo.full_name == github.repository
        id: find_comment
-        uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e #v3.1.0
+        uses: peter-evans/find-comment@b30e6a3c0ed37e7c023ccd3f1db5c6c0b0c23aad #v4.0.0
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-author: 'github-actions[bot]'
          body-includes: '<!-- changelog-check -->'

-      - name: Comment on PR if changelog is missing
-        if: github.event.pull_request.head.repo.full_name == github.repository && steps.check_folders.outputs.missing_changelogs != ''
+      - name: Update PR comment with changelog status
+        if: github.event.pull_request.head.repo.full_name == github.repository
        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
        with:
          issue-number: ${{ github.event.pull_request.number }}
          comment-id: ${{ steps.find_comment.outputs.comment-id }}
+          edit-mode: replace
          body: |
            <!-- changelog-check -->
-            ⚠️ **Changes detected in the following folders without a corresponding update to the `CHANGELOG.md`:**
+            ${{ steps.check_folders.outputs.missing_changelogs != '' && format('⚠️ **Changes detected in the following folders without a corresponding update to the `CHANGELOG.md`:**

-            ${{ steps.check_folders.outputs.missing_changelogs }}
+            {0}

-            Please add an entry to the corresponding `CHANGELOG.md` file to maintain a clear history of changes.
-
-      - name: Comment on PR if all changelogs are present
-        if: github.event.pull_request.head.repo.full_name == github.repository && steps.check_folders.outputs.missing_changelogs == ''
-        uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
-        with:
-          issue-number: ${{ github.event.pull_request.number }}
-          comment-id: ${{ steps.find_comment.outputs.comment-id }}
-          body: |
-            <!-- changelog-check -->
-            ✅ All necessary `CHANGELOG.md` files have been updated. Great job! 🎉
+            Please add an entry to the corresponding `CHANGELOG.md` file to maintain a clear history of changes.', steps.check_folders.outputs.missing_changelogs) || '✅ All necessary `CHANGELOG.md` files have been updated. Great job! 🎉' }}

      - name: Fail if changelog is missing
        if: steps.check_folders.outputs.missing_changelogs != ''
--- a/.github/workflows/pull-request-merged.yml
+++ b/.github/workflows/pull-request-merged.yml
@@ -11,27 +11,28 @@ jobs:
    if: github.event.pull_request.merged == true && github.repository == 'prowler-cloud/prowler'
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          ref: ${{ github.event.pull_request.merge_commit_sha }}

      - name: Set short git commit SHA
        id: vars
        run: |
-          shortSha=$(git rev-parse --short ${{ github.sha }})
+          shortSha=$(git rev-parse --short ${{ github.event.pull_request.merge_commit_sha }})
          echo "SHORT_SHA=${shortSha}" >> $GITHUB_ENV

      - name: Trigger pull request
-        uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
+        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
        with:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          repository: ${{ secrets.CLOUD_DISPATCH }}
          event-type: prowler-pull-request-merged
-          client-payload: '{
-            "PROWLER_COMMIT_SHA": "${{ github.sha }}",
-            "PROWLER_COMMIT_SHORT_SHA": "${{ env.SHORT_SHA }}",
-            "PROWLER_PR_TITLE": "${{ github.event.pull_request.title }}",
-            "PROWLER_PR_LABELS": ${{ toJson(github.event.pull_request.labels.*.name) }},
-            "PROWLER_PR_BODY": ${{ toJson(github.event.pull_request.body) }},
-            "PROWLER_PR_URL":${{ toJson(github.event.pull_request.html_url) }}
-          }'
+          client-payload: |
+            {
+              "PROWLER_COMMIT_SHA": "${{ github.event.pull_request.merge_commit_sha }}",
+              "PROWLER_COMMIT_SHORT_SHA": "${{ env.SHORT_SHA }}",
+              "PROWLER_PR_TITLE": ${{ toJson(github.event.pull_request.title) }},
+              "PROWLER_PR_LABELS": ${{ toJson(github.event.pull_request.labels.*.name) }},
+              "PROWLER_PR_BODY": ${{ toJson(github.event.pull_request.body) }},
+              "PROWLER_PR_URL": ${{ toJson(github.event.pull_request.html_url) }}
+            }
--- a/.github/workflows/sdk-build-lint-push-containers.yml
+++ b/.github/workflows/sdk-build-lint-push-containers.yml
@@ -59,10 +59,10 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Setup Python
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}

@@ -108,13 +108,13 @@ jobs:
          esac

      - name: Login to DockerHub
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to Public ECR
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: public.ecr.aws
          username: ${{ secrets.PUBLIC_ECR_AWS_ACCESS_KEY_ID }}
@@ -123,11 +123,11 @@ jobs:
          AWS_REGION: ${{ env.AWS_REGION }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Build and push container image (latest)
        if: github.event_name == 'push'
-        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          push: true
          tags: |
@@ -140,7 +140,7 @@ jobs:

      - name: Build and push container image (release)
        if: github.event_name == 'release'
-        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          # Use local context to get changes
          # https://github.com/docker/build-push-action#path-context
@@ -157,6 +157,22 @@ jobs:
          cache-from: type=gha
          cache-to: type=gha,mode=max

+#      - name: Push README to Docker Hub (toniblyx)
+#        uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4.0.2
+#        with:
+#          username: ${{ secrets.DOCKERHUB_USERNAME }}
+#          password: ${{ secrets.DOCKERHUB_TOKEN }}
+#          repository: ${{ env.DOCKER_HUB_REPOSITORY }}/${{ env.IMAGE_NAME }}
+#          readme-filepath: ./README.md
+#
+#      - name: Push README to Docker Hub (prowlercloud)
+#        uses: peter-evans/dockerhub-description@432a30c9e07499fd01da9f8a49f0faf9e0ca5b77 # v4.0.2
+#        with:
+#          username: ${{ secrets.DOCKERHUB_USERNAME }}
+#          password: ${{ secrets.DOCKERHUB_TOKEN }}
+#          repository: ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}
+#          readme-filepath: ./README.md
+
  dispatch-action:
    needs: container-build-push
    runs-on: ubuntu-latest
--- a/.github/workflows/sdk-bump-version.yml
+++ b/.github/workflows/sdk-bump-version.yml
@@ -12,10 +12,9 @@ env:
 jobs:
  bump-version:
    name: Bump Version
-    if: github.repository == 'prowler-cloud/prowler'
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Get Prowler version
        shell: bash
@@ -97,6 +96,7 @@ jobs:
            commit-message: "chore(release): Bump version to v${{ env.BUMP_VERSION_TO }}"
            branch: "version-bump-to-v${{ env.BUMP_VERSION_TO }}"
            title: "chore(release): Bump version to v${{ env.BUMP_VERSION_TO }}"
+            labels: no-changelog
            body: |
              ### Description

@@ -135,6 +135,7 @@ jobs:
            commit-message: "chore(release): Bump version to v${{ env.PATCH_VERSION_TO }}"
            branch: "version-bump-to-v${{ env.PATCH_VERSION_TO }}"
            title: "chore(release): Bump version to v${{ env.PATCH_VERSION_TO }}"
+            labels: no-changelog
            body: |
              ### Description

--- a/.github/workflows/sdk-codeql.yml
+++ b/.github/workflows/sdk-codeql.yml
@@ -52,16 +52,16 @@ jobs:

    steps:
    - name: Checkout repository
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
+      uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
      with:
        languages: ${{ matrix.language }}
        config-file: ./.github/codeql/sdk-codeql-config.yml

    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
+      uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
      with:
        category: "/language:${{matrix.language}}"
--- a/.github/workflows/sdk-pull-request.yml
+++ b/.github/workflows/sdk-pull-request.yml
@@ -21,11 +21,11 @@ jobs:
        python-version: ["3.9", "3.10", "3.11", "3.12"]

    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Test if changes are in not ignored paths
        id: are-non-ignored-files-changed
-        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: ./**
          files_ignore: |
@@ -51,7 +51,7 @@ jobs:

      - name: Set up Python ${{ matrix.python-version }}
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: ${{ matrix.python-version }}
          cache: "poetry"
@@ -102,20 +102,27 @@ jobs:
        run: |
          poetry run vulture --exclude "contrib,api,ui" --min-confidence 100 .

+      - name: Dockerfile - Check if Dockerfile has changed
+        id: dockerfile-changed-files
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            Dockerfile
+
      - name: Hadolint
-        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
+        if: steps.dockerfile-changed-files.outputs.any_changed == 'true'
        run: |
          /tmp/hadolint Dockerfile --ignore=DL3013

      # Test AWS
      - name: AWS - Check if any file has changed
        id: aws-changed-files
-        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/providers/aws/**
            ./tests/providers/aws/**
-            .poetry.lock
+            ./poetry.lock

      - name: AWS - Test
        if: steps.aws-changed-files.outputs.any_changed == 'true'
@@ -125,12 +132,12 @@ jobs:
      # Test Azure
      - name: Azure - Check if any file has changed
        id: azure-changed-files
-        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/providers/azure/**
            ./tests/providers/azure/**
-            .poetry.lock
+            ./poetry.lock

      - name: Azure - Test
        if: steps.azure-changed-files.outputs.any_changed == 'true'
@@ -140,12 +147,12 @@ jobs:
      # Test GCP
      - name: GCP - Check if any file has changed
        id: gcp-changed-files
-        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/providers/gcp/**
            ./tests/providers/gcp/**
-            .poetry.lock
+            ./poetry.lock

      - name: GCP - Test
        if: steps.gcp-changed-files.outputs.any_changed == 'true'
@@ -155,12 +162,12 @@ jobs:
      # Test Kubernetes
      - name: Kubernetes - Check if any file has changed
        id: kubernetes-changed-files
-        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/providers/kubernetes/**
            ./tests/providers/kubernetes/**
-            .poetry.lock
+            ./poetry.lock

      - name: Kubernetes - Test
        if: steps.kubernetes-changed-files.outputs.any_changed == 'true'
@@ -170,12 +177,12 @@ jobs:
      # Test GitHub
      - name: GitHub - Check if any file has changed
        id: github-changed-files
-        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/providers/github/**
            ./tests/providers/github/**
-            .poetry.lock
+            ./poetry.lock

      - name: GitHub - Test
        if: steps.github-changed-files.outputs.any_changed == 'true'
@@ -185,12 +192,12 @@ jobs:
      # Test NHN
      - name: NHN - Check if any file has changed
        id: nhn-changed-files
-        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/providers/nhn/**
            ./tests/providers/nhn/**
-            .poetry.lock
+            ./poetry.lock

      - name: NHN - Test
        if: steps.nhn-changed-files.outputs.any_changed == 'true'
@@ -200,18 +207,48 @@ jobs:
      # Test M365
      - name: M365 - Check if any file has changed
        id: m365-changed-files
-        uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c # v46.0.5
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
        with:
          files: |
            ./prowler/providers/m365/**
            ./tests/providers/m365/**
-            .poetry.lock
+            ./poetry.lock

      - name: M365 - Test
        if: steps.m365-changed-files.outputs.any_changed == 'true'
        run: |
          poetry run pytest -n auto --cov=./prowler/providers/m365 --cov-report=xml:m365_coverage.xml tests/providers/m365

+      # Test IaC
+      - name: IaC - Check if any file has changed
+        id: iac-changed-files
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            ./prowler/providers/iac/**
+            ./tests/providers/iac/**
+            ./poetry.lock
+
+      - name: IaC - Test
+        if: steps.iac-changed-files.outputs.any_changed == 'true'
+        run: |
+          poetry run pytest -n auto --cov=./prowler/providers/iac --cov-report=xml:iac_coverage.xml tests/providers/iac
+
+      # Test MongoDB Atlas
+      - name: MongoDB Atlas - Check if any file has changed
+        id: mongodb-atlas-changed-files
+        uses: tj-actions/changed-files@24d32ffd492484c1d75e0c0b894501ddb9d30d62 # v47.0.0
+        with:
+          files: |
+            ./prowler/providers/mongodbatlas/**
+            ./tests/providers/mongodbatlas/**
+            .poetry.lock
+
+      - name: MongoDB Atlas - Test
+        if: steps.mongodb-atlas-changed-files.outputs.any_changed == 'true'
+        run: |
+          poetry run pytest -n auto --cov=./prowler/providers/mongodbatlas --cov-report=xml:mongodb_atlas_coverage.xml tests/providers/mongodbatlas
+
      # Common Tests
      - name: Lib - Test
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
@@ -226,7 +263,7 @@ jobs:
      # Codecov
      - name: Upload coverage reports to Codecov
        if: steps.are-non-ignored-files-changed.outputs.any_changed == 'true'
-        uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        with:
--- a/.github/workflows/sdk-pypi-release.yml
+++ b/.github/workflows/sdk-pypi-release.yml
@@ -64,14 +64,14 @@ jobs:
              ;;
          esac

-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Install dependencies
        run: |
          pipx install poetry==2.1.1

      - name: Setup Python
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: ${{ env.PYTHON_VERSION }}
          # cache: ${{ env.CACHE }}
--- a/.github/workflows/sdk-refresh-aws-services-regions.yml
+++ b/.github/workflows/sdk-refresh-aws-services-regions.yml
@@ -23,12 +23,12 @@ jobs:
    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          ref: ${{ env.GITHUB_BRANCH }}

      - name: setup python
-        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
        with:
          python-version: 3.9 #install the python needed

@@ -38,7 +38,7 @@ jobs:
          pip install boto3

      - name: Configure AWS Credentials -- DEV
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
        with:
          aws-region: ${{ env.AWS_REGION_DEV }}
          role-to-assume: ${{ secrets.DEV_IAM_ROLE_ARN }}
@@ -56,7 +56,7 @@ jobs:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          commit-message: "feat(regions_update): Update regions for AWS services"
          branch: "aws-services-regions-updated-${{ github.sha }}"
-          labels: "status/waiting-for-revision, severity/low, provider/aws"
+          labels: "status/waiting-for-revision, severity/low, provider/aws, no-changelog"
          title: "chore(regions_update): Changes in regions for AWS services"
          body: |
            ### Description
--- a/.github/workflows/ui-build-lint-push-containers.yml
+++ b/.github/workflows/ui-build-lint-push-containers.yml
@@ -30,6 +30,7 @@ env:
  # Container Registries
  PROWLERCLOUD_DOCKERHUB_REPOSITORY: prowlercloud
  PROWLERCLOUD_DOCKERHUB_IMAGE: prowler-ui
+  NEXT_PUBLIC_API_BASE_URL: http://prowler-api:8080/api/v1

 jobs:
  repository-check:
@@ -61,7 +62,7 @@ jobs:

    steps:
      - name: Checkout
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      - name: Set short git commit SHA
        id: vars
@@ -70,22 +71,23 @@ jobs:
          echo "SHORT_SHA=${shortSha}" >> $GITHUB_ENV

      - name: Login to DockerHub
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1

      - name: Build and push container image (latest)
        # Comment the following line for testing
        if: github.event_name == 'push'
-        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
          build-args: |
            NEXT_PUBLIC_PROWLER_RELEASE_VERSION=${{ env.SHORT_SHA }}
+            NEXT_PUBLIC_API_BASE_URL=${{ env.NEXT_PUBLIC_API_BASE_URL }}
          # Set push: false for testing
          push: true
          tags: |
@@ -96,11 +98,12 @@ jobs:

      - name: Build and push container image (release)
        if: github.event_name == 'release'
-        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.WORKING_DIRECTORY }}
          build-args: |
            NEXT_PUBLIC_PROWLER_RELEASE_VERSION=v${{ env.RELEASE_TAG }}
+            NEXT_PUBLIC_API_BASE_URL=${{ env.NEXT_PUBLIC_API_BASE_URL }}
          push: true
          tags: |
            ${{ env.PROWLERCLOUD_DOCKERHUB_REPOSITORY }}/${{ env.PROWLERCLOUD_DOCKERHUB_IMAGE }}:${{ env.RELEASE_TAG }}
@@ -110,7 +113,7 @@ jobs:

      - name: Trigger deployment
        if: github.event_name == 'push'
-        uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
+        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4.0.0
        with:
          token: ${{ secrets.PROWLER_BOT_ACCESS_TOKEN }}
          repository: ${{ secrets.CLOUD_DISPATCH }}
--- a/.github/workflows/ui-codeql.yml
+++ b/.github/workflows/ui-codeql.yml
@@ -44,16 +44,16 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
+        uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/ui-codeql-config.yml

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@28deaeda66b76a05916b6923827895f2b14ab387 # v3.28.16
+        uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
        with:
          category: "/language:${{matrix.language}}"
--- a/.github/workflows/ui-e2e-tests.yml
+++ b/.github/workflows/ui-e2e-tests.yml
@@ -0,0 +1,105 @@
+name: UI - E2E Tests
+
+on:
+  pull_request:
+    branches:
+      - master
+      - "v5.*"
+    paths:
+      - '.github/workflows/ui-e2e-tests.yml'
+      - 'ui/**'
+
+jobs:
+  e2e-tests:
+    if: github.repository == 'prowler-cloud/prowler'
+    runs-on: ubuntu-latest
+    env:
+      AUTH_SECRET: 'fallback-ci-secret-for-testing'
+      AUTH_TRUST_HOST: true
+      NEXTAUTH_URL: 'http://localhost:3000'
+      NEXT_PUBLIC_API_BASE_URL: 'http://localhost:8080/api/v1'
+      E2E_GITHUB_USER: ${{ secrets.E2E_GITHUB_USER }}
+      E2E_GITHUB_PASSWORD: ${{ secrets.E2E_GITHUB_PASSWORD }}
+      SOCIAL_GITHUB_OAUTH_CLIENT_ID: ${{ secrets.E2E_SOCIAL_GITHUB_OAUTH_CLIENT_ID }}
+      SOCIAL_GITHUB_OAUTH_CLIENT_SECRET: ${{ secrets.E2E_SOCIAL_GITHUB_OAUTH_CLIENT_SECRET }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      - name: Fix API data directory permissions
+        run: docker run --rm -v $(pwd)/_data/api:/data alpine chown -R 1000:1000 /data
+      - name: Start API services
+        run: |
+          # Override docker-compose image tag to use latest instead of stable
+          # This overrides any PROWLER_API_VERSION set in .env file
+          export PROWLER_API_VERSION=latest
+          echo "Using PROWLER_API_VERSION=${PROWLER_API_VERSION}"
+          docker compose up -d api worker worker-beat
+      - name: Wait for API to be ready
+        run: |
+          echo "Waiting for prowler-api..."
+          timeout=150  # 5 minutes max
+          elapsed=0
+          while [ $elapsed -lt $timeout ]; do
+            if curl -s ${NEXT_PUBLIC_API_BASE_URL}/docs >/dev/null 2>&1; then
+              echo "Prowler API is ready!"
+              exit 0
+            fi
+            echo "Waiting for prowler-api... (${elapsed}s elapsed)"
+            sleep 5
+            elapsed=$((elapsed + 5))
+          done
+          echo "Timeout waiting for prowler-api to start"
+          exit 1
+      - name: Load database fixtures for E2E tests
+        run: |
+          docker compose exec -T api sh -c '
+            echo "Loading all fixtures from api/fixtures/dev/..."
+            for fixture in api/fixtures/dev/*.json; do
+              if [ -f "$fixture" ]; then
+                echo "Loading $fixture"
+                poetry run python manage.py loaddata "$fixture" --database admin
+              fi
+            done
+            echo "All database fixtures loaded successfully!"
+          '
+      - name: Setup Node.js environment
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+        with:
+          node-version: '20.x'
+          cache: 'npm'
+          cache-dependency-path: './ui/package-lock.json'
+      - name: Install UI dependencies
+        working-directory: ./ui
+        run: npm ci
+      - name: Build UI application
+        working-directory: ./ui
+        run: npm run build
+      - name: Cache Playwright browsers
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        id: playwright-cache
+        with:
+          path: ~/.cache/ms-playwright
+          key: ${{ runner.os }}-playwright-${{ hashFiles('ui/package-lock.json') }}
+          restore-keys: |
+            ${{ runner.os }}-playwright-
+      - name: Install Playwright browsers
+        working-directory: ./ui
+        if: steps.playwright-cache.outputs.cache-hit != 'true'
+        run: npm run test:e2e:install
+      - name: Run E2E tests
+        working-directory: ./ui
+        run: npm run test:e2e
+      - name: Upload test reports
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: failure()
+        with:
+          name: playwright-report
+          path: ui/playwright-report/
+          retention-days: 30
+      - name: Cleanup services
+        if: always()
+        run: |
+          echo "Shutting down services..."
+          docker compose down -v || true
+          echo "Cleanup completed"
--- a/.github/workflows/ui-pull-request.yml
+++ b/.github/workflows/ui-pull-request.yml
@@ -27,30 +27,33 @@ jobs:
        node-version: [20.x]
    steps:
      - name: Checkout repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          persist-credentials: false
      - name: Setup Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
        with:
          node-version: ${{ matrix.node-version }}
+          cache: 'npm'
+          cache-dependency-path: './ui/package-lock.json'
      - name: Install dependencies
        working-directory: ./ui
-        run: npm install
+        run: npm ci
      - name: Run Healthcheck
        working-directory: ./ui
        run: npm run healthcheck
      - name: Build the application
        working-directory: ./ui
        run: npm run build
+
  test-container-build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
      - name: Build Container
-        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: ${{ env.UI_WORKING_DIR }}
          # Always build using `prod` target
--- a/.gitignore
+++ b/.gitignore
@@ -44,6 +44,16 @@ junit-reports/

 # Cursor files
 .cursorignore
+.cursor/
+
+# RooCode files
+.roo/
+.rooignore
+.roomodes
+
+# Cline files
+.cline/
+.clineignore

 # Terraform
 .terraform*
@@ -53,6 +63,7 @@ junit-reports/
 # .env
 ui/.env*
 api/.env*
+mcp_server/.env*
 .env.local

 # Coverage
@@ -65,3 +76,10 @@ node_modules

 # Persistent data
 _data/
+
+# Claude
+CLAUDE.md
+
+# MCP Server
+mcp_server/prowler_mcp_server/prowler_app/server.py
+mcp_server/prowler_mcp_server/prowler_app/utils/schema.yaml
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -6,6 +6,7 @@ repos:
      - id: check-merge-conflict
      - id: check-yaml
        args: ["--unsafe"]
+        exclude: prowler/config/llm_config.yaml
      - id: check-json
      - id: end-of-file-fixer
      - id: trailing-whitespace
@@ -115,7 +116,8 @@ repos:
      - id: safety
        name: safety
        description: "Safety is a tool that checks your installed dependencies for known security vulnerabilities"
-        entry: bash -c 'safety check --ignore 70612,66963,74429'
+        # TODO: Botocore needs urllib3 1.X so we need to ignore these vulnerabilities 77744,77745. Remove this once we upgrade to urllib3 2.X
+        entry: bash -c 'safety check --ignore 70612,66963,74429,76352,76353,77744,77745'
        language: system

      - id: vulture
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -0,0 +1,110 @@
+# Repository Guidelines
+
+## How to Use This Guide
+
+- Start here for cross-project norms, Prowler is a monorepo with several components. Every component should have an `AGENTS.md` file that contains the guidelines for the agents in that component. The file is located beside the code you are touching (e.g. `api/AGENTS.md`, `ui/AGENTS.md`, `prowler/AGENTS.md`).
+- Follow the stricter rule when guidance conflicts; component docs override this file for their scope.
+- Keep instructions synchronized. When you add new workflows or scripts, update both, the relevant component `AGENTS.md` and this file if they apply broadly.
+
+## Project Overview
+
+Prowler is an open-source cloud security assessment tool that supports multiple cloud providers (AWS, Azure, GCP, Kubernetes, GitHub, M365, etc.). The project consists in a monorepo with the following main components:
+
+- **Prowler SDK**: Python SDK, includes the Prowler CLI, providers, services, checks, compliances, config, etc. (`prowler/`)
+- **Prowler API**: Django-based REST API backend (`api/`)
+- **Prowler UI**: Next.js frontend application (`ui/`)
+- **Prowler MCP Server**: Model Context Protocol server that gives access to the entire Prowler ecosystem for LLMs (`mcp_server/`)
+- **Prowler Dashboard**: Prowler CLI feature that allows to visualize the results of the scans in a simple dashboard (`dashboard/`)
+
+### Project Structure (Key Folders & Files)
+
+- `prowler/`: Main source code for Prowler SDK (CLI, providers, services, checks, compliances, config, etc.)
+- `api/`: Django-based REST API backend components
+- `ui/`: Next.js frontend application
+- `mcp_server/`: Model Context Protocol server that gives access to the entire Prowler ecosystem for LLMs
+- `dashboard/`: Prowler CLI feature that allows to visualize the results of the scans in a simple dashboard
+- `docs/`: Documentation
+- `examples/`: Example output formats for providers and scripts
+- `permissions/`: Permission-related files and policies
+- `contrib/`: Community-contributed scripts or modules
+- `tests/`: Prowler SDK test suite
+- `docker-compose.yml`: Docker compose file to run the Prowler App (API + UI) production environment
+- `docker-compose-dev.yml`: Docker compose file to run the Prowler App (API + UI) development environment
+- `pyproject.toml`: Poetry Prowler SDK project file
+- `.pre-commit-config.yaml`: Pre-commit hooks configuration
+- `Makefile`: Makefile to run the project
+- `LICENSE`: License file
+- `README.md`: README file
+- `CONTRIBUTING.md`: Contributing guide
+
+## Python Development
+
+Most of the code is written in Python, so the main files in the root are focused on Python code.
+
+### Poetry Dev Environment
+
+For developing in Python we recommend using `poetry` to manage the dependencies. The minimal version is `2.1.1`. So it is recommended to run all commands using `poetry run ...`.
+
+To install the core dependencies to develop it is needed to run `poetry install --with dev`.
+
+### Pre-commit hooks
+
+The project has pre-commit hooks to lint and format the code. They are installed by running `poetry run pre-commit install`.
+
+When commiting a change, the hooks will be run automatically. Some of them are:
+
+- Code formatting (black, isort)
+- Linting (flake8, pylint)
+- Security checks (bandit, safety, trufflehog)
+- YAML/JSON validation
+- Poetry lock file validation
+
+
+### Linting and Formatting
+
+We use the following tools to lint and format the code:
+
+- `flake8`: for linting the code
+- `black`: for formatting the code
+- `pylint`: for linting the code
+
+You can run all using the `make` command:
+```bash
+poetry run make lint
+poetry run make format
+```
+
+Or they will be run automatically when you commit your changes using pre-commit hooks.
+
+## Commit & Pull Request Guidelines
+
+For the commit messages and pull requests name follow the conventional-commit style.
+
+Befire creating a pull request, complete the checklist in `.github/pull_request_template.md`. Summaries should explain deployment impact, highlight review steps, and note changelog or permission updates. Run all relevant tests and linters before requesting review and link screenshots for UI or dashboard changes.
+
+### Conventional Commit Style
+
+The Conventional Commits specification is a lightweight convention on top of commit messages. It provides an easy set of rules for creating an explicit commit history; which makes it easier to write automated tools on top of.
+
+The commit message should be structured as follows:
+
+```
+<type>[optional scope]: <description>
+<BLANK LINE>
+[optional body]
+<BLANK LINE>
+[optional footer(s)]
+```
+
+Any line of the commit message cannot be longer 100 characters! This allows the message to be easier to read on GitHub as well as in various git tools
+
+#### Commit Types
+
+- **feat**: code change introuce new functionality to the application
+- **fix**: code change that solve a bug in the codebase
+- **docs**: documentation only changes
+- **chore**: changes related to the build process or auxiliary tools and libraries, that do not affect the application's functionality
+- **perf**: code change that improves performance
+- **refactor**: code change that neither fixes a bug nor adds a feature
+- **style**: changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
+- **test**: adding missing tests or correcting existing tests
--- a/9
+++ b/9
@@ -1,4 +1,4 @@
-FROM python:3.12.10-slim-bookworm AS build
+FROM python:3.12.11-slim-bookworm AS build

 LABEL maintainer="https://github.com/prowler-cloud/prowler"
 LABEL org.opencontainers.image.source="https://github.com/prowler-cloud/prowler"
@@ -6,7 +6,8 @@ LABEL org.opencontainers.image.source="https://github.com/prowler-cloud/prowler"
 ARG POWERSHELL_VERSION=7.5.0

 # hadolint ignore=DL3008
-RUN apt-get update && apt-get install -y --no-install-recommends wget libicu72 \
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    wget libicu72 libunwind8 libssl3 libcurl4 ca-certificates apt-transport-https gnupg \
    && rm -rf /var/lib/apt/lists/*

 # Install PowerShell
@@ -46,10 +47,6 @@ ENV PATH="${HOME}/.local/bin:${PATH}"
 RUN pip install --no-cache-dir --upgrade pip && \
    pip install --no-cache-dir poetry

-# By default poetry does not compile Python source files to bytecode during installation.
-# This speeds up the installation process, but the first execution may take a little more
-# time because Python then compiles source files to bytecode automatically. If you want to
-# compile source files to bytecode during installation, you can use the --compile option
 RUN poetry install --compile && \
    rm -rf ~/.cache/pip

--- a/4
+++ b/4
@@ -45,3 +45,7 @@ pypi-upload: ## Upload package
 help:     ## Show this help.
 	@echo "Prowler Makefile"
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+
+##@ Development Environment
+run-api-dev: ## Start development environment with API, PostgreSQL, Valkey, and workers 
+	docker compose -f docker-compose-dev.yml up api-dev postgres valkey worker-dev worker-beat --build
--- a/README.md
+++ b/README.md
@@ -3,7 +3,7 @@
  <img align="center" src="https://github.com/prowler-cloud/prowler/blob/master/docs/img/prowler-logo-white.png#gh-dark-mode-only" width="50%" height="50%">
 </p>
 <p align="center">
-  <b><i>Prowler Open Source</b> is as dynamic and adaptable as the environment it secures. It is trusted by the industry leaders to uphold the highest standards in security.
+  <b><i>Prowler</b> is the Open Cloud Security platform trusted by thousands to automate security and compliance in any cloud environment. With hundreds of ready-to-use checks and compliance frameworks, Prowler delivers real-time, customizable monitoring and seamless integrations, making cloud security simple, scalable, and cost-effective for organizations of any size.
 </p>
 <p align="center">
 <b>Learn more at <a href="https://prowler.com">prowler.com</i></b>
@@ -19,19 +19,16 @@
  <a href="https://goto.prowler.com/slack"><img alt="Slack Shield" src="https://img.shields.io/badge/slack-prowler-brightgreen.svg?logo=slack"></a>
  <a href="https://pypi.org/project/prowler/"><img alt="Python Version" src="https://img.shields.io/pypi/v/prowler.svg"></a>
  <a href="https://pypi.python.org/pypi/prowler/"><img alt="Python Version" src="https://img.shields.io/pypi/pyversions/prowler.svg"></a>
-  <a href="https://pypistats.org/packages/prowler"><img alt="PyPI Prowler Downloads" src="https://img.shields.io/pypi/dw/prowler.svg?label=prowler%20downloads"></a>
+  <a href="https://pypistats.org/packages/prowler"><img alt="PyPI Downloads" src="https://img.shields.io/pypi/dw/prowler.svg?label=downloads"></a>
  <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker Pulls" src="https://img.shields.io/docker/pulls/toniblyx/prowler"></a>
-  <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker" src="https://img.shields.io/docker/cloud/build/toniblyx/prowler"></a>
-  <a href="https://hub.docker.com/r/toniblyx/prowler"><img alt="Docker" src="https://img.shields.io/docker/image-size/toniblyx/prowler"></a>
  <a href="https://gallery.ecr.aws/prowler-cloud/prowler"><img width="120" height=19" alt="AWS ECR Gallery" src="https://user-images.githubusercontent.com/3985464/151531396-b6535a68-c907-44eb-95a1-a09508178616.png"></a>
  <a href="https://codecov.io/gh/prowler-cloud/prowler"><img src="https://codecov.io/gh/prowler-cloud/prowler/graph/badge.svg?token=OflBGsdpDl"/></a>
 </p>
 <p align="center">
-  <a href="https://github.com/prowler-cloud/prowler"><img alt="Repo size" src="https://img.shields.io/github/repo-size/prowler-cloud/prowler"></a>
-  <a href="https://github.com/prowler-cloud/prowler/issues"><img alt="Issues" src="https://img.shields.io/github/issues/prowler-cloud/prowler"></a>
-  <a href="https://github.com/prowler-cloud/prowler/releases"><img alt="Version" src="https://img.shields.io/github/v/release/prowler-cloud/prowler"></a>
+    <a href="https://github.com/prowler-cloud/prowler/releases"><img alt="Version" src="https://img.shields.io/github/v/release/prowler-cloud/prowler"></a>
  <a href="https://github.com/prowler-cloud/prowler/releases"><img alt="Version" src="https://img.shields.io/github/release-date/prowler-cloud/prowler"></a>
  <a href="https://github.com/prowler-cloud/prowler"><img alt="Contributors" src="https://img.shields.io/github/contributors-anon/prowler-cloud/prowler"></a>
+  <a href="https://github.com/prowler-cloud/prowler/issues"><img alt="Issues" src="https://img.shields.io/github/issues/prowler-cloud/prowler"></a>
  <a href="https://github.com/prowler-cloud/prowler"><img alt="License" src="https://img.shields.io/github/license/prowler-cloud/prowler"></a>
  <a href="https://twitter.com/ToniBlyx"><img alt="Twitter" src="https://img.shields.io/twitter/follow/toniblyx?style=social"></a>
  <a href="https://twitter.com/prowlercloud"><img alt="Twitter" src="https://img.shields.io/twitter/follow/prowlercloud?style=social"></a>
@@ -55,15 +52,11 @@ Prowler includes hundreds of built-in controls to ensure compliance with standar
 - **National Security Standards:** ENS (Spanish National Security Scheme)
 - **Custom Security Frameworks:** Tailored to your needs

-## Prowler CLI and Prowler Cloud
-
-Prowler offers a Command Line Interface (CLI), known as Prowler Open Source, and an additional service built on top of it, called <a href="https://prowler.com">Prowler Cloud</a>.
-
 ## Prowler App

 Prowler App is a web-based application that simplifies running Prowler across your cloud provider accounts. It provides a user-friendly interface to visualize the results and streamline your security assessments.

-![Prowler App](docs/img/overview.png)
+![Prowler App](docs/products/img/overview.png)

 >For more details, refer to the [Prowler App Documentation](https://docs.prowler.com/projects/prowler-open-source/en/latest/#prowler-app-installation)

@@ -80,27 +73,42 @@ prowler <provider>
 ```console
 prowler dashboard
 ```
-![Prowler Dashboard](docs/img/dashboard.png)
+![Prowler Dashboard](docs/products/img/dashboard.png)

 # Prowler at a Glance
+> [!Tip]
+> For the most accurate and up-to-date information about checks, services, frameworks, and categories, visit [**Prowler Hub**](https://hub.prowler.com).

-| Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/misc/#categories) |
-|---|---|---|---|---|
-| AWS | 564 | 82 | 34 | 10 |
-| GCP | 79 | 13 | 7 | 3 |
-| Azure | 140 | 18 | 8 | 3 |
-| Kubernetes | 83 | 7 | 4 | 7 |
-| GitHub | 3 | 2 | 1 | 0 |
-| M365 | 44 | 2 | 2 | 0 |
-| NHN (Unofficial) | 6 | 2 | 1 | 0 |

-> Use the following commands to list Prowler's available checks, services, compliance frameworks, and categories: `prowler <provider> --list-checks`, `prowler <provider> --list-services`, `prowler <provider> --list-compliance` and `prowler <provider> --list-categories`.
+| Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/misc/#categories) | Support | Stage | Interface |
+|---|---|---|---|---|---|---|---|
+| AWS | 576 | 82 | 36 | 10 | Official | Stable | UI, API, CLI |
+| GCP | 79 | 13 | 10 | 3 | Official | Stable | UI, API, CLI |
+| Azure | 162 | 19 | 11 | 4 | Official | Stable | UI, API, CLI |
+| Kubernetes | 83 | 7 | 5 | 7 | Official | Stable | UI, API, CLI |
+| GitHub | 17 | 2 | 1 | 0 | Official | Stable | UI, API, CLI |
+| M365 | 70 | 7 | 3 | 2 | Official | Stable | UI, API, CLI |
+| IaC | [See `trivy` docs.](https://trivy.dev/latest/docs/coverage/iac/) | N/A | N/A | N/A | Official | Beta | CLI |
+| MongoDB Atlas | 10 | 3 | 0 | 0 | Official | Beta | CLI |
+| LLM | [See `promptfoo` docs.](https://www.promptfoo.dev/docs/red-team/plugins/) | N/A | N/A | N/A | Official | Beta | CLI |
+| NHN | 6 | 2 | 1 | 0 | Unofficial | Beta | CLI |
+
+> [!Note]
+> The numbers in the table are updated periodically.
+
+
+
+> [!Note]
+> Use the following commands to list Prowler's available checks, services, compliance frameworks, and categories:
+> - `prowler <provider> --list-checks`
+> - `prowler <provider> --list-services`
+> - `prowler <provider> --list-compliance`
+> - `prowler <provider> --list-categories`

 # 💻 Installation

 ## Prowler App

-Installing Prowler App
 Prowler App offers flexible installation methods tailored to various environments:

 > For detailed instructions on using Prowler App, refer to the [Prowler App Usage Guide](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/prowler-app/).
@@ -130,6 +138,14 @@ If your workstation's architecture is incompatible, you can resolve this by:

 > Once configured, access the Prowler App at http://localhost:3000. Sign up using your email and password to get started.

+### Common Issues with Docker Pull Installation
+
+> [!Note]
+  If you want to use AWS role assumption (e.g., with the "Connect assuming IAM Role" option), you may need to mount your local `.aws` directory into the container as a volume (e.g., `- "${HOME}/.aws:/home/prowler/.aws:ro"`). There are several ways to configure credentials for Docker containers. See the [Troubleshooting](./docs/troubleshooting.md) section for more details and examples.
+
+You can find more information in the [Troubleshooting](./docs/troubleshooting.md) section.
+
+
 ### From GitHub

 **Requirements**
@@ -225,7 +241,7 @@ The following versions of Prowler CLI are available, depending on your requireme

 The container images are available here:
 - Prowler CLI:
-    - [DockerHub](https://hub.docker.com/r/toniblyx/prowler/tags)
+    - [DockerHub](https://hub.docker.com/r/prowlercloud/prowler/tags)
    - [AWS Public ECR](https://gallery.ecr.aws/prowler-cloud/prowler)
 - Prowler App:
    - [DockerHub - Prowler UI](https://hub.docker.com/r/prowlercloud/prowler-ui/tags)
@@ -260,7 +276,7 @@ python prowler-cli.py -v
 - **Prowler API**: A backend service, developed with Django REST Framework, responsible for running Prowler scans and storing the generated results.
 - **Prowler SDK**: A Python SDK designed to extend the functionality of the Prowler CLI for advanced capabilities.

-![Prowler App Architecture](docs/img/prowler-app-architecture.png)
+![Prowler App Architecture](docs/products/img/prowler-app-architecture.png)

 ## Prowler CLI

@@ -286,40 +302,12 @@ And many more environments.

 ![Architecture](docs/img/architecture.png)

-# Deprecations from v3
-
-## General
- `Allowlist` now is called `Mutelist`.
- The `--quiet` option has been deprecated. Use the `--status` flag to filter findings based on their status: PASS, FAIL, or MANUAL.
- All findings with an `INFO` status have been reclassified as `MANUAL`.
- The CSV output format is standardized across all providers.
-
-**Deprecated Output Formats**
-
-The following formats are now deprecated:
- Native JSON has been replaced with JSON in [OCSF] v1.1.0 format, which is standardized across all providers (https://schema.ocsf.io/).
-
-## AWS
-
-**AWS Flag Deprecation**
-
-The flag --sts-endpoint-region has been deprecated due to the adoption of AWS STS regional tokens.
-
-**Sending FAIL Results to AWS Security Hub**
-
- To send only FAILS to AWS Security Hub, use one of the following options: `--send-sh-only-fails` or `--security-hub --status FAIL`.
-
-
 # 📖 Documentation

-**Documentation Resources**
-
 For installation instructions, usage details, tutorials, and the Developer Guide, visit https://docs.prowler.com/

 # 📃 License

-**Prowler License Information**
-
-Prowler is licensed under the Apache License 2.0, as indicated in each file within the repository. Obtaining a Copy of the License
+Prowler is licensed under the Apache License 2.0.

 A copy of the License is available at <http://www.apache.org/licenses/LICENSE-2.0>
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,23 +1,65 @@
-# Security Policy
+# Security

-## Software Security
-As an **AWS Partner** and we have passed the [AWS Foundation Technical Review (FTR)](https://aws.amazon.com/partners/foundational-technical-review/) and we use the following tools and automation to make sure our code is secure and dependencies up-to-dated:
+## Reporting Vulnerabilities

- `bandit` for code security review.
- `safety` and `dependabot` for dependencies.
- `hadolint` and `dockle` for our containers security.
- `snyk` in Docker Hub.
- `clair` in Amazon ECR.
- `vulture`, `flake8`, `black` and `pylint` for formatting and best practices.
+At Prowler, we consider the security of our open source software and systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.

-## Reporting a Vulnerability
+If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our users, our clients and our systems.

-If you would like to report a vulnerability or have a security concern regarding Prowler Open Source or ProwlerPro service, please submit the information by contacting to https://support.prowler.com.
+When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) the security impact of the bug. The following issues are considered out of scope:

-The information you share with ProwlerPro as part of this process is kept confidential within ProwlerPro. We will only share this information with a third party if the vulnerability you report is found to affect a third-party product, in which case we will share this information with the third-party product's author or manufacturer. Otherwise, we will only share this information as permitted by you.
+- Social engineering support or attacks requiring social engineering.
+- Clickjacking on pages with no sensitive actions.
+- Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
+- Attacks requiring Man-In-The-Middle (MITM) or physical access to a user's device.
+- Previously known vulnerable libraries without a working Proof of Concept (PoC).
+- Comma Separated Values (CSV) injection without demonstrating a vulnerability.
+- Missing best practices in SSL/TLS configuration.
+- Any activity that could lead to the disruption of service (DoS).
+- Rate limiting or brute force issues on non-authentication endpoints.
+- Missing best practices in Content Security Policy (CSP).
+- Missing HttpOnly or Secure flags on cookies.
+- Configuration of or missing security headers.
+- Missing email best practices, such as invalid, incomplete, or missing SPF/DKIM/DMARC records.
+- Vulnerabilities only affecting users of outdated or unpatched browsers (less than two stable versions behind).
+- Software version disclosure, banner identification issues, or descriptive error messages.
+- Tabnabbing.
+- Issues that require unlikely user interaction.
+- Improper logout functionality and improper session timeout.
+- CORS misconfiguration without an exploitation scenario.
+- Broken link hijacking.
+- Automated scanning results (e.g., sqlmap, Burp active scanner) that have not been manually verified.
+- Content spoofing and text injection issues without a clear attack vector.
+- Email spoofing without exploiting security flaws.
+- Dead links or broken links.
+- User enumeration.

-We will review the submitted report, and assign it a tracking number. We will then respond to you, acknowledging receipt of the report, and outline the next steps in the process.
+Testing guidelines:
+- Do not run automated scanners on other customer projects. Running automated scanners can run up costs for our users. Aggressively configured scanners might inadvertently disrupt services, exploit vulnerabilities, lead to system instability or breaches and violate Terms of Service from our upstream providers. Our own security systems won't be able to distinguish hostile reconnaissance from whitehat research. If you wish to run an automated scanner, notify us at support@prowler.com and only run it on your own Prowler app project. Do NOT attack Prowler in usage of other customers.
+- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data.

-You will receive a non-automated response to your initial contact within 24 hours, confirming receipt of your reported vulnerability.
+Reporting guidelines:
+- File a report through our Support Desk at https://support.prowler.com
+- If it is about a lack of a security functionality, please file a feature request instead at https://github.com/prowler-cloud/prowler/issues
+- Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible.
+- If you have further questions and want direct interaction with the Prowler team, please contact us at via our Community Slack at goto.prowler.com/slack.

-We will coordinate public notification of any validated vulnerability with you. Where possible, we prefer that our respective public disclosures be posted simultaneously.
+Disclosure guidelines:
+- In order to protect our users and customers, do not reveal the problem to others until we have researched, addressed and informed our affected customers.
+- If you want to publicly share your research about Prowler at a conference, in a blog or any other public forum, you should share a draft with us for review and approval at least 30 days prior to the publication date. Please note that the following should not be included:
+    - Data regarding any Prowler user or customer projects.
+    - Prowler customers' data.
+    - Information about Prowler employees, contractors or partners.
+
+What we promise:
+- We will respond to your report within 5 business days with our evaluation of the report and an expected resolution date.
+- If you have followed the instructions above, we will not take any legal action against you in regard to the report.
+- We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission.
+- We will keep you informed of the progress towards resolving the problem.
+- In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise).
+
+We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.
+
+---
+
+For more information about our security policies, please refer to our [Security](https://docs.prowler.com/projects/prowler-open-source/en/latest/security/) section in our documentation.
--- a/api/.env.example
+++ b/api/.env.example
@@ -19,6 +19,8 @@ DJANGO_REFRESH_TOKEN_LIFETIME=1440
 DJANGO_CACHE_MAX_AGE=3600
 DJANGO_STALE_WHILE_REVALIDATE=60
 DJANGO_SECRETS_ENCRYPTION_KEY=""
+# Throttle, two options: Empty means no throttle; or if desired use one in DRF format: https://www.django-rest-framework.org/api-guide/throttling/#setting-the-throttling-policy
+DJANGO_THROTTLE_TOKEN_OBTAIN=50/minute
 # Decide whether to allow Django manage database table partitions
 DJANGO_MANAGE_DB_PARTITIONS=[True|False]
 DJANGO_CELERY_DEADLOCK_ATTEMPTS=5
--- a/api/.gitignore
+++ b/api/.gitignore
@@ -1,168 +0,0 @@
-# Byte-compiled / optimized / DLL files
-__pycache__/
-*.pyc
-*.py[cod]
-*$py.class
-
-# C extensions
-*.so
-
-# Distribution / packaging
-.Python
-build/
-develop-eggs/
-dist/
-downloads/
-eggs/
-.eggs/
-lib/
-lib64/
-parts/
-sdist/
-var/
-wheels/
-share/python-wheels/
-*.egg-info/
-.installed.cfg
-*.egg
-MANIFEST
-
-# PyInstaller
-#  Usually these files are written by a python script from a template
-#  before PyInstaller builds the exe, so as to inject date/other infos into it.
-*.manifest
-*.spec
-
-# Installer logs
-pip-log.txt
-pip-delete-this-directory.txt
-
-# Unit test / coverage reports
-htmlcov/
-.tox/
-.nox/
-.coverage
-.coverage.*
-.cache
-nosetests.xml
-coverage.xml
-*.cover
-*.py,cover
-.hypothesis/
-.pytest_cache/
-cover/
-
-# Translations
-*.mo
-*.pot
-
-# Django stuff:
-*.log
-local_settings.py
-db.sqlite3
-db.sqlite3-journal
-/_data/
-
-# Flask stuff:
-instance/
-.webassets-cache
-
-# Scrapy stuff:
-.scrapy
-
-# Sphinx documentation
-docs/_build/
-
-# PyBuilder
-.pybuilder/
-target/
-
-# Jupyter Notebook
-.ipynb_checkpoints
-
-# IPython
-profile_default/
-ipython_config.py
-
-# pyenv
-#   For a library or package, you might want to ignore these files since the code is
-#   intended to run in multiple environments; otherwise, check them in:
-# .python-version
-
-# pipenv
-#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
-#   However, in case of collaboration, if having platform-specific dependencies or dependencies
-#   having no cross-platform support, pipenv may install dependencies that don't work, or not
-#   install all needed dependencies.
-#Pipfile.lock
-
-# poetry
-#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
-#   This is especially recommended for binary packages to ensure reproducibility, and is more
-#   commonly ignored for libraries.
-#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
-#poetry.lock
-
-# pdm
-#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
-#pdm.lock
-#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
-#   in version control.
-#   https://pdm.fming.dev/latest/usage/project/#working-with-version-control
-.pdm.toml
-.pdm-python
-.pdm-build/
-
-# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
-__pypackages__/
-
-# Celery stuff
-celerybeat-schedule
-celerybeat.pid
-
-# SageMath parsed files
-*.sage.py
-
-# Environments
-.env
-*.env
-.venv
-env/
-venv/
-ENV/
-env.bak/
-venv.bak/
-
-# Spyder project settings
-.spyderproject
-.spyproject
-
-# Rope project settings
-.ropeproject
-
-# mkdocs documentation
-/site
-
-# mypy
-.mypy_cache/
-.dmypy.json
-dmypy.json
-
-# Pyre type checker
-.pyre/
-
-# pytype static type analyzer
-.pytype/
-
-# Cython debug symbols
-cython_debug/
-
-# PyCharm
-#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
-#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
-#  and can be added to the global gitignore or merged into this file.  For a more nuclear
-#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
-.idea/
-
-# VSCode
-.vscode/
--- a/api/.pre-commit-config.yaml
+++ b/api/.pre-commit-config.yaml
@@ -1,91 +0,0 @@
-repos:
-  ## GENERAL
-  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.6.0
-    hooks:
-      - id: check-merge-conflict
-      - id: check-yaml
-        args: ["--unsafe"]
-      - id: check-json
-      - id: end-of-file-fixer
-      - id: trailing-whitespace
-      - id: no-commit-to-branch
-      - id: pretty-format-json
-        args: ["--autofix", "--no-sort-keys", "--no-ensure-ascii"]
-        exclude: 'src/backend/api/fixtures/dev/.*\.json$'
-
-  ## TOML
-  - repo: https://github.com/macisamuele/language-formatters-pre-commit-hooks
-    rev: v2.13.0
-    hooks:
-      - id: pretty-format-toml
-        args: [--autofix]
-        files: pyproject.toml
-
-  ## BASH
-  - repo: https://github.com/koalaman/shellcheck-precommit
-    rev: v0.10.0
-    hooks:
-      - id: shellcheck
-        exclude: contrib
-  ## PYTHON
-  - repo: https://github.com/astral-sh/ruff-pre-commit
-    # Ruff version.
-    rev: v0.5.0
-    hooks:
-      # Run the linter.
-      - id: ruff
-        args: [ --fix ]
-      # Run the formatter.
-      - id: ruff-format
-
-  - repo: https://github.com/python-poetry/poetry
-    rev: 1.8.0
-    hooks:
-      - id: poetry-check
-        args: ["--directory=src"]
-      - id: poetry-lock
-        args: ["--no-update", "--directory=src"]
-
-  - repo: https://github.com/hadolint/hadolint
-    rev: v2.13.0-beta
-    hooks:
-      - id: hadolint
-        args: ["--ignore=DL3013", "Dockerfile"]
-
-  - repo: local
-    hooks:
-      - id: pylint
-        name: pylint
-        entry: bash -c 'poetry run pylint --disable=W,C,R,E -j 0 -rn -sn src/'
-        language: system
-        files: '.*\.py'
-
-      - id: trufflehog
-        name: TruffleHog
-        description: Detect secrets in your data.
-        entry: bash -c 'trufflehog --no-update git file://. --only-verified --fail'
-        # For running trufflehog in docker, use the following entry instead:
-        # entry: bash -c 'docker run -v "$(pwd):/workdir" -i --rm trufflesecurity/trufflehog:latest git file:///workdir --only-verified --fail'
-        language: system
-        stages: ["commit", "push"]
-
-      - id: bandit
-        name: bandit
-        description: "Bandit is a tool for finding common security issues in Python code"
-        entry: bash -c 'poetry run bandit -q -lll -x '*_test.py,./contrib/,./.venv/' -r .'
-        language: system
-        files: '.*\.py'
-
-      - id: safety
-        name: safety
-        description: "Safety is a tool that checks your installed dependencies for known security vulnerabilities"
-        entry: bash -c 'poetry run safety check --ignore 70612,66963,74429,77119'
-        language: system
-
-      - id: vulture
-        name: vulture
-        description: "Vulture finds unused code in Python programs."
-        entry: bash -c 'poetry run vulture --exclude "contrib,.venv,tests,conftest.py" --min-confidence 100 .'
-        language: system
-        files: '.*\.py'
--- a/api/CHANGELOG.md
+++ b/api/CHANGELOG.md
@@ -2,6 +2,146 @@

 All notable changes to the **Prowler API** are documented in this file.

+## [1.14.0] (Prowler UNRELEASED)
+
+### Added
+- Default JWT keys are generated and stored if they are missing from configuration [(#8655)](https://github.com/prowler-cloud/prowler/pull/8655)
+- `compliance_name` for each compliance [(#7920)](https://github.com/prowler-cloud/prowler/pull/7920)
+- Support for M365 Certificate authentication [(#8538)](https://github.com/prowler-cloud/prowler/pull/8538)
+- API Key support [(#8805)](https://github.com/prowler-cloud/prowler/pull/8805)
+- SAML role mapping protection for single-admin tenants to prevent accidental lockout [(#8882)](https://github.com/prowler-cloud/prowler/pull/8882)
+- Support for `passed_findings` and `total_findings` fields in compliance requirement overview for accurate Prowler ThreatScore calculation [(#8582)](https://github.com/prowler-cloud/prowler/pull/8582)
+- Database read replica support [(#8869)](https://github.com/prowler-cloud/prowler/pull/8869)
+
+### Changed
+- Now the MANAGE_ACCOUNT permission is required to modify or read user permissions instead of MANAGE_USERS [(#8281)](https://github.com/prowler-cloud/prowler/pull/8281)
+- Now at least one user with MANAGE_ACCOUNT permission is required in the tenant [(#8729)](https://github.com/prowler-cloud/prowler/pull/8729)
+
+### Security
+- Django updated to the latest 5.1 security release, 5.1.13, due to problems with potential [SQL injection](https://github.com/prowler-cloud/prowler/security/dependabot/104) and [directory traversals](https://github.com/prowler-cloud/prowler/security/dependabot/103) [(#8842)](https://github.com/prowler-cloud/prowler/pull/8842)
+
+---
+
+## [1.13.2] (Prowler 5.12.3)
+
+### Fixed
+- 500 error when deleting user [(#8731)](https://github.com/prowler-cloud/prowler/pull/8731)
+
+---
+
+## [1.13.1] (Prowler 5.12.2)
+
+### Changed
+- Renamed compliance overview task queue to `compliance` [(#8755)](https://github.com/prowler-cloud/prowler/pull/8755)
+
+### Security
+- Django updated to the latest 5.1 security release, 5.1.12, due to [problems](https://www.djangoproject.com/weblog/2025/sep/03/security-releases/) with potential SQL injection in FilteredRelation column aliases [(#8693)](https://github.com/prowler-cloud/prowler/pull/8693)
+
+---
+
+## [1.13.0] (Prowler 5.12.0)
+
+### Added
+- Integration with JIRA, enabling sending findings to a JIRA project [(#8622)](https://github.com/prowler-cloud/prowler/pull/8622), [(#8637)](https://github.com/prowler-cloud/prowler/pull/8637)
+- `GET /overviews/findings_severity` now supports `filter[status]` and `filter[status__in]` to aggregate by specific statuses (`FAIL`, `PASS`)[(#8186)](https://github.com/prowler-cloud/prowler/pull/8186)
+- Throttling options for `/api/v1/tokens` using the `DJANGO_THROTTLE_TOKEN_OBTAIN` environment variable [(#8647)](https://github.com/prowler-cloud/prowler/pull/8647)
+
+---
+
+## [1.12.0] (Prowler 5.11.0)
+
+### Added
+- Lighthouse support for OpenAI GPT-5 [(#8527)](https://github.com/prowler-cloud/prowler/pull/8527)
+- Integration with Amazon Security Hub, enabling sending findings to Security Hub [(#8365)](https://github.com/prowler-cloud/prowler/pull/8365)
+- Generate ASFF output for AWS providers with SecurityHub integration enabled [(#8569)](https://github.com/prowler-cloud/prowler/pull/8569)
+
+### Fixed
+- GitHub provider always scans user instead of organization when using provider UID [(#8587)](https://github.com/prowler-cloud/prowler/pull/8587)
+
+---
+
+## [1.11.0] (Prowler 5.10.0)
+
+### Added
+- Github provider support [(#8271)](https://github.com/prowler-cloud/prowler/pull/8271)
+- Integration with Amazon S3, enabling storage and retrieval of scan data via S3 buckets [(#8056)](https://github.com/prowler-cloud/prowler/pull/8056)
+
+### Fixed
+- Avoid sending errors to Sentry in M365 provider when user authentication fails [(#8420)](https://github.com/prowler-cloud/prowler/pull/8420)
+
+---
+
+## [1.10.2] (Prowler v5.9.2)
+
+### Changed
+- Optimized queries for resources views [(#8336)](https://github.com/prowler-cloud/prowler/pull/8336)
+
+---
+
+## [v1.10.1] (Prowler v5.9.1)
+
+### Fixed
+- Calculate failed findings during scans to prevent heavy database queries [(#8322)](https://github.com/prowler-cloud/prowler/pull/8322)
+
+---
+
+## [v1.10.0] (Prowler v5.9.0)
+
+### Added
+- SSO with SAML support [(#8175)](https://github.com/prowler-cloud/prowler/pull/8175)
+- `GET /resources/metadata`, `GET /resources/metadata/latest` and `GET /resources/latest` to expose resource metadata and latest scan results [(#8112)](https://github.com/prowler-cloud/prowler/pull/8112)
+
+### Changed
+- `/processors` endpoints to post-process findings. Currently, only the Mutelist processor is supported to allow to mute findings.
+- Optimized the underlying queries for resources endpoints [(#8112)](https://github.com/prowler-cloud/prowler/pull/8112)
+- Optimized include parameters for resources view [(#8229)](https://github.com/prowler-cloud/prowler/pull/8229)
+- Optimized overview background tasks [(#8300)](https://github.com/prowler-cloud/prowler/pull/8300)
+
+### Fixed
+- Search filter for findings and resources [(#8112)](https://github.com/prowler-cloud/prowler/pull/8112)
+- RBAC is now applied to `GET /overviews/providers` [(#8277)](https://github.com/prowler-cloud/prowler/pull/8277)
+
+### Changed
+- `POST /schedules/daily` returns a `409 CONFLICT` if already created [(#8258)](https://github.com/prowler-cloud/prowler/pull/8258)
+
+### Security
+- Enhanced password validation to enforce 12+ character passwords with special characters, uppercase, lowercase, and numbers [(#8225)](https://github.com/prowler-cloud/prowler/pull/8225)
+
+---
+
+## [v1.9.1] (Prowler v5.8.1)
+
+### Added
+- Custom exception for provider connection errors during scans [(#8234)](https://github.com/prowler-cloud/prowler/pull/8234)
+
+### Changed
+- Summary and overview tasks now use a dedicated queue and no longer propagate errors to compliance tasks [(#8214)](https://github.com/prowler-cloud/prowler/pull/8214)
+
+### Fixed
+- Scan with no resources will not trigger legacy code for findings metadata [(#8183)](https://github.com/prowler-cloud/prowler/pull/8183)
+- Invitation email comparison case-insensitive [(#8206)](https://github.com/prowler-cloud/prowler/pull/8206)
+
+### Removed
+- Validation of the provider's secret type during updates [(#8197)](https://github.com/prowler-cloud/prowler/pull/8197)
+
+---
+
+## [v1.9.0] (Prowler v5.8.0)
+
+### Added
+- Support GCP Service Account key [(#7824)](https://github.com/prowler-cloud/prowler/pull/7824)
+- `GET /compliance-overviews` endpoints to retrieve compliance metadata and specific requirements statuses [(#7877)](https://github.com/prowler-cloud/prowler/pull/7877)
+- Lighthouse configuration support [(#7848)](https://github.com/prowler-cloud/prowler/pull/7848)
+
+### Changed
+- Reworked `GET /compliance-overviews` to return proper requirement metrics [(#7877)](https://github.com/prowler-cloud/prowler/pull/7877)
+- Optional `user` and `password` for M365 provider [(#7992)](https://github.com/prowler-cloud/prowler/pull/7992)
+
+### Fixed
+- Scheduled scans are no longer deleted when their daily schedule run is disabled [(#8082)](https://github.com/prowler-cloud/prowler/pull/8082)
+
+---
+
 ## [v1.8.5] (Prowler v5.7.5)

 ### Fixed
@@ -13,51 +153,50 @@ All notable changes to the **Prowler API** are documented in this file.
 ## [v1.8.4] (Prowler v5.7.4)

 ### Removed
- Reverted RLS transaction handling and DB custom backend [(#7994)](https://github.com/prowler-cloud/prowler/pull/7994).
+- Reverted RLS transaction handling and DB custom backend [(#7994)](https://github.com/prowler-cloud/prowler/pull/7994)

 ---

 ## [v1.8.3] (Prowler v5.7.3)

 ### Added
- Database backend to handle already closed connections [(#7935)](https://github.com/prowler-cloud/prowler/pull/7935).
+- Database backend to handle already closed connections [(#7935)](https://github.com/prowler-cloud/prowler/pull/7935)

 ### Changed
 - Renamed field encrypted_password to password for M365 provider [(#7784)](https://github.com/prowler-cloud/prowler/pull/7784)

 ### Fixed
- Fixed transaction persistence with RLS operations [(#7916)](https://github.com/prowler-cloud/prowler/pull/7916).
- Reverted the change `get_with_retry` to use the original `get` method for retrieving tasks [(#7932)](https://github.com/prowler-cloud/prowler/pull/7932).
- Fixed the connection status verification before launching a scan [(#7831)](https://github.com/prowler-cloud/prowler/pull/7831)
+- Transaction persistence with RLS operations [(#7916)](https://github.com/prowler-cloud/prowler/pull/7916)
+- Reverted the change `get_with_retry` to use the original `get` method for retrieving tasks [(#7932)](https://github.com/prowler-cloud/prowler/pull/7932)

 ---

 ## [v1.8.2] (Prowler v5.7.2)

 ### Fixed
- Fixed task lookup to use task_kwargs instead of task_args for scan report resolution. [(#7830)](https://github.com/prowler-cloud/prowler/pull/7830)
- Fixed Kubernetes UID validation to allow valid context names [(#7871)](https://github.com/prowler-cloud/prowler/pull/7871)
- Fixed the connection status verification before launching a scan [(#7831)](https://github.com/prowler-cloud/prowler/pull/7831)
- Fixed a race condition when creating background tasks [(#7876)](https://github.com/prowler-cloud/prowler/pull/7876).
- Fixed an error when modifying or retrieving tenants due to missing user UUID in transaction context [(#7890)](https://github.com/prowler-cloud/prowler/pull/7890).
+- Task lookup to use task_kwargs instead of task_args for scan report resolution [(#7830)](https://github.com/prowler-cloud/prowler/pull/7830)
+- Kubernetes UID validation to allow valid context names [(#7871)](https://github.com/prowler-cloud/prowler/pull/7871)
+- Connection status verification before launching a scan [(#7831)](https://github.com/prowler-cloud/prowler/pull/7831)
+- Race condition when creating background tasks [(#7876)](https://github.com/prowler-cloud/prowler/pull/7876)
+- Error when modifying or retrieving tenants due to missing user UUID in transaction context [(#7890)](https://github.com/prowler-cloud/prowler/pull/7890)

 ---

 ## [v1.8.1] (Prowler v5.7.1)

 ### Fixed
- Added database index to improve performance on finding lookup [(#7800)](https://github.com/prowler-cloud/prowler/pull/7800).
+- Added database index to improve performance on finding lookup [(#7800)](https://github.com/prowler-cloud/prowler/pull/7800)

 ---

 ## [v1.8.0] (Prowler v5.7.0)

 ### Added
- Added huge improvements to `/findings/metadata` and resource related filters for findings [(#7690)](https://github.com/prowler-cloud/prowler/pull/7690).
- Added improvements to `/overviews` endpoints [(#7690)](https://github.com/prowler-cloud/prowler/pull/7690).
- Added new queue to perform backfill background tasks [(#7690)](https://github.com/prowler-cloud/prowler/pull/7690).
- Added new endpoints to retrieve latest findings and metadata [(#7743)](https://github.com/prowler-cloud/prowler/pull/7743).
- Added export support for Prowler ThreatScore in M365 [(7783)](https://github.com/prowler-cloud/prowler/pull/7783)
+- Huge improvements to `/findings/metadata` and resource related filters for findings [(#7690)](https://github.com/prowler-cloud/prowler/pull/7690)
+- Improvements to `/overviews` endpoints [(#7690)](https://github.com/prowler-cloud/prowler/pull/7690)
+- Queue to perform backfill background tasks [(#7690)](https://github.com/prowler-cloud/prowler/pull/7690)
+- New endpoints to retrieve latest findings and metadata [(#7743)](https://github.com/prowler-cloud/prowler/pull/7743)
+- Export support for Prowler ThreatScore in M365 [(7783)](https://github.com/prowler-cloud/prowler/pull/7783)

 ---

@@ -65,9 +204,9 @@ All notable changes to the **Prowler API** are documented in this file.

 ### Added

- Added M365 as a new provider [(#7563)](https://github.com/prowler-cloud/prowler/pull/7563).
- Added a `compliance/` folder and ZIP‐export functionality for all compliance reports.[(#7653)](https://github.com/prowler-cloud/prowler/pull/7653).
- Added a new API endpoint to fetch and download any specific compliance file by name [(#7653)](https://github.com/prowler-cloud/prowler/pull/7653).
+- M365 as a new provider [(#7563)](https://github.com/prowler-cloud/prowler/pull/7563)
+- `compliance/` folder and ZIP‐export functionality for all compliance reports [(#7653)](https://github.com/prowler-cloud/prowler/pull/7653)
+- API endpoint to fetch and download any specific compliance file by name [(#7653)](https://github.com/prowler-cloud/prowler/pull/7653)

 ---

@@ -75,46 +214,42 @@ All notable changes to the **Prowler API** are documented in this file.

 ### Added

- Support for developing new integrations [(#7167)](https://github.com/prowler-cloud/prowler/pull/7167).
- HTTP Security Headers [(#7289)](https://github.com/prowler-cloud/prowler/pull/7289).
- New endpoint to get the compliance overviews metadata [(#7333)](https://github.com/prowler-cloud/prowler/pull/7333).
- Support for muted findings [(#7378)](https://github.com/prowler-cloud/prowler/pull/7378).
- Added missing fields to API findings and resources [(#7318)](https://github.com/prowler-cloud/prowler/pull/7318).
+- Support for developing new integrations [(#7167)](https://github.com/prowler-cloud/prowler/pull/7167)
+- HTTP Security Headers [(#7289)](https://github.com/prowler-cloud/prowler/pull/7289)
+- New endpoint to get the compliance overviews metadata [(#7333)](https://github.com/prowler-cloud/prowler/pull/7333)
+- Support for muted findings [(#7378)](https://github.com/prowler-cloud/prowler/pull/7378)
+- Missing fields to API findings and resources [(#7318)](https://github.com/prowler-cloud/prowler/pull/7318)

 ---

 ## [v1.5.4] (Prowler v5.4.4)

 ### Fixed
- Fixed a bug with periodic tasks when trying to delete a provider ([#7466])(https://github.com/prowler-cloud/prowler/pull/7466).
+- Bug with periodic tasks when trying to delete a provider [(#7466)](https://github.com/prowler-cloud/prowler/pull/7466)

 ---

 ## [v1.5.3] (Prowler v5.4.3)

 ### Fixed
- Added duplicated scheduled scans handling ([#7401])(https://github.com/prowler-cloud/prowler/pull/7401).
- Added environment variable to configure the deletion task batch size ([#7423])(https://github.com/prowler-cloud/prowler/pull/7423).
+- Duplicated scheduled scans handling [(#7401)](https://github.com/prowler-cloud/prowler/pull/7401)
+- Environment variable to configure the deletion task batch size [(#7423)](https://github.com/prowler-cloud/prowler/pull/7423)

 ---

 ## [v1.5.2] (Prowler v5.4.2)

 ### Changed
- Refactored deletion logic and implemented retry mechanism for deletion tasks [(#7349)](https://github.com/prowler-cloud/prowler/pull/7349).
+- Refactored deletion logic and implemented retry mechanism for deletion tasks [(#7349)](https://github.com/prowler-cloud/prowler/pull/7349)

 ---

 ## [v1.5.1] (Prowler v5.4.1)

 ### Fixed
- Added a handled response in case local files are missing [(#7183)](https://github.com/prowler-cloud/prowler/pull/7183).
- Fixed a race condition when deleting export files after the S3 upload [(#7172)](https://github.com/prowler-cloud/prowler/pull/7172).
- Handled exception when a provider has no secret in test connection [(#7283)](https://github.com/prowler-cloud/prowler/pull/7283).
-
-### Added
-
- Support for developing new integrations [(#7167)](https://github.com/prowler-cloud/prowler/pull/7167).
+- Handle response in case local files are missing [(#7183)](https://github.com/prowler-cloud/prowler/pull/7183)
+- Race condition when deleting export files after the S3 upload [(#7172)](https://github.com/prowler-cloud/prowler/pull/7172)
+- Handle exception when a provider has no secret in test connection [(#7283)](https://github.com/prowler-cloud/prowler/pull/7283)

 ---

@@ -122,20 +257,20 @@ All notable changes to the **Prowler API** are documented in this file.

 ### Added
 - Social login integration with Google and GitHub [(#6906)](https://github.com/prowler-cloud/prowler/pull/6906)
- Add API scan report system, now all scans launched from the API will generate a compressed file with the report in OCSF, CSV and HTML formats [(#6878)](https://github.com/prowler-cloud/prowler/pull/6878).
+- API scan report system, now all scans launched from the API will generate a compressed file with the report in OCSF, CSV and HTML formats [(#6878)](https://github.com/prowler-cloud/prowler/pull/6878)
 - Configurable Sentry integration [(#6874)](https://github.com/prowler-cloud/prowler/pull/6874)

 ### Changed
- Optimized `GET /findings` endpoint to improve response time and size [(#7019)](https://github.com/prowler-cloud/prowler/pull/7019).
+- Optimized `GET /findings` endpoint to improve response time and size [(#7019)](https://github.com/prowler-cloud/prowler/pull/7019)

 ---

 ## [v1.4.0] (Prowler v5.3.0)

 ### Changed
- Daily scheduled scan instances are now created beforehand with `SCHEDULED` state [(#6700)](https://github.com/prowler-cloud/prowler/pull/6700).
- Findings endpoints now require at least one date filter [(#6800)](https://github.com/prowler-cloud/prowler/pull/6800).
- Findings metadata endpoint received a performance improvement [(#6863)](https://github.com/prowler-cloud/prowler/pull/6863).
- Increased the allowed length of the provider UID for Kubernetes providers [(#6869)](https://github.com/prowler-cloud/prowler/pull/6869).
+- Daily scheduled scan instances are now created beforehand with `SCHEDULED` state [(#6700)](https://github.com/prowler-cloud/prowler/pull/6700)
+- Findings endpoints now require at least one date filter [(#6800)](https://github.com/prowler-cloud/prowler/pull/6800)
+- Findings metadata endpoint received a performance improvement [(#6863)](https://github.com/prowler-cloud/prowler/pull/6863)
+- Increased the allowed length of the provider UID for Kubernetes providers [(#6869)](https://github.com/prowler-cloud/prowler/pull/6869)

 ---
--- a/api/Dockerfile
+++ b/api/Dockerfile
@@ -6,7 +6,19 @@ ARG POWERSHELL_VERSION=7.5.0
 ENV POWERSHELL_VERSION=${POWERSHELL_VERSION}

 # hadolint ignore=DL3008
-RUN apt-get update && apt-get install -y --no-install-recommends wget libicu72 \
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    wget \
+    libicu72 \
+    gcc \
+    g++ \
+    make \
+    libxml2-dev \
+    libxmlsec1-dev \
+    libxmlsec1-openssl \
+    pkg-config \
+    libtool \
+    libxslt1-dev \
+    python3-dev \
    && rm -rf /var/lib/apt/lists/*

 # Install PowerShell
@@ -32,23 +44,25 @@ USER prowler

 WORKDIR /home/prowler

+# Ensure output directory exists
+RUN mkdir -p /tmp/prowler_api_output
+
 COPY pyproject.toml ./

 RUN pip install --no-cache-dir --upgrade pip && \
    pip install --no-cache-dir poetry

-COPY src/backend/ ./backend/
-
 ENV PATH="/home/prowler/.local/bin:$PATH"

 # Add `--no-root` to avoid installing the current project as a package
 RUN poetry install --no-root && \
    rm -rf ~/.cache/pip

-COPY docker-entrypoint.sh ./docker-entrypoint.sh
-
 RUN poetry run python "$(poetry env info --path)/src/prowler/prowler/providers/m365/lib/powershell/m365_powershell.py"

+COPY src/backend/ ./backend/
+COPY docker-entrypoint.sh ./docker-entrypoint.sh
+
 WORKDIR /home/prowler/backend

 # Development image
--- a/api/README.md
+++ b/api/README.md
@@ -18,7 +18,11 @@ Valkey exposes a Redis 7.2 compliant API. Any service that exposes the Redis API

 # Modify environment variables

-Under the root path of the project, you can find a file called `.env.example`. This file shows all the environment variables that the project uses. You *must* create a new file called `.env` and set the values for the variables.
+Under the root path of the project, you can find a file called `.env`. This file shows all the environment variables that the project uses. You should review it and set the values for the variables you want to change.
+
+If you don’t set `DJANGO_TOKEN_SIGNING_KEY` or `DJANGO_TOKEN_VERIFYING_KEY`, the API will generate them at `~/.config/prowler-api/` with `0600` and `0644` permissions; back up these files to persist identity across redeploys.
+
+**Important note**: Every Prowler version (or repository branches and tags) could have different variables set in its `.env` file. Please use the `.env` file that corresponds with each version.

 ## Local deployment
 Keep in mind if you export the `.env` file to use it with local deployment that you will have to do it within the context of the Poetry interpreter, not before. Otherwise, variables will not be loaded properly.
@@ -257,7 +261,7 @@ cd src/backend
 python manage.py loaddata api/fixtures/0_dev_users.json --database admin
 ```

-> The default credentials are `dev@prowler.com:thisisapassword123` or `dev2@prowler.com:thisisapassword123`
+> The default credentials are `dev@prowler.com:Thisisapassword123@` or `dev2@prowler.com:Thisisapassword123@`

 ## Run tests

--- a/api/docker-compose.yml
+++ b/api/docker-compose.yml
@@ -1,125 +0,0 @@
-services:
-  api:
-    build:
-      dockerfile: Dockerfile
-    image: prowler-api
-    env_file:
-      - path: ./.env
-        required: false
-    ports:
-      - "${DJANGO_PORT:-8000}:${DJANGO_PORT:-8000}"
-    profiles:
-      - prod
-    depends_on:
-      postgres:
-        condition: service_healthy
-      valkey:
-        condition: service_healthy
-    entrypoint:
-      - "../docker-entrypoint.sh"
-      - "prod"
-
-  api-dev:
-    build:
-      dockerfile: Dockerfile
-      target: dev
-    image: prowler-api-dev
-    environment:
-      - DJANGO_SETTINGS_MODULE=config.django.devel
-      - DJANGO_LOGGING_FORMATTER=human_readable
-    env_file:
-      - path: ./.env
-        required: false
-    ports:
-      - "${DJANGO_PORT:-8080}:${DJANGO_PORT:-8080}"
-    volumes:
-      - "./src/backend:/home/prowler/backend"
-      - "./pyproject.toml:/home/prowler/pyproject.toml"
-    profiles:
-      - dev
-    depends_on:
-      postgres:
-        condition: service_healthy
-      valkey:
-        condition: service_healthy
-    entrypoint:
-      - "../docker-entrypoint.sh"
-      - "dev"
-
-  postgres:
-    image: postgres:16.3-alpine
-    ports:
-      - "${POSTGRES_PORT:-5432}:${POSTGRES_PORT:-5432}"
-    hostname: "postgres-db"
-    volumes:
-      - ./_data/postgres:/var/lib/postgresql/data
-    environment:
-      - POSTGRES_USER=${POSTGRES_ADMIN_USER:-prowler}
-      - POSTGRES_PASSWORD=${POSTGRES_ADMIN_PASSWORD:-S3cret}
-      - POSTGRES_DB=${POSTGRES_DB:-prowler_db}
-    env_file:
-      - path: ./.env
-        required: false
-    healthcheck:
-      test: ["CMD-SHELL", "sh -c 'pg_isready -U ${POSTGRES_ADMIN_USER:-prowler} -d ${POSTGRES_DB:-prowler_db}'"]
-      interval: 5s
-      timeout: 5s
-      retries: 5
-
-  valkey:
-    image: valkey/valkey:7-alpine3.19
-    ports:
-      - "${VALKEY_PORT:-6379}:6379"
-    hostname: "valkey"
-    volumes:
-      - ./_data/valkey:/data
-    env_file:
-      - path: ./.env
-        required: false
-    healthcheck:
-      test: ["CMD-SHELL", "sh -c 'valkey-cli ping'"]
-      interval: 10s
-      timeout: 5s
-      retries: 3
-
-  worker:
-    build:
-      dockerfile: Dockerfile
-    image: prowler-worker
-    environment:
-      - DJANGO_SETTINGS_MODULE=${DJANGO_SETTINGS_MODULE:-config.django.production}
-    env_file:
-      - path: ./.env
-        required: false
-    profiles:
-      - dev
-      - prod
-    depends_on:
-      valkey:
-        condition: service_healthy
-      postgres:
-        condition: service_healthy
-    entrypoint:
-      - "../docker-entrypoint.sh"
-      - "worker"
-
-  worker-beat:
-    build:
-      dockerfile: Dockerfile
-    image: prowler-worker
-    environment:
-      - DJANGO_SETTINGS_MODULE=${DJANGO_SETTINGS_MODULE:-config.django.production}
-    env_file:
-      - path: ./.env
-        required: false
-    profiles:
-      - dev
-      - prod
-    depends_on:
-      valkey:
-        condition: service_healthy
-      postgres:
-        condition: service_healthy
-    entrypoint:
-      - "../docker-entrypoint.sh"
-      - "beat"
--- a/api/docker-entrypoint.sh
+++ b/api/docker-entrypoint.sh
@@ -3,6 +3,10 @@

 apply_migrations() {
  echo "Applying database migrations..."
+
+  # Fix Inconsistent migration history after adding sites app
+  poetry run python manage.py check_and_fix_socialaccount_sites_migration --database admin
+
  poetry run python manage.py migrate --database admin
 }

@@ -28,7 +32,7 @@ start_prod_server() {

 start_worker() {
  echo "Starting the worker..."
-  poetry run python -m celery -A config.celery worker -l "${DJANGO_LOGGING_LEVEL:-info}" -Q celery,scans,scan-reports,deletion,backfill -E --max-tasks-per-child 1
+  poetry run python -m celery -A config.celery worker -l "${DJANGO_LOGGING_LEVEL:-info}" -Q celery,scans,scan-reports,deletion,backfill,overview,integrations,compliance -E --max-tasks-per-child 1
 }

 start_worker_beat() {
--- a/api/poetry.lock
+++ b/api/poetry.lock
--- a/api/pyproject.toml
+++ b/api/pyproject.toml
@@ -7,8 +7,8 @@ authors = [{name = "Prowler Engineering", email = "engineering@prowler.com"}]
 dependencies = [
  "celery[pytest] (>=5.4.0,<6.0.0)",
  "dj-rest-auth[with_social,jwt] (==7.0.1)",
-  "django==5.1.8",
-  "django-allauth==65.4.1",
+  "django (==5.1.13)",
+  "django-allauth[saml] (>=65.8.0,<66.0.0)",
  "django-celery-beat (>=2.7.0,<3.0.0)",
  "django-celery-results (>=2.5.1,<3.0.0)",
  "django-cors-headers==4.4.0",
@@ -23,11 +23,17 @@ dependencies = [
  "drf-spectacular==0.27.2",
  "drf-spectacular-jsonapi==0.5.1",
  "gunicorn==23.0.0",
-  "prowler @ git+https://github.com/prowler-cloud/prowler.git@v5.7",
+  "lxml==5.3.2",
+  "prowler @ git+https://github.com/prowler-cloud/prowler.git@master",
  "psycopg2-binary==2.9.9",
  "pytest-celery[redis] (>=1.0.1,<2.0.0)",
  "sentry-sdk[django] (>=2.20.0,<3.0.0)",
-  "uuid6==2024.7.10"
+  "uuid6==2024.7.10",
+  "openai (>=1.82.0,<2.0.0)",
+  "xmlsec==1.3.14",
+  "h2 (==4.3.0)",
+  "markdown (>=3.9,<4.0)",
+  "drf-simple-apikey (==2.2.1)"
 ]
 description = "Prowler's API (Django/DRF)"
 license = "Apache-2.0"
@@ -35,7 +41,7 @@ name = "prowler-api"
 package-mode = false
 # Needed for the SDK compatibility
 requires-python = ">=3.11,<3.13"
-version = "1.8.5"
+version = "1.14.0"

 [project.scripts]
 celery = "src.backend.config.settings.celery"
--- a/api/src/backend/api/adapters.py
+++ b/api/src/backend/api/adapters.py
@@ -17,6 +17,8 @@ class ProwlerSocialAccountAdapter(DefaultSocialAccountAdapter):
    def pre_social_login(self, request, sociallogin):
        # Link existing accounts with the same email address
        email = sociallogin.account.extra_data.get("email")
+        if sociallogin.provider.id == "saml":
+            email = sociallogin.user.email
        if email:
            existing_user = self.get_user_by_email(email)
            if existing_user:
@@ -29,33 +31,41 @@ class ProwlerSocialAccountAdapter(DefaultSocialAccountAdapter):
        """
        with transaction.atomic(using=MainRouter.admin_db):
            user = super().save_user(request, sociallogin, form)
-            user.save(using=MainRouter.admin_db)
-            social_account_name = sociallogin.account.extra_data.get("name")
-            if social_account_name:
-                user.name = social_account_name
-                user.save(using=MainRouter.admin_db)
+            provider = sociallogin.provider.id
+            extra = sociallogin.account.extra_data

-            tenant = Tenant.objects.using(MainRouter.admin_db).create(
-                name=f"{user.email.split('@')[0]} default tenant"
-            )
-            with rls_transaction(str(tenant.id)):
-                Membership.objects.using(MainRouter.admin_db).create(
-                    user=user, tenant=tenant, role=Membership.RoleChoices.OWNER
-                )
-                role = Role.objects.using(MainRouter.admin_db).create(
-                    name="admin",
-                    tenant_id=tenant.id,
-                    manage_users=True,
-                    manage_account=True,
-                    manage_billing=True,
-                    manage_providers=True,
-                    manage_integrations=True,
-                    manage_scans=True,
-                    unlimited_visibility=True,
-                )
-                UserRoleRelationship.objects.using(MainRouter.admin_db).create(
-                    user=user,
-                    role=role,
-                    tenant_id=tenant.id,
+            if provider != "saml":
+                # Handle other providers (e.g., GitHub, Google)
+                user.save(using=MainRouter.admin_db)
+                social_account_name = extra.get("name")
+                if social_account_name:
+                    user.name = social_account_name
+                    user.save(using=MainRouter.admin_db)
+
+                tenant = Tenant.objects.using(MainRouter.admin_db).create(
+                    name=f"{user.email.split('@')[0]} default tenant"
                )
+                with rls_transaction(str(tenant.id)):
+                    Membership.objects.using(MainRouter.admin_db).create(
+                        user=user, tenant=tenant, role=Membership.RoleChoices.OWNER
+                    )
+                    role = Role.objects.using(MainRouter.admin_db).create(
+                        name="admin",
+                        tenant_id=tenant.id,
+                        manage_users=True,
+                        manage_account=True,
+                        manage_billing=True,
+                        manage_providers=True,
+                        manage_integrations=True,
+                        manage_scans=True,
+                        unlimited_visibility=True,
+                    )
+                    UserRoleRelationship.objects.using(MainRouter.admin_db).create(
+                        user=user,
+                        role=role,
+                        tenant_id=tenant.id,
+                    )
+            else:
+                request.session["saml_user_created"] = str(user.id)
+
        return user
--- a/api/src/backend/api/apps.py
+++ b/api/src/backend/api/apps.py
@@ -1,4 +1,26 @@
+import logging
+import os
+import sys
+from pathlib import Path
+
+from config.custom_logging import BackendLogger
+from config.env import env
 from django.apps import AppConfig
+from django.conf import settings
+
+logger = logging.getLogger(BackendLogger.API)
+
+SIGNING_KEY_ENV = "DJANGO_TOKEN_SIGNING_KEY"
+VERIFYING_KEY_ENV = "DJANGO_TOKEN_VERIFYING_KEY"
+
+PRIVATE_KEY_FILE = "jwt_private.pem"
+PUBLIC_KEY_FILE = "jwt_public.pem"
+
+KEYS_DIRECTORY = (
+    Path.home() / ".config" / "prowler-api"
+)  # `/home/prowler/.config/prowler-api` inside the container
+
+_keys_initialized = False  # Flag to prevent multiple executions within the same process


 class ApiConfig(AppConfig):
@@ -6,7 +28,142 @@ class ApiConfig(AppConfig):
    name = "api"

    def ready(self):
+        from api import schema_extensions  # noqa: F401
        from api import signals  # noqa: F401
        from api.compliance import load_prowler_compliance

+        # Generate required cryptographic keys if not present, but only if:
+        #   `"manage.py" not in sys.argv`: If an external server (e.g., Gunicorn) is running the app
+        #   `os.environ.get("RUN_MAIN")`: If it's not a Django command or using `runserver`,
+        #                                 only the main process will do it
+        if "manage.py" not in sys.argv or os.environ.get("RUN_MAIN"):
+            self._ensure_crypto_keys()
+
        load_prowler_compliance()
+
+    def _ensure_crypto_keys(self):
+        """
+        Orchestrator method that ensures all required cryptographic keys are present.
+        This method coordinates the generation of:
+          - RSA key pairs for JWT token signing and verification
+        Note: During development, Django spawns multiple processes (migrations, fixtures, etc.)
+        which will each generate their own keys. This is expected behavior and each process
+        will have consistent keys for its lifetime. In production, set the keys as environment
+        variables to avoid regeneration.
+        """
+        global _keys_initialized
+
+        # Skip key generation if running tests
+        if hasattr(settings, "TESTING") and settings.TESTING:
+            return
+
+        # Skip if already initialized in this process
+        if _keys_initialized:
+            return
+
+        # Check if both JWT keys are set; if not, generate them
+        signing_key = env.str(SIGNING_KEY_ENV, default="").strip()
+        verifying_key = env.str(VERIFYING_KEY_ENV, default="").strip()
+
+        if not signing_key or not verifying_key:
+            logger.info(
+                f"Generating JWT RSA key pair. In production, set '{SIGNING_KEY_ENV}' and '{VERIFYING_KEY_ENV}' "
+                "environment variables."
+            )
+            self._ensure_jwt_keys()
+
+        # Mark as initialized to prevent future executions in this process
+        _keys_initialized = True
+
+    def _read_key_file(self, file_name):
+        """
+        Utility method to read the contents of a file.
+        """
+        file_path = KEYS_DIRECTORY / file_name
+        return file_path.read_text().strip() if file_path.is_file() else None
+
+    def _write_key_file(self, file_name, content, private=True):
+        """
+        Utility method to write content to a file.
+        """
+        try:
+            file_path = KEYS_DIRECTORY / file_name
+            file_path.parent.mkdir(parents=True, exist_ok=True)
+            file_path.write_text(content)
+            file_path.chmod(0o600 if private else 0o644)
+
+        except Exception as e:
+            logger.error(
+                f"Error writing key file '{file_name}': {e}. "
+                f"Please set '{SIGNING_KEY_ENV}' and '{VERIFYING_KEY_ENV}' manually."
+            )
+            raise e
+
+    def _ensure_jwt_keys(self):
+        """
+        Generate RSA key pairs for JWT token signing and verification
+        if they are not already set in environment variables.
+        """
+        # Read existing keys from files if they exist
+        signing_key = self._read_key_file(PRIVATE_KEY_FILE)
+        verifying_key = self._read_key_file(PUBLIC_KEY_FILE)
+
+        if not signing_key or not verifying_key:
+            # Generate and store the RSA key pair
+            signing_key, verifying_key = self._generate_jwt_keys()
+            self._write_key_file(PRIVATE_KEY_FILE, signing_key, private=True)
+            self._write_key_file(PUBLIC_KEY_FILE, verifying_key, private=False)
+            logger.info("JWT keys generated and stored successfully")
+
+        else:
+            logger.info("JWT keys already generated")
+
+        # Set environment variables and Django settings
+        os.environ[SIGNING_KEY_ENV] = signing_key
+        settings.SIMPLE_JWT["SIGNING_KEY"] = signing_key
+
+        os.environ[VERIFYING_KEY_ENV] = verifying_key
+        settings.SIMPLE_JWT["VERIFYING_KEY"] = verifying_key
+
+    def _generate_jwt_keys(self):
+        """
+        Generate and set RSA key pairs for JWT token operations.
+        """
+        try:
+            from cryptography.hazmat.primitives import serialization
+            from cryptography.hazmat.primitives.asymmetric import rsa
+
+            # Generate RSA key pair
+            private_key = rsa.generate_private_key(  # Future improvement: we could read the next values from env vars
+                public_exponent=65537,
+                key_size=2048,
+            )
+
+            # Serialize private key (for signing)
+            private_pem = private_key.private_bytes(
+                encoding=serialization.Encoding.PEM,
+                format=serialization.PrivateFormat.PKCS8,
+                encryption_algorithm=serialization.NoEncryption(),
+            ).decode("utf-8")
+
+            # Serialize public key (for verification)
+            public_key = private_key.public_key()
+            public_pem = public_key.public_bytes(
+                encoding=serialization.Encoding.PEM,
+                format=serialization.PublicFormat.SubjectPublicKeyInfo,
+            ).decode("utf-8")
+
+            logger.debug("JWT RSA key pair generated successfully.")
+            return private_pem, public_pem
+
+        except ImportError as e:
+            logger.warning(
+                "The 'cryptography' package is required for automatic JWT key generation."
+            )
+            raise e
+
+        except Exception as e:
+            logger.error(
+                f"Error generating JWT keys: {e}. Please set '{SIGNING_KEY_ENV}' and '{VERIFYING_KEY_ENV}' manually."
+            )
+            raise e
--- a/api/src/backend/api/authentication.py
+++ b/api/src/backend/api/authentication.py
@@ -0,0 +1,95 @@
+from typing import Optional, Tuple
+from uuid import UUID
+
+from cryptography.fernet import InvalidToken
+from django.utils import timezone
+from drf_simple_apikey.backends import APIKeyAuthentication as BaseAPIKeyAuth
+from drf_simple_apikey.crypto import get_crypto
+from rest_framework.authentication import BaseAuthentication
+from rest_framework.exceptions import AuthenticationFailed
+from rest_framework.request import Request
+from rest_framework_simplejwt.authentication import JWTAuthentication
+
+from api.db_router import MainRouter
+from api.models import TenantAPIKey, TenantAPIKeyManager
+
+
+class TenantAPIKeyAuthentication(BaseAPIKeyAuth):
+    model = TenantAPIKey
+
+    def __init__(self):
+        self.key_crypto = get_crypto()
+
+    def _authenticate_credentials(self, request, key):
+        """
+        Override to use admin connection, bypassing RLS during authentication.
+        Delegates to parent after temporarily routing model queries to admin DB.
+        """
+        # Temporarily point the model's manager to admin database
+        original_objects = self.model.objects
+        self.model.objects = self.model.objects.using(MainRouter.admin_db)
+
+        try:
+            # Call parent method which will now use admin database
+            return super()._authenticate_credentials(request, key)
+        finally:
+            # Restore original manager
+            self.model.objects = original_objects
+
+    def authenticate(self, request: Request):
+        prefixed_key = self.get_key(request)
+
+        # Split prefix from key (format: pk_xxxxxxxx.encrypted_key)
+        try:
+            prefix, key = prefixed_key.split(TenantAPIKeyManager.separator, 1)
+        except ValueError:
+            raise AuthenticationFailed("Invalid API Key.")
+
+        try:
+            entity, _ = self._authenticate_credentials(request, key)
+        except InvalidToken:
+            raise AuthenticationFailed("Invalid API Key.")
+
+        # Get the API key instance to update last_used_at and retrieve tenant info
+        # We need to decrypt again to get the pk (already validated by _authenticate_credentials)
+        payload = self.key_crypto.decrypt(key)
+        api_key_pk = payload["_pk"]
+
+        # Convert string UUID back to UUID object for lookup
+        if isinstance(api_key_pk, str):
+            api_key_pk = UUID(api_key_pk)
+
+        try:
+            api_key_instance = TenantAPIKey.objects.using(MainRouter.admin_db).get(
+                id=api_key_pk, prefix=prefix
+            )
+        except TenantAPIKey.DoesNotExist:
+            raise AuthenticationFailed("Invalid API Key.")
+
+        # Update last_used_at
+        api_key_instance.last_used_at = timezone.now()
+        api_key_instance.save(update_fields=["last_used_at"], using=MainRouter.admin_db)
+
+        return entity, {
+            "tenant_id": str(api_key_instance.tenant_id),
+            "sub": str(api_key_instance.entity.id),
+            "api_key_prefix": prefix,
+        }
+
+
+class CombinedJWTOrAPIKeyAuthentication(BaseAuthentication):
+    jwt_auth = JWTAuthentication()
+    api_key_auth = TenantAPIKeyAuthentication()
+
+    def authenticate(self, request: Request) -> Optional[Tuple[object, dict]]:
+        auth_header = request.headers.get("Authorization", "")
+
+        # Prioritize JWT authentication if both are present
+        if auth_header.startswith("Bearer "):
+            return self.jwt_auth.authenticate(request)
+
+        if auth_header.startswith("Api-Key "):
+            return self.api_key_auth.authenticate(request)
+
+        # Default fallback
+        return self.jwt_auth.authenticate(request)
--- a/api/src/backend/api/base_views.py
+++ b/api/src/backend/api/base_views.py
@@ -1,13 +1,15 @@
+from django.conf import settings
 from django.core.exceptions import ObjectDoesNotExist
 from django.db import transaction
 from rest_framework import permissions
 from rest_framework.exceptions import NotAuthenticated
 from rest_framework.filters import SearchFilter
+from rest_framework.permissions import SAFE_METHODS
 from rest_framework_json_api import filters
 from rest_framework_json_api.views import ModelViewSet
-from rest_framework_simplejwt.authentication import JWTAuthentication

-from api.db_router import MainRouter
+from api.authentication import CombinedJWTOrAPIKeyAuthentication
+from api.db_router import MainRouter, reset_read_db_alias, set_read_db_alias
 from api.db_utils import POSTGRES_USER_VAR, rls_transaction
 from api.filters import CustomDjangoFilterBackend
 from api.models import Role, Tenant
@@ -15,7 +17,7 @@ from api.rbac.permissions import HasPermissions


 class BaseViewSet(ModelViewSet):
-    authentication_classes = [JWTAuthentication]
+    authentication_classes = [CombinedJWTOrAPIKeyAuthentication]
    required_permissions = []
    permission_classes = [permissions.IsAuthenticated, HasPermissions]
    filter_backends = [
@@ -31,6 +33,20 @@ class BaseViewSet(ModelViewSet):
    ordering_fields = "__all__"
    ordering = ["id"]

+    def _get_request_db_alias(self, request):
+        if request is None:
+            return MainRouter.default_db
+
+        read_alias = (
+            MainRouter.replica_db
+            if request.method in SAFE_METHODS
+            and MainRouter.replica_db in settings.DATABASES
+            else None
+        )
+        if read_alias:
+            return read_alias
+        return MainRouter.default_db
+
    def initial(self, request, *args, **kwargs):
        """
        Sets required_permissions before permissions are checked.
@@ -48,8 +64,21 @@ class BaseViewSet(ModelViewSet):

 class BaseRLSViewSet(BaseViewSet):
    def dispatch(self, request, *args, **kwargs):
-        with transaction.atomic():
-            return super().dispatch(request, *args, **kwargs)
+        self.db_alias = self._get_request_db_alias(request)
+        alias_token = None
+        try:
+            if self.db_alias != MainRouter.default_db:
+                alias_token = set_read_db_alias(self.db_alias)
+
+            if request is not None:
+                request.db_alias = self.db_alias
+
+            with transaction.atomic(using=self.db_alias):
+                return super().dispatch(request, *args, **kwargs)
+        finally:
+            if alias_token is not None:
+                reset_read_db_alias(alias_token)
+            self.db_alias = MainRouter.default_db

    def initial(self, request, *args, **kwargs):
        # Ideally, this logic would be in the `.setup()` method but DRF view sets don't call it
@@ -61,7 +90,9 @@ class BaseRLSViewSet(BaseViewSet):
        if tenant_id is None:
            raise NotAuthenticated("Tenant ID is not present in token")

-        with rls_transaction(tenant_id):
+        with rls_transaction(
+            tenant_id, using=getattr(self, "db_alias", MainRouter.default_db)
+        ):
            self.request.tenant_id = tenant_id
            return super().initial(request, *args, **kwargs)

@@ -73,18 +104,33 @@ class BaseRLSViewSet(BaseViewSet):

 class BaseTenantViewset(BaseViewSet):
    def dispatch(self, request, *args, **kwargs):
-        with transaction.atomic():
-            tenant = super().dispatch(request, *args, **kwargs)
-
+        self.db_alias = self._get_request_db_alias(request)
+        alias_token = None
        try:
-            # If the request is a POST, create the admin role
-            if request.method == "POST":
-                isinstance(tenant, dict) and self._create_admin_role(tenant.data["id"])
-        except Exception as e:
-            self._handle_creation_error(e, tenant)
-            raise
+            if self.db_alias != MainRouter.default_db:
+                alias_token = set_read_db_alias(self.db_alias)

-        return tenant
+            if request is not None:
+                request.db_alias = self.db_alias
+
+            with transaction.atomic(using=self.db_alias):
+                tenant = super().dispatch(request, *args, **kwargs)
+
+            try:
+                # If the request is a POST, create the admin role
+                if request.method == "POST":
+                    isinstance(tenant, dict) and self._create_admin_role(
+                        tenant.data["id"]
+                    )
+            except Exception as e:
+                self._handle_creation_error(e, tenant)
+                raise
+
+            return tenant
+        finally:
+            if alias_token is not None:
+                reset_read_db_alias(alias_token)
+            self.db_alias = MainRouter.default_db

    def _create_admin_role(self, tenant_id):
        Role.objects.using(MainRouter.admin_db).create(
@@ -117,14 +163,31 @@ class BaseTenantViewset(BaseViewSet):
            raise NotAuthenticated("Tenant ID is not present in token")

        user_id = str(request.user.id)
-        with rls_transaction(value=user_id, parameter=POSTGRES_USER_VAR):
+        with rls_transaction(
+            value=user_id,
+            parameter=POSTGRES_USER_VAR,
+            using=getattr(self, "db_alias", MainRouter.default_db),
+        ):
            return super().initial(request, *args, **kwargs)


 class BaseUserViewset(BaseViewSet):
    def dispatch(self, request, *args, **kwargs):
-        with transaction.atomic():
-            return super().dispatch(request, *args, **kwargs)
+        self.db_alias = self._get_request_db_alias(request)
+        alias_token = None
+        try:
+            if self.db_alias != MainRouter.default_db:
+                alias_token = set_read_db_alias(self.db_alias)
+
+            if request is not None:
+                request.db_alias = self.db_alias
+
+            with transaction.atomic(using=self.db_alias):
+                return super().dispatch(request, *args, **kwargs)
+        finally:
+            if alias_token is not None:
+                reset_read_db_alias(alias_token)
+            self.db_alias = MainRouter.default_db

    def initial(self, request, *args, **kwargs):
        # TODO refactor after improving RLS on users
@@ -137,6 +200,8 @@ class BaseUserViewset(BaseViewSet):
        if tenant_id is None:
            raise NotAuthenticated("Tenant ID is not present in token")

-        with rls_transaction(tenant_id):
+        with rls_transaction(
+            tenant_id, using=getattr(self, "db_alias", MainRouter.default_db)
+        ):
            self.request.tenant_id = tenant_id
            return super().initial(request, *args, **kwargs)
--- a/api/src/backend/api/compliance.py
+++ b/api/src/backend/api/compliance.py
@@ -150,12 +150,16 @@ def generate_scan_compliance(
                requirement["checks"][check_id] = status
                requirement["checks_status"][status.lower()] += 1

-            if requirement["status"] != "FAIL" and any(
-                value == "FAIL" for value in requirement["checks"].values()
-            ):
-                requirement["status"] = "FAIL"
-                compliance_overview[compliance_id]["requirements_status"]["passed"] -= 1
-                compliance_overview[compliance_id]["requirements_status"]["failed"] += 1
+                if requirement["status"] != "FAIL" and any(
+                    value == "FAIL" for value in requirement["checks"].values()
+                ):
+                    requirement["status"] = "FAIL"
+                    compliance_overview[compliance_id]["requirements_status"][
+                        "passed"
+                    ] -= 1
+                    compliance_overview[compliance_id]["requirements_status"][
+                        "failed"
+                    ] += 1


 def generate_compliance_overview_template(prowler_compliance: dict):
@@ -190,10 +194,16 @@ def generate_compliance_overview_template(prowler_compliance: dict):
                total_checks = len(requirement.Checks)
                checks_dict = {check: None for check in requirement.Checks}

+                req_status_val = "MANUAL" if total_checks == 0 else "PASS"
+
                # Build requirement dictionary
                requirement_dict = {
                    "name": requirement.Name or requirement.Id,
                    "description": requirement.Description,
+                    "tactics": getattr(requirement, "Tactics", []),
+                    "subtechniques": getattr(requirement, "SubTechniques", []),
+                    "platforms": getattr(requirement, "Platforms", []),
+                    "technique_url": getattr(requirement, "TechniqueURL", ""),
                    "attributes": [
                        dict(attribute) for attribute in requirement.Attributes
                    ],
@@ -204,23 +214,22 @@ def generate_compliance_overview_template(prowler_compliance: dict):
                        "manual": 0,
                        "total": total_checks,
                    },
-                    "status": "PASS",
+                    "status": req_status_val,
                }

-                # Update requirements status
-                if total_checks == 0:
+                # Update requirements status counts for the framework
+                if req_status_val == "MANUAL":
                    requirements_status["manual"] += 1
+                elif req_status_val == "PASS":
+                    requirements_status["passed"] += 1

                # Add requirement to compliance requirements
                compliance_requirements[requirement.Id] = requirement_dict

-            # Calculate pending requirements
-            pending_requirements = total_requirements - requirements_status["manual"]
-            requirements_status["passed"] = pending_requirements
-
            # Build compliance dictionary
            compliance_dict = {
                "framework": compliance_data.Framework,
+                "name": compliance_data.Name,
                "version": compliance_data.Version,
                "provider": provider_type,
                "description": compliance_data.Description,
--- a/api/src/backend/api/db_router.py
+++ b/api/src/backend/api/db_router.py
@@ -1,9 +1,31 @@
+from contextvars import ContextVar
+
+from django.conf import settings
+
 ALLOWED_APPS = ("django", "socialaccount", "account", "authtoken", "silk")

+_read_db_alias = ContextVar("read_db_alias", default=None)
+
+
+def set_read_db_alias(alias: str | None):
+    if not alias:
+        return None
+    return _read_db_alias.set(alias)
+
+
+def get_read_db_alias() -> str | None:
+    return _read_db_alias.get()
+
+
+def reset_read_db_alias(token) -> None:
+    if token is not None:
+        _read_db_alias.reset(token)
+

 class MainRouter:
    default_db = "default"
    admin_db = "admin"
+    replica_db = "replica"

    def db_for_read(self, model, **hints):  # noqa: F841
        model_table_name = model._meta.db_table
@@ -11,6 +33,9 @@ class MainRouter:
            model_table_name.startswith(f"{app}_") for app in ALLOWED_APPS
        ):
            return self.admin_db
+        read_alias = get_read_db_alias()
+        if read_alias:
+            return read_alias
        return None

    def db_for_write(self, model, **hints):  # noqa: F841
@@ -27,3 +52,8 @@ class MainRouter:
        if {obj1._state.db, obj2._state.db} <= {self.default_db, self.admin_db}:
            return True
        return None
+
+
+READ_REPLICA_ALIAS = (
+    MainRouter.replica_db if MainRouter.replica_db in settings.DATABASES else None
+)
--- a/api/src/backend/api/db_utils.py
+++ b/api/src/backend/api/db_utils.py
@@ -1,3 +1,4 @@
+import re
 import secrets
 import uuid
 from contextlib import contextmanager
@@ -5,12 +6,14 @@ from datetime import datetime, timedelta, timezone

 from django.conf import settings
 from django.contrib.auth.models import BaseUserManager
-from django.db import connection, models, transaction
+from django.db import DEFAULT_DB_ALIAS, connection, connections, models, transaction
 from django_celery_beat.models import PeriodicTask
 from psycopg2 import connect as psycopg2_connect
 from psycopg2.extensions import AsIs, new_type, register_adapter, register_type
 from rest_framework_json_api.serializers import ValidationError

+from api.db_router import get_read_db_alias, reset_read_db_alias, set_read_db_alias
+
 DB_USER = settings.DATABASES["default"]["USER"] if not settings.TESTING else "test"
 DB_PASSWORD = (
    settings.DATABASES["default"]["PASSWORD"] if not settings.TESTING else "test"
@@ -48,7 +51,11 @@ def psycopg_connection(database_alias: str):


@contextmanager
-def rls_transaction(value: str, parameter: str = POSTGRES_TENANT_VAR):
+def rls_transaction(
+    value: str,
+    parameter: str = POSTGRES_TENANT_VAR,
+    using: str | None = None,
+):
    """
    Creates a new database transaction setting the given configuration value for Postgres RLS. It validates the
    if the value is a valid UUID.
@@ -56,16 +63,32 @@ def rls_transaction(value: str, parameter: str = POSTGRES_TENANT_VAR):
    Args:
        value (str): Database configuration parameter value.
        parameter (str): Database configuration parameter name, by default is 'api.tenant_id'.
+        using (str | None): Optional database alias to run the transaction against. Defaults to the
+            active read alias (if any) or Django's default connection.
    """
-    with transaction.atomic():
-        with connection.cursor() as cursor:
-            try:
-                # just in case the value is an UUID object
-                uuid.UUID(str(value))
-            except ValueError:
-                raise ValidationError("Must be a valid UUID")
-            cursor.execute(SET_CONFIG_QUERY, [parameter, value])
-            yield cursor
+    requested_alias = using or get_read_db_alias()
+    db_alias = requested_alias or DEFAULT_DB_ALIAS
+    if db_alias not in connections:
+        db_alias = DEFAULT_DB_ALIAS
+
+    router_token = None
+    try:
+        if db_alias != DEFAULT_DB_ALIAS:
+            router_token = set_read_db_alias(db_alias)
+
+        with transaction.atomic(using=db_alias):
+            conn = connections[db_alias]
+            with conn.cursor() as cursor:
+                try:
+                    # just in case the value is a UUID object
+                    uuid.UUID(str(value))
+                except ValueError:
+                    raise ValidationError("Must be a valid UUID")
+                cursor.execute(SET_CONFIG_QUERY, [parameter, value])
+                yield cursor
+    finally:
+        if router_token is not None:
+            reset_read_db_alias(router_token)


 class CustomUserManager(BaseUserManager):
@@ -152,6 +175,51 @@ def delete_related_daily_task(provider_id: str):
    PeriodicTask.objects.filter(name=task_name).delete()


+def create_objects_in_batches(
+    tenant_id: str, model, objects: list, batch_size: int = 500
+):
+    """
+    Bulk-create model instances in repeated, per-tenant RLS transactions.
+
+    All chunks execute in their own transaction, so no single transaction
+    grows too large.
+
+    Args:
+        tenant_id (str): UUID string of the tenant under which to set RLS.
+        model: Django model class whose `.objects.bulk_create()` will be called.
+        objects (list): List of model instances (unsaved) to bulk-create.
+        batch_size (int): Maximum number of objects per bulk_create call.
+    """
+    total = len(objects)
+    for i in range(0, total, batch_size):
+        chunk = objects[i : i + batch_size]
+        with rls_transaction(value=tenant_id, parameter=POSTGRES_TENANT_VAR):
+            model.objects.bulk_create(chunk, batch_size)
+
+
+def update_objects_in_batches(
+    tenant_id: str, model, objects: list, fields: list, batch_size: int = 500
+):
+    """
+    Bulk-update model instances in repeated, per-tenant RLS transactions.
+
+    All chunks execute in their own transaction, so no single transaction
+    grows too large.
+
+    Args:
+        tenant_id (str): UUID string of the tenant under which to set RLS.
+        model: Django model class whose `.objects.bulk_update()` will be called.
+        objects (list): List of model instances (saved) to bulk-update.
+        fields (list): List of field names to update.
+        batch_size (int): Maximum number of objects per bulk_update call.
+    """
+    total = len(objects)
+    for start in range(0, total, batch_size):
+        chunk = objects[start : start + batch_size]
+        with rls_transaction(value=tenant_id, parameter=POSTGRES_TENANT_VAR):
+            model.objects.bulk_update(chunk, fields, batch_size)
+
+
 # Postgres Enums


@@ -227,6 +295,72 @@ def register_enum(apps, schema_editor, enum_class):  # noqa: F841
        register_adapter(enum_class, enum_adapter)


+def _should_create_index_on_partition(
+    partition_name: str, all_partitions: bool = False
+) -> bool:
+    """
+    Determine if we should create an index on this partition.
+
+    Args:
+        partition_name: The name of the partition (e.g., "findings_2025_aug", "findings_default")
+        all_partitions: If True, create on all partitions. If False, only current/future partitions.
+
+    Returns:
+        bool: True if index should be created on this partition, False otherwise.
+    """
+    if all_partitions:
+        return True
+
+    # Extract date from partition name if it follows the pattern
+    # Partition names look like: findings_2025_aug, findings_2025_jul, etc.
+    date_pattern = r"(\d{4})_([a-z]{3})$"
+    match = re.search(date_pattern, partition_name)
+
+    if not match:
+        # If we can't parse the date, include it to be safe (e.g., default partition)
+        return True
+
+    try:
+        year_str, month_abbr = match.groups()
+        year = int(year_str)
+
+        # Map month abbreviations to numbers
+        month_map = {
+            "jan": 1,
+            "feb": 2,
+            "mar": 3,
+            "apr": 4,
+            "may": 5,
+            "jun": 6,
+            "jul": 7,
+            "aug": 8,
+            "sep": 9,
+            "oct": 10,
+            "nov": 11,
+            "dec": 12,
+        }
+
+        month = month_map.get(month_abbr.lower())
+        if month is None:
+            # Unknown month abbreviation, include it to be safe
+            return True
+
+        partition_date = datetime(year, month, 1, tzinfo=timezone.utc)
+
+        # Get current month start
+        now = datetime.now(timezone.utc)
+        current_month_start = now.replace(
+            day=1, hour=0, minute=0, second=0, microsecond=0
+        )
+
+        # Include current month and future partitions
+        return partition_date >= current_month_start
+
+    except (ValueError, TypeError):
+        # If date parsing fails, include it to be safe
+        return True
+
+
 def create_index_on_partitions(
    apps,  # noqa: F841
    schema_editor,
@@ -235,16 +369,39 @@ def create_index_on_partitions(
    columns: str,
    method: str = "BTREE",
    where: str = "",
+    all_partitions: bool = True,
 ):
    """
-    Create an index on every existing partition of `parent_table`.
+    Create an index on existing partitions of `parent_table`.

    Args:
        parent_table: The name of the root table (e.g. "findings").
        index_name: A short name for the index (will be prefixed per-partition).
        columns: The parenthesized column list, e.g. "tenant_id, scan_id, status".
-        method:   The index method—BTREE, GIN, etc.  Defaults to BTREE.
-        where:    Optional WHERE clause (without the leading "WHERE"), e.g. "status = 'FAIL'".
+        method: The index method—BTREE, GIN, etc. Defaults to BTREE.
+        where: Optional WHERE clause (without the leading "WHERE"), e.g. "status = 'FAIL'".
+        all_partitions: Whether to create indexes on all partitions or just current/future ones.
+                       Defaults to False (current/future only) to avoid maintenance overhead
+                       on old partitions where the index may not be needed.
+
+    Examples:
+        # Create index only on current and future partitions (recommended for new indexes)
+        create_index_on_partitions(
+            apps, schema_editor,
+            parent_table="findings",
+            index_name="new_performance_idx",
+            columns="tenant_id, status, severity",
+            all_partitions=False  # Default behavior
+        )
+
+        # Create index on all partitions (use when migrating existing critical indexes)
+        create_index_on_partitions(
+            apps, schema_editor,
+            parent_table="findings",
+            index_name="critical_existing_idx",
+            columns="tenant_id, scan_id",
+            all_partitions=True
+        )
    """
    with connection.cursor() as cursor:
        cursor.execute(
@@ -259,13 +416,14 @@ def create_index_on_partitions(

    where_sql = f" WHERE {where}" if where else ""
    for partition in partitions:
-        idx_name = f"{partition.replace('.', '_')}_{index_name}"
-        sql = (
-            f"CREATE INDEX CONCURRENTLY IF NOT EXISTS {idx_name} "
-            f"ON {partition} USING {method} ({columns})"
-            f"{where_sql};"
-        )
-        schema_editor.execute(sql)
+        if _should_create_index_on_partition(partition, all_partitions):
+            idx_name = f"{partition.replace('.', '_')}_{index_name}"
+            sql = (
+                f"CREATE INDEX CONCURRENTLY IF NOT EXISTS {idx_name} "
+                f"ON {partition} USING {method} ({columns})"
+                f"{where_sql};"
+            )
+            schema_editor.execute(sql)


 def drop_index_on_partitions(
@@ -279,7 +437,7 @@ def drop_index_on_partitions(

    Args:
        parent_table: The name of the root table (e.g. "findings").
-        index_name:   The same short name used when creating them.
+        index_name: The same short name used when creating them.
    """
    with connection.cursor() as cursor:
        cursor.execute(
@@ -298,6 +456,12 @@ def drop_index_on_partitions(
        schema_editor.execute(sql)


+def generate_api_key_prefix():
+    """Generate a random 8-character prefix for API keys (e.g., 'pk_abc123de')."""
+    random_chars = generate_random_token(length=8)
+    return f"pk_{random_chars}"
+
+
 # Postgres enum definition for member role


@@ -416,3 +580,15 @@ class IntegrationTypeEnum(EnumType):
 class IntegrationTypeEnumField(PostgresEnumField):
    def __init__(self, *args, **kwargs):
        super().__init__("integration_type", *args, **kwargs)
+
+
+# Postgres enum definition for Processor type
+
+
+class ProcessorTypeEnum(EnumType):
+    enum_type_name = "processor_type"
+
+
+class ProcessorTypeEnumField(PostgresEnumField):
+    def __init__(self, *args, **kwargs):
+        super().__init__("processor_type", *args, **kwargs)
--- a/api/src/backend/api/exceptions.py
+++ b/api/src/backend/api/exceptions.py
@@ -1,9 +1,13 @@
 from django.core.exceptions import ValidationError as django_validation_error
 from rest_framework import status
-from rest_framework.exceptions import APIException
+from rest_framework.exceptions import (
+    APIException,
+    AuthenticationFailed,
+    NotAuthenticated,
+)
 from rest_framework_json_api.exceptions import exception_handler
 from rest_framework_json_api.serializers import ValidationError
-from rest_framework_simplejwt.exceptions import TokenError, InvalidToken
+from rest_framework_simplejwt.exceptions import InvalidToken, TokenError


 class ModelValidationError(ValidationError):
@@ -32,14 +36,70 @@ class InvitationTokenExpiredException(APIException):
    default_code = "token_expired"


+# Task Management Exceptions (non-HTTP)
+class TaskManagementError(Exception):
+    """Base exception for task management errors."""
+
+    def __init__(self, task=None):
+        self.task = task
+        super().__init__()
+
+
+class TaskFailedException(TaskManagementError):
+    """Raised when a task has failed."""
+
+
+class TaskNotFoundException(TaskManagementError):
+    """Raised when a task is not found."""
+
+
+class TaskInProgressException(TaskManagementError):
+    """Raised when a task is running but there's no related Task object to return."""
+
+    def __init__(self, task_result=None):
+        self.task_result = task_result
+        super().__init__()
+
+
+# Provider connection errors
+class ProviderConnectionError(Exception):
+    """Base exception for provider connection errors."""
+
+
 def custom_exception_handler(exc, context):
    if isinstance(exc, django_validation_error):
        if hasattr(exc, "error_dict"):
            exc = ValidationError(exc.message_dict)
        else:
            exc = ValidationError(detail=exc.messages[0], code=exc.code)
-    elif isinstance(exc, (TokenError, InvalidToken)):
-        exc.detail["messages"] = [
-            message_item["message"] for message_item in exc.detail["messages"]
-        ]
+    # Force 401 status for AuthenticationFailed exceptions regardless of the authentication backend
+    elif isinstance(exc, (AuthenticationFailed, NotAuthenticated, TokenError)):
+        exc.status_code = status.HTTP_401_UNAUTHORIZED
+        if isinstance(exc, (TokenError, InvalidToken)):
+            if (
+                hasattr(exc, "detail")
+                and isinstance(exc.detail, dict)
+                and "messages" in exc.detail
+            ):
+                exc.detail["messages"] = [
+                    message_item["message"] for message_item in exc.detail["messages"]
+                ]
    return exception_handler(exc, context)
+
+
+class ConflictException(APIException):
+    status_code = status.HTTP_409_CONFLICT
+    default_detail = "A conflict occurred. The resource already exists."
+    default_code = "conflict"
+
+    def __init__(self, detail=None, code=None, pointer=None):
+        error_detail = {
+            "detail": detail or self.default_detail,
+            "status": self.status_code,
+            "code": self.default_code,
+        }
+
+        if pointer:
+            error_detail["source"] = {"pointer": pointer}
+
+        super().__init__(detail=[error_detail])
--- a/api/src/backend/api/filters.py
+++ b/api/src/backend/api/filters.py
@@ -1,7 +1,8 @@
 from datetime import date, datetime, timedelta, timezone

+from dateutil.parser import parse
 from django.conf import settings
-from django.db.models import Q
+from django.db.models import F, Q
 from django_filters.rest_framework import (
    BaseInFilter,
    BooleanFilter,
@@ -22,12 +23,14 @@ from api.db_utils import (
    StatusEnumField,
 )
 from api.models import (
-    ComplianceOverview,
+    ComplianceRequirementOverview,
    Finding,
    Integration,
    Invitation,
    Membership,
+    OverviewStatusChoices,
    PermissionChoices,
+    Processor,
    Provider,
    ProviderGroup,
    ProviderSecret,
@@ -40,6 +43,7 @@ from api.models import (
    StateChoices,
    StatusChoices,
    Task,
+    TenantAPIKey,
    User,
 )
 from api.rls import Tenant
@@ -216,10 +220,31 @@ class MembershipFilter(FilterSet):


 class ProviderFilter(FilterSet):
-    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
-    updated_at = DateFilter(field_name="updated_at", lookup_expr="date")
-    connected = BooleanFilter()
+    inserted_at = DateFilter(
+        field_name="inserted_at",
+        lookup_expr="date",
+        help_text="""Filter by date when the provider was added
+        (format: YYYY-MM-DD)""",
+    )
+    updated_at = DateFilter(
+        field_name="updated_at",
+        lookup_expr="date",
+        help_text="""Filter by date when the provider was updated
+        (format: YYYY-MM-DD)""",
+    )
+    connected = BooleanFilter(
+        help_text="""Filter by connection status. Set to True to return only
+        connected providers, or False to return only providers with failed
+        connections. If not specified, both connected and failed providers are
+        included. Providers with no connection attempt (status is null) are
+        excluded from this filter."""
+    )
    provider = ChoiceFilter(choices=Provider.ProviderChoices.choices)
+    provider__in = ChoiceInFilter(
+        field_name="provider",
+        choices=Provider.ProviderChoices.choices,
+        lookup_expr="in",
+    )

    class Meta:
        model = Provider
@@ -338,6 +363,8 @@ class ResourceFilter(ProviderRelationshipFilterSet):
    tags = CharFilter(method="filter_tag")
    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
    updated_at = DateFilter(field_name="updated_at", lookup_expr="date")
+    scan = UUIDFilter(field_name="provider__scan", lookup_expr="exact")
+    scan__in = UUIDInFilter(field_name="provider__scan", lookup_expr="in")

    class Meta:
        model = Resource
@@ -352,6 +379,82 @@ class ResourceFilter(ProviderRelationshipFilterSet):
            "updated_at": ["gte", "lte"],
        }

+    def filter_queryset(self, queryset):
+        if not (self.data.get("scan") or self.data.get("scan__in")) and not (
+            self.data.get("updated_at")
+            or self.data.get("updated_at__date")
+            or self.data.get("updated_at__gte")
+            or self.data.get("updated_at__lte")
+        ):
+            raise ValidationError(
+                [
+                    {
+                        "detail": "At least one date filter is required: filter[updated_at], filter[updated_at.gte], "
+                        "or filter[updated_at.lte].",
+                        "status": 400,
+                        "source": {"pointer": "/data/attributes/updated_at"},
+                        "code": "required",
+                    }
+                ]
+            )
+
+        gte_date = (
+            parse(self.data.get("updated_at__gte")).date()
+            if self.data.get("updated_at__gte")
+            else datetime.now(timezone.utc).date()
+        )
+        lte_date = (
+            parse(self.data.get("updated_at__lte")).date()
+            if self.data.get("updated_at__lte")
+            else datetime.now(timezone.utc).date()
+        )
+
+        if abs(lte_date - gte_date) > timedelta(
+            days=settings.FINDINGS_MAX_DAYS_IN_RANGE
+        ):
+            raise ValidationError(
+                [
+                    {
+                        "detail": f"The date range cannot exceed {settings.FINDINGS_MAX_DAYS_IN_RANGE} days.",
+                        "status": 400,
+                        "source": {"pointer": "/data/attributes/updated_at"},
+                        "code": "invalid",
+                    }
+                ]
+            )
+
+        return super().filter_queryset(queryset)
+
+    def filter_tag_key(self, queryset, name, value):
+        return queryset.filter(Q(tags__key=value) | Q(tags__key__icontains=value))
+
+    def filter_tag_value(self, queryset, name, value):
+        return queryset.filter(Q(tags__value=value) | Q(tags__value__icontains=value))
+
+    def filter_tag(self, queryset, name, value):
+        # We won't know what the user wants to filter on just based on the value,
+        # and we don't want to build special filtering logic for every possible
+        # provider tag spec, so we'll just do a full text search
+        return queryset.filter(tags__text_search=value)
+
+
+class LatestResourceFilter(ProviderRelationshipFilterSet):
+    tag_key = CharFilter(method="filter_tag_key")
+    tag_value = CharFilter(method="filter_tag_value")
+    tag = CharFilter(method="filter_tag")
+    tags = CharFilter(method="filter_tag")
+
+    class Meta:
+        model = Resource
+        fields = {
+            "provider": ["exact", "in"],
+            "uid": ["exact", "icontains"],
+            "name": ["exact", "icontains"],
+            "region": ["exact", "icontains", "in"],
+            "service": ["exact", "icontains", "in"],
+            "type": ["exact", "icontains", "in"],
+        }
+
    def filter_tag_key(self, queryset, name, value):
        return queryset.filter(Q(tags__key=value) | Q(tags__key__icontains=value))

@@ -567,8 +670,16 @@ class LatestFindingFilter(CommonFindingFilters):


 class ProviderSecretFilter(FilterSet):
-    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
-    updated_at = DateFilter(field_name="updated_at", lookup_expr="date")
+    inserted_at = DateFilter(
+        field_name="inserted_at",
+        lookup_expr="date",
+        help_text="Filter by date when the secret was added (format: YYYY-MM-DD)",
+    )
+    updated_at = DateFilter(
+        field_name="updated_at",
+        lookup_expr="date",
+        help_text="Filter by date when the secret was updated (format: YYYY-MM-DD)",
+    )
    provider = UUIDFilter(field_name="provider__id", lookup_expr="exact")

    class Meta:
@@ -637,12 +748,11 @@ class RoleFilter(FilterSet):

 class ComplianceOverviewFilter(FilterSet):
    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
-    provider_type = ChoiceFilter(choices=Provider.ProviderChoices.choices)
-    provider_type__in = ChoiceInFilter(choices=Provider.ProviderChoices.choices)
-    scan_id = UUIDFilter(field_name="scan__id")
+    scan_id = UUIDFilter(field_name="scan_id")
+    region = CharFilter(field_name="region")

    class Meta:
-        model = ComplianceOverview
+        model = ComplianceRequirementOverview
        fields = {
            "inserted_at": ["date", "gte", "lte"],
            "compliance_id": ["exact", "icontains"],
@@ -671,6 +781,72 @@ class ScanSummaryFilter(FilterSet):
        }


+class ScanSummarySeverityFilter(ScanSummaryFilter):
+    """Filter for findings_severity ScanSummary endpoint - includes status filters"""
+
+    # Custom status filters - only for severity grouping endpoint
+    status = ChoiceFilter(method="filter_status", choices=OverviewStatusChoices.choices)
+    status__in = CharInFilter(method="filter_status_in", lookup_expr="in")
+
+    def filter_status(self, queryset, name, value):
+        # Validate the status value
+        if value not in [choice[0] for choice in OverviewStatusChoices.choices]:
+            raise ValidationError(f"Invalid status value: {value}")
+
+        # Apply the filter by annotating the queryset with the status field
+        if value == OverviewStatusChoices.FAIL:
+            return queryset.annotate(status_count=F("fail"))
+        elif value == OverviewStatusChoices.PASS:
+            return queryset.annotate(status_count=F("_pass"))
+        else:
+            return queryset.annotate(status_count=F("total"))
+
+    def filter_status_in(self, queryset, name, value):
+        # Validate the status values
+        valid_statuses = [choice[0] for choice in OverviewStatusChoices.choices]
+        for status_val in value:
+            if status_val not in valid_statuses:
+                raise ValidationError(f"Invalid status value: {status_val}")
+
+        # If all statuses or no valid statuses, use total
+        if (
+            set(value)
+            >= {
+                OverviewStatusChoices.FAIL,
+                OverviewStatusChoices.PASS,
+            }
+            or not value
+        ):
+            return queryset.annotate(status_count=F("total"))
+
+        # Build the sum expression based on status values
+        sum_expression = None
+        for status in value:
+            if status == OverviewStatusChoices.FAIL:
+                field_expr = F("fail")
+            elif status == OverviewStatusChoices.PASS:
+                field_expr = F("_pass")
+            else:
+                continue
+
+            if sum_expression is None:
+                sum_expression = field_expr
+            else:
+                sum_expression = sum_expression + field_expr
+
+        if sum_expression is None:
+            return queryset.annotate(status_count=F("total"))
+
+        return queryset.annotate(status_count=sum_expression)
+
+    class Meta:
+        model = ScanSummary
+        fields = {
+            "inserted_at": ["date", "gte", "lte"],
+            "region": ["exact", "icontains", "in"],
+        }
+
+
 class ServiceOverviewFilter(ScanSummaryFilter):
    def is_valid(self):
        # Check if at least one of the inserted_at filters is present
@@ -705,3 +881,49 @@ class IntegrationFilter(FilterSet):
        fields = {
            "inserted_at": ["date", "gte", "lte"],
        }
+
+
+class ProcessorFilter(FilterSet):
+    processor_type = ChoiceFilter(choices=Processor.ProcessorChoices.choices)
+    processor_type__in = ChoiceInFilter(
+        choices=Processor.ProcessorChoices.choices,
+        field_name="processor_type",
+        lookup_expr="in",
+    )
+
+
+class IntegrationJiraFindingsFilter(FilterSet):
+    # To be expanded as needed
+    finding_id = UUIDFilter(field_name="id", lookup_expr="exact")
+    finding_id__in = UUIDInFilter(field_name="id", lookup_expr="in")
+
+    class Meta:
+        model = Finding
+        fields = {}
+
+    def filter_queryset(self, queryset):
+        # Validate that there is at least one filter provided
+        if not self.data:
+            raise ValidationError(
+                {
+                    "findings": "No finding filters provided. At least one filter is required."
+                }
+            )
+        return super().filter_queryset(queryset)
+
+
+class TenantApiKeyFilter(FilterSet):
+    inserted_at = DateFilter(field_name="created", lookup_expr="date")
+    inserted_at__gte = DateFilter(field_name="created", lookup_expr="gte")
+    inserted_at__lte = DateFilter(field_name="created", lookup_expr="lte")
+    expires_at = DateFilter(field_name="expiry_date", lookup_expr="date")
+    expires_at__gte = DateFilter(field_name="expiry_date", lookup_expr="gte")
+    expires_at__lte = DateFilter(field_name="expiry_date", lookup_expr="lte")
+
+    class Meta:
+        model = TenantAPIKey
+        fields = {
+            "prefix": ["exact", "icontains"],
+            "revoked": ["exact"],
+            "name": ["exact", "icontains"],
+        }
--- a/api/src/backend/api/fixtures/dev/0_dev_users.json
+++ b/api/src/backend/api/fixtures/dev/0_dev_users.json
@@ -3,7 +3,7 @@
    "model": "api.user",
    "pk": "8b38e2eb-6689-4f1e-a4ba-95b275130200",
    "fields": {
-      "password": "pbkdf2_sha256$720000$vA62S78kog2c2ytycVQdke$Fp35GVLLMyy5fUq3krSL9I02A+ocQ+RVa4S22LIAO5s=",
+      "password": "pbkdf2_sha256$870000$Z63pGJ7nre48hfcGbk5S0O$rQpKczAmijs96xa+gPVJifpT3Fetb8DOusl5Eq6gxac=",
      "last_login": null,
      "name": "Devie Prowlerson",
      "email": "dev@prowler.com",
@@ -16,7 +16,7 @@
    "model": "api.user",
    "pk": "b6493a3a-c997-489b-8b99-278bf74de9f6",
    "fields": {
-      "password": "pbkdf2_sha256$720000$vA62S78kog2c2ytycVQdke$Fp35GVLLMyy5fUq3krSL9I02A+ocQ+RVa4S22LIAO5s=",
+      "password": "pbkdf2_sha256$870000$Z63pGJ7nre48hfcGbk5S0O$rQpKczAmijs96xa+gPVJifpT3Fetb8DOusl5Eq6gxac=",
      "last_login": null,
      "name": "Devietoo Prowlerson",
      "email": "dev2@prowler.com",
@@ -24,5 +24,18 @@
      "is_active": true,
      "date_joined": "2024-09-18T09:04:20.850Z"
    }
+  },
+  {
+    "model": "api.user",
+    "pk": "6d4f8a91-3c2e-4b5a-8f7d-1e9c5b2a4d6f",
+    "fields": {
+      "password": "pbkdf2_sha256$870000$Z63pGJ7nre48hfcGbk5S0O$rQpKczAmijs96xa+gPVJifpT3Fetb8DOusl5Eq6gxac=",
+      "last_login": null,
+      "name": "E2E Test User",
+      "email": "e2e@prowler.com",
+      "company_name": "Prowler E2E Tests",
+      "is_active": true,
+      "date_joined": "2024-01-01T00:00:00.850Z"
+    }
  }
 ]
--- a/api/src/backend/api/fixtures/dev/1_dev_tenants.json
+++ b/api/src/backend/api/fixtures/dev/1_dev_tenants.json
@@ -46,5 +46,24 @@
      "role": "member",
      "date_joined": "2024-09-19T11:03:59.712Z"
    }
+  },
+  {
+    "model": "api.tenant",
+    "pk": "7c8f94a3-e2d1-4b3a-9f87-2c4d5e6f1a2b",
+    "fields": {
+      "inserted_at": "2024-01-01T00:00:00Z",
+      "updated_at": "2024-01-01T00:00:00Z",
+      "name": "E2E Test Tenant"
+    }
+  },
+  {
+    "model": "api.membership",
+    "pk": "9b1a2c3d-4e5f-6789-abc1-23456789def0",
+    "fields": {
+      "user": "6d4f8a91-3c2e-4b5a-8f7d-1e9c5b2a4d6f",
+      "tenant": "7c8f94a3-e2d1-4b3a-9f87-2c4d5e6f1a2b",
+      "role": "owner",
+      "date_joined": "2024-01-01T00:00:00.000Z"
+    }
  }
 ]
--- a/api/src/backend/api/fixtures/dev/6_dev_rbac.json
+++ b/api/src/backend/api/fixtures/dev/6_dev_rbac.json
@@ -149,5 +149,32 @@
      "user": "8b38e2eb-6689-4f1e-a4ba-95b275130200",
      "inserted_at": "2024-11-20T15:36:14.302Z"
    }
+  },
+  {
+    "model": "api.role",
+    "pk": "a5b6c7d8-9e0f-1234-5678-90abcdef1234",
+    "fields": {
+      "tenant": "7c8f94a3-e2d1-4b3a-9f87-2c4d5e6f1a2b",
+      "name": "e2e_admin",
+      "manage_users": true,
+      "manage_account": true,
+      "manage_billing": true,
+      "manage_providers": true,
+      "manage_integrations": true,
+      "manage_scans": true,
+      "unlimited_visibility": true,
+      "inserted_at": "2024-01-01T00:00:00.000Z",
+      "updated_at": "2024-01-01T00:00:00.000Z"
+    }
+  },
+  {
+    "model": "api.userrolerelationship",
+    "pk": "f1e2d3c4-b5a6-9876-5432-10fedcba9876",
+    "fields": {
+      "tenant": "7c8f94a3-e2d1-4b3a-9f87-2c4d5e6f1a2b",
+      "role": "a5b6c7d8-9e0f-1234-5678-90abcdef1234",
+      "user": "6d4f8a91-3c2e-4b5a-8f7d-1e9c5b2a4d6f",
+      "inserted_at": "2024-01-01T00:00:00.000Z"
+    }
  }
 ]
--- a/api/src/backend/api/fixtures/dev/7_dev_compliance.json
+++ b/api/src/backend/api/fixtures/dev/7_dev_compliance.json
--- a/api/src/backend/api/management/commands/check_and_fix_socialaccount_sites_migration.py
+++ b/api/src/backend/api/management/commands/check_and_fix_socialaccount_sites_migration.py
@@ -0,0 +1,80 @@
+from django.contrib.sites.models import Site
+from django.core.management.base import BaseCommand
+from django.db import DEFAULT_DB_ALIAS, connection, connections, transaction
+from django.db.migrations.recorder import MigrationRecorder
+
+
+def table_exists(table_name):
+    with connection.cursor() as cursor:
+        cursor.execute(
+            """
+                SELECT EXISTS (
+                    SELECT 1 FROM information_schema.tables
+                    WHERE table_name = %s
+                )
+            """,
+            [table_name],
+        )
+        return cursor.fetchone()[0]
+
+
+class Command(BaseCommand):
+    help = "Fix migration inconsistency between socialaccount and sites"
+
+    def add_arguments(self, parser):
+        parser.add_argument(
+            "--database",
+            default=DEFAULT_DB_ALIAS,
+            help="Specifies the database to operate on.",
+        )
+
+    def handle(self, *args, **options):
+        db = options["database"]
+        connection = connections[db]
+        recorder = MigrationRecorder(connection)
+
+        applied = set(recorder.applied_migrations())
+
+        has_social = ("socialaccount", "0001_initial") in applied
+
+        with connection.cursor() as cursor:
+            cursor.execute(
+                """
+                SELECT EXISTS (
+                    SELECT FROM information_schema.tables
+                    WHERE table_name = 'django_site'
+                );
+            """
+            )
+            site_table_exists = cursor.fetchone()[0]
+
+        if has_social and not site_table_exists:
+            self.stdout.write(
+                f"Detected inconsistency in '{db}'. Creating 'django_site' table manually..."
+            )
+
+            with transaction.atomic(using=db):
+                with connection.schema_editor() as schema_editor:
+                    schema_editor.create_model(Site)
+
+                recorder.record_applied("sites", "0001_initial")
+                recorder.record_applied("sites", "0002_alter_domain_unique")
+
+            self.stdout.write(
+                "Fixed: 'django_site' table created and migrations registered."
+            )
+
+            # Ensure the relationship table also exists
+            if not table_exists("socialaccount_socialapp_sites"):
+                self.stdout.write(
+                    "Detected missing 'socialaccount_socialapp_sites' table. Creating manually..."
+                )
+                with connection.schema_editor() as schema_editor:
+                    from allauth.socialaccount.models import SocialApp
+
+                    schema_editor.create_model(
+                        SocialApp._meta.get_field("sites").remote_field.through
+                    )
+                self.stdout.write(
+                    "Fixed: 'socialaccount_socialapp_sites' table created."
+                )
--- a/api/src/backend/api/middleware.py
+++ b/api/src/backend/api/middleware.py
@@ -8,9 +8,14 @@ def extract_auth_info(request) -> dict:
    if getattr(request, "auth", None) is not None:
        tenant_id = request.auth.get("tenant_id", "N/A")
        user_id = request.auth.get("sub", "N/A")
+        api_key_prefix = request.auth.get("api_key_prefix", "N/A")
    else:
-        tenant_id, user_id = "N/A", "N/A"
-    return {"tenant_id": tenant_id, "user_id": user_id}
+        tenant_id, user_id, api_key_prefix = "N/A", "N/A", "N/A"
+    return {
+        "tenant_id": tenant_id,
+        "user_id": user_id,
+        "api_key_prefix": api_key_prefix,
+    }


 class APILoggingMiddleware:
@@ -38,6 +43,7 @@ class APILoggingMiddleware:
            extra={
                "user_id": auth_info["user_id"],
                "tenant_id": auth_info["tenant_id"],
+                "api_key_prefix": auth_info["api_key_prefix"],
                "method": request.method,
                "path": request.path,
                "query_params": request.GET.dict(),
--- a/api/src/backend/api/migrations/0026_provider_secret_gcp_service_account.py
+++ b/api/src/backend/api/migrations/0026_provider_secret_gcp_service_account.py
@@ -0,0 +1,14 @@
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0025_findings_uid_index_parent"),
+    ]
+
+    operations = [
+        migrations.RunSQL(
+            "ALTER TYPE provider_secret_type ADD VALUE IF NOT EXISTS 'service_account';",
+            reverse_sql=migrations.RunSQL.noop,
+        ),
+    ]
--- a/api/src/backend/api/migrations/0027_compliance_requirement_overviews.py
+++ b/api/src/backend/api/migrations/0027_compliance_requirement_overviews.py
@@ -0,0 +1,124 @@
+# Generated by Django 5.1.8 on 2025-05-21 11:37
+
+import uuid
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+import api.db_utils
+import api.rls
+from api.rls import RowLevelSecurityConstraint
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0026_provider_secret_gcp_service_account"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="ComplianceRequirementOverview",
+            fields=[
+                (
+                    "id",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                ("inserted_at", models.DateTimeField(auto_now_add=True)),
+                ("compliance_id", models.TextField(blank=False)),
+                ("framework", models.TextField(blank=False)),
+                ("version", models.TextField(blank=True)),
+                ("description", models.TextField(blank=True)),
+                ("region", models.TextField(blank=False)),
+                ("requirement_id", models.TextField(blank=False)),
+                (
+                    "requirement_status",
+                    api.db_utils.StatusEnumField(
+                        choices=[
+                            ("FAIL", "Fail"),
+                            ("PASS", "Pass"),
+                            ("MANUAL", "Manual"),
+                        ]
+                    ),
+                ),
+                ("passed_checks", models.IntegerField(default=0)),
+                ("failed_checks", models.IntegerField(default=0)),
+                ("total_checks", models.IntegerField(default=0)),
+                (
+                    "scan",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="compliance_requirements_overviews",
+                        related_query_name="compliance_requirements_overview",
+                        to="api.scan",
+                    ),
+                ),
+                (
+                    "tenant",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
+                    ),
+                ),
+            ],
+            options={
+                "db_table": "compliance_requirements_overviews",
+                "abstract": False,
+                "indexes": [
+                    models.Index(
+                        fields=["tenant_id", "scan_id"], name="cro_tenant_scan_idx"
+                    ),
+                    models.Index(
+                        fields=["tenant_id", "scan_id", "compliance_id"],
+                        name="cro_scan_comp_idx",
+                    ),
+                    models.Index(
+                        fields=["tenant_id", "scan_id", "compliance_id", "region"],
+                        name="cro_scan_comp_reg_idx",
+                    ),
+                    models.Index(
+                        fields=[
+                            "tenant_id",
+                            "scan_id",
+                            "compliance_id",
+                            "requirement_id",
+                        ],
+                        name="cro_scan_comp_req_idx",
+                    ),
+                    models.Index(
+                        fields=[
+                            "tenant_id",
+                            "scan_id",
+                            "compliance_id",
+                            "requirement_id",
+                            "region",
+                        ],
+                        name="cro_scan_comp_req_reg_idx",
+                    ),
+                ],
+                "constraints": [
+                    models.UniqueConstraint(
+                        fields=(
+                            "tenant_id",
+                            "scan_id",
+                            "compliance_id",
+                            "requirement_id",
+                            "region",
+                        ),
+                        name="unique_tenant_compliance_requirement_overview",
+                    )
+                ],
+            },
+        ),
+        migrations.AddConstraint(
+            model_name="ComplianceRequirementOverview",
+            constraint=RowLevelSecurityConstraint(
+                "tenant_id",
+                name="rls_on_compliancerequirementoverview",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+        ),
+    ]
--- a/api/src/backend/api/migrations/0028_findings_check_index_partitions.py
+++ b/api/src/backend/api/migrations/0028_findings_check_index_partitions.py
@@ -0,0 +1,29 @@
+from functools import partial
+
+from django.db import migrations
+
+from api.db_utils import create_index_on_partitions, drop_index_on_partitions
+
+
+class Migration(migrations.Migration):
+    atomic = False
+
+    dependencies = [
+        ("api", "0027_compliance_requirement_overviews"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            partial(
+                create_index_on_partitions,
+                parent_table="findings",
+                index_name="find_tenant_scan_check_idx",
+                columns="tenant_id, scan_id, check_id",
+            ),
+            reverse_code=partial(
+                drop_index_on_partitions,
+                parent_table="findings",
+                index_name="find_tenant_scan_check_idx",
+            ),
+        )
+    ]
--- a/api/src/backend/api/migrations/0029_findings_check_index_parent.py
+++ b/api/src/backend/api/migrations/0029_findings_check_index_parent.py
@@ -0,0 +1,17 @@
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0028_findings_check_index_partitions"),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="finding",
+            index=models.Index(
+                fields=["tenant_id", "scan_id", "check_id"],
+                name="find_tenant_scan_check_idx",
+            ),
+        ),
+    ]
--- a/api/src/backend/api/migrations/0030_lighthouseconfiguration.py
+++ b/api/src/backend/api/migrations/0030_lighthouseconfiguration.py
@@ -0,0 +1,107 @@
+# Generated by Django 5.1.10 on 2025-06-12 12:45
+
+import uuid
+
+import django.core.validators
+import django.db.models.deletion
+from django.db import migrations, models
+
+import api.rls
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0029_findings_check_index_parent"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="LighthouseConfiguration",
+            fields=[
+                (
+                    "id",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                ("inserted_at", models.DateTimeField(auto_now_add=True)),
+                ("updated_at", models.DateTimeField(auto_now=True)),
+                (
+                    "name",
+                    models.CharField(
+                        help_text="Name of the configuration",
+                        max_length=100,
+                        validators=[django.core.validators.MinLengthValidator(3)],
+                    ),
+                ),
+                (
+                    "api_key",
+                    models.BinaryField(
+                        help_text="Encrypted API key for the LLM service"
+                    ),
+                ),
+                (
+                    "model",
+                    models.CharField(
+                        choices=[
+                            ("gpt-4o-2024-11-20", "GPT-4o v2024-11-20"),
+                            ("gpt-4o-2024-08-06", "GPT-4o v2024-08-06"),
+                            ("gpt-4o-2024-05-13", "GPT-4o v2024-05-13"),
+                            ("gpt-4o", "GPT-4o Default"),
+                            ("gpt-4o-mini-2024-07-18", "GPT-4o Mini v2024-07-18"),
+                            ("gpt-4o-mini", "GPT-4o Mini Default"),
+                        ],
+                        default="gpt-4o-2024-08-06",
+                        help_text="Must be one of the supported model names",
+                        max_length=50,
+                    ),
+                ),
+                (
+                    "temperature",
+                    models.FloatField(default=0, help_text="Must be between 0 and 1"),
+                ),
+                (
+                    "max_tokens",
+                    models.IntegerField(
+                        default=4000, help_text="Must be between 500 and 5000"
+                    ),
+                ),
+                (
+                    "business_context",
+                    models.TextField(
+                        blank=True,
+                        default="",
+                        help_text="Additional business context for this AI model configuration",
+                    ),
+                ),
+                ("is_active", models.BooleanField(default=True)),
+                (
+                    "tenant",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
+                    ),
+                ),
+            ],
+            options={
+                "db_table": "lighthouse_configurations",
+                "abstract": False,
+                "constraints": [
+                    models.UniqueConstraint(
+                        fields=("tenant_id",),
+                        name="unique_lighthouse_config_per_tenant",
+                    ),
+                ],
+            },
+        ),
+        migrations.AddConstraint(
+            model_name="lighthouseconfiguration",
+            constraint=api.rls.RowLevelSecurityConstraint(
+                "tenant_id",
+                name="rls_on_lighthouseconfiguration",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+        ),
+    ]
--- a/api/src/backend/api/migrations/0031_scan_disable_on_cascade_periodic_tasks.py
+++ b/api/src/backend/api/migrations/0031_scan_disable_on_cascade_periodic_tasks.py
@@ -0,0 +1,24 @@
+# Generated by Django 5.1.10 on 2025-06-23 10:04
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0030_lighthouseconfiguration"),
+        ("django_celery_beat", "0019_alter_periodictasks_options"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="scan",
+            name="scheduler_task",
+            field=models.ForeignKey(
+                blank=True,
+                null=True,
+                on_delete=django.db.models.deletion.SET_NULL,
+                to="django_celery_beat.periodictask",
+            ),
+        ),
+    ]
--- a/api/src/backend/api/migrations/0032_saml.py
+++ b/api/src/backend/api/migrations/0032_saml.py
@@ -0,0 +1,150 @@
+# Generated by Django 5.1.10 on 2025-07-02 15:47
+
+import uuid
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+import api.db_utils
+import api.rls
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0031_scan_disable_on_cascade_periodic_tasks"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="integration",
+            name="integration_type",
+            field=api.db_utils.IntegrationTypeEnumField(
+                choices=[
+                    ("amazon_s3", "Amazon S3"),
+                    ("aws_security_hub", "AWS Security Hub"),
+                    ("jira", "JIRA"),
+                    ("slack", "Slack"),
+                ]
+            ),
+        ),
+        migrations.CreateModel(
+            name="SAMLToken",
+            fields=[
+                (
+                    "id",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                ("inserted_at", models.DateTimeField(auto_now_add=True)),
+                ("updated_at", models.DateTimeField(auto_now=True)),
+                ("expires_at", models.DateTimeField(editable=False)),
+                ("token", models.JSONField(unique=True)),
+                (
+                    "user",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+            ],
+            options={
+                "db_table": "saml_tokens",
+            },
+        ),
+        migrations.CreateModel(
+            name="SAMLConfiguration",
+            fields=[
+                (
+                    "id",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                (
+                    "email_domain",
+                    models.CharField(
+                        help_text="Email domain used to identify the tenant, e.g. prowlerdemo.com",
+                        max_length=254,
+                        unique=True,
+                    ),
+                ),
+                (
+                    "metadata_xml",
+                    models.TextField(
+                        help_text="Raw IdP metadata XML to configure SingleSignOnService, certificates, etc."
+                    ),
+                ),
+                ("created_at", models.DateTimeField(auto_now_add=True)),
+                ("updated_at", models.DateTimeField(auto_now=True)),
+                (
+                    "tenant",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
+                    ),
+                ),
+            ],
+            options={
+                "db_table": "saml_configurations",
+            },
+        ),
+        migrations.AddConstraint(
+            model_name="samlconfiguration",
+            constraint=api.rls.RowLevelSecurityConstraint(
+                "tenant_id",
+                name="rls_on_samlconfiguration",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+        ),
+        migrations.AddConstraint(
+            model_name="samlconfiguration",
+            constraint=models.UniqueConstraint(
+                fields=("tenant",), name="unique_samlconfig_per_tenant"
+            ),
+        ),
+        migrations.CreateModel(
+            name="SAMLDomainIndex",
+            fields=[
+                (
+                    "id",
+                    models.BigAutoField(
+                        auto_created=True,
+                        primary_key=True,
+                        serialize=False,
+                        verbose_name="ID",
+                    ),
+                ),
+                ("email_domain", models.CharField(max_length=254, unique=True)),
+                (
+                    "tenant",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
+                    ),
+                ),
+            ],
+            options={
+                "db_table": "saml_domain_index",
+            },
+        ),
+        migrations.AddConstraint(
+            model_name="samldomainindex",
+            constraint=models.UniqueConstraint(
+                fields=("email_domain", "tenant"),
+                name="unique_resources_by_email_domain",
+            ),
+        ),
+        migrations.AddConstraint(
+            model_name="samldomainindex",
+            constraint=api.rls.BaseSecurityConstraint(
+                name="statements_on_samldomainindex",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+        ),
+    ]
--- a/api/src/backend/api/migrations/0033_processors_enum.py
+++ b/api/src/backend/api/migrations/0033_processors_enum.py
@@ -0,0 +1,34 @@
+# Generated by Django 5.1.5 on 2025-03-03 15:46
+
+from functools import partial
+
+from django.db import migrations
+
+from api.db_utils import PostgresEnumMigration, ProcessorTypeEnum, register_enum
+from api.models import Processor
+
+ProcessorTypeEnumMigration = PostgresEnumMigration(
+    enum_name="processor_type",
+    enum_values=tuple(
+        processor_type[0] for processor_type in Processor.ProcessorChoices.choices
+    ),
+)
+
+
+class Migration(migrations.Migration):
+    atomic = False
+
+    dependencies = [
+        ("api", "0032_saml"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            ProcessorTypeEnumMigration.create_enum_type,
+            reverse_code=ProcessorTypeEnumMigration.drop_enum_type,
+        ),
+        migrations.RunPython(
+            partial(register_enum, enum_class=ProcessorTypeEnum),
+            reverse_code=migrations.RunPython.noop,
+        ),
+    ]
--- a/api/src/backend/api/migrations/0034_processors.py
+++ b/api/src/backend/api/migrations/0034_processors.py
@@ -0,0 +1,88 @@
+# Generated by Django 5.1.5 on 2025-03-26 13:04
+
+import uuid
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+import api.db_utils
+import api.rls
+from api.rls import RowLevelSecurityConstraint
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0033_processors_enum"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="Processor",
+            fields=[
+                (
+                    "id",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                ("inserted_at", models.DateTimeField(auto_now_add=True)),
+                ("updated_at", models.DateTimeField(auto_now=True)),
+                (
+                    "processor_type",
+                    api.db_utils.ProcessorTypeEnumField(
+                        choices=[("mutelist", "Mutelist")]
+                    ),
+                ),
+                ("configuration", models.JSONField(default=dict)),
+                (
+                    "tenant",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
+                    ),
+                ),
+            ],
+            options={
+                "db_table": "processors",
+                "abstract": False,
+                "indexes": [
+                    models.Index(
+                        fields=["tenant_id", "id"], name="processor_tenant_id_idx"
+                    ),
+                    models.Index(
+                        fields=["tenant_id", "processor_type"],
+                        name="processor_tenant_type_idx",
+                    ),
+                ],
+            },
+        ),
+        migrations.AddConstraint(
+            model_name="processor",
+            constraint=models.UniqueConstraint(
+                fields=("tenant_id", "processor_type"),
+                name="unique_processor_types_tenant",
+            ),
+        ),
+        migrations.AddConstraint(
+            model_name="processor",
+            constraint=RowLevelSecurityConstraint(
+                "tenant_id",
+                name="rls_on_processor",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+        ),
+        migrations.AddField(
+            model_name="scan",
+            name="processor",
+            field=models.ForeignKey(
+                blank=True,
+                null=True,
+                on_delete=django.db.models.deletion.SET_NULL,
+                related_name="scans",
+                related_query_name="scan",
+                to="api.processor",
+            ),
+        ),
+    ]
--- a/api/src/backend/api/migrations/0035_finding_muted_reason.py
+++ b/api/src/backend/api/migrations/0035_finding_muted_reason.py
@@ -0,0 +1,22 @@
+import django.core.validators
+import django.db.models.deletion
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0034_processors"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="finding",
+            name="muted_reason",
+            field=models.TextField(
+                blank=True,
+                max_length=500,
+                null=True,
+                validators=[django.core.validators.MinLengthValidator(3)],
+            ),
+        ),
+    ]
--- a/api/src/backend/api/migrations/0036_rfm_tenant_finding_index_partitions.py
+++ b/api/src/backend/api/migrations/0036_rfm_tenant_finding_index_partitions.py
@@ -0,0 +1,30 @@
+from functools import partial
+
+from django.db import migrations
+
+from api.db_utils import create_index_on_partitions, drop_index_on_partitions
+
+
+class Migration(migrations.Migration):
+    atomic = False
+
+    dependencies = [
+        ("api", "0035_finding_muted_reason"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            partial(
+                create_index_on_partitions,
+                parent_table="resource_finding_mappings",
+                index_name="rfm_tenant_finding_idx",
+                columns="tenant_id, finding_id",
+                method="BTREE",
+            ),
+            reverse_code=partial(
+                drop_index_on_partitions,
+                parent_table="resource_finding_mappings",
+                index_name="rfm_tenant_finding_idx",
+            ),
+        ),
+    ]
--- a/api/src/backend/api/migrations/0037_rfm_tenant_finding_index_parent.py
+++ b/api/src/backend/api/migrations/0037_rfm_tenant_finding_index_parent.py
@@ -0,0 +1,17 @@
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0036_rfm_tenant_finding_index_partitions"),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="resourcefindingmapping",
+            index=models.Index(
+                fields=["tenant_id", "finding_id"],
+                name="rfm_tenant_finding_idx",
+            ),
+        ),
+    ]
--- a/api/src/backend/api/migrations/0038_resource_failed_findings_count.py
+++ b/api/src/backend/api/migrations/0038_resource_failed_findings_count.py
@@ -0,0 +1,15 @@
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0037_rfm_tenant_finding_index_parent"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="resource",
+            name="failed_findings_count",
+            field=models.IntegerField(default=0),
+        )
+    ]
--- a/api/src/backend/api/migrations/0039_resource_resources_failed_findings_idx.py
+++ b/api/src/backend/api/migrations/0039_resource_resources_failed_findings_idx.py
@@ -0,0 +1,20 @@
+from django.contrib.postgres.operations import AddIndexConcurrently
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    atomic = False
+
+    dependencies = [
+        ("api", "0038_resource_failed_findings_count"),
+    ]
+
+    operations = [
+        AddIndexConcurrently(
+            model_name="resource",
+            index=models.Index(
+                fields=["tenant_id", "-failed_findings_count", "id"],
+                name="resources_failed_findings_idx",
+            ),
+        ),
+    ]
--- a/api/src/backend/api/migrations/0040_rfm_tenant_resource_index_partitions.py
+++ b/api/src/backend/api/migrations/0040_rfm_tenant_resource_index_partitions.py
@@ -0,0 +1,30 @@
+from functools import partial
+
+from django.db import migrations
+
+from api.db_utils import create_index_on_partitions, drop_index_on_partitions
+
+
+class Migration(migrations.Migration):
+    atomic = False
+
+    dependencies = [
+        ("api", "0039_resource_resources_failed_findings_idx"),
+    ]
+
+    operations = [
+        migrations.RunPython(
+            partial(
+                create_index_on_partitions,
+                parent_table="resource_finding_mappings",
+                index_name="rfm_tenant_resource_idx",
+                columns="tenant_id, resource_id",
+                method="BTREE",
+            ),
+            reverse_code=partial(
+                drop_index_on_partitions,
+                parent_table="resource_finding_mappings",
+                index_name="rfm_tenant_resource_idx",
+            ),
+        ),
+    ]
--- a/api/src/backend/api/migrations/0041_rfm_tenant_resource_parent_partitions.py
+++ b/api/src/backend/api/migrations/0041_rfm_tenant_resource_parent_partitions.py
@@ -0,0 +1,17 @@
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0040_rfm_tenant_resource_index_partitions"),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name="resourcefindingmapping",
+            index=models.Index(
+                fields=["tenant_id", "resource_id"],
+                name="rfm_tenant_resource_idx",
+            ),
+        ),
+    ]
--- a/api/src/backend/api/migrations/0042_scan_scans_prov_ins_desc_idx.py
+++ b/api/src/backend/api/migrations/0042_scan_scans_prov_ins_desc_idx.py
@@ -0,0 +1,23 @@
+from django.contrib.postgres.operations import AddIndexConcurrently
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    atomic = False
+
+    dependencies = [
+        ("api", "0041_rfm_tenant_resource_parent_partitions"),
+        ("django_celery_beat", "0019_alter_periodictasks_options"),
+    ]
+
+    operations = [
+        AddIndexConcurrently(
+            model_name="scan",
+            index=models.Index(
+                condition=models.Q(("state", "completed")),
+                fields=["tenant_id", "provider_id", "-inserted_at"],
+                include=("id",),
+                name="scans_prov_ins_desc_idx",
+            ),
+        ),
+    ]
--- a/api/src/backend/api/migrations/0043_github_provider.py
+++ b/api/src/backend/api/migrations/0043_github_provider.py
@@ -0,0 +1,33 @@
+# Generated by Django 5.1.7 on 2025-07-09 14:44
+
+from django.db import migrations
+
+import api.db_utils
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0042_scan_scans_prov_ins_desc_idx"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="provider",
+            name="provider",
+            field=api.db_utils.ProviderEnumField(
+                choices=[
+                    ("aws", "AWS"),
+                    ("azure", "Azure"),
+                    ("gcp", "GCP"),
+                    ("kubernetes", "Kubernetes"),
+                    ("m365", "M365"),
+                    ("github", "GitHub"),
+                ],
+                default="aws",
+            ),
+        ),
+        migrations.RunSQL(
+            "ALTER TYPE provider ADD VALUE IF NOT EXISTS 'github';",
+            reverse_sql=migrations.RunSQL.noop,
+        ),
+    ]
--- a/api/src/backend/api/migrations/0044_integration_unique_configuration_per_tenant.py
+++ b/api/src/backend/api/migrations/0044_integration_unique_configuration_per_tenant.py
@@ -0,0 +1,19 @@
+# Generated by Django 5.1.10 on 2025-07-17 11:52
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0043_github_provider"),
+    ]
+
+    operations = [
+        migrations.AddConstraint(
+            model_name="integration",
+            constraint=models.UniqueConstraint(
+                fields=("configuration", "tenant"),
+                name="unique_configuration_per_tenant",
+            ),
+        ),
+    ]
--- a/api/src/backend/api/migrations/0045_alter_scan_output_location.py
+++ b/api/src/backend/api/migrations/0045_alter_scan_output_location.py
@@ -0,0 +1,17 @@
+# Generated by Django 5.1.10 on 2025-07-21 16:08
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0044_integration_unique_configuration_per_tenant"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="scan",
+            name="output_location",
+            field=models.CharField(blank=True, max_length=4096, null=True),
+        ),
+    ]
--- a/api/src/backend/api/migrations/0046_lighthouse_gpt5.py
+++ b/api/src/backend/api/migrations/0046_lighthouse_gpt5.py
@@ -0,0 +1,33 @@
+# Generated by Django 5.1.10 on 2025-08-20 09:04
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0045_alter_scan_output_location"),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name="lighthouseconfiguration",
+            name="model",
+            field=models.CharField(
+                choices=[
+                    ("gpt-4o-2024-11-20", "GPT-4o v2024-11-20"),
+                    ("gpt-4o-2024-08-06", "GPT-4o v2024-08-06"),
+                    ("gpt-4o-2024-05-13", "GPT-4o v2024-05-13"),
+                    ("gpt-4o", "GPT-4o Default"),
+                    ("gpt-4o-mini-2024-07-18", "GPT-4o Mini v2024-07-18"),
+                    ("gpt-4o-mini", "GPT-4o Mini Default"),
+                    ("gpt-5-2025-08-07", "GPT-5 v2025-08-07"),
+                    ("gpt-5", "GPT-5 Default"),
+                    ("gpt-5-mini-2025-08-07", "GPT-5 Mini v2025-08-07"),
+                    ("gpt-5-mini", "GPT-5 Mini Default"),
+                ],
+                default="gpt-4o-2024-08-06",
+                help_text="Must be one of the supported model names",
+                max_length=50,
+            ),
+        ),
+    ]
--- a/api/src/backend/api/migrations/0047_remove_integration_unique_configuration_per_tenant.py
+++ b/api/src/backend/api/migrations/0047_remove_integration_unique_configuration_per_tenant.py
@@ -0,0 +1,16 @@
+# Generated by Django 5.1.10 on 2025-08-20 08:24
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0046_lighthouse_gpt5"),
+    ]
+
+    operations = [
+        migrations.RemoveConstraint(
+            model_name="integration",
+            name="unique_configuration_per_tenant",
+        ),
+    ]
--- a/api/src/backend/api/migrations/0048_api_key.py
+++ b/api/src/backend/api/migrations/0048_api_key.py
@@ -0,0 +1,136 @@
+# Generated by Django 5.1.12 on 2025-09-30 13:10
+
+import uuid
+
+import django.core.validators
+import django.db.models.deletion
+import drf_simple_apikey.models
+from django.conf import settings
+from django.db import migrations, models
+
+import api.db_utils
+import api.rls
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0047_remove_integration_unique_configuration_per_tenant"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="TenantAPIKey",
+            fields=[
+                (
+                    "name",
+                    models.CharField(
+                        max_length=255,
+                        validators=[django.core.validators.MinLengthValidator(3)],
+                    ),
+                ),
+                (
+                    "expiry_date",
+                    models.DateTimeField(
+                        default=drf_simple_apikey.models._expiry_date,
+                        help_text="Once API key expires, entities cannot use it anymore.",
+                        verbose_name="Expires",
+                    ),
+                ),
+                (
+                    "revoked",
+                    models.BooleanField(
+                        blank=True,
+                        default=False,
+                        help_text="If the API key is revoked, entities cannot use it anymore. (This cannot be undone.)",
+                    ),
+                ),
+                ("created", models.DateTimeField(auto_now=True)),
+                (
+                    "whitelisted_ips",
+                    models.JSONField(
+                        blank=True,
+                        help_text="List of allowed IP addresses for this API key.",
+                        null=True,
+                    ),
+                ),
+                (
+                    "blacklisted_ips",
+                    models.JSONField(
+                        blank=True,
+                        help_text="List of denied IP addresses for this API key.",
+                        null=True,
+                    ),
+                ),
+                (
+                    "id",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                (
+                    "prefix",
+                    models.CharField(
+                        default=api.db_utils.generate_api_key_prefix,
+                        editable=False,
+                        help_text="Unique prefix to identify the API key",
+                        max_length=11,
+                        unique=True,
+                    ),
+                ),
+                (
+                    "last_used_at",
+                    models.DateTimeField(
+                        blank=True,
+                        help_text="Last time this API key was used for authentication",
+                        null=True,
+                    ),
+                ),
+                (
+                    "entity",
+                    models.ForeignKey(
+                        blank=True,
+                        null=True,
+                        on_delete=django.db.models.deletion.SET_NULL,
+                        related_name="user_api_keys",
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+                (
+                    "tenant",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
+                    ),
+                ),
+            ],
+            options={
+                "db_table": "api_keys",
+                "abstract": False,
+                "indexes": [
+                    models.Index(
+                        fields=["tenant_id", "prefix"],
+                        name="api_keys_tenant_prefix_idx",
+                    )
+                ],
+                "constraints": [
+                    models.UniqueConstraint(
+                        fields=("tenant_id", "prefix"), name="unique_api_key_prefixes"
+                    ),
+                    models.UniqueConstraint(
+                        fields=("tenant_id", "name"),
+                        name="unique_api_key_name_per_tenant",
+                    ),
+                ],
+            },
+        ),
+        migrations.AddConstraint(
+            model_name="tenantapikey",
+            constraint=api.rls.RowLevelSecurityConstraint(
+                "tenant_id",
+                name="rls_on_tenantapikey",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+        ),
+    ]
--- a/api/src/backend/api/migrations/0049_compliancerequirementoverview_passed_failed_findings.py
+++ b/api/src/backend/api/migrations/0049_compliancerequirementoverview_passed_failed_findings.py
@@ -0,0 +1,21 @@
+# Generated by Django 5.1.12 on 2025-10-07 10:41
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0048_api_key"),
+    ]
+    operations = [
+        migrations.AddField(
+            model_name="compliancerequirementoverview",
+            name="passed_findings",
+            field=models.IntegerField(default=0),
+        ),
+        migrations.AddField(
+            model_name="compliancerequirementoverview",
+            name="total_findings",
+            field=models.IntegerField(default=0),
+        ),
+    ]
--- a/api/src/backend/api/models.py
+++ b/api/src/backend/api/models.py
@@ -1,30 +1,42 @@
 import json
+import logging
 import re
+import xml.etree.ElementTree as ET
+from datetime import datetime, timedelta, timezone
 from uuid import UUID, uuid4

-from cryptography.fernet import Fernet
+from allauth.socialaccount.models import SocialApp
+from config.custom_logging import BackendLogger
+from config.settings.social_login import SOCIALACCOUNT_PROVIDERS
+from cryptography.fernet import Fernet, InvalidToken
 from django.conf import settings
 from django.contrib.auth.models import AbstractBaseUser
 from django.contrib.postgres.fields import ArrayField
 from django.contrib.postgres.indexes import GinIndex
 from django.contrib.postgres.search import SearchVector, SearchVectorField
+from django.contrib.sites.models import Site
+from django.core.exceptions import ValidationError
 from django.core.validators import MinLengthValidator
 from django.db import models
 from django.db.models import Q
 from django.utils.translation import gettext_lazy as _
 from django_celery_beat.models import PeriodicTask
 from django_celery_results.models import TaskResult
+from drf_simple_apikey.crypto import get_crypto
+from drf_simple_apikey.models import AbstractAPIKey, AbstractAPIKeyManager
 from psqlextra.manager import PostgresManager
 from psqlextra.models import PostgresPartitionedModel
 from psqlextra.types import PostgresPartitioningMethod
 from uuid6 import uuid7

+from api.db_router import MainRouter
 from api.db_utils import (
    CustomUserManager,
    FindingDeltaEnumField,
    IntegrationTypeEnumField,
    InvitationStateEnumField,
    MemberRoleEnumField,
+    ProcessorTypeEnumField,
    ProviderEnumField,
    ProviderSecretTypeEnumField,
    ScanTriggerEnumField,
@@ -32,6 +44,7 @@ from api.db_utils import (
    StateEnumField,
    StatusEnumField,
    enum_to_choices,
+    generate_api_key_prefix,
    generate_random_token,
    one_week_from_now,
 )
@@ -49,6 +62,8 @@ fernet = Fernet(settings.SECRETS_ENCRYPTION_KEY.encode())
 # Convert Prowler Severity enum to Django TextChoices
 SeverityChoices = enum_to_choices(Severity)

+logger = logging.getLogger(BackendLogger.API)
+

 class StatusChoices(models.TextChoices):
    """
@@ -62,6 +77,15 @@ class StatusChoices(models.TextChoices):
    MANUAL = "MANUAL", _("Manual")


+class OverviewStatusChoices(models.TextChoices):
+    """
+    Status filters allowed in overview/severity endpoints.
+    """
+
+    FAIL = "FAIL", _("Fail")
+    PASS = "PASS", _("Pass")
+
+
 class StateChoices(models.TextChoices):
    AVAILABLE = "available", _("Available")
    SCHEDULED = "scheduled", _("Scheduled")
@@ -104,6 +128,17 @@ class ActiveProviderPartitionedManager(PostgresManager, ActiveProviderManager):
        return super().get_queryset().filter(self.active_provider_filter())


+class TenantAPIKeyManager(AbstractAPIKeyManager):
+    separator = "."
+
+    def assign_api_key(self, obj) -> str:
+        payload = {"_pk": str(obj.pk), "_exp": obj.expiry_date.timestamp()}
+        key = get_crypto().generate(payload)
+
+        prefixed_key = f"{obj.prefix}{self.separator}{key}"
+        return prefixed_key
+
+
 class User(AbstractBaseUser):
    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
    name = models.CharField(max_length=150, validators=[MinLengthValidator(3)])
@@ -183,6 +218,60 @@ class Membership(models.Model):
        resource_name = "memberships"


+class TenantAPIKey(AbstractAPIKey, RowLevelSecurityProtectedModel):
+    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
+    name = models.CharField(max_length=100, validators=[MinLengthValidator(3)])
+    prefix = models.CharField(
+        max_length=11,
+        unique=True,
+        default=generate_api_key_prefix,
+        editable=False,
+        help_text="Unique prefix to identify the API key",
+    )
+    last_used_at = models.DateTimeField(
+        null=True,
+        blank=True,
+        help_text="Last time this API key was used for authentication",
+    )
+    entity = models.ForeignKey(
+        settings.AUTH_USER_MODEL,
+        on_delete=models.SET_NULL,
+        null=True,
+        blank=True,
+        related_name="user_api_keys",
+    )
+
+    objects = TenantAPIKeyManager()
+
+    class Meta(RowLevelSecurityProtectedModel.Meta):
+        db_table = "api_keys"
+
+        constraints = [
+            RowLevelSecurityConstraint(
+                field="tenant_id",
+                name="rls_on_%(class)s",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+            models.UniqueConstraint(
+                fields=("tenant_id", "prefix"),
+                name="unique_api_key_prefixes",
+            ),
+            models.UniqueConstraint(
+                fields=("tenant_id", "name"),
+                name="unique_api_key_name_per_tenant",
+            ),
+        ]
+
+        indexes = [
+            models.Index(
+                fields=["tenant_id", "prefix"], name="api_keys_tenant_prefix_idx"
+            ),
+        ]
+
+    class JSONAPIMeta:
+        resource_name = "api-keys"
+
+
 class Provider(RowLevelSecurityProtectedModel):
    objects = ActiveProviderManager()
    all_objects = models.Manager()
@@ -193,6 +282,7 @@ class Provider(RowLevelSecurityProtectedModel):
        GCP = "gcp", _("GCP")
        KUBERNETES = "kubernetes", _("Kubernetes")
        M365 = "m365", _("M365")
+        GITHUB = "github", _("GitHub")

    @staticmethod
    def validate_aws_uid(value):
@@ -253,6 +343,16 @@ class Provider(RowLevelSecurityProtectedModel):
                pointer="/data/attributes/uid",
            )

+    @staticmethod
+    def validate_github_uid(value):
+        if not re.match(r"^[a-zA-Z0-9][a-zA-Z0-9-]{0,38}$", value):
+            raise ModelValidationError(
+                detail="GitHub provider ID must be a valid GitHub username or organization name (1-39 characters, "
+                "starting with alphanumeric, containing only alphanumeric characters and hyphens).",
+                code="github-uid",
+                pointer="/data/attributes/uid",
+            )
+
    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
    updated_at = models.DateTimeField(auto_now=True, editable=False)
@@ -398,20 +498,6 @@ class Scan(RowLevelSecurityProtectedModel):
    name = models.CharField(
        blank=True, null=True, max_length=100, validators=[MinLengthValidator(3)]
    )
-    provider = models.ForeignKey(
-        Provider,
-        on_delete=models.CASCADE,
-        related_name="scans",
-        related_query_name="scan",
-    )
-    task = models.ForeignKey(
-        Task,
-        on_delete=models.CASCADE,
-        related_name="scans",
-        related_query_name="scan",
-        null=True,
-        blank=True,
-    )
    trigger = ScanTriggerEnumField(
        choices=TriggerChoices.choices,
    )
@@ -427,11 +513,31 @@ class Scan(RowLevelSecurityProtectedModel):
    completed_at = models.DateTimeField(null=True, blank=True)
    next_scan_at = models.DateTimeField(null=True, blank=True)
    scheduler_task = models.ForeignKey(
-        PeriodicTask, on_delete=models.CASCADE, null=True, blank=True
+        PeriodicTask, on_delete=models.SET_NULL, null=True, blank=True
+    )
+    output_location = models.CharField(blank=True, null=True, max_length=4096)
+    provider = models.ForeignKey(
+        Provider,
+        on_delete=models.CASCADE,
+        related_name="scans",
+        related_query_name="scan",
+    )
+    task = models.ForeignKey(
+        Task,
+        on_delete=models.CASCADE,
+        related_name="scans",
+        related_query_name="scan",
+        null=True,
+        blank=True,
+    )
+    processor = models.ForeignKey(
+        "Processor",
+        on_delete=models.SET_NULL,
+        related_name="scans",
+        related_query_name="scan",
+        null=True,
+        blank=True,
    )
-    output_location = models.CharField(blank=True, null=True, max_length=200)
-
-    # TODO: mutelist foreign key

    class Meta(RowLevelSecurityProtectedModel.Meta):
        db_table = "scans"
@@ -458,6 +564,13 @@ class Scan(RowLevelSecurityProtectedModel):
                condition=Q(state=StateChoices.COMPLETED),
                name="scans_prov_state_ins_desc_idx",
            ),
+            # TODO This might replace `scans_prov_state_ins_desc_idx` completely. Review usage
+            models.Index(
+                fields=["tenant_id", "provider_id", "-inserted_at"],
+                condition=Q(state=StateChoices.COMPLETED),
+                include=["id"],
+                name="scans_prov_ins_desc_idx",
+            ),
        ]

    class JSONAPIMeta:
@@ -543,6 +656,8 @@ class Resource(RowLevelSecurityProtectedModel):
    details = models.TextField(blank=True, null=True)
    partition = models.TextField(blank=True, null=True)

+    failed_findings_count = models.IntegerField(default=0)
+
    # Relationships
    tags = models.ManyToManyField(
        ResourceTag,
@@ -589,6 +704,10 @@ class Resource(RowLevelSecurityProtectedModel):
                fields=["tenant_id", "provider_id"],
                name="resources_tenant_provider_idx",
            ),
+            models.Index(
+                fields=["tenant_id", "-failed_findings_count", "id"],
+                name="resources_failed_findings_idx",
+            ),
        ]

        constraints = [
@@ -687,6 +806,9 @@ class Finding(PostgresPartitionedModel, RowLevelSecurityProtectedModel):
    check_id = models.CharField(max_length=100, blank=False, null=False)
    check_metadata = models.JSONField(default=dict, null=False)
    muted = models.BooleanField(default=False, null=False)
+    muted_reason = models.TextField(
+        blank=True, null=True, validators=[MinLengthValidator(3)], max_length=500
+    )
    compliance = models.JSONField(default=dict, null=True, blank=True)

    # Denormalize resource data for performance
@@ -762,6 +884,10 @@ class Finding(PostgresPartitionedModel, RowLevelSecurityProtectedModel):
            GinIndex(fields=["resource_services"], name="gin_find_service_idx"),
            GinIndex(fields=["resource_regions"], name="gin_find_region_idx"),
            GinIndex(fields=["resource_types"], name="gin_find_rtype_idx"),
+            models.Index(
+                fields=["tenant_id", "scan_id", "check_id"],
+                name="find_tenant_scan_check_idx",
+            ),
        ]

    class JSONAPIMeta:
@@ -824,6 +950,16 @@ class ResourceFindingMapping(PostgresPartitionedModel, RowLevelSecurityProtected
        #   - tenant_id
        #   - id

+        indexes = [
+            models.Index(
+                fields=["tenant_id", "finding_id"],
+                name="rfm_tenant_finding_idx",
+            ),
+            models.Index(
+                fields=["tenant_id", "resource_id"],
+                name="rfm_tenant_resource_idx",
+            ),
+        ]
        constraints = [
            models.UniqueConstraint(
                fields=("tenant_id", "resource_id", "finding_id"),
@@ -850,6 +986,7 @@ class ProviderSecret(RowLevelSecurityProtectedModel):
    class TypeChoices(models.TextChoices):
        STATIC = "static", _("Key-value pairs")
        ROLE = "role", _("Role assumption")
+        SERVICE_ACCOUNT = "service_account", _("GCP Service Account Key")

    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
@@ -927,6 +1064,11 @@ class Invitation(RowLevelSecurityProtectedModel):
        null=True,
    )

+    def save(self, *args, **kwargs):
+        if self.email:
+            self.email = self.email.strip().lower()
+        super().save(*args, **kwargs)
+
    class Meta(RowLevelSecurityProtectedModel.Meta):
        db_table = "invitations"

@@ -1142,6 +1284,80 @@ class ComplianceOverview(RowLevelSecurityProtectedModel):
        resource_name = "compliance-overviews"


+class ComplianceRequirementOverview(RowLevelSecurityProtectedModel):
+    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
+    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
+    compliance_id = models.TextField(blank=False)
+    framework = models.TextField(blank=False)
+    version = models.TextField(blank=True)
+    description = models.TextField(blank=True)
+    region = models.TextField(blank=False)
+
+    requirement_id = models.TextField(blank=False)
+    requirement_status = StatusEnumField(choices=StatusChoices)
+    passed_checks = models.IntegerField(default=0)
+    failed_checks = models.IntegerField(default=0)
+    total_checks = models.IntegerField(default=0)
+    passed_findings = models.IntegerField(default=0)
+    total_findings = models.IntegerField(default=0)
+
+    scan = models.ForeignKey(
+        Scan,
+        on_delete=models.CASCADE,
+        related_name="compliance_requirements_overviews",
+        related_query_name="compliance_requirements_overview",
+    )
+
+    class Meta(RowLevelSecurityProtectedModel.Meta):
+        db_table = "compliance_requirements_overviews"
+
+        constraints = [
+            models.UniqueConstraint(
+                fields=(
+                    "tenant_id",
+                    "scan_id",
+                    "compliance_id",
+                    "requirement_id",
+                    "region",
+                ),
+                name="unique_tenant_compliance_requirement_overview",
+            ),
+            RowLevelSecurityConstraint(
+                field="tenant_id",
+                name="rls_on_%(class)s",
+                statements=["SELECT", "INSERT", "DELETE"],
+            ),
+        ]
+        indexes = [
+            models.Index(fields=["tenant_id", "scan_id"], name="cro_tenant_scan_idx"),
+            models.Index(
+                fields=["tenant_id", "scan_id", "compliance_id"],
+                name="cro_scan_comp_idx",
+            ),
+            models.Index(
+                fields=["tenant_id", "scan_id", "compliance_id", "region"],
+                name="cro_scan_comp_reg_idx",
+            ),
+            models.Index(
+                fields=["tenant_id", "scan_id", "compliance_id", "requirement_id"],
+                name="cro_scan_comp_req_idx",
+            ),
+            models.Index(
+                fields=[
+                    "tenant_id",
+                    "scan_id",
+                    "compliance_id",
+                    "requirement_id",
+                    "region",
+                ],
+                name="cro_scan_comp_req_reg_idx",
+            ),
+        ]
+
+    class JSONAPIMeta:
+        resource_name = "compliance-requirements-overviews"
+
+
 class ScanSummary(RowLevelSecurityProtectedModel):
    objects = ActiveProviderManager()
    all_objects = models.Manager()
@@ -1209,8 +1425,7 @@ class ScanSummary(RowLevelSecurityProtectedModel):

 class Integration(RowLevelSecurityProtectedModel):
    class IntegrationChoices(models.TextChoices):
-        S3 = "amazon_s3", _("Amazon S3")
-        SAML = "saml", _("SAML")
+        AMAZON_S3 = "amazon_s3", _("Amazon S3")
        AWS_SECURITY_HUB = "aws_security_hub", _("AWS Security Hub")
        JIRA = "jira", _("JIRA")
        SLACK = "slack", _("Slack")
@@ -1284,6 +1499,273 @@ class IntegrationProviderRelationship(RowLevelSecurityProtectedModel):
        ]


+class SAMLToken(models.Model):
+    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
+    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
+    updated_at = models.DateTimeField(auto_now=True, editable=False)
+    expires_at = models.DateTimeField(editable=False)
+    token = models.JSONField(unique=True)
+    user = models.ForeignKey(User, on_delete=models.CASCADE)
+
+    class Meta:
+        db_table = "saml_tokens"
+
+    def save(self, *args, **kwargs):
+        if not self.expires_at:
+            self.expires_at = datetime.now(timezone.utc) + timedelta(seconds=15)
+        super().save(*args, **kwargs)
+
+    def is_expired(self) -> bool:
+        return datetime.now(timezone.utc) >= self.expires_at
+
+
+class SAMLDomainIndex(models.Model):
+    """
+    Public index of SAML domains. No RLS. Used for fast lookup in SAML login flow.
+    """
+
+    email_domain = models.CharField(max_length=254, unique=True)
+    tenant = models.ForeignKey("Tenant", on_delete=models.CASCADE)
+
+    class Meta:
+        db_table = "saml_domain_index"
+
+        constraints = [
+            models.UniqueConstraint(
+                fields=("email_domain", "tenant"),
+                name="unique_resources_by_email_domain",
+            ),
+            BaseSecurityConstraint(
+                name="statements_on_%(class)s",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+        ]
+
+
+class SAMLConfiguration(RowLevelSecurityProtectedModel):
+    """
+    Stores per-tenant SAML settings, including email domain and IdP metadata.
+    Automatically syncs to a SocialApp instance on save.
+
+    Note:
+    This model exists to provide a tenant-aware abstraction over SAML configuration.
+    It supports row-level security, custom validation, and metadata parsing, enabling
+    Prowler to expose a clean API and admin interface for managing SAML integrations.
+
+    Although Django Allauth uses the SocialApp model to store provider configuration,
+    it is not designed for multi-tenant use. SocialApp lacks support for tenant scoping,
+    email domain mapping, and structured metadata handling.
+
+    By managing SAMLConfiguration separately, we ensure:
+        - Strong isolation between tenants via RLS.
+        - Ownership of raw IdP metadata and its validation.
+        - An explicit link between SAML config and business-level identifiers (e.g. email domain).
+        - Programmatic transformation into the SocialApp format used by Allauth.
+
+    In short, this model acts as a secure and user-friendly layer over Allauth's lower-level primitives.
+    """
+
+    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
+    email_domain = models.CharField(
+        max_length=254,
+        unique=True,
+        help_text="Email domain used to identify the tenant, e.g. prowlerdemo.com",
+    )
+    metadata_xml = models.TextField(
+        help_text="Raw IdP metadata XML to configure SingleSignOnService, certificates, etc."
+    )
+    created_at = models.DateTimeField(auto_now_add=True)
+    updated_at = models.DateTimeField(auto_now=True)
+
+    class JSONAPIMeta:
+        resource_name = "saml-configurations"
+
+    class Meta:
+        db_table = "saml_configurations"
+
+        constraints = [
+            RowLevelSecurityConstraint(
+                field="tenant_id",
+                name="rls_on_%(class)s",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+            # 1 config per tenant
+            models.UniqueConstraint(
+                fields=["tenant"],
+                name="unique_samlconfig_per_tenant",
+            ),
+        ]
+
+    def clean(self, old_email_domain=None, is_create=False):
+        # Domain must not contain @
+        if "@" in self.email_domain:
+            raise ValidationError({"email_domain": "Domain must not contain @"})
+
+        # Enforce at most one config per tenant
+        qs = SAMLConfiguration.objects.filter(tenant=self.tenant)
+        # Exclude ourselves in case of update
+        if self.pk:
+            qs = qs.exclude(pk=self.pk)
+        if qs.exists():
+            raise ValidationError(
+                {"tenant": "A SAML configuration already exists for this tenant."}
+            )
+
+        # The email domain must be unique in the entire system
+        qs = SAMLConfiguration.objects.using(MainRouter.admin_db).filter(
+            email_domain__iexact=self.email_domain
+        )
+        if qs.exists() and old_email_domain != self.email_domain:
+            raise ValidationError(
+                {"tenant": "There is a problem with your email domain."}
+            )
+
+        # The entityID must be unique in the system
+        idp_settings = self._parsed_metadata
+        entity_id = idp_settings.get("entity_id")
+
+        if entity_id:
+            # Find any SocialApp with this entityID
+            q = SocialApp.objects.filter(provider="saml", provider_id=entity_id)
+
+            # If updating, exclude our own SocialApp from the check
+            if not is_create:
+                q = q.exclude(client_id=old_email_domain)
+            else:
+                q = q.exclude(client_id=self.email_domain)
+
+            if q.exists():
+                raise ValidationError(
+                    {"metadata_xml": "There is a problem with your metadata."}
+                )
+
+    def save(self, *args, **kwargs):
+        self.email_domain = self.email_domain.strip().lower()
+        is_create = not SAMLConfiguration.objects.filter(pk=self.pk).exists()
+
+        if not is_create:
+            old = SAMLConfiguration.objects.get(pk=self.pk)
+            old_email_domain = old.email_domain
+            old_metadata_xml = old.metadata_xml
+        else:
+            old_email_domain = None
+            old_metadata_xml = None
+
+        self._parsed_metadata = self._parse_metadata()
+        self.clean(old_email_domain, is_create)
+        super().save(*args, **kwargs)
+
+        if is_create or (
+            old_email_domain != self.email_domain
+            or old_metadata_xml != self.metadata_xml
+        ):
+            self._sync_social_app(old_email_domain)
+
+        # Sync the public index
+        if not is_create and old_email_domain and old_email_domain != self.email_domain:
+            SAMLDomainIndex.objects.filter(email_domain=old_email_domain).delete()
+
+        # Create/update the new domain index
+        SAMLDomainIndex.objects.update_or_create(
+            email_domain=self.email_domain, defaults={"tenant": self.tenant}
+        )
+
+    def delete(self, *args, **kwargs):
+        super().delete(*args, **kwargs)
+
+        SocialApp.objects.filter(provider="saml", client_id=self.email_domain).delete()
+        SAMLDomainIndex.objects.filter(email_domain=self.email_domain).delete()
+
+    def _parse_metadata(self):
+        """
+        Parse the raw IdP metadata XML and extract:
+            - entity_id
+            - sso_url
+            - slo_url (may be None)
+            - x509cert (required)
+        """
+        ns = {
+            "md": "urn:oasis:names:tc:SAML:2.0:metadata",
+            "ds": "http://www.w3.org/2000/09/xmldsig#",
+        }
+        try:
+            root = ET.fromstring(self.metadata_xml)
+        except ET.ParseError as e:
+            raise ValidationError({"metadata_xml": f"Invalid XML: {e}"})
+
+        # Entity ID
+        entity_id = root.attrib.get("entityID")
+        if not entity_id:
+            raise ValidationError({"metadata_xml": "Missing entityID in metadata."})
+
+        # SSO endpoint (must exist)
+        sso = root.find(".//md:IDPSSODescriptor/md:SingleSignOnService", ns)
+        if sso is None or "Location" not in sso.attrib:
+            raise ValidationError(
+                {"metadata_xml": "Missing SingleSignOnService in metadata."}
+            )
+        sso_url = sso.attrib["Location"]
+
+        # SLO endpoint (optional)
+        slo = root.find(".//md:IDPSSODescriptor/md:SingleLogoutService", ns)
+        slo_url = slo.attrib.get("Location") if slo is not None else None
+
+        # X.509 certificate (required)
+        cert = root.find(
+            './/md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate',
+            ns,
+        )
+        if cert is None or not cert.text or not cert.text.strip():
+            raise ValidationError(
+                {
+                    "metadata_xml": 'Metadata must include a <ds:X509Certificate> under <KeyDescriptor use="signing">.'
+                }
+            )
+        x509cert = cert.text.strip()
+
+        return {
+            "entity_id": entity_id,
+            "sso_url": sso_url,
+            "slo_url": slo_url,
+            "x509cert": x509cert,
+        }
+
+    def _sync_social_app(self, previous_email_domain=None):
+        """
+        Create or update the corresponding SocialApp based on email_domain.
+        If the domain changed, update the matching SocialApp.
+        """
+        settings_dict = SOCIALACCOUNT_PROVIDERS["saml"].copy()
+        settings_dict["idp"] = self._parsed_metadata
+
+        current_site = Site.objects.get(id=settings.SITE_ID)
+
+        social_app_qs = SocialApp.objects.filter(
+            provider="saml", client_id=previous_email_domain or self.email_domain
+        )
+
+        client_id = self.email_domain[:191]
+        name = f"SAML-{self.email_domain}"[:40]
+
+        if social_app_qs.exists():
+            social_app = social_app_qs.first()
+            social_app.client_id = client_id
+            social_app.name = name
+            social_app.settings = settings_dict
+            social_app.provider_id = self._parsed_metadata["entity_id"]
+            social_app.save()
+            social_app.sites.set([current_site])
+        else:
+            social_app = SocialApp.objects.create(
+                provider="saml",
+                client_id=client_id,
+                name=name,
+                settings=settings_dict,
+                provider_id=self._parsed_metadata["entity_id"],
+            )
+            social_app.sites.set([current_site])
+
+
 class ResourceScanSummary(RowLevelSecurityProtectedModel):
    scan_id = models.UUIDField(default=uuid7, db_index=True)
    resource_id = models.UUIDField(default=uuid4, db_index=True)
@@ -1331,3 +1813,173 @@ class ResourceScanSummary(RowLevelSecurityProtectedModel):
                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
            ),
        ]
+
+
+class LighthouseConfiguration(RowLevelSecurityProtectedModel):
+    """
+    Stores configuration and API keys for LLM services.
+    """
+
+    class ModelChoices(models.TextChoices):
+        GPT_4O_2024_11_20 = "gpt-4o-2024-11-20", _("GPT-4o v2024-11-20")
+        GPT_4O_2024_08_06 = "gpt-4o-2024-08-06", _("GPT-4o v2024-08-06")
+        GPT_4O_2024_05_13 = "gpt-4o-2024-05-13", _("GPT-4o v2024-05-13")
+        GPT_4O = "gpt-4o", _("GPT-4o Default")
+        GPT_4O_MINI_2024_07_18 = "gpt-4o-mini-2024-07-18", _("GPT-4o Mini v2024-07-18")
+        GPT_4O_MINI = "gpt-4o-mini", _("GPT-4o Mini Default")
+        GPT_5_2025_08_07 = "gpt-5-2025-08-07", _("GPT-5 v2025-08-07")
+        GPT_5 = "gpt-5", _("GPT-5 Default")
+        GPT_5_MINI_2025_08_07 = "gpt-5-mini-2025-08-07", _("GPT-5 Mini v2025-08-07")
+        GPT_5_MINI = "gpt-5-mini", _("GPT-5 Mini Default")
+
+    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
+    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
+    updated_at = models.DateTimeField(auto_now=True, editable=False)
+
+    name = models.CharField(
+        max_length=100,
+        validators=[MinLengthValidator(3)],
+        blank=False,
+        null=False,
+        help_text="Name of the configuration",
+    )
+    api_key = models.BinaryField(
+        blank=False, null=False, help_text="Encrypted API key for the LLM service"
+    )
+    model = models.CharField(
+        max_length=50,
+        choices=ModelChoices.choices,
+        blank=False,
+        null=False,
+        default=ModelChoices.GPT_4O_2024_08_06,
+        help_text="Must be one of the supported model names",
+    )
+    temperature = models.FloatField(default=0, help_text="Must be between 0 and 1")
+    max_tokens = models.IntegerField(
+        default=4000, help_text="Must be between 500 and 5000"
+    )
+    business_context = models.TextField(
+        blank=True,
+        null=False,
+        default="",
+        help_text="Additional business context for this AI model configuration",
+    )
+    is_active = models.BooleanField(default=True)
+
+    def __str__(self):
+        return self.name
+
+    def clean(self):
+        super().clean()
+
+        # Validate temperature
+        if not 0 <= self.temperature <= 1:
+            raise ModelValidationError(
+                detail="Temperature must be between 0 and 1",
+                code="invalid_temperature",
+                pointer="/data/attributes/temperature",
+            )
+
+        # Validate max_tokens
+        if not 500 <= self.max_tokens <= 5000:
+            raise ModelValidationError(
+                detail="Max tokens must be between 500 and 5000",
+                code="invalid_max_tokens",
+                pointer="/data/attributes/max_tokens",
+            )
+
+    @property
+    def api_key_decoded(self):
+        """Return the decrypted API key, or None if unavailable or invalid."""
+        if not self.api_key:
+            return None
+
+        try:
+            decrypted_key = fernet.decrypt(bytes(self.api_key))
+            return decrypted_key.decode()
+
+        except InvalidToken:
+            logger.warning("Invalid token while decrypting API key.")
+        except Exception as e:
+            logger.exception("Unexpected error while decrypting API key: %s", e)
+
+    @api_key_decoded.setter
+    def api_key_decoded(self, value):
+        """Store the encrypted API key."""
+        if not value:
+            raise ModelValidationError(
+                detail="API key is required",
+                code="invalid_api_key",
+                pointer="/data/attributes/api_key",
+            )
+
+        # Validate OpenAI API key format
+        openai_key_pattern = r"^sk-[\w-]+T3BlbkFJ[\w-]+$"
+        if not re.match(openai_key_pattern, value):
+            raise ModelValidationError(
+                detail="Invalid OpenAI API key format.",
+                code="invalid_api_key",
+                pointer="/data/attributes/api_key",
+            )
+        self.api_key = fernet.encrypt(value.encode())
+
+    def save(self, *args, **kwargs):
+        self.full_clean()
+        super().save(*args, **kwargs)
+
+    class Meta(RowLevelSecurityProtectedModel.Meta):
+        db_table = "lighthouse_configurations"
+
+        constraints = [
+            RowLevelSecurityConstraint(
+                field="tenant_id",
+                name="rls_on_%(class)s",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+            # Add unique constraint for name within a tenant
+            models.UniqueConstraint(
+                fields=["tenant_id"], name="unique_lighthouse_config_per_tenant"
+            ),
+        ]
+
+    class JSONAPIMeta:
+        resource_name = "lighthouse-configurations"
+
+
+class Processor(RowLevelSecurityProtectedModel):
+    class ProcessorChoices(models.TextChoices):
+        MUTELIST = "mutelist", _("Mutelist")
+
+    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
+    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
+    updated_at = models.DateTimeField(auto_now=True, editable=False)
+    processor_type = ProcessorTypeEnumField(choices=ProcessorChoices.choices)
+    configuration = models.JSONField(default=dict)
+
+    class Meta(RowLevelSecurityProtectedModel.Meta):
+        db_table = "processors"
+
+        constraints = [
+            models.UniqueConstraint(
+                fields=("tenant_id", "processor_type"),
+                name="unique_processor_types_tenant",
+            ),
+            RowLevelSecurityConstraint(
+                field="tenant_id",
+                name="rls_on_%(class)s",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+        ]
+        indexes = [
+            models.Index(
+                fields=["tenant_id", "id"],
+                name="processor_tenant_id_idx",
+            ),
+            models.Index(
+                fields=["tenant_id", "processor_type"],
+                name="processor_tenant_type_idx",
+            ),
+        ]
+
+    class JSONAPIMeta:
+        resource_name = "processors"
--- a/api/src/backend/api/pagination.py
+++ b/api/src/backend/api/pagination.py
@@ -1,4 +1,4 @@
-from rest_framework_json_api.pagination import JsonApiPageNumberPagination
+from drf_spectacular_jsonapi.schemas.pagination import JsonApiPageNumberPagination


 class ComplianceOverviewPagination(JsonApiPageNumberPagination):
--- a/api/src/backend/api/renderers.py
+++ b/api/src/backend/api/renderers.py
@@ -11,11 +11,12 @@ class APIJSONRenderer(JSONRenderer):
    def render(self, data, accepted_media_type=None, renderer_context=None):
        request = renderer_context.get("request")
        tenant_id = getattr(request, "tenant_id", None) if request else None
+        db_alias = getattr(request, "db_alias", None) if request else None
        include_param_present = "include" in request.query_params if request else False

        # Use rls_transaction if needed for included resources, otherwise do nothing
        context_manager = (
-            rls_transaction(tenant_id)
+            rls_transaction(tenant_id, using=db_alias)
            if tenant_id and include_param_present
            else nullcontext()
        )
--- a/api/src/backend/api/schema_extensions.py
+++ b/api/src/backend/api/schema_extensions.py
@@ -0,0 +1,16 @@
+from drf_spectacular.extensions import OpenApiAuthenticationExtension
+from drf_spectacular.openapi import AutoSchema
+
+
+class CombinedJWTOrAPIKeyAuthenticationScheme(OpenApiAuthenticationExtension):
+    target_class = "api.authentication.CombinedJWTOrAPIKeyAuthentication"
+    name = "JWT or API Key"
+
+    def get_security_definition(self, auto_schema: AutoSchema):  # noqa: F841
+        return {
+            "type": "http",
+            "scheme": "bearer",
+            "bearerFormat": "JWT",
+            "description": "Supports both JWT Bearer tokens and API Key authentication. "
+            "Use `Bearer <token>` for JWT or `Api-Key <key>` for API keys.",
+        }
--- a/api/src/backend/api/schema_hooks.py
+++ b/api/src/backend/api/schema_hooks.py
@@ -0,0 +1,95 @@
+def _pick_task_response_component(components):
+    schemas = components.get("schemas", {}) or {}
+    for candidate in ("TaskResponse",):
+        if candidate in schemas:
+            return candidate
+    return None
+
+
+def _extract_task_example_from_components(components):
+    schemas = components.get("schemas", {}) or {}
+    candidate = "TaskResponse"
+    doc = schemas.get(candidate)
+    if isinstance(doc, dict) and "example" in doc:
+        return doc["example"]
+
+    res = schemas.get(candidate)
+    if isinstance(res, dict) and "example" in res:
+        example = res["example"]
+        return example if "data" in example else {"data": example}
+
+    # Fallback
+    return {
+        "data": {
+            "type": "tasks",
+            "id": "497f6eca-6276-4993-bfeb-53cbbbba6f08",
+            "attributes": {
+                "inserted_at": "2019-08-24T14:15:22Z",
+                "completed_at": "2019-08-24T14:15:22Z",
+                "name": "string",
+                "state": "available",
+                "result": None,
+                "task_args": None,
+                "metadata": None,
+            },
+        }
+    }
+
+
+def attach_task_202_examples(result, generator, request, public):  # noqa: F841
+    if not isinstance(result, dict):
+        return result
+
+    components = result.get("components", {}) or {}
+    task_resp_component = _pick_task_response_component(components)
+    task_example = _extract_task_example_from_components(components)
+
+    paths = result.get("paths", {}) or {}
+    for path_item in paths.values():
+        if not isinstance(path_item, dict):
+            continue
+
+        for method_obj in path_item.values():
+            if not isinstance(method_obj, dict):
+                continue
+
+            responses = method_obj.get("responses", {}) or {}
+            resp_202 = responses.get("202")
+            if not isinstance(resp_202, dict):
+                continue
+
+            content = resp_202.get("content", {}) or {}
+            jsonapi = content.get("application/vnd.api+json")
+            if not isinstance(jsonapi, dict):
+                continue
+
+            # Inject example if missing
+            if "examples" not in jsonapi and "example" not in jsonapi:
+                jsonapi["examples"] = {
+                    "Task queued": {
+                        "summary": "Task queued",
+                        "value": task_example,
+                    }
+                }
+
+            # Rewrite schema $ref if needed
+            if task_resp_component:
+                schema = jsonapi.get("schema")
+                must_replace = False
+                if not isinstance(schema, dict):
+                    must_replace = True
+                else:
+                    ref = schema.get("$ref")
+                    if not ref:
+                        must_replace = True
+                    else:
+                        current = ref.split("/")[-1]
+                        if current != task_resp_component:
+                            must_replace = True
+
+                if must_replace:
+                    jsonapi["schema"] = {
+                        "$ref": f"#/components/schemas/{task_resp_component}"
+                    }
+
+    return result
--- a/api/src/backend/api/signals.py
+++ b/api/src/backend/api/signals.py
@@ -1,12 +1,12 @@
 from celery import states
 from celery.signals import before_task_publish
 from config.celery import celery_app
-from django.db.models.signals import post_delete
+from django.db.models.signals import post_delete, pre_delete
 from django.dispatch import receiver
 from django_celery_results.backends.database import DatabaseBackend

 from api.db_utils import delete_related_daily_task
-from api.models import Provider
+from api.models import Membership, Provider, TenantAPIKey, User


 def create_task_result_on_publish(sender=None, headers=None, **kwargs):  # noqa: F841
@@ -32,3 +32,27 @@ before_task_publish.connect(
 def delete_provider_scan_task(sender, instance, **kwargs):  # noqa: F841
    # Delete the associated periodic task when the provider is deleted
    delete_related_daily_task(instance.id)
+
+
+@receiver(pre_delete, sender=User)
+def revoke_user_api_keys(sender, instance, **kwargs):  # noqa: F841
+    """
+    Revoke all API keys associated with a user before deletion.
+
+    The entity field will be set to NULL by on_delete=SET_NULL,
+    but we explicitly revoke the keys to prevent further use.
+    """
+    TenantAPIKey.objects.filter(entity=instance).update(revoked=True)
+
+
+@receiver(post_delete, sender=Membership)
+def revoke_membership_api_keys(sender, instance, **kwargs):  # noqa: F841
+    """
+    Revoke all API keys when a user is removed from a tenant.
+
+    When a membership is deleted, all API keys created by that user
+    in that tenant should be revoked to prevent further access.
+    """
+    TenantAPIKey.objects.filter(
+        entity=instance.user, tenant_id=instance.tenant.id
+    ).update(revoked=True)
--- a/api/src/backend/api/specs/v1.yaml
+++ b/api/src/backend/api/specs/v1.yaml
--- a/api/src/backend/api/tests/integration/test_authentication.py
+++ b/api/src/backend/api/tests/integration/test_authentication.py
--- a/api/src/backend/api/tests/integration/test_providers.py
+++ b/api/src/backend/api/tests/integration/test_providers.py
@@ -17,7 +17,7 @@ def test_delete_provider_without_executing_task(
    client = APIClient()

    test_user = "test_email@prowler.com"
-    test_password = "test_password"
+    test_password = "Test_password1@"

    prowler_task = tasks_fixture[0]
    task_mock = Mock()
--- a/api/src/backend/api/tests/test_adapters.py
+++ b/api/src/backend/api/tests/test_adapters.py
@@ -0,0 +1,77 @@
+from unittest.mock import MagicMock, patch
+
+import pytest
+from allauth.socialaccount.models import SocialLogin
+from django.contrib.auth import get_user_model
+
+from api.adapters import ProwlerSocialAccountAdapter
+
+User = get_user_model()
+
+
+@pytest.mark.django_db
+class TestProwlerSocialAccountAdapter:
+    def test_get_user_by_email_returns_user(self, create_test_user):
+        adapter = ProwlerSocialAccountAdapter()
+        user = adapter.get_user_by_email(create_test_user.email)
+        assert user == create_test_user
+
+    def test_get_user_by_email_returns_none_for_unknown_email(self):
+        adapter = ProwlerSocialAccountAdapter()
+        assert adapter.get_user_by_email("notfound@example.com") is None
+
+    def test_pre_social_login_links_existing_user(self, create_test_user, rf):
+        adapter = ProwlerSocialAccountAdapter()
+
+        sociallogin = MagicMock(spec=SocialLogin)
+        sociallogin.account = MagicMock()
+        sociallogin.provider = MagicMock()
+        sociallogin.provider.id = "saml"
+        sociallogin.account.extra_data = {}
+        sociallogin.user = create_test_user
+        sociallogin.connect = MagicMock()
+
+        adapter.pre_social_login(rf.get("/"), sociallogin)
+
+        call_args = sociallogin.connect.call_args
+        assert call_args is not None
+
+        called_request, called_user = call_args[0]
+        assert called_request.path == "/"
+        assert called_user.email == create_test_user.email
+
+    def test_pre_social_login_no_link_if_email_missing(self, rf):
+        adapter = ProwlerSocialAccountAdapter()
+
+        sociallogin = MagicMock(spec=SocialLogin)
+        sociallogin.account = MagicMock()
+        sociallogin.provider = MagicMock()
+        sociallogin.user = MagicMock()
+        sociallogin.provider.id = "saml"
+        sociallogin.account.extra_data = {}
+        sociallogin.connect = MagicMock()
+
+        adapter.pre_social_login(rf.get("/"), sociallogin)
+
+        sociallogin.connect.assert_not_called()
+
+    def test_save_user_saml_sets_session_flag(self, rf):
+        adapter = ProwlerSocialAccountAdapter()
+        request = rf.get("/")
+        request.session = {}
+
+        sociallogin = MagicMock(spec=SocialLogin)
+        sociallogin.provider = MagicMock()
+        sociallogin.provider.id = "saml"
+        sociallogin.account = MagicMock()
+        sociallogin.account.extra_data = {}
+
+        mock_user = MagicMock()
+        mock_user.id = 123
+
+        with patch("api.adapters.super") as mock_super:
+            with patch("api.adapters.transaction"):
+                with patch("api.adapters.MainRouter"):
+                    mock_super.return_value.save_user.return_value = mock_user
+                    adapter.save_user(request, sociallogin)
+                    assert request.session["saml_user_created"] == "123"
--- a/api/src/backend/api/tests/test_apps.py
+++ b/api/src/backend/api/tests/test_apps.py
@@ -0,0 +1,152 @@
+import os
+from pathlib import Path
+from unittest.mock import MagicMock
+
+import pytest
+from django.conf import settings
+
+import api.apps as api_apps_module
+from api.apps import (
+    ApiConfig,
+    PRIVATE_KEY_FILE,
+    PUBLIC_KEY_FILE,
+    SIGNING_KEY_ENV,
+    VERIFYING_KEY_ENV,
+)
+
+
+@pytest.fixture(autouse=True)
+def reset_keys_initialized(monkeypatch):
+    """Ensure per-test clean state for the module-level guard flag."""
+    monkeypatch.setattr(api_apps_module, "_keys_initialized", False, raising=False)
+
+
+def _stub_keys():
+    return (
+        """-----BEGIN PRIVATE KEY-----\nPRIVATE\n-----END PRIVATE KEY-----\n""",
+        """-----BEGIN PUBLIC KEY-----\nPUBLIC\n-----END PUBLIC KEY-----\n""",
+    )
+
+
+def test_generate_jwt_keys_when_missing(monkeypatch, tmp_path):
+    # Arrange: isolate FS, env, and settings; force generation path
+    monkeypatch.setattr(
+        api_apps_module, "KEYS_DIRECTORY", Path(tmp_path), raising=False
+    )
+    monkeypatch.delenv(SIGNING_KEY_ENV, raising=False)
+    monkeypatch.delenv(VERIFYING_KEY_ENV, raising=False)
+
+    # Work on a copy of SIMPLE_JWT to avoid mutating the global settings dict for other tests
+    monkeypatch.setattr(
+        settings, "SIMPLE_JWT", settings.SIMPLE_JWT.copy(), raising=False
+    )
+    monkeypatch.setattr(settings, "TESTING", False, raising=False)
+
+    # Avoid dependency on the cryptography package
+    monkeypatch.setattr(ApiConfig, "_generate_jwt_keys", staticmethod(_stub_keys))
+
+    config = ApiConfig("api", api_apps_module)
+
+    # Act
+    config._ensure_crypto_keys()
+
+    # Assert: files created with expected content
+    priv_path = Path(tmp_path) / PRIVATE_KEY_FILE
+    pub_path = Path(tmp_path) / PUBLIC_KEY_FILE
+    assert priv_path.is_file()
+    assert pub_path.is_file()
+    assert priv_path.read_text() == _stub_keys()[0]
+    assert pub_path.read_text() == _stub_keys()[1]
+
+    # Env vars and Django settings updated
+    assert os.environ[SIGNING_KEY_ENV] == _stub_keys()[0]
+    assert os.environ[VERIFYING_KEY_ENV] == _stub_keys()[1]
+    assert settings.SIMPLE_JWT["SIGNING_KEY"] == _stub_keys()[0]
+    assert settings.SIMPLE_JWT["VERIFYING_KEY"] == _stub_keys()[1]
+
+
+def test_ensure_crypto_keys_are_idempotent_within_process(monkeypatch, tmp_path):
+    # Arrange
+    monkeypatch.setattr(
+        api_apps_module, "KEYS_DIRECTORY", Path(tmp_path), raising=False
+    )
+    monkeypatch.delenv(SIGNING_KEY_ENV, raising=False)
+    monkeypatch.delenv(VERIFYING_KEY_ENV, raising=False)
+    monkeypatch.setattr(
+        settings, "SIMPLE_JWT", settings.SIMPLE_JWT.copy(), raising=False
+    )
+    monkeypatch.setattr(settings, "TESTING", False, raising=False)
+
+    mock_generate = MagicMock(side_effect=_stub_keys)
+    monkeypatch.setattr(ApiConfig, "_generate_jwt_keys", staticmethod(mock_generate))
+
+    config = ApiConfig("api", api_apps_module)
+
+    # Act: first call should generate, second should be a no-op (guard flag)
+    config._ensure_crypto_keys()
+    config._ensure_crypto_keys()
+
+    # Assert: generation occurred exactly once
+    assert mock_generate.call_count == 1
+
+
+def test_ensure_jwt_keys_uses_existing_files(monkeypatch, tmp_path):
+    # Arrange: pre-create key files
+    monkeypatch.setattr(
+        api_apps_module, "KEYS_DIRECTORY", Path(tmp_path), raising=False
+    )
+    monkeypatch.setattr(
+        settings, "SIMPLE_JWT", settings.SIMPLE_JWT.copy(), raising=False
+    )
+
+    existing_private, existing_public = _stub_keys()
+
+    (Path(tmp_path) / PRIVATE_KEY_FILE).write_text(existing_private)
+    (Path(tmp_path) / PUBLIC_KEY_FILE).write_text(existing_public)
+
+    # If generation were called, fail the test
+    def _fail_generate():
+        raise AssertionError("_generate_jwt_keys should not be called when files exist")
+
+    monkeypatch.setattr(ApiConfig, "_generate_jwt_keys", staticmethod(_fail_generate))
+
+    config = ApiConfig("api", api_apps_module)
+
+    # Act: call the lower-level method directly to set env/settings from files
+    config._ensure_jwt_keys()
+
+    # Assert
+    # _read_key_file() strips trailing newlines; environment/settings should reflect stripped content
+    assert os.environ[SIGNING_KEY_ENV] == existing_private.strip()
+    assert os.environ[VERIFYING_KEY_ENV] == existing_public.strip()
+    assert settings.SIMPLE_JWT["SIGNING_KEY"] == existing_private.strip()
+    assert settings.SIMPLE_JWT["VERIFYING_KEY"] == existing_public.strip()
+
+
+def test_ensure_crypto_keys_skips_when_env_vars(monkeypatch, tmp_path):
+    # Arrange: put values in env so the orchestrator doesn't generate
+    monkeypatch.setattr(
+        api_apps_module, "KEYS_DIRECTORY", Path(tmp_path), raising=False
+    )
+    monkeypatch.setenv(SIGNING_KEY_ENV, "ENV-PRIVATE")
+    monkeypatch.setenv(VERIFYING_KEY_ENV, "ENV-PUBLIC")
+    monkeypatch.setattr(
+        settings, "SIMPLE_JWT", settings.SIMPLE_JWT.copy(), raising=False
+    )
+    monkeypatch.setattr(settings, "TESTING", False, raising=False)
+
+    called = {"ensure": False}
+
+    def _track_call():
+        called["ensure"] = True
+        return _stub_keys()
+
+    monkeypatch.setattr(ApiConfig, "_generate_jwt_keys", staticmethod(_track_call))
+
+    config = ApiConfig("api", api_apps_module)
+
+    # Act
+    config._ensure_crypto_keys()
+
+    # Assert: orchestrator did not trigger generation when env present
+    assert called["ensure"] is False
--- a/api/src/backend/api/tests/test_authentication.py
+++ b/api/src/backend/api/tests/test_authentication.py
@@ -0,0 +1,384 @@
+import time
+from datetime import datetime, timedelta, timezone
+from unittest.mock import patch
+from uuid import uuid4
+
+import pytest
+from django.test import RequestFactory
+from rest_framework.exceptions import AuthenticationFailed
+
+from api.authentication import TenantAPIKeyAuthentication
+from api.db_router import MainRouter
+from api.models import TenantAPIKey
+
+
+@pytest.mark.django_db
+class TestTenantAPIKeyAuthentication:
+    @pytest.fixture
+    def auth_backend(self):
+        """Create an instance of TenantAPIKeyAuthentication."""
+        return TenantAPIKeyAuthentication()
+
+    @pytest.fixture
+    def request_factory(self):
+        """Create a Django request factory."""
+        return RequestFactory()
+
+    def test_authenticate_credentials_uses_admin_database(
+        self, auth_backend, api_keys_fixture, request_factory
+    ):
+        """Test that _authenticate_credentials routes queries to admin database."""
+        api_key = api_keys_fixture[0]
+        raw_key = api_key._raw_key
+
+        # Extract the encrypted key part (after the prefix and separator)
+        _, encrypted_key = raw_key.split(TenantAPIKey.objects.separator, 1)
+
+        # Create a mock request
+        request = request_factory.get("/")
+
+        # Call the method
+        entity, auth_dict = auth_backend._authenticate_credentials(
+            request, encrypted_key
+        )
+
+        # Verify that the entity is the user associated with the API key
+        assert entity == api_key.entity
+        assert entity.id == api_key.entity.id
+
+    def test_authenticate_credentials_restores_manager_on_success(
+        self, auth_backend, api_keys_fixture, request_factory
+    ):
+        """Test that the manager is restored after successful authentication."""
+        api_key = api_keys_fixture[0]
+        raw_key = api_key._raw_key
+        _, encrypted_key = raw_key.split(TenantAPIKey.objects.separator, 1)
+
+        # Store the original manager
+        original_manager = TenantAPIKey.objects
+
+        request = request_factory.get("/")
+
+        # Call the method
+        auth_backend._authenticate_credentials(request, encrypted_key)
+
+        # Verify the manager was restored
+        assert TenantAPIKey.objects == original_manager
+
+    def test_authenticate_credentials_restores_manager_on_exception(
+        self, auth_backend, request_factory
+    ):
+        """Test that the manager is restored even when an exception occurs."""
+        # Store the original manager
+        original_manager = TenantAPIKey.objects
+
+        request = request_factory.get("/")
+
+        # Try to authenticate with an invalid key that will raise an exception
+        with pytest.raises(Exception):
+            auth_backend._authenticate_credentials(request, "invalid_encrypted_key")
+
+        # Verify the manager was restored despite the exception
+        assert TenantAPIKey.objects == original_manager
+
+    def test_authenticate_valid_api_key(
+        self, auth_backend, api_keys_fixture, request_factory
+    ):
+        """Test successful authentication with a valid API key."""
+        api_key = api_keys_fixture[0]
+        raw_key = api_key._raw_key
+
+        # Create a request with the API key in the Authorization header
+        request = request_factory.get("/")
+        request.META["HTTP_AUTHORIZATION"] = f"Api-Key {raw_key}"
+
+        # Authenticate
+        entity, auth_dict = auth_backend.authenticate(request)
+
+        # Verify the entity and auth dict
+        assert entity == api_key.entity
+        assert auth_dict["tenant_id"] == str(api_key.tenant_id)
+        assert auth_dict["sub"] == str(api_key.entity.id)
+        assert auth_dict["api_key_prefix"] == api_key.prefix
+
+        # Verify that last_used_at was updated
+        api_key.refresh_from_db()
+        assert api_key.last_used_at is not None
+        assert (datetime.now(timezone.utc) - api_key.last_used_at).seconds < 5
+
+    def test_authenticate_valid_api_key_uses_admin_database(
+        self, auth_backend, api_keys_fixture, request_factory
+    ):
+        """Test that authenticate uses admin database for API key lookup."""
+        api_key = api_keys_fixture[0]
+        raw_key = api_key._raw_key
+
+        request = request_factory.get("/")
+        request.META["HTTP_AUTHORIZATION"] = f"Api-Key {raw_key}"
+
+        # Mock the manager's using method to verify it's called with admin_db
+        with patch.object(
+            TenantAPIKey.objects, "using", wraps=TenantAPIKey.objects.using
+        ) as mock_using:
+            auth_backend.authenticate(request)
+
+            # Verify that .using('admin') was called
+            mock_using.assert_called_with(MainRouter.admin_db)
+
+    def test_authenticate_invalid_key_format_missing_separator(
+        self, auth_backend, request_factory
+    ):
+        """Test authentication fails with invalid API key format (no separator)."""
+        request = request_factory.get("/")
+        request.META["HTTP_AUTHORIZATION"] = "Api-Key invalid_key_no_separator"
+
+        with pytest.raises(AuthenticationFailed) as exc_info:
+            auth_backend.authenticate(request)
+
+        assert str(exc_info.value.detail) == "Invalid API Key."
+
+    def test_authenticate_invalid_key_format_empty_prefix(
+        self, auth_backend, request_factory
+    ):
+        """Test authentication fails with empty prefix."""
+        request = request_factory.get("/")
+        request.META["HTTP_AUTHORIZATION"] = "Api-Key .encrypted_part"
+
+        with pytest.raises(AuthenticationFailed) as exc_info:
+            auth_backend.authenticate(request)
+
+        assert str(exc_info.value.detail) == "Invalid API Key."
+
+    def test_authenticate_invalid_encrypted_key(
+        self, auth_backend, api_keys_fixture, request_factory
+    ):
+        """Test authentication fails with invalid encrypted key."""
+        api_key = api_keys_fixture[0]
+
+        # Create an invalid key with valid prefix but invalid encryption
+        invalid_key = f"{api_key.prefix}.invalid_encrypted_data"
+
+        request = request_factory.get("/")
+        request.META["HTTP_AUTHORIZATION"] = f"Api-Key {invalid_key}"
+
+        with pytest.raises(AuthenticationFailed) as exc_info:
+            auth_backend.authenticate(request)
+
+        assert str(exc_info.value.detail) == "Invalid API Key."
+
+    def test_authenticate_revoked_api_key(
+        self, auth_backend, api_keys_fixture, request_factory
+    ):
+        """Test authentication fails with a revoked API key."""
+        # Use the revoked API key (index 2 from fixture)
+        api_key = api_keys_fixture[2]
+        raw_key = api_key._raw_key
+
+        request = request_factory.get("/")
+        request.META["HTTP_AUTHORIZATION"] = f"Api-Key {raw_key}"
+
+        # The revoked key should fail during credential validation
+        with pytest.raises(AuthenticationFailed) as exc_info:
+            auth_backend.authenticate(request)
+
+        assert str(exc_info.value.detail) == "This API Key has been revoked."
+
+    def test_authenticate_expired_api_key(
+        self, auth_backend, create_test_user, tenants_fixture, request_factory
+    ):
+        """Test authentication fails with an expired API key."""
+        tenant = tenants_fixture[0]
+        user = create_test_user
+
+        # Create an expired API key
+        api_key, raw_key = TenantAPIKey.objects.create_api_key(
+            name="Expired API Key",
+            tenant_id=tenant.id,
+            entity=user,
+            expiry_date=datetime.now(timezone.utc) - timedelta(days=1),
+        )
+
+        request = request_factory.get("/")
+        request.META["HTTP_AUTHORIZATION"] = f"Api-Key {raw_key}"
+
+        with pytest.raises(AuthenticationFailed) as exc_info:
+            auth_backend.authenticate(request)
+
+        assert str(exc_info.value.detail) == "API Key has already expired."
+
+    def test_authenticate_nonexistent_api_key(
+        self, auth_backend, api_keys_fixture, request_factory
+    ):
+        """Test authentication fails when API key doesn't exist in database."""
+        # Create a valid-looking encrypted key with a non-existent UUID
+        api_key = api_keys_fixture[0]
+        non_existent_uuid = str(uuid4())
+
+        # Manually create an encrypted key with a non-existent ID
+        payload = {
+            "_pk": non_existent_uuid,
+            "_exp": (datetime.now(timezone.utc) + timedelta(days=30)).timestamp(),
+        }
+        encrypted_key = auth_backend.key_crypto.generate(payload)
+        fake_key = f"{api_key.prefix}.{encrypted_key}"
+
+        request = request_factory.get("/")
+        request.META["HTTP_AUTHORIZATION"] = f"Api-Key {fake_key}"
+
+        with pytest.raises(AuthenticationFailed) as exc_info:
+            auth_backend.authenticate(request)
+
+        assert str(exc_info.value.detail) == "No entity matching this api key."
+
+    def test_authenticate_updates_last_used_at(
+        self, auth_backend, api_keys_fixture, request_factory
+    ):
+        """Test that last_used_at is updated on successful authentication."""
+        api_key = api_keys_fixture[0]
+        raw_key = api_key._raw_key
+
+        # Store the original last_used_at
+        original_last_used = api_key.last_used_at
+
+        request = request_factory.get("/")
+        request.META["HTTP_AUTHORIZATION"] = f"Api-Key {raw_key}"
+
+        # Authenticate
+        auth_backend.authenticate(request)
+
+        # Refresh from database
+        api_key.refresh_from_db()
+
+        # Verify last_used_at was updated
+        assert api_key.last_used_at is not None
+        if original_last_used:
+            assert api_key.last_used_at > original_last_used
+
+    def test_authenticate_saves_to_admin_database(
+        self, auth_backend, api_keys_fixture, request_factory
+    ):
+        """Test that the API key save operation uses admin database."""
+        api_key = api_keys_fixture[0]
+        raw_key = api_key._raw_key
+
+        request = request_factory.get("/")
+        request.META["HTTP_AUTHORIZATION"] = f"Api-Key {raw_key}"
+
+        # Mock the save method to verify it's called with using='admin'
+        with patch.object(TenantAPIKey, "save") as mock_save:
+            auth_backend.authenticate(request)
+
+            # Verify save was called with using=admin_db
+            mock_save.assert_called_once_with(
+                update_fields=["last_used_at"], using=MainRouter.admin_db
+            )
+
+    def test_authenticate_returns_correct_auth_dict(
+        self, auth_backend, api_keys_fixture, request_factory
+    ):
+        """Test that the auth dict contains all required fields."""
+        api_key = api_keys_fixture[0]
+        raw_key = api_key._raw_key
+
+        request = request_factory.get("/")
+        request.META["HTTP_AUTHORIZATION"] = f"Api-Key {raw_key}"
+
+        entity, auth_dict = auth_backend.authenticate(request)
+
+        # Verify all required fields are present
+        assert "tenant_id" in auth_dict
+        assert "sub" in auth_dict
+        assert "api_key_prefix" in auth_dict
+
+        # Verify values are correct
+        assert auth_dict["tenant_id"] == str(api_key.tenant_id)
+        assert auth_dict["sub"] == str(api_key.entity.id)
+        assert auth_dict["api_key_prefix"] == api_key.prefix
+
+    def test_authenticate_with_multiple_api_keys_same_tenant(
+        self, auth_backend, api_keys_fixture, request_factory
+    ):
+        """Test that authentication works correctly with multiple API keys for the same tenant."""
+        # Test with first API key
+        api_key1 = api_keys_fixture[0]
+        raw_key1 = api_key1._raw_key
+
+        request1 = request_factory.get("/")
+        request1.META["HTTP_AUTHORIZATION"] = f"Api-Key {raw_key1}"
+
+        entity1, auth_dict1 = auth_backend.authenticate(request1)
+
+        assert entity1 == api_key1.entity
+        assert auth_dict1["api_key_prefix"] == api_key1.prefix
+
+        # Test with second API key
+        api_key2 = api_keys_fixture[1]
+        raw_key2 = api_key2._raw_key
+
+        request2 = request_factory.get("/")
+        request2.META["HTTP_AUTHORIZATION"] = f"Api-Key {raw_key2}"
+
+        entity2, auth_dict2 = auth_backend.authenticate(request2)
+
+        assert entity2 == api_key2.entity
+        assert auth_dict2["api_key_prefix"] == api_key2.prefix
+
+        # Verify they're different keys but same tenant
+        assert auth_dict1["api_key_prefix"] != auth_dict2["api_key_prefix"]
+        assert auth_dict1["tenant_id"] == auth_dict2["tenant_id"]
+
+    def test_authenticate_with_wrong_prefix_in_db(
+        self, auth_backend, api_keys_fixture, request_factory
+    ):
+        """Test authentication fails when prefix doesn't match database."""
+        api_key = api_keys_fixture[0]
+        raw_key = api_key._raw_key
+
+        # Extract the encrypted part and combine with wrong prefix
+        _, encrypted_part = raw_key.split(TenantAPIKey.objects.separator, 1)
+        wrong_key = f"pk_wrong123.{encrypted_part}"
+
+        request = request_factory.get("/")
+        request.META["HTTP_AUTHORIZATION"] = f"Api-Key {wrong_key}"
+
+        with pytest.raises(AuthenticationFailed) as exc_info:
+            auth_backend.authenticate(request)
+
+        assert str(exc_info.value.detail) == "Invalid API Key."
+
+    def test_authenticate_credentials_exception_handling(
+        self, auth_backend, request_factory
+    ):
+        """Test that exceptions in _authenticate_credentials are properly handled."""
+        request = request_factory.get("/")
+
+        # Test with completely invalid data that will cause InvalidToken
+        with pytest.raises(Exception):
+            auth_backend._authenticate_credentials(request, "completely_invalid")
+
+    def test_authenticate_with_expired_timestamp(
+        self, auth_backend, create_test_user, tenants_fixture, request_factory
+    ):
+        """Test that expired timestamp in encrypted key causes authentication failure."""
+        tenant = tenants_fixture[0]
+        user = create_test_user
+
+        # Create an API key with a very short expiry
+        api_key, raw_key = TenantAPIKey.objects.create_api_key(
+            name="Short-lived API Key",
+            tenant_id=tenant.id,
+            entity=user,
+            expiry_date=datetime.now(timezone.utc) + timedelta(seconds=1),
+        )
+
+        # Wait for the key to expire
+        time.sleep(2)
+
+        request = request_factory.get("/")
+        request.META["HTTP_AUTHORIZATION"] = f"Api-Key {raw_key}"
+
+        # Should fail with expired key
+        with pytest.raises(AuthenticationFailed) as exc_info:
+            auth_backend.authenticate(request)
+
+        assert str(exc_info.value.detail) == "API Key has already expired."
--- a/api/src/backend/api/tests/test_compliance.py
+++ b/api/src/backend/api/tests/test_compliance.py
@@ -1,12 +1,12 @@
-from unittest.mock import patch, MagicMock
+from unittest.mock import MagicMock, patch

 from api.compliance import (
+    generate_compliance_overview_template,
+    generate_scan_compliance,
    get_prowler_provider_checks,
    get_prowler_provider_compliance,
-    load_prowler_compliance,
    load_prowler_checks,
-    generate_scan_compliance,
-    generate_compliance_overview_template,
+    load_prowler_compliance,
 )
 from api.models import Provider

@@ -69,7 +69,7 @@ class TestCompliance:

        load_prowler_compliance()

-        from api.compliance import PROWLER_COMPLIANCE_OVERVIEW_TEMPLATE, PROWLER_CHECKS
+        from api.compliance import PROWLER_CHECKS, PROWLER_COMPLIANCE_OVERVIEW_TEMPLATE

        assert PROWLER_COMPLIANCE_OVERVIEW_TEMPLATE == {
            "template_key": "template_value"
@@ -218,6 +218,10 @@ class TestCompliance:
            Description="Description of requirement 1",
            Attributes=[],
            Checks=["check1", "check2"],
+            Tactics=["tactic1"],
+            SubTechniques=["subtechnique1"],
+            Platforms=["platform1"],
+            TechniqueURL="https://example.com",
        )
        requirement2 = MagicMock(
            Id="requirement2",
@@ -225,12 +229,17 @@ class TestCompliance:
            Description="Description of requirement 2",
            Attributes=[],
            Checks=[],
+            Tactics=[],
+            SubTechniques=[],
+            Platforms=[],
+            TechniqueURL="",
        )
        compliance1 = MagicMock(
            Requirements=[requirement1, requirement2],
            Framework="Framework 1",
            Version="1.0",
            Description="Description of compliance1",
+            Name="Compliance 1",
        )
        prowler_compliance = {"aws": {"compliance1": compliance1}}

@@ -240,6 +249,7 @@ class TestCompliance:
            "aws": {
                "compliance1": {
                    "framework": "Framework 1",
+                    "name": "Compliance 1",
                    "version": "1.0",
                    "provider": "aws",
                    "description": "Description of compliance1",
@@ -247,6 +257,10 @@ class TestCompliance:
                        "requirement1": {
                            "name": "Requirement 1",
                            "description": "Description of requirement 1",
+                            "tactics": ["tactic1"],
+                            "subtechniques": ["subtechnique1"],
+                            "platforms": ["platform1"],
+                            "technique_url": "https://example.com",
                            "attributes": [],
                            "checks": {"check1": None, "check2": None},
                            "checks_status": {
@@ -260,6 +274,10 @@ class TestCompliance:
                        "requirement2": {
                            "name": "Requirement 2",
                            "description": "Description of requirement 2",
+                            "tactics": [],
+                            "subtechniques": [],
+                            "platforms": [],
+                            "technique_url": "",
                            "attributes": [],
                            "checks": {},
                            "checks_status": {
@@ -268,7 +286,7 @@ class TestCompliance:
                                "manual": 0,
                                "total": 0,
                            },
-                            "status": "PASS",
+                            "status": "MANUAL",
                        },
                    },
                    "requirements_status": {
--- a/api/src/backend/api/tests/test_db_utils.py
+++ b/api/src/backend/api/tests/test_db_utils.py
@@ -3,12 +3,18 @@ from enum import Enum
 from unittest.mock import patch

 import pytest
+from django.conf import settings
+from freezegun import freeze_time

 from api.db_utils import (
+    _should_create_index_on_partition,
    batch_delete,
+    create_objects_in_batches,
    enum_to_choices,
+    generate_api_key_prefix,
    generate_random_token,
    one_week_from_now,
+    update_objects_in_batches,
 )
 from api.models import Provider

@@ -138,3 +144,198 @@ class TestBatchDelete:
        )
        assert Provider.objects.all().count() == 0
        assert summary == {"api.Provider": create_test_providers}
+
+
+class TestShouldCreateIndexOnPartition:
+    @freeze_time("2025-05-15 00:00:00Z")
+    @pytest.mark.parametrize(
+        "partition_name, all_partitions, expected",
+        [
+            ("any_name", True, True),
+            ("findings_default", True, True),
+            ("findings_2022_jan", True, True),
+            ("foo_bar", False, True),
+            ("findings_2025_MAY", False, True),
+            ("findings_2025_may", False, True),
+            ("findings_2025_jun", False, True),
+            ("findings_2025_apr", False, False),
+            ("findings_2025_xyz", False, True),
+        ],
+    )
+    def test_partition_inclusion_logic(self, partition_name, all_partitions, expected):
+        assert (
+            _should_create_index_on_partition(partition_name, all_partitions)
+            is expected
+        )
+
+    @freeze_time("2025-05-15 00:00:00Z")
+    def test_invalid_date_components(self):
+        # even if regex matches but int conversion fails, we fallback True
+        # (e.g. year too big, month number parse error)
+        bad_name = "findings_99999_jan"
+        assert _should_create_index_on_partition(bad_name, False) is True
+
+        bad_name2 = "findings_2025_abc"
+        # abc not in month_map → fallback True
+        assert _should_create_index_on_partition(bad_name2, False) is True
+
+
+@pytest.mark.django_db
+class TestCreateObjectsInBatches:
+    @pytest.fixture
+    def tenant(self, tenants_fixture):
+        return tenants_fixture[0]
+
+    def make_provider_instances(self, tenant, count):
+        """
+        Return a list of `count` unsaved Provider instances for the given tenant.
+        """
+        base_uid = 1000
+        return [
+            Provider(
+                tenant=tenant,
+                uid=str(base_uid + i),
+                provider=Provider.ProviderChoices.AWS,
+            )
+            for i in range(count)
+        ]
+
+    def test_exact_multiple_of_batch(self, tenant):
+        total = 6
+        batch_size = 3
+        objs = self.make_provider_instances(tenant, total)
+
+        create_objects_in_batches(str(tenant.id), Provider, objs, batch_size=batch_size)
+
+        qs = Provider.objects.filter(tenant=tenant)
+        assert qs.count() == total
+
+    def test_non_multiple_of_batch(self, tenant):
+        total = 7
+        batch_size = 3
+        objs = self.make_provider_instances(tenant, total)
+
+        create_objects_in_batches(str(tenant.id), Provider, objs, batch_size=batch_size)
+
+        qs = Provider.objects.filter(tenant=tenant)
+        assert qs.count() == total
+
+    def test_batch_size_default(self, tenant):
+        default_size = settings.DJANGO_DELETION_BATCH_SIZE
+        total = default_size + 2
+        objs = self.make_provider_instances(tenant, total)
+
+        create_objects_in_batches(str(tenant.id), Provider, objs)
+
+        qs = Provider.objects.filter(tenant=tenant)
+        assert qs.count() == total
+
+
+@pytest.mark.django_db
+class TestUpdateObjectsInBatches:
+    @pytest.fixture
+    def tenant(self, tenants_fixture):
+        return tenants_fixture[0]
+
+    def make_provider_instances(self, tenant, count):
+        """
+        Return a list of `count` unsaved Provider instances for the given tenant.
+        """
+        base_uid = 2000
+        return [
+            Provider(
+                tenant=tenant,
+                uid=str(base_uid + i),
+                provider=Provider.ProviderChoices.AWS,
+            )
+            for i in range(count)
+        ]
+
+    def test_exact_multiple_of_batch(self, tenant):
+        total = 6
+        batch_size = 3
+        objs = self.make_provider_instances(tenant, total)
+        create_objects_in_batches(str(tenant.id), Provider, objs, batch_size=batch_size)
+
+        # Fetch them back, mutate the `uid` field, then update in batches
+        providers = list(Provider.objects.filter(tenant=tenant))
+        for p in providers:
+            p.uid = f"{p.uid}_upd"
+
+        update_objects_in_batches(
+            tenant_id=str(tenant.id),
+            model=Provider,
+            objects=providers,
+            fields=["uid"],
+            batch_size=batch_size,
+        )
+
+        qs = Provider.objects.filter(tenant=tenant, uid__endswith="_upd")
+        assert qs.count() == total
+
+    def test_non_multiple_of_batch(self, tenant):
+        total = 7
+        batch_size = 3
+        objs = self.make_provider_instances(tenant, total)
+        create_objects_in_batches(str(tenant.id), Provider, objs, batch_size=batch_size)
+
+        providers = list(Provider.objects.filter(tenant=tenant))
+        for p in providers:
+            p.uid = f"{p.uid}_upd"
+
+        update_objects_in_batches(
+            tenant_id=str(tenant.id),
+            model=Provider,
+            objects=providers,
+            fields=["uid"],
+            batch_size=batch_size,
+        )
+
+        qs = Provider.objects.filter(tenant=tenant, uid__endswith="_upd")
+        assert qs.count() == total
+
+    def test_batch_size_default(self, tenant):
+        default_size = settings.DJANGO_DELETION_BATCH_SIZE
+        total = default_size + 2
+        objs = self.make_provider_instances(tenant, total)
+        create_objects_in_batches(str(tenant.id), Provider, objs)
+
+        providers = list(Provider.objects.filter(tenant=tenant))
+        for p in providers:
+            p.uid = f"{p.uid}_upd"
+
+        # Update without specifying batch_size (uses default)
+        update_objects_in_batches(
+            tenant_id=str(tenant.id),
+            model=Provider,
+            objects=providers,
+            fields=["uid"],
+        )
+
+        qs = Provider.objects.filter(tenant=tenant, uid__endswith="_upd")
+        assert qs.count() == total
+
+
+class TestGenerateApiKeyPrefix:
+    def test_prefix_format(self):
+        """Test that generated prefix starts with 'pk_'."""
+        prefix = generate_api_key_prefix()
+        assert prefix.startswith("pk_")
+
+    def test_prefix_length(self):
+        """Test that prefix has correct length (pk_ + 8 random chars = 11)."""
+        prefix = generate_api_key_prefix()
+        assert len(prefix) == 11
+
+    def test_prefix_uniqueness(self):
+        """Test that multiple generations produce unique prefixes."""
+        prefixes = {generate_api_key_prefix() for _ in range(100)}
+        assert len(prefixes) == 100
+
+    def test_prefix_character_set(self):
+        """Test that random part uses only allowed characters."""
+        allowed_chars = "23456789ABCDEFGHJKMNPQRSTVWXYZ"
+        for _ in range(50):
+            prefix = generate_api_key_prefix()
+            random_part = prefix[3:]  # Strip 'pk_'
+            assert all(char in allowed_chars for char in random_part)
--- a/api/src/backend/api/tests/test_middleware.py
+++ b/api/src/backend/api/tests/test_middleware.py
@@ -24,6 +24,7 @@ def test_api_logging_middleware_logging(mock_logger):
        mock_extract_auth_info.return_value = {
            "user_id": "user123",
            "tenant_id": "tenant456",
+            "api_key_prefix": "pk_test",
        }

        with patch("api.middleware.logging.getLogger") as mock_get_logger:
@@ -44,6 +45,7 @@ def test_api_logging_middleware_logging(mock_logger):
                expected_extra = {
                    "user_id": "user123",
                    "tenant_id": "tenant456",
+                    "api_key_prefix": "pk_test",
                    "method": "GET",
                    "path": "/test-path",
                    "query_params": {"param1": "value1", "param2": "value2"},
--- a/api/src/backend/api/tests/test_mixins.py
+++ b/api/src/backend/api/tests/test_mixins.py
@@ -0,0 +1,379 @@
+import json
+from uuid import uuid4
+
+import pytest
+from django_celery_results.models import TaskResult
+from rest_framework import status
+from rest_framework.response import Response
+
+from api.exceptions import (
+    TaskFailedException,
+    TaskInProgressException,
+    TaskNotFoundException,
+)
+from api.models import Task, User
+from api.rls import Tenant
+from api.v1.mixins import PaginateByPkMixin, TaskManagementMixin
+
+
+@pytest.mark.django_db
+class TestPaginateByPkMixin:
+    @pytest.fixture
+    def tenant(self):
+        return Tenant.objects.create(name="Test Tenant")
+
+    @pytest.fixture
+    def users(self, tenant):
+        # Create 5 users with proper email field
+        users = []
+        for i in range(5):
+            user = User.objects.create(email=f"user{i}@example.com", name=f"User {i}")
+            users.append(user)
+        return users
+
+    class DummyView(PaginateByPkMixin):
+        def __init__(self, page):
+            self._page = page
+
+        def paginate_queryset(self, qs):
+            return self._page
+
+        def get_serializer(self, queryset, many):
+            class S:
+                def __init__(self, data):
+                    # serialize to list of ids
+                    self.data = [obj.id for obj in data] if many else queryset.id
+
+            return S(queryset)
+
+        def get_paginated_response(self, data):
+            return Response({"results": data}, status=status.HTTP_200_OK)
+
+    def test_no_pagination(self, users):
+        base_qs = User.objects.all().order_by("id")
+        view = self.DummyView(page=None)
+        resp = view.paginate_by_pk(
+            request=None, base_queryset=base_qs, manager=User.objects
+        )
+        # since no pagination, should return all ids in order
+        expected = [u.id for u in base_qs]
+        assert isinstance(resp, Response)
+        assert resp.data == expected
+
+    def test_with_pagination(self, users):
+        base_qs = User.objects.all().order_by("id")
+        # simulate paging to first 2 ids
+        page = [base_qs[1].id, base_qs[3].id]
+        view = self.DummyView(page=page)
+        resp = view.paginate_by_pk(
+            request=None, base_queryset=base_qs, manager=User.objects
+        )
+        # should fetch only those two users, in the same order as page
+        assert resp.status_code == status.HTTP_200_OK
+        assert resp.data == {"results": page}
+
+
+@pytest.mark.django_db
+class TestTaskManagementMixin:
+    class DummyView(TaskManagementMixin):
+        pass
+
+    @pytest.fixture
+    def tenant(self):
+        return Tenant.objects.create(name="Test Tenant")
+
+    @pytest.fixture(autouse=True)
+    def cleanup(self):
+        Task.objects.all().delete()
+        TaskResult.objects.all().delete()
+
+    def test_no_task_and_no_taskresult_raises_not_found(self):
+        view = self.DummyView()
+        with pytest.raises(TaskNotFoundException):
+            view.check_task_status("task_xyz", {"foo": "bar"})
+
+    def test_no_task_and_no_taskresult_returns_none_when_not_raising(self):
+        view = self.DummyView()
+        result = view.check_task_status(
+            "task_xyz", {"foo": "bar"}, raise_on_not_found=False
+        )
+        assert result is None
+
+    def test_taskresult_pending_raises_in_progress(self):
+        task_kwargs = {"foo": "bar"}
+        tr = TaskResult.objects.create(
+            task_id=str(uuid4()),
+            task_name="task_xyz",
+            task_kwargs=json.dumps(task_kwargs),
+            status="PENDING",
+        )
+        view = self.DummyView()
+        with pytest.raises(TaskInProgressException) as excinfo:
+            view.check_task_status("task_xyz", task_kwargs, raise_on_not_found=False)
+        assert hasattr(excinfo.value, "task_result")
+        assert excinfo.value.task_result == tr
+
+    def test_taskresult_started_raises_in_progress(self):
+        task_kwargs = {"foo": "bar"}
+        tr = TaskResult.objects.create(
+            task_id=str(uuid4()),
+            task_name="task_xyz",
+            task_kwargs=json.dumps(task_kwargs),
+            status="STARTED",
+        )
+        view = self.DummyView()
+        with pytest.raises(TaskInProgressException) as excinfo:
+            view.check_task_status("task_xyz", task_kwargs, raise_on_not_found=False)
+        assert hasattr(excinfo.value, "task_result")
+        assert excinfo.value.task_result == tr
+
+    def test_taskresult_progress_raises_in_progress(self):
+        task_kwargs = {"foo": "bar"}
+        tr = TaskResult.objects.create(
+            task_id=str(uuid4()),
+            task_name="task_xyz",
+            task_kwargs=json.dumps(task_kwargs),
+            status="PROGRESS",
+        )
+        view = self.DummyView()
+        with pytest.raises(TaskInProgressException) as excinfo:
+            view.check_task_status("task_xyz", task_kwargs, raise_on_not_found=False)
+        assert hasattr(excinfo.value, "task_result")
+        assert excinfo.value.task_result == tr
+
+    def test_taskresult_failure_raises_failed(self):
+        task_kwargs = {"a": 1}
+        TaskResult.objects.create(
+            task_id=str(uuid4()),
+            task_name="task_fail",
+            task_kwargs=json.dumps(task_kwargs),
+            status="FAILURE",
+        )
+        view = self.DummyView()
+        with pytest.raises(TaskFailedException):
+            view.check_task_status("task_fail", task_kwargs, raise_on_not_found=False)
+
+    def test_taskresult_failure_returns_none_when_not_raising(self):
+        task_kwargs = {"a": 1}
+        TaskResult.objects.create(
+            task_id=str(uuid4()),
+            task_name="task_fail",
+            task_kwargs=json.dumps(task_kwargs),
+            status="FAILURE",
+        )
+        view = self.DummyView()
+        result = view.check_task_status(
+            "task_fail", task_kwargs, raise_on_failed=False, raise_on_not_found=False
+        )
+        assert result is None
+
+    def test_taskresult_success_returns_none(self):
+        task_kwargs = {"x": 2}
+        TaskResult.objects.create(
+            task_id=str(uuid4()),
+            task_name="task_ok",
+            task_kwargs=json.dumps(task_kwargs),
+            status="SUCCESS",
+        )
+        view = self.DummyView()
+        # should not raise, and returns None
+        assert (
+            view.check_task_status("task_ok", task_kwargs, raise_on_not_found=False)
+            is None
+        )
+
+    def test_taskresult_revoked_returns_none(self):
+        task_kwargs = {"x": 2}
+        TaskResult.objects.create(
+            task_id=str(uuid4()),
+            task_name="task_revoked",
+            task_kwargs=json.dumps(task_kwargs),
+            status="REVOKED",
+        )
+        view = self.DummyView()
+        # should not raise, and returns None
+        assert (
+            view.check_task_status(
+                "task_revoked", task_kwargs, raise_on_not_found=False
+            )
+            is None
+        )
+
+    def test_task_with_failed_status_raises_failed(self, tenant):
+        task_kwargs = {"provider_id": "test"}
+        tr = TaskResult.objects.create(
+            task_id=str(uuid4()),
+            task_name="scan_task",
+            task_kwargs=json.dumps(task_kwargs),
+            status="FAILURE",
+        )
+        task = Task.objects.create(tenant=tenant, task_runner_task=tr)
+        view = self.DummyView()
+        with pytest.raises(TaskFailedException) as excinfo:
+            view.check_task_status("scan_task", task_kwargs)
+        # Check that the exception contains the expected task
+        assert hasattr(excinfo.value, "task")
+        assert excinfo.value.task == task
+
+    def test_task_with_cancelled_status_raises_failed(self, tenant):
+        task_kwargs = {"provider_id": "test"}
+        tr = TaskResult.objects.create(
+            task_id=str(uuid4()),
+            task_name="scan_task",
+            task_kwargs=json.dumps(task_kwargs),
+            status="REVOKED",
+        )
+        task = Task.objects.create(tenant=tenant, task_runner_task=tr)
+        view = self.DummyView()
+        with pytest.raises(TaskFailedException) as excinfo:
+            view.check_task_status("scan_task", task_kwargs)
+        # Check that the exception contains the expected task
+        assert hasattr(excinfo.value, "task")
+        assert excinfo.value.task == task
+
+    def test_task_with_failed_status_returns_task_when_not_raising(self, tenant):
+        task_kwargs = {"provider_id": "test"}
+        tr = TaskResult.objects.create(
+            task_id=str(uuid4()),
+            task_name="scan_task",
+            task_kwargs=json.dumps(task_kwargs),
+            status="FAILURE",
+        )
+        task = Task.objects.create(tenant=tenant, task_runner_task=tr)
+        view = self.DummyView()
+        result = view.check_task_status("scan_task", task_kwargs, raise_on_failed=False)
+        assert result == task
+
+    def test_task_with_completed_status_returns_none(self, tenant):
+        task_kwargs = {"provider_id": "test"}
+        tr = TaskResult.objects.create(
+            task_id=str(uuid4()),
+            task_name="scan_task",
+            task_kwargs=json.dumps(task_kwargs),
+            status="SUCCESS",
+        )
+        Task.objects.create(tenant=tenant, task_runner_task=tr)
+        view = self.DummyView()
+        result = view.check_task_status("scan_task", task_kwargs)
+        assert result is None
+
+    def test_task_with_executing_status_returns_task(self, tenant):
+        task_kwargs = {"provider_id": "test"}
+        tr = TaskResult.objects.create(
+            task_id=str(uuid4()),
+            task_name="scan_task",
+            task_kwargs=json.dumps(task_kwargs),
+            status="STARTED",
+        )
+        task = Task.objects.create(tenant=tenant, task_runner_task=tr)
+        view = self.DummyView()
+        result = view.check_task_status("scan_task", task_kwargs)
+        assert result is not None
+        assert result.pk == task.pk
+
+    def test_task_with_pending_status_returns_task(self, tenant):
+        task_kwargs = {"provider_id": "test"}
+        tr = TaskResult.objects.create(
+            task_id=str(uuid4()),
+            task_name="scan_task",
+            task_kwargs=json.dumps(task_kwargs),
+            status="PENDING",
+        )
+        task = Task.objects.create(tenant=tenant, task_runner_task=tr)
+        view = self.DummyView()
+        result = view.check_task_status("scan_task", task_kwargs)
+        assert result is not None
+        assert result.pk == task.pk
+
+    def test_get_task_response_if_running_returns_none_for_completed_task(self, tenant):
+        task_kwargs = {"provider_id": "test"}
+        tr = TaskResult.objects.create(
+            task_id=str(uuid4()),
+            task_name="scan_task",
+            task_kwargs=json.dumps(task_kwargs),
+            status="SUCCESS",
+        )
+        Task.objects.create(tenant=tenant, task_runner_task=tr)
+        view = self.DummyView()
+        result = view.get_task_response_if_running("scan_task", task_kwargs)
+        assert result is None
+
+    def test_get_task_response_if_running_returns_none_for_no_task(self):
+        view = self.DummyView()
+        result = view.get_task_response_if_running(
+            "nonexistent", {"foo": "bar"}, raise_on_not_found=False
+        )
+        assert result is None
+
+    def test_get_task_response_if_running_returns_202_for_executing_task(self, tenant):
+        task_kwargs = {"provider_id": "test"}
+        tr = TaskResult.objects.create(
+            task_id=str(uuid4()),
+            task_name="scan_task",
+            task_kwargs=json.dumps(task_kwargs),
+            status="STARTED",
+        )
+        task = Task.objects.create(tenant=tenant, task_runner_task=tr)
+        view = self.DummyView()
+        result = view.get_task_response_if_running("scan_task", task_kwargs)
+
+        assert isinstance(result, Response)
+        assert result.status_code == status.HTTP_202_ACCEPTED
+        assert "Content-Location" in result.headers
+        # The response should contain the serialized task data
+        assert result.data is not None
+        assert "id" in result.data
+        assert str(result.data["id"]) == str(task.id)
+
+    def test_get_task_response_if_running_returns_none_for_available_task(self, tenant):
+        task_kwargs = {"provider_id": "test"}
+        tr = TaskResult.objects.create(
+            task_id=str(uuid4()),
+            task_name="scan_task",
+            task_kwargs=json.dumps(task_kwargs),
+            status="PENDING",
+        )
+        Task.objects.create(tenant=tenant, task_runner_task=tr)
+        view = self.DummyView()
+        result = view.get_task_response_if_running("scan_task", task_kwargs)
+        # PENDING maps to AVAILABLE, which is not EXECUTING, so should return None
+        assert result is None
+
+    def test_kwargs_filtering_works_correctly(self, tenant):
+        # Create tasks with different kwargs
+        task_kwargs_1 = {"provider_id": "test1", "scan_type": "full"}
+        task_kwargs_2 = {"provider_id": "test2", "scan_type": "quick"}
+
+        tr1 = TaskResult.objects.create(
+            task_id=str(uuid4()),
+            task_name="scan_task",
+            task_kwargs=json.dumps(task_kwargs_1),
+            status="STARTED",
+        )
+        tr2 = TaskResult.objects.create(
+            task_id=str(uuid4()),
+            task_name="scan_task",
+            task_kwargs=json.dumps(task_kwargs_2),
+            status="STARTED",
+        )
+
+        task1 = Task.objects.create(tenant=tenant, task_runner_task=tr1)
+        task2 = Task.objects.create(tenant=tenant, task_runner_task=tr2)
+
+        view = self.DummyView()
+
+        # Should find task1 when searching for its kwargs
+        result1 = view.check_task_status("scan_task", {"provider_id": "test1"})
+        assert result1 is not None
+        assert result1.pk == task1.pk
+
+        # Should find task2 when searching for its kwargs
+        result2 = view.check_task_status("scan_task", {"provider_id": "test2"})
+        assert result2 is not None
+        assert result2.pk == task2.pk
+
+        # Should not find anything when searching for non-existent kwargs
+        result3 = view.check_task_status(
+            "scan_task", {"provider_id": "test3"}, raise_on_not_found=False
+        )
+        assert result3 is None
--- a/api/src/backend/api/tests/test_models.py
+++ b/api/src/backend/api/tests/test_models.py
@@ -1,6 +1,9 @@
 import pytest
+from allauth.socialaccount.models import SocialApp
+from django.core.exceptions import ValidationError

-from api.models import Resource, ResourceTag
+from api.db_router import MainRouter
+from api.models import Resource, ResourceTag, SAMLConfiguration, SAMLDomainIndex


@pytest.mark.django_db
@@ -120,3 +123,204 @@ class TestResourceModel:
 #             compliance={},
 #         )
 #         assert Finding.objects.filter(uid=long_uid).exists()
+
+
+@pytest.mark.django_db
+class TestSAMLConfigurationModel:
+    VALID_METADATA = """<?xml version='1.0' encoding='UTF-8'?>
+    <md:EntityDescriptor entityID='TEST' xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata'>
+    <md:IDPSSODescriptor WantAuthnRequestsSigned='false' protocolSupportEnumeration='urn:oasis:names:tc:SAML:2.0:protocol'>
+        <md:KeyDescriptor use='signing'>
+        <ds:KeyInfo xmlns:ds='http://www.w3.org/2000/09/xmldsig#'>
+            <ds:X509Data>
+            <ds:X509Certificate>FAKECERTDATA</ds:X509Certificate>
+            </ds:X509Data>
+        </ds:KeyInfo>
+        </md:KeyDescriptor>
+        <md:SingleSignOnService Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' Location='https://idp.test/sso'/>
+    </md:IDPSSODescriptor>
+    </md:EntityDescriptor>
+    """
+
+    def test_creates_valid_configuration(self, tenants_fixture):
+        tenant = tenants_fixture[0]
+        config = SAMLConfiguration.objects.using(MainRouter.admin_db).create(
+            email_domain="ssoexample.com",
+            metadata_xml=TestSAMLConfigurationModel.VALID_METADATA,
+            tenant=tenant,
+        )
+
+        assert config.email_domain == "ssoexample.com"
+        assert SocialApp.objects.filter(client_id="ssoexample.com").exists()
+
+    def test_email_domain_with_at_symbol_fails(self, tenants_fixture):
+        tenant = tenants_fixture[0]
+        config = SAMLConfiguration(
+            email_domain="invalid@domain.com",
+            metadata_xml=TestSAMLConfigurationModel.VALID_METADATA,
+            tenant=tenant,
+        )
+
+        with pytest.raises(ValidationError) as exc_info:
+            config.clean()
+
+        errors = exc_info.value.message_dict
+        assert "email_domain" in errors
+        assert "Domain must not contain @" in errors["email_domain"][0]
+
+    def test_duplicate_email_domain_fails(self, tenants_fixture):
+        tenant1, tenant2, *_ = tenants_fixture
+
+        SAMLConfiguration.objects.using(MainRouter.admin_db).create(
+            email_domain="duplicate.com",
+            metadata_xml=TestSAMLConfigurationModel.VALID_METADATA,
+            tenant=tenant1,
+        )
+
+        config = SAMLConfiguration(
+            email_domain="duplicate.com",
+            metadata_xml=TestSAMLConfigurationModel.VALID_METADATA,
+            tenant=tenant2,
+        )
+
+        with pytest.raises(ValidationError) as exc_info:
+            config.clean()
+
+        errors = exc_info.value.message_dict
+        assert "tenant" in errors
+        assert "There is a problem with your email domain." in errors["tenant"][0]
+
+    def test_duplicate_tenant_config_fails(self, tenants_fixture):
+        tenant = tenants_fixture[0]
+
+        SAMLConfiguration.objects.using(MainRouter.admin_db).create(
+            email_domain="unique1.com",
+            metadata_xml=TestSAMLConfigurationModel.VALID_METADATA,
+            tenant=tenant,
+        )
+
+        config = SAMLConfiguration(
+            email_domain="unique2.com",
+            metadata_xml=TestSAMLConfigurationModel.VALID_METADATA,
+            tenant=tenant,
+        )
+
+        with pytest.raises(ValidationError) as exc_info:
+            config.clean()
+
+        errors = exc_info.value.message_dict
+        assert "tenant" in errors
+        assert (
+            "A SAML configuration already exists for this tenant."
+            in errors["tenant"][0]
+        )
+
+    def test_invalid_metadata_xml_fails(self, tenants_fixture):
+        tenant = tenants_fixture[0]
+        config = SAMLConfiguration(
+            email_domain="brokenxml.com",
+            metadata_xml="<bad<xml>",
+            tenant=tenant,
+        )
+
+        with pytest.raises(ValidationError) as exc_info:
+            config._parse_metadata()
+
+        errors = exc_info.value.message_dict
+        assert "metadata_xml" in errors
+        assert "Invalid XML" in errors["metadata_xml"][0]
+        assert "not well-formed" in errors["metadata_xml"][0]
+
+    def test_metadata_missing_sso_fails(self, tenants_fixture):
+        tenant = tenants_fixture[0]
+        xml = """<md:EntityDescriptor entityID="x" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
+                <md:IDPSSODescriptor></md:IDPSSODescriptor>
+                </md:EntityDescriptor>"""
+        config = SAMLConfiguration(
+            email_domain="nosso.com",
+            metadata_xml=xml,
+            tenant=tenant,
+        )
+
+        with pytest.raises(ValidationError) as exc_info:
+            config._parse_metadata()
+
+        errors = exc_info.value.message_dict
+        assert "metadata_xml" in errors
+        assert "Missing SingleSignOnService" in errors["metadata_xml"][0]
+
+    def test_metadata_missing_certificate_fails(self, tenants_fixture):
+        tenant = tenants_fixture[0]
+        xml = """<md:EntityDescriptor entityID="x" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
+                    <md:IDPSSODescriptor>
+                        <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://example.com/sso"/>
+                    </md:IDPSSODescriptor>
+                </md:EntityDescriptor>"""
+        config = SAMLConfiguration(
+            email_domain="nocert.com",
+            metadata_xml=xml,
+            tenant=tenant,
+        )
+
+        with pytest.raises(ValidationError) as exc_info:
+            config._parse_metadata()
+
+        errors = exc_info.value.message_dict
+        assert "metadata_xml" in errors
+        assert "X509Certificate" in errors["metadata_xml"][0]
+
+    def test_deletes_saml_configuration_and_related_objects(self, tenants_fixture):
+        tenant = tenants_fixture[0]
+        email_domain = "deleteme.com"
+
+        # Create the configuration
+        config = SAMLConfiguration.objects.using(MainRouter.admin_db).create(
+            email_domain=email_domain,
+            metadata_xml=TestSAMLConfigurationModel.VALID_METADATA,
+            tenant=tenant,
+        )
+
+        # Verify that the SocialApp and SAMLDomainIndex exist
+        assert SocialApp.objects.filter(client_id=email_domain).exists()
+        assert (
+            SAMLDomainIndex.objects.using(MainRouter.admin_db)
+            .filter(email_domain=email_domain)
+            .exists()
+        )
+
+        # Delete the configuration
+        config.delete()
+
+        # Verify that the configuration and its related objects are deleted
+        assert (
+            not SAMLConfiguration.objects.using(MainRouter.admin_db)
+            .filter(pk=config.pk)
+            .exists()
+        )
+        assert not SocialApp.objects.filter(client_id=email_domain).exists()
+        assert (
+            not SAMLDomainIndex.objects.using(MainRouter.admin_db)
+            .filter(email_domain=email_domain)
+            .exists()
+        )
+
+    def test_duplicate_entity_id_fails_on_creation(self, tenants_fixture):
+        tenant1, tenant2, *_ = tenants_fixture
+        SAMLConfiguration.objects.using(MainRouter.admin_db).create(
+            email_domain="first.com",
+            metadata_xml=self.VALID_METADATA,
+            tenant=tenant1,
+        )
+
+        config = SAMLConfiguration(
+            email_domain="second.com",
+            metadata_xml=self.VALID_METADATA,
+            tenant=tenant2,
+        )
+
+        with pytest.raises(ValidationError) as exc_info:
+            config.save()
+
+        errors = exc_info.value.message_dict
+        assert "metadata_xml" in errors
+        assert "There is a problem with your metadata." in errors["metadata_xml"][0]
--- a/api/src/backend/api/tests/test_rbac.py
+++ b/api/src/backend/api/tests/test_rbac.py
@@ -1,6 +1,8 @@
+import json
 from unittest.mock import ANY, Mock, patch

 import pytest
+from conftest import TODAY
 from django.urls import reverse
 from rest_framework import status

@@ -60,7 +62,7 @@ class TestUserViewSet:
    def test_create_user_with_all_permissions(self, authenticated_client_rbac):
        valid_user_payload = {
            "name": "test",
-            "password": "newpassword123",
+            "password": "Newpassword123@",
            "email": "new_user@test.com",
        }
        response = authenticated_client_rbac.post(
@@ -74,7 +76,7 @@ class TestUserViewSet:
    ):
        valid_user_payload = {
            "name": "test",
-            "password": "newpassword123",
+            "password": "Newpassword123@",
            "email": "new_user@test.com",
        }
        response = authenticated_client_no_permissions_rbac.post(
@@ -150,6 +152,221 @@ class TestUserViewSet:
        assert response.status_code == status.HTTP_200_OK
        assert response.json()["data"]["attributes"]["email"] == "rbac_limited@rbac.com"

+    def test_me_shows_own_roles_and_memberships_without_manage_account(
+        self, authenticated_client_no_permissions_rbac
+    ):
+        response = authenticated_client_no_permissions_rbac.get(reverse("user-me"))
+        assert response.status_code == status.HTTP_200_OK
+
+        rels = response.json()["data"]["relationships"]
+
+        # Self should see own roles and memberships even without manage_account
+        assert isinstance(rels["roles"]["data"], list)
+        assert rels["memberships"]["meta"]["count"] == 1
+
+    def test_me_shows_roles_and_memberships_with_manage_account(
+        self, authenticated_client_rbac
+    ):
+        response = authenticated_client_rbac.get(reverse("user-me"))
+        assert response.status_code == status.HTTP_200_OK
+
+        rels = response.json()["data"]["relationships"]
+
+        # Roles should have data when manage_account is True
+        assert len(rels["roles"]["data"]) > 0
+
+        # Memberships should be present and count > 0
+        assert rels["memberships"]["meta"]["count"] > 0
+
+    def test_me_include_roles_and_memberships_included_block(
+        self, authenticated_client_rbac
+    ):
+        # Request current user info including roles and memberships
+        response = authenticated_client_rbac.get(
+            reverse("user-me"), {"include": "roles,memberships"}
+        )
+        assert response.status_code == status.HTTP_200_OK
+        payload = response.json()
+
+        # Included must contain memberships corresponding to relationships data
+        rel_memberships = payload["data"]["relationships"]["memberships"]
+        ids_in_relationship = {item["id"] for item in rel_memberships["data"]}
+
+        included = payload["included"]
+        included_membership_ids = {
+            item["id"] for item in included if item["type"] == "memberships"
+        }
+
+        # If there are memberships in relationships, they must be present in included
+        if ids_in_relationship:
+            assert ids_in_relationship.issubset(included_membership_ids)
+        else:
+            # At minimum, included should contain the user's membership when requested
+            # (count should align with meta count)
+            assert rel_memberships["meta"]["count"] == len(included_membership_ids)
+
+    def test_list_users_with_manage_account_only_forbidden(
+        self, authenticated_client_rbac_manage_account
+    ):
+        response = authenticated_client_rbac_manage_account.get(reverse("user-list"))
+        assert response.status_code == status.HTTP_403_FORBIDDEN
+
+    def test_retrieve_other_user_with_manage_account_only_forbidden(
+        self, authenticated_client_rbac_manage_account, create_test_user
+    ):
+        response = authenticated_client_rbac_manage_account.get(
+            reverse("user-detail", kwargs={"pk": create_test_user.id})
+        )
+        assert response.status_code == status.HTTP_403_FORBIDDEN
+
+    def test_list_users_with_manage_users_only_hides_relationships(
+        self, authenticated_client_rbac_manage_users_only
+    ):
+        # Ensure there is at least one other user in the same tenant
+        mu_user = authenticated_client_rbac_manage_users_only.user
+        mu_membership = Membership.objects.filter(user=mu_user).first()
+        tenant = mu_membership.tenant
+
+        other_user = User.objects.create_user(
+            name="other_in_tenant",
+            email="other_in_tenant@rbac.com",
+            password="Password123@",
+        )
+        Membership.objects.create(user=other_user, tenant=tenant)
+
+        response = authenticated_client_rbac_manage_users_only.get(reverse("user-list"))
+        assert response.status_code == status.HTTP_200_OK
+        data = response.json()["data"]
+        assert isinstance(data, list)
+
+        current_user_id = str(mu_user.id)
+        assert any(item["id"] == current_user_id for item in data)
+
+        for item in data:
+            rels = item["relationships"]
+            if item["id"] == current_user_id:
+                # Self should see own relationships
+                assert isinstance(rels["roles"]["data"], list)
+                assert rels["memberships"]["meta"].get("count", 0) >= 1
+            else:
+                # Others should be hidden without manage_account
+                assert rels["roles"]["data"] == []
+                assert rels["memberships"]["data"] == []
+                assert rels["memberships"]["meta"]["count"] == 0
+
+    def test_include_roles_hidden_without_manage_account(
+        self, authenticated_client_rbac_manage_users_only
+    ):
+        # Arrange: ensure another user in the same tenant with its own role
+        mu_user = authenticated_client_rbac_manage_users_only.user
+        mu_membership = Membership.objects.filter(user=mu_user).first()
+        tenant = mu_membership.tenant
+
+        other_user = User.objects.create_user(
+            name="other_in_tenant_inc",
+            email="other_in_tenant_inc@rbac.com",
+            password="Password123@",
+        )
+        Membership.objects.create(user=other_user, tenant=tenant)
+        other_role = Role.objects.create(
+            name="other_inc_role",
+            tenant_id=tenant.id,
+            manage_users=False,
+            manage_account=False,
+        )
+        UserRoleRelationship.objects.create(
+            user=other_user, role=other_role, tenant_id=tenant.id
+        )
+
+        response = authenticated_client_rbac_manage_users_only.get(
+            reverse("user-list"), {"include": "roles"}
+        )
+        assert response.status_code == status.HTTP_200_OK
+        payload = response.json()
+
+        # Assert: included must not contain the other user's role
+        included = payload.get("included", [])
+        included_role_ids = {
+            item["id"] for item in included if item.get("type") == "roles"
+        }
+        assert str(other_role.id) not in included_role_ids
+
+        # Relationships for other user should be empty
+        for item in payload["data"]:
+            if item["id"] == str(other_user.id):
+                rels = item["relationships"]
+                assert rels["roles"]["data"] == []
+
+    def test_include_roles_visible_with_manage_account(
+        self, authenticated_client_rbac, tenants_fixture
+    ):
+        # Arrange: another user in tenant[0] with its role
+        tenant = tenants_fixture[0]
+        other_user = User.objects.create_user(
+            name="other_with_role",
+            email="other_with_role@rbac.com",
+            password="Password123@",
+        )
+        Membership.objects.create(user=other_user, tenant=tenant)
+        other_role = Role.objects.create(
+            name="other_visible_role",
+            tenant_id=tenant.id,
+            manage_users=False,
+            manage_account=False,
+        )
+        UserRoleRelationship.objects.create(
+            user=other_user, role=other_role, tenant_id=tenant.id
+        )
+
+        response = authenticated_client_rbac.get(
+            reverse("user-list"), {"include": "roles"}
+        )
+        assert response.status_code == status.HTTP_200_OK
+        payload = response.json()
+
+        # Assert: included must contain the other user's role
+        included = payload.get("included", [])
+        included_role_ids = {
+            item["id"] for item in included if item.get("type") == "roles"
+        }
+        assert str(other_role.id) in included_role_ids
+
+    def test_retrieve_user_with_manage_users_only_hides_relationships(
+        self, authenticated_client_rbac_manage_users_only
+    ):
+        # Create a target user in the same tenant to ensure visibility
+        mu_user = authenticated_client_rbac_manage_users_only.user
+        mu_membership = Membership.objects.filter(user=mu_user).first()
+        tenant = mu_membership.tenant
+
+        target_user = User.objects.create_user(
+            name="target_same_tenant",
+            email="target_same_tenant@rbac.com",
+            password="Password123@",
+        )
+        Membership.objects.create(user=target_user, tenant=tenant)
+
+        response = authenticated_client_rbac_manage_users_only.get(
+            reverse("user-detail", kwargs={"pk": target_user.id})
+        )
+        assert response.status_code == status.HTTP_200_OK
+        rels = response.json()["data"]["relationships"]
+        assert rels["roles"]["data"] == []
+        assert rels["memberships"]["data"] == []
+        assert rels["memberships"]["meta"]["count"] == 0
+
+    def test_list_users_with_all_permissions_shows_relationships(
+        self, authenticated_client_rbac
+    ):
+        response = authenticated_client_rbac.get(reverse("user-list"))
+        assert response.status_code == status.HTTP_200_OK
+        data = response.json()["data"]
+        assert isinstance(data, list)
+
+        rels = data[0]["relationships"]
+        assert len(rels["roles"]["data"]) >= 0
+        assert rels["memberships"]["meta"]["count"] >= 0
+

@pytest.mark.django_db
 class TestProviderViewSet:
@@ -321,7 +538,7 @@ class TestProviderViewSet:
@pytest.mark.django_db
 class TestLimitedVisibility:
    TEST_EMAIL = "rbac@rbac.com"
-    TEST_PASSWORD = "thisisapassword123"
+    TEST_PASSWORD = "Thisisapassword123@"

    @pytest.fixture
    def limited_admin_user(
@@ -409,3 +626,207 @@ class TestLimitedVisibility:
        assert (
            response.json()["data"]["relationships"]["providers"]["meta"]["count"] == 1
        )
+
+    def test_overviews_providers(
+        self,
+        authenticated_client_rbac_limited,
+        scan_summaries_fixture,
+        providers_fixture,
+    ):
+        # By default, the associated provider is the one which has the overview data
+        response = authenticated_client_rbac_limited.get(reverse("overview-providers"))
+
+        assert response.status_code == status.HTTP_200_OK
+        assert len(response.json()["data"]) > 0
+
+        # Changing the provider visibility, no data should be returned
+        # Only the associated provider to that group is changed
+        new_provider = providers_fixture[1]
+        ProviderGroupMembership.objects.all().update(provider=new_provider)
+
+        response = authenticated_client_rbac_limited.get(reverse("overview-providers"))
+
+        assert response.status_code == status.HTTP_200_OK
+        assert len(response.json()["data"]) == 0
+
+    @pytest.mark.parametrize(
+        "endpoint_name",
+        [
+            "findings",
+            "findings_severity",
+        ],
+    )
+    def test_overviews_findings(
+        self,
+        endpoint_name,
+        authenticated_client_rbac_limited,
+        scan_summaries_fixture,
+        providers_fixture,
+    ):
+        # By default, the associated provider is the one which has the overview data
+        response = authenticated_client_rbac_limited.get(
+            reverse(f"overview-{endpoint_name}")
+        )
+
+        assert response.status_code == status.HTTP_200_OK
+        values = response.json()["data"]["attributes"].values()
+        assert any(value > 0 for value in values)
+
+        # Changing the provider visibility, no data should be returned
+        # Only the associated provider to that group is changed
+        new_provider = providers_fixture[1]
+        ProviderGroupMembership.objects.all().update(provider=new_provider)
+
+        response = authenticated_client_rbac_limited.get(
+            reverse(f"overview-{endpoint_name}")
+        )
+
+        assert response.status_code == status.HTTP_200_OK
+        data = response.json()["data"]["attributes"].values()
+        assert all(value == 0 for value in data)
+
+    def test_overviews_services(
+        self,
+        authenticated_client_rbac_limited,
+        scan_summaries_fixture,
+        providers_fixture,
+    ):
+        # By default, the associated provider is the one which has the overview data
+        response = authenticated_client_rbac_limited.get(
+            reverse("overview-services"), {"filter[inserted_at]": TODAY}
+        )
+
+        assert response.status_code == status.HTTP_200_OK
+        assert len(response.json()["data"]) > 0
+
+        # Changing the provider visibility, no data should be returned
+        # Only the associated provider to that group is changed
+        new_provider = providers_fixture[1]
+        ProviderGroupMembership.objects.all().update(provider=new_provider)
+
+        response = authenticated_client_rbac_limited.get(
+            reverse("overview-services"), {"filter[inserted_at]": TODAY}
+        )
+
+        assert response.status_code == status.HTTP_200_OK
+        assert len(response.json()["data"]) == 0
+
+
+@pytest.mark.django_db
+class TestRolePermissions:
+    def test_role_create_with_manage_account_only_allowed(
+        self, authenticated_client_rbac_manage_account
+    ):
+        data = {
+            "data": {
+                "type": "roles",
+                "attributes": {
+                    "name": "Role Manage Account Only",
+                    "manage_users": "false",
+                    "manage_account": "true",
+                    "manage_providers": "false",
+                    "manage_scans": "false",
+                    "unlimited_visibility": "false",
+                },
+                "relationships": {"provider_groups": {"data": []}},
+            }
+        }
+        response = authenticated_client_rbac_manage_account.post(
+            reverse("role-list"),
+            data=json.dumps(data),
+            content_type="application/vnd.api+json",
+        )
+        assert response.status_code == status.HTTP_201_CREATED
+
+    def test_role_create_with_manage_users_only_forbidden(
+        self, authenticated_client_rbac_manage_users_only
+    ):
+        data = {
+            "data": {
+                "type": "roles",
+                "attributes": {
+                    "name": "Role Manage Users Only",
+                    "manage_users": "true",
+                    "manage_account": "false",
+                    "manage_providers": "false",
+                    "manage_scans": "false",
+                    "unlimited_visibility": "false",
+                },
+                "relationships": {"provider_groups": {"data": []}},
+            }
+        }
+        response = authenticated_client_rbac_manage_users_only.post(
+            reverse("role-list"),
+            data=json.dumps(data),
+            content_type="application/vnd.api+json",
+        )
+        assert response.status_code == status.HTTP_403_FORBIDDEN
+
+
+@pytest.mark.django_db
+class TestUserRoleLinkPermissions:
+    def test_link_user_roles_with_manage_account_only_allowed(
+        self, authenticated_client_rbac_manage_account
+    ):
+        # Arrange: create a second user in the same tenant as the manage_account user
+        ma_user = authenticated_client_rbac_manage_account.user
+        ma_membership = Membership.objects.filter(user=ma_user).first()
+        tenant = ma_membership.tenant
+
+        user2 = User.objects.create_user(
+            name="target_user",
+            email="target_user_ma@rbac.com",
+            password="Password123@",
+        )
+        Membership.objects.create(user=user2, tenant=tenant)
+
+        # Create a role in the same tenant
+        role = Role.objects.create(
+            name="linkable_role",
+            tenant_id=tenant.id,
+            manage_users=False,
+            manage_account=False,
+        )
+
+        data = {"data": [{"type": "roles", "id": str(role.id)}]}
+
+        # Act
+        response = authenticated_client_rbac_manage_account.post(
+            reverse("user-roles-relationship", kwargs={"pk": user2.id}),
+            data=data,
+            content_type="application/vnd.api+json",
+        )
+
+        # Assert
+        assert response.status_code == status.HTTP_204_NO_CONTENT
+
+    def test_link_user_roles_with_manage_users_only_forbidden(
+        self, authenticated_client_rbac_manage_users_only
+    ):
+        mu_user = authenticated_client_rbac_manage_users_only.user
+        mu_membership = Membership.objects.filter(user=mu_user).first()
+        tenant = mu_membership.tenant
+
+        user2 = User.objects.create_user(
+            name="target_user2",
+            email="target_user_mu@rbac.com",
+            password="Password123@",
+        )
+        Membership.objects.create(user=user2, tenant=tenant)
+
+        role = Role.objects.create(
+            name="linkable_role_mu",
+            tenant_id=tenant.id,
+            manage_users=False,
+            manage_account=False,
+        )
+
+        data = {"data": [{"type": "roles", "id": str(role.id)}]}
+
+        response = authenticated_client_rbac_manage_users_only.post(
+            reverse("user-roles-relationship", kwargs={"pk": user2.id}),
+            data=data,
+            content_type="application/vnd.api+json",
+        )
+
+        assert response.status_code == status.HTTP_403_FORBIDDEN
--- a/Show More
+++ b/Show More