
chore(deps): update toniblyx/prowler docker tag to v5.29.2#79

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/toniblyx-prowler-5.x

Conversation


@renovate renovate Bot commented Jul 3, 2025

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package: toniblyx/prowler | Type: Kustomization | Update: minor | Change: 5.7.5 → 5.29.2

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

prowler-cloud/prowler (toniblyx/prowler)

v5.29.2: Prowler 5.29.2

UI

🔄 Changed
  • Account and provider-type selector triggers now show the provider icon, with a non-deduped icon stack (#​11424)
🐞 Fixed
  • Add Provider modal now closes without reloading the providers page (#​11424)
  • Users page now shows the "Delete User" action only on the current user's row, matching the backend rule that a user can only delete their own account (#​11447)
🔐 Security
  • Vitest toolchain upgraded 4.0.18 → 4.1.8 to clear two critical pnpm audit advisories (#​11424)

v5.29.1: Prowler 5.29.1

API

🐞 Fixed
  • GET /api/v1/findings N+1 query loading resources__tags when listing findings (#​11420)
  • Clean up the scan tmp output directory when scan-report fails so partial files do not accumulate and fill the worker disk (No space left on device) (#​11421)

SDK

🐞 Fixed
  • OCSF output writer now re-raises I/O errors (e.g. ENOSPC) instead of logging them per finding and leaving a truncated file (#​11421)

v5.29.0: Prowler 5.29.0

✨ New features to highlight in this version

Enjoy them all now for free at https://cloud.prowler.com

🧑‍💼 Google Workspace — 20 new checks to complete CIS 1.3

20 new checks built on the Cloud Identity Policy API:

  • Rules service — 8 checks
  • Security service — 12 checks

With these checks, Prowler's automated coverage of the CIS Google Workspace Benchmark 1.3 is now complete.

Read more in our Google Workspace documentation.

Explore all checks at Prowler Hub.

🔑 Okta — Application Service

A new application service for Okta with 6 checks covering admin console and dashboard hardening:

  • application_admin_console_session_idle_timeout_15min
  • application_admin_console_mfa_required
  • application_admin_console_phishing_resistant_authentication
  • application_dashboard_mfa_required
  • application_dashboard_phishing_resistant_authentication
  • application_authentication_policy_network_zone_enforced

Read more in our Okta documentation.

Explore all checks at Prowler Hub.

🚀 API - Performance

  • Scan ingestion is significantly lighter on the database. The scan hot loop now bulk-resolves Resource/ResourceTag rows, replaces per-mapping SELECT FOR UPDATE with deferred conflict-tolerant bulk inserts, wraps each micro-batch in a single transaction, and raises the batch size to 1000.
  • Faster finding-groups/latest aggregation on tenants where one recent scan holds most findings.

🏢 New Provider: StackIT

Prowler now supports StackIT, the German sovereign cloud. Authentication uses a service account key, either as a file path (--stackit-service-account-key-path / STACKIT_SERVICE_ACCOUNT_KEY_PATH) or inline JSON (--stackit-service-account-key / STACKIT_SERVICE_ACCOUNT_KEY).

[!NOTE]
StackIT is not officially supported. For more information, contact us.

Read more in our StackIT documentation.

Explore all checks at Prowler Hub.

Thanks to @​johannes-engler-mw for their 1st provider in Prowler!

📋 Scan Jobs — Redesigned View

The Scan Jobs view in the UI is fully restyled around dedicated tabs, each with columns tailored to its context:

  • In Progress — running and queued scans, auto-refreshing while jobs execute.
  • Completed — finished scans with quick access to their findings.
  • Scheduled — upcoming scans with their schedule.

Launching a scan now happens through a dedicated modal where you pick connected cloud accounts and add optional scan notes.

🌑 Dark Mode — Redesigned

Dark mode has been reworked for clarity and contrast:

  • Pure-black canvas and pure-white primary text for maximum legibility.
  • Brighter border and input tokens so cards, tables, and inputs separate cleanly instead of blending into the background.

📚 Compliance - AWS AI Security Framework

A new AWS AI Security Framework mapping Prowler checks to AI/ML security guidance.

Read more in our compliance documentation.

🔍 New Checks

Azure
  • storage_account_public_network_access_disabled — flags storage accounts that allow public network access

Explore all Azure checks at Prowler Hub.

🔐 Security Updates

UI
  • pnpm upgraded to 11 with supply-chain defaults consolidated in pnpm-workspace.yaml and trustPolicyExclude entries pinned to exact versions.
  • uuid pinned to 11.1.1 via pnpm-workspace.yaml#overrides to clear GHSA-w5hq-g745-h8pq (missing bounds check in v3/v5/v6 name-based generators with buf) in the transitive tree.

🙌 External Contributors

Thank you to our community contributors for this release!


UI

🚀 Added
  • Restyle Scan Jobs view with specific In Progress, Completed, Scheduled tabs (#​11258)
🔄 Changed
  • Dark mode: pure-black canvas, pure-white primary text, and brighter border / input tokens for clearer separation between cards, tables, and inputs (#​11073)
  • CI workflows (ui-tests.yml, ui-e2e-tests-v2.yml) now read the Node version from ui/.nvmrc and the pnpm version from package.json#packageManager instead of hardcoded values (#​11225)
🐞 Fixed
  • Compliance page now loads the most recent scan when opened from the sidebar instead of showing the "no compliance data available" alert (#​11374)
  • Invitation links now show specific expired, no-longer-valid, and invalid-token messages based on API error responses (#​11376)
🔐 Security
  • pnpm upgraded to 11 with supply-chain defaults consolidated in pnpm-workspace.yaml and trustPolicyExclude entries pinned to exact versions (#​11225)
  • uuid pinned to 11.1.1 via pnpm-workspace.yaml#overrides to clear GHSA-w5hq-g745-h8pq (missing bounds check in v3/v5/v6 name-based generators with buf) in the transitive tree (#​11225)

API

🔄 Changed
  • Scan finding ingestion: bulk-resolve Resource/ResourceTag rows, replace per-mapping SELECT FOR UPDATE with deferred ResourceTagMapping.bulk_create(ignore_conflicts=True), wrap each micro-batch in a single rls_transaction, and raise SCAN_DB_BATCH_SIZE to 1000 (#​11249)
  • Faster GET /api/v1/finding-groups/latest aggregation on tenants where one recent scan holds most findings (#​11380)

SDK

🚀 Added
  • application service for Okta provider with application_admin_console_session_idle_timeout_15min, application_admin_console_mfa_required, application_admin_console_phishing_resistant_authentication, application_dashboard_mfa_required, application_dashboard_phishing_resistant_authentication, and application_authentication_policy_network_zone_enforced checks (#​11358)
  • AWS AI Security Framework compliance for AWS provider (#​11353)
  • storage_account_public_network_access_disabled check for Azure provider and remapped the Azure CIS "Public Network Access is Disabled" requirements to it (#​11334)
  • StackIT provider now authenticates with a service account key, either as a file path (--stackit-service-account-key-path / STACKIT_SERVICE_ACCOUNT_KEY_PATH) or as inline JSON content (--stackit-service-account-key / STACKIT_SERVICE_ACCOUNT_KEY, intended for CI/CD with a secret manager); the StackIT SDK refreshes access tokens internally, replacing the short-lived STACKIT_API_TOKEN flow (#​9237)
  • 8 Rules service checks for Google Workspace provider using the Cloud Identity Policy API (#​11379)
  • 12 Security service checks for Google Workspace provider using the Cloud Identity Policy API (#​11356)
⚠️ Deprecated
  • s3_bucket_default_encryption check for AWS provider since SSE-S3 is automatically applied to all S3 buckets by AWS as of January 5, 2023 and can no longer be disabled (#​11230)
🐞 Fixed
  • ENS RD 311/2022 (AWS) compliance mapping: vpc_different_regions was incorrectly mapped under the mp.com.4 family (Network segregation). That check is now mapped to a new op.cont.2.aws.vpc.1 requirement under the Continuity of Service control (#​11372)
  • Compliance CSV row count now matches the UI per requirement by sourcing rows from the framework JSON's requirement.Checks instead of the stale finding.compliance snapshot (#​11370)
  • OpenStack provider exception codes moved from the 10000-10999 range, shared with the AlibabaCloud provider, to the free 17000-17999 range to keep error codes unambiguous (#​11382)
  • Azure provider now supports authentication against sovereign clouds (AzureChinaCloud, AzureUSGovernment) (#​10284)

v5.28.1: Prowler 5.28.1

UI

🐞 Fixed
  • Large scan report ZIP downloads now stream through a Next.js Route Handler instead of buffering the full file in a Server Action (#​11330)
  • Compliance requirement findings table now respects the page size selector (#​11365)

API

🐞 Fixed
  • finding-groups slow response with finding-level filters such as region; check title and description are now read from the daily summaries, which drops sorting by check_title (#​11326)

SDK

🐞 Fixed
  • compute_project_os_login_enabled and compute_project_os_login_2fa_enabled checks for GCP provider no longer false-FAIL on projects where the enable-oslogin / enable-oslogin-2fa metadata is not set explicitly but is inherited automatically from the constraints/compute.requireOsLogin org policy. The policy controller writes the inherited value in lowercase ("true"), but the service-layer parser compared it to the uppercase string literal "TRUE". Comparison is now case-insensitive (#​11341)
  • storage_smb_channel_encryption_with_secure_algorithm check for Azure provider no longer passes when a storage account allows a weak SMB channel encryption algorithm (e.g. AES-128-CCM/AES-128-GCM) alongside AES-256-GCM; it now requires every enabled algorithm to be in the recommended list, configurable via azure.recommended_smb_channel_encryption_algorithms (defaults to AES-256-GCM only, as required by CIS) (#​11327)
  • Azure and M365 providers crashing with RuntimeError: There is no current event loop on Python 3.12 when called from threads without an active event loop (e.g. Celery workers) (#​11360)

MCP

🐞 Fixed
  • Preserve authorization header in HTTP mode (#​11366)

v5.27.0: Prowler 5.27.0

✨ New features to highlight in this version

Enjoy them all now for free at https://cloud.prowler.com

🆔 New Provider: Okta (CLI-Only)

Prowler now scans Okta as a first-class provider. Authenticate with OAuth read-only credentials using an application and start auditing your Okta tenant in minutes.

export OKTA_ORG_DOMAIN="your-tenant.okta.com"
export OKTA_CLIENT_ID="0oa1234567890abcdef"
export OKTA_PRIVATE_KEY_FILE="/path/to/prowler-okta.pem"

prowler okta

The release ships with the signon service and one DISA STIG-mapped check:

  • signon_global_session_idle_timeout_15min — maps to DISA STIG V-273186 / OKTA-APP-000020: the Default Policy must have a Priority 1 rule (not the built-in Default Rule) that sets Maximum Okta global session idle time to 15 minutes or less.

More services, checks, the STIG v1 Okta compliance framework, and full Prowler API / UI integration are coming in follow-up releases.

Read more in our Okta provider documentation.

Explore all Okta checks at Prowler Hub.

📧 Google Workspace — Chat service

The Google Workspace provider grows again with the new Chat service and 6 CIS-mapped checks landing via the Cloud Identity Policy API:

  • chat_apps_installation_disabled — verifies third-party Chat apps cannot be installed by users, blocking unsanctioned access to email, conversation content, and organizational data.
  • chat_external_file_sharing_disabled — verifies users cannot share files with people outside the organization via Chat conversations.
  • chat_external_messaging_restricted — verifies messaging with users outside the organization is either disabled or restricted to allowlisted domains.
  • chat_external_spaces_restricted — verifies external Chat spaces are either disabled or restricted to allowlisted domains.
  • chat_incoming_webhooks_disabled — verifies incoming webhooks are disabled so external applications cannot post into Chat spaces.
  • chat_internal_file_sharing_disabled — verifies file sharing between internal users in Chat is disabled, for organizations that need to audit all internal file flows.

Read more in our Google Workspace provider documentation.

Explore all Google Workspace checks at Prowler Hub.

🕸️ Attack Paths — Redesigned Graph

The Attack Paths graph in the Prowler App has been rewritten on React Flow, replacing the previous D3 + Dagre implementation. The new graph ships with:

  • Improved layout and node clustering
  • Smoother pan, zoom, and selection interactions
  • Image export
  • A minimap for orientation on dense graphs

☁️ AWS — "View in AWS Console"

AWS findings and resource details in the Prowler App now expose a one-click "View in AWS Console" link that opens the resource directly in the AWS Console. Jumping from a finding straight to the offending resource in the source-of-truth console is one click away.

☁️ AWS — IAM checks focus on attached customer-managed policies

AWS IAM customer-managed policy checks now scan only attached policies by default. Unattached customer-managed policies no longer emit a FAIL. They're inert, they're not in any principal's effective permissions, and they were generating findings on accounts that legitimately keep policies around for staged rollouts or break-glass scenarios. To keep auditing unattached policies (and other unused-service surfaces), opt in with --scan-unused-services, matching the existing semantics for the rest of the unused-services scope.

🤖 Lighthouse AI — Finding Groups MCP tools

Lighthouse AI can now reason about Finding Groups end to end. The new Finding Groups MCP tools let Lighthouse AI list, filter and inspect grouped findings, the same lens analysts use to triage at scale, instead of being limited to individual findings.

Read more about it in our Lighthouse AI documentation

📄 PDF Compliance Reports — Performance Improvements

We've introduced two important changes to the Compliance Reports in PDF:

  • Only failed findings in the PDF. PDFs now focus on what needs action. PASS findings are no longer written into the report. The CSV and JSON exports remain complete and unfiltered for anyone who needs the full picture.
  • Per-check detail tables capped at 100 failed findings. Each check's detail table shows up to 100 failed findings, with an in-PDF banner reading "Showing first 100 of N failed findings" pointing readers to the CSV / JSON exports for the rest.

Read more in our compliance documentation.

🌊 New Provider: Scaleway (Unofficial, CLI-Only)

Prowler now scans Scaleway as a new provider. Point Prowler at your Scaleway organization with a secret key and start auditing IAM:

prowler scaleway

The release ships with the iam service and one check:

  • iam_api_keys_no_root_owned — flags Scaleway API keys bound to the account root user. Root-owned API keys bypass IAM policies and grant unrestricted access to every project, resource and billing setting in the organization; rotating them disrupts every automation that depended on root credentials, so they should be replaced with IAM-application-scoped keys.

Read more in our Scaleway provider documentation

⚙️ poetry → uv migration

Both the Prowler API and the Prowler SDK are now on uv as their package manager. Contributors get faster, deterministic installs and a single tool to work across the codebase.

Thank you to @​AOrps for the contribution to migrate it in the API!

🆕 New Checks

AWS
  • cloudtrail_bedrock_logging_enabled — verifies at least one actively logging CloudTrail trail records Amazon Bedrock API activity for generative-AI auditability.
  • iam_user_access_not_stale_to_sagemaker — flags IAM users whose last SageMaker access exceeds the configured threshold (default 90 days, tunable via max_unused_sagemaker_access_days) or who have never accessed SageMaker.
  • sagemaker_domain_sso_configured — verifies SageMaker Domains use IAM Identity Center (SSO) authentication instead of IAM users, so user access is centrally managed. Thanks to @​kimjune01!
M365
  • entra_service_principal_no_secrets_for_permanent_tier0_roles — flags service principals that hold credentials for permanent Tier-0 role assignments (Global Admin, Privileged Role Admin, etc.), where any leaked secret is a tenant-wide compromise.

🔐 Security Updates

  • UI: npm dependencies updated to patched versions for Next.js, Vite, LangChain, XML parsing, lodash, and related transitive packages.
  • API: 4 HIGH severity dependency vulnerabilities resolved on api/uv.lock: lxml 5.3.2 → 6.1.0 (GHSA-vfmq-68hx-4jfw, XXE), urllib3 2.6.3 → 2.7.0 (GHSA-mf9v-mfxr-j63j, GHSA-qccp-gfcp-xxvc), microsoft-kiota-* 1.9.2 → 1.9.9 (GHSA-7j59-v9qr-6fq9, via override-dependencies since the SDK hard-pins kiota-abstractions), and xmlsec 1.3.14 → 1.3.17 for libxml2 compatibility with lxml 6.x (#​11192).
  • MCP Server: cryptography 46.0.1 → 47.0.0 (transitive) for CVE-2026-39892, CVE-2026-26007 and CVE-2026-34073.
  • Supply chain tooling: safety replaced with osv-scanner, which now also scans the UI workspace in addition to the SDK; npm supply-chain hardening landed in the UI workspace; SDK root transitive dependencies pinned to prevent silent drift.

🙌 External Contributors

Thank you to our community contributors for this release!


UI

🚀 Added
  • Health endpoint at GET /api/health for Docker Compose liveness checks (#​11145)
  • AWS findings and resource details now expose a "View in AWS Console" link that opens the resource directly in the AWS Console via the universal /go/view ARN resolver (#​9172)
  • Lighthouse AI: Prowler App Finding Groups MCP tools (#​11140)
🔄 Changed
  • Trimmed unused npm dependencies (#​11115)
  • Faster, stricter pre-commit: prek lints and formats only staged UI files (husky removed), with Prettier and ESLint (--max-warnings 40, stale-disable detection) now covering the full UI workspace, including public/ assets (#​11118)
  • Attack Paths graph now uses React Flow with improved layout, interactions, export, minimap, and browser test coverage (#​10686)
  • SAML ACS URL is only shown if the email domain is configured (#​11144)
  • "View Resource" action in the finding resource detail drawer is now an icon-only link rendered next to the resource name (instead of a text button in the UID row), keeping the "View in AWS Console" link unchanged (#​11193)
🐞 Fixed
  • Mute Findings modal now enforces the 100-character limit on the rule name input with a live counter and inline error, matching the existing reason field behaviour (#​11158)
  • Finding drawer no longer renders literal backticks around inline code in Risk, Description and Remediation sections (#​11142)
  • Launch Scan first-provider wizard continues after provider creation instead of resetting the Scans page (#​11136)
  • Attack Paths graph nodes now wrap long resource and finding labels, indicate truncated values with …, and show the full value in an immediate tooltip (#​11197)
🔐 Security
  • npm dependencies updated to patched versions for Next.js, Vite, LangChain, XML parsing, lodash, and related transitive packages (#​11173)
  • Hardened npm supply chain controls (#​11157)

API

🚀 Added
  • GIN index on findings(categories, resource_services, resource_regions, resource_types) to speed up /api/v1/finding-groups array filters (#​11001)
  • GET /health/live and GET /health/ready Kubernetes-style probe endpoints following the IETF Health Check Response Format (application/health+json). Readiness verifies PostgreSQL, Valkey and Neo4j connectivity and returns 503 with per-dependency detail when any is unreachable (#​11200)
🔄 Changed
  • Replace poetry with uv as package manager (#​10775)
  • Remove orphaned gin_resources_search_idx declaration from Resource.Meta.indexes (DB index dropped in 0072_drop_unused_indexes) (#​11001)
  • PDF compliance reports cap detail tables at 100 failed findings per check (configurable via DJANGO_PDF_MAX_FINDINGS_PER_CHECK) to bound worker memory on large scans (#​11160)
🐞 Fixed
  • perform_scan_task and perform_scheduled_scan_task now short-circuit with a warning and return None when the target provider no longer exists, instead of letting handle_provider_deletion raise ProviderDeletedException. perform_scheduled_scan_task also removes any orphan PeriodicTask it finds so beat stops re-firing scans for deleted providers. Prevents queued messages for deleted providers from being recorded as FAILURE (#​11185)
  • Attack Paths: BEDROCK-001 and BEDROCK-002 now target roles trusting bedrock-agentcore.amazonaws.com instead of bedrock.amazonaws.com, eliminating false positives against regular Bedrock service roles (Agents, Knowledge Bases, model invocation) (#​11141)

SDK

🚀 Added
  • 6 Chat file sharing, external messaging, spaces, and apps access checks for Google Workspace provider using the Cloud Identity Policy API (#​11126)
  • entra_service_principal_no_secrets_for_permanent_tier0_roles check for M365 provider (#​10788)
  • iam_user_access_not_stale_to_sagemaker check for AWS provider with configurable max_unused_sagemaker_access_days (default 90) (#​11000)
  • cloudtrail_bedrock_logging_enabled check for AWS provider (#​10858)
  • Okta provider with OAuth 2.0 authentication and signon_global_session_idle_timeout_15min check (#​11079)
  • sagemaker_domain_sso_configured check for AWS provider (#​11094)
  • Scaleway provider with iam_api_keys_no_root_owned check (#​11166)
🔄 Changed
  • entra_emergency_access_exclusion check for M365 provider now scopes the exclusion requirement to enabled Conditional Access policies with a Block grant control instead of every enabled policy, focusing on the lockout-relevant policy set (#​10849)
  • AWS IAM customer-managed policy checks no longer emit FAIL on unattached policies unless --scan-unused-services is enabled (#​11150)
  • Replace poetry with uv as package manager (#​11162)
  • Replace safety with osv-scanner for dependency vulnerability scanning in SDK CI and pre-commit (#​11167)
🐞 Fixed
  • Google Workspace Directory checks sharing a single resource row, causing the service field to be overwritten by the last check executed (#​11176)
  • Google Workspace Calendar and Drive services sharing a single resource row, causing the service field to be overwritten by the last check executed (#​11161)
  • zone_waf_enabled check for Cloudflare provider now appends a plan-aware hint to the FAIL status_extended: a possible-false-positive note on paid plans (Pro, Business, Enterprise) where the legacy waf zone setting can read off even though WAF managed rulesets are deployed via the dashboard, and a "not available on the Cloudflare Free plan" note on Free zones (#​9896)
  • Google Workspace Gmail checks sharing a single resource row, causing the service field to be overwritten by the last check executed (#​11169)
  • Google Workspace Drive and Calendar services missing server-side policy filters (#​11195)
  • entra_users_mfa_capable and entra_break_glass_account_fido2_security_key_registered report a preventive FAIL per affected user (with the missing permission named) when the M365 service principal lacks AuditLog.Read.All, instead of mass false positives (#​10907)
  • Duplicated GCP CIS requirements IDs (#​11180)
  • VercelSession.token is now excluded from serialization and representation to prevent the Vercel API token from leaking through .dict(), .json() or logs (#​11198)

v5.26.1: Prowler 5.26.1

UI

🐞 Fixed
  • Role form Cancel buttons now return to Roles (#​11125)
  • Shared select dropdowns stay constrained and scrollable inside modals (#​11125)

API

🐞 Fixed
  • POST /api/v1/scans Celery task is now published via transaction.on_commit so the worker cannot read the Scan before the dispatch (#​11122)

SDK

🐞 Fixed
  • entra_users_mfa_capable no longer flags disabled guest users by requesting accountEnabled and userType from Microsoft Graph (#​11002)

v5.26.0: Prowler 5.26.0

✨ New features to highlight in this version

Enjoy them all now for free at https://cloud.prowler.com

🔔 Alerts

[!NOTE]
Available exclusively in Prowler Cloud.

Wire findings straight into the people who need to know. By default, every organization gets a daily digest of critical findings delivered to the organization owner — auto-provisioned, no setup required, editable or removable any time.

From there, organization admins can define custom alert rules over scan results — scoped by provider, account, severity, status, or any combination — and route them to any user in the organization. A Create Alert shortcut on the Findings page turns the current filter set into an alert rule in one click, so the filters you used to triage become the alert that watches for the same condition tomorrow.

All organization users are confirmed recipients by default (no opt-in confirmation required for now), and every alert email carries a one-click unsubscribe link so nobody is stuck on a list they don't want to be on. The new Manage Alerts RBAC permission keeps configuration gated to the right people.

Read more in the alerts documentation.

🔍 Finding Detail Drawer - Built for Triage

The finding drawer is where security teams actually live during triage, so it has been rebuilt around the question every analyst opens it to answer: what's not good, where, and how do I fix it?

  • The verdict comes first. A color-coded status banner sits at the top of the drawer - pass, fail, manual, or muted - so the outcome is the first thing you see, not the last thing you scroll to.
  • Remediation gets its own tab. Step-by-step fixes no longer compete with identifiers and metadata for attention; you click one tab and you're in the "what do I do about it" view.
  • Resource context is front and center. Account and Resource share the top row with a one-click link straight to the resource page.
  • Information hierarchy matches the workflow. Internal identifiers (check_id, finding_id, finding_uid) move to the bottom of the overview - still one click away when you need them for a Jira ticket or a copy-paste, but no longer competing with the answer to "what is this?". The "Other Findings For This Resource" tab is renamed to the more direct Findings for this resource.
  • Faster carousel navigation. Stepping through findings inside the drawer no longer flashes empty banners - the status renders immediately from the row you came from while the full record loads in the background.

The net effect: less hunting, fewer clicks between "I have a finding" and "I have a plan."

🎯 Prowler ThreatScore - Compliance View Overhaul

The ThreatScore compliance views get a focused UX pass so the score is something you can act on, not just look at:

  • Canonical pillar ordering everywhere - pillars now render in a single canonical order (1. IAM → 2. Attack Surface → 3. Logging and Monitoring → 4. Encryption) across the badge, breakdown card, donut legend, and accordion. Missing pillars no longer disappear from the UI - they render with - / 0% so the full set is always visible.
  • Pillars are clickable - clicking a pillar on /compliance now jumps straight to the ThreatScore detail page with the accordion pre-expanded on the pillar you clicked, scrolled into view. No more eyeballing the accordion to find what you just clicked on.
  • Top Failed Sections always shows the full pillar set - every canonical pillar shows up on the chart, zero-filled when there are no failures, so you get a true at-a-glance pillar-by-pillar fail rate instead of a partial picture.
  • Every donut slice is hoverable - on the Requirements Status donut, the slice you hover over expands slightly so even tiny 1–2% fail or manual segments are easy to target and inspect, instead of being swallowed by the dominant pass slice.

📚 ASD Essential Eight Maturity Model - AWS

The Australian Signals Directorate's Essential Eight Maturity Model (Maturity Level One, Nov 2023) is now a first-class compliance framework for AWS. It plugs into the compliance page with the same detail view, top-failed-sections breakdown, and export support as every other framework. Thanks to @​boonchuan!

Read more in our compliance documentation.

📧 Google Workspace - Gmail Attachment Safety & Spoofing Protection

Eight new Gmail checks land for Google Workspace, covering attachment safety and spoofing protection at the domain level via the Cloud Identity Policy API:

  • gmail_anomalous_attachment_protection_enabled
  • gmail_domain_spoofing_protection_enabled
  • gmail_employee_name_spoofing_protection_enabled
  • gmail_encrypted_attachment_protection_enabled
  • gmail_groups_spoofing_protection_enabled
  • gmail_inbound_domain_spoofing_protection_enabled
  • gmail_script_attachment_protection_enabled
  • gmail_unauthenticated_email_protection_enabled

Read more in our Google Workspace documentation.

Explore all Google Workspace checks at Prowler Hub.

☁️ AWS - Bedrock Hardening

Three new AWS Bedrock checks land this release to keep generative-AI surface area honest:

  • bedrock_guardrails_configured - flags Bedrock deployments that ship without Guardrails configured, the standard AWS-native abuse and content-safety layer.
  • bedrock_prompt_management_exists - verifies Prompt Management is in use so prompts are versioned and auditable rather than embedded inline in application code.
  • bedrock_prompt_encrypted_with_cmk - verifies that each Prompt is encrypted with a CMK.

Read more in our AWS provider documentation.

Explore all AWS checks at Prowler Hub.

🖥️ UI - Providers Wording, Findings Polish

A coordinated UX pass across the high-traffic surfaces:

  • Providers wording - "Cloud Providers", "Accounts", and "Account Groups" copy is gone. Everything is now consistently labeled "Providers" across the UI and docs, removing the last of the legacy naming.
  • Finding remediation links - the detail drawer now labels remediation actions by destination ("View CVE", "View in Prowler Hub", "View Advisory", "View Reference") instead of a generic "View" everywhere.
  • Compliance cards - full-width progress bar, passing-requirements caption next to the framework logo.

🔗 Remediation Links Now Point to the Source

Container image CVE findings and IaC findings now link to official sources for remediation and references - CVE.org, Prowler Hub, and GitHub Security Advisories - instead of a third-party advisory mirror. Trivy-sourced findings also link correctly into Prowler Hub, so the "View" buttons in the finding drawer go where you expect every time.

🔐 Security Updates

  • Image provider SSRF - parser-mismatch SSRF in registry auth fixed: crafted bearer-token realms and pagination links could force requests to internal addresses and leak credentials cross-origin.
  • cryptography 46.0.6 → 46.0.7 and trivy 0.69.2 → 0.70.0 across SDK, API, and MCP images for CVE-2026-39892 and CVE-2026-33186.
  • requests 2.33.1 in the MCP server image to clear advisory 90553.

🙌 External Contributors

Thank you to our community contributors for this release!


UI

🚀 Added
  • ASD Essential Eight compliance framework support (#​11071)
🔄 Changed
  • Standardized "Providers" wording across UI and documentation, replacing legacy "Cloud Providers" / "Accounts" / "Account Groups" copy (#​10971)
  • Finding detail drawer now labels remediation actions from finding-level recommendation URLs by destination: "View CVE", "View in Prowler Hub", "View Advisory", or "View Reference", while keeping URL-only remediation cards labeled (#​10853)
  • Finding detail drawer reorganized: status-colored banner below the resource info, dedicated Remediation tab, renamed "Findings for this resource" tab, and inline View Resource link next to the resource UID (#​11091)
  • ThreatScore compliance views: canonical pillar order across all charts and the accordion, clickable pillars on /compliance that anchor the detail page, Top Failed Sections always shows the full pillar set, and donut tooltip now triggers on every segment (#​10975)

API

🚀 Added
  • scan-reset-ephemeral-resources post-scan task zeroes failed_findings_count for resources missing from the latest full-scope scan, keeping ephemeral resources from polluting the Resources page sort (#​10929)
  • ASD Essential Eight (AWS) compliance framework support (#​10982)
🔐 Security

SDK

🚀 Added
  • bedrock_guardrails_configured check for AWS provider (#​10844)
  • Universal compliance with OCSF support (#​10301)
  • ASD Essential Eight Maturity Model compliance framework for AWS (Maturity Level One, Nov 2023) (#​10808)
  • Vercel checks now return an extended finding status that depends on the billing plan, and are classified with billing-plan categories (#​10663)
  • bedrock_prompt_management_exists check for AWS provider (#​10878)
  • 8 Gmail attachment safety and spoofing protection checks for Google Workspace provider using the Cloud Identity Policy API (#​10980)
  • bedrock_prompt_encrypted_with_cmk check for AWS provider (#​10905)
🔄 Changed
  • Azure Network Watcher flow log checks now require workspace-backed Traffic Analytics for network_flow_log_captured_sent and align metadata with VNet-compatible flow log guidance (#​10645)
  • Azure compliance entries for legacy Network Watcher flow log controls now use retirement-aware guidance and point new deployments to VNet flow logs (#​10937)
  • AWS CodeBuild service now batches BatchGetProjects and BatchGetBuilds calls per region (up to 100 items per call) to reduce API call volume and prevent throttling-induced false positives in codebuild_project_not_publicly_accessible (#​10639)
  • display_compliance_table dispatch switched from substring in checks to startswith to prevent false matches between similarly named frameworks (e.g. cisa vs cis) (#​10301)
  • Restore the ec2-imdsv1 category for EC2 IMDS checks to keep Attack Surface and findings filters aligned (#​10998)
  • Container image CVE findings and IaC findings now use official CVE, Prowler Hub, or GitHub Security Advisory URLs instead of Aqua advisory URLs in remediation and references; Trivy rule IDs map to Prowler Hub without the AVD- prefix so links resolve (#​10853)
🐞 Fixed
  • AWS SDK test isolation: autouse mock_aws fixture and leak detector in conftest.py to prevent tests from hitting real AWS endpoints, with idempotent organization setup for tests calling set_mocked_aws_provider multiple times (#​10605)
  • AWS boto user agent extra is now applied to every client (#​10944)
  • Image provider connection check no longer fails with a misleading host='https' resolution error when the registry URL includes an http:// or https:// scheme prefix (#​10950)
  • Azure subscriptions sharing the same display name are no longer collapsed into a single identity entry, so every subscription is scanned (#​10718)
🔐 Security
  • Parser-mismatch SSRF in image provider registry auth where crafted bearer-token realms and pagination links could force requests to internal addresses and leak credentials cross-origin (#​10945)
  • cryptography from 46.0.6 to 46.0.7 and trivy binary from 0.69.2 to 0.70.0 in the SDK image for CVE-2026-39892 and CVE-2026-33186 (#​10978)

v5.25.3: Prowler 5.25.3

Compare Source

UI

🐞 Fixed
  • CLI command in the finding drawer no longer renders the line-number gutter, matching the original styled block while removing the leading 1 (#​11059)

SDK

🐞 Fixed
  • Oracle Cloud identity scans known or supplied regions to better support non-Ashburn tenancies (#​10529)

v5.25.2: Prowler 5.25.2

Compare Source

UI

🔄 Changed
  • Compliance cards: progress bar now spans the full card width, the passing-requirements caption sits beside the framework logo under the title, and the ISO 27001 logo asset is recentered within its tile (#​10939)
  • Findings expanded resource rows now drop the redundant cube icons, render Service and Region with the same compact label style as Last seen and Failing for, and reorder columns to Status, Resource, Provider, Severity, then field labels (#​10949)

SDK

🐞 Fixed
  • route53_dangling_ip_subdomain_takeover now also flags CNAME records pointing to S3 website endpoints whose buckets are missing from the account (#​10920)
  • Duplicate Kubernetes RBAC findings when the same User or Group subject appeared in multiple ClusterRoleBindings (#​10242)
  • Match K8s RBAC rules by apiGroup (#​10969)
  • Return a compact actor name from CloudTrail userIdentity events (#​10986)

v5.25.1: Prowler 5.25.1

Compare Source

UI

🐞 Fixed
  • Compliance page export menu now scales on small screens, and frameworks load on first render without requiring a manual scan re-selection (#​10918)

API

🐞 Fixed
  • Attack Paths: AWS scans no longer fail when enabled regions cannot be retrieved, and scans stuck in scheduled state are now cleaned up after the stale threshold (#​10917)
  • Scan report and compliance downloads now redirect to a presigned S3 URL instead of streaming through the API worker, preventing gunicorn timeouts on large files (#​10927)

SDK

🐞 Fixed
  • KeyError when generating compliance outputs after the CLI scan (#​10919)
  • Kubernetes OCSF provider_uid now uses the cluster name in in-cluster mode (so --cluster-name is correctly reflected in findings) and keeps the kubeconfig context in kubeconfig mode (#​10483)

v5.25.0: Prowler 5.25.0

Compare Source

✨ New features to highlight in this version

Enjoy them all now for free at https://cloud.prowler.com/

📦 Official Prowler GitHub Action

prowler-cloud/prowler@5.25 is now an official GitHub Action. Drop it into any workflow to run a Prowler scan, optionally upload SARIF to GitHub Code Scanning, and push results to Prowler Cloud.

- uses: prowler-cloud/prowler@5.25
  with:
    provider: iac
    output-formats: sarif json-ocsf
    upload-sarif: true
    flags: --severity critical high

The action is pinned to the matching release tag, so v5.25 ships with prowler-cloud/prowler@5.25 ready to use.
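A complete workflow around the snippet above, added here as an illustration and not taken from the Prowler project or its docs. It uses only the action inputs shown in the release note (provider, output-formats, upload-sarif, flags) and assumes that the IaC provider scans the checked-out repository and that writing SARIF to Code Scanning needs the security-events: write permission.

```yaml
# Added example workflow (not from the Prowler project). The action inputs are
# the ones shown in the release note; the surrounding setup is a standard
# Actions layout and the trigger cadence is an assumption.
name: prowler-iac-scan

on:
  pull_request:
  push:
    branches: [main]
  schedule:
    - cron: "0 6 * * 1"   # weekly scheduled scan (assumed cadence)

# Least privilege for the job: read the repository, write Code Scanning results.
permissions:
  contents: read
  security-events: write

jobs:
  prowler:
    runs-on: ubuntu-latest
    steps:
      # Assumed: the IaC provider scans the files of the checked-out repository.
      - name: Check out repository
        uses: actions/checkout@v4

      # Pinned to the release tag as the note describes; upload-sarif pushes the
      # SARIF output to GitHub Code Scanning, json-ocsf is written alongside it.
      - name: Run Prowler (IaC provider)
        uses: prowler-cloud/prowler@5.25
        with:
          provider: iac
          output-formats: sarif json-ocsf
          upload-sarif: true
          flags: --severity critical high
```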

🐙 GitHub — zizmor Workflow Scanning as a First-Class Service

The GitHub provider gains a new service: GitHub Actions, powered by zizmor for static analysis of workflow files. Prowler now scans .github/workflows/*.yml for the OWASP Top 10 CI/CD risks — script injection, overly permissive GITHUB_TOKEN, untrusted checkouts, dangerous triggers — and ships the findings through the same pipeline as every other G

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from 010a319 to 18ccdd6 Compare July 10, 2025 11:40
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.8.0 chore(deps): update toniblyx/prowler docker tag to v5.8.1 Jul 10, 2025
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from 18ccdd6 to 741df91 Compare July 17, 2025 19:33
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.8.1 chore(deps): update toniblyx/prowler docker tag to v5.9.0 Jul 17, 2025
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from 741df91 to 5ff838f Compare July 18, 2025 14:58
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.9.0 chore(deps): update toniblyx/prowler docker tag to v5.9.1 Jul 18, 2025
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from 5ff838f to f003ed4 Compare July 22, 2025 18:37
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.9.1 chore(deps): update toniblyx/prowler docker tag to v5.9.2 Jul 22, 2025
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from f003ed4 to 4c1fdc3 Compare August 7, 2025 12:28
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.9.2 chore(deps): update toniblyx/prowler docker tag to v5.10.0 Aug 7, 2025
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from 4c1fdc3 to 25ed29f Compare August 8, 2025 12:51
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.10.0 chore(deps): update toniblyx/prowler docker tag to v5.10.1 Aug 8, 2025
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from 25ed29f to 0e1e9e0 Compare August 14, 2025 14:36
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.10.1 chore(deps): update toniblyx/prowler docker tag to v5.10.2 Aug 14, 2025
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from 0e1e9e0 to acce321 Compare August 28, 2025 18:41
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.10.2 chore(deps): update toniblyx/prowler docker tag to v5.11.0 Aug 28, 2025
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from acce321 to c23ef80 Compare September 19, 2025 16:05
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.11.0 chore(deps): update toniblyx/prowler docker tag to v5.12.1 Sep 19, 2025
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from c23ef80 to 0d36fd0 Compare September 24, 2025 18:27
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.12.1 chore(deps): update toniblyx/prowler docker tag to v5.12.2 Sep 24, 2025
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from 0d36fd0 to 1cb9062 Compare October 1, 2025 21:58
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.12.2 chore(deps): update toniblyx/prowler docker tag to v5.12.3 Oct 1, 2025
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch 2 times, most recently from b07f4af to 1d072d8 Compare October 24, 2025 13:05
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.12.3 chore(deps): update toniblyx/prowler docker tag to v5.13.0 Oct 24, 2025
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from 1d072d8 to 5ea2249 Compare November 4, 2025 16:45
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.13.0 chore(deps): update toniblyx/prowler docker tag to v5.13.1 Nov 4, 2025
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from 5ea2249 to 72739b0 Compare November 25, 2025 18:49
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.13.1 chore(deps): update toniblyx/prowler docker tag to v5.14.0 Nov 25, 2025
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from 72739b0 to 8ec9700 Compare December 1, 2025 19:48
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from 549ca89 to 45503e6 Compare December 23, 2025 21:31
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.16.1 chore(deps): update toniblyx/prowler docker tag to v5.16.0 Dec 23, 2025
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from 45503e6 to de76387 Compare December 24, 2025 00:51
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.16.0 chore(deps): update toniblyx/prowler docker tag to v5.16.1 Dec 24, 2025
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from de76387 to ebd8536 Compare January 22, 2026 14:08
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.16.1 chore(deps): update toniblyx/prowler docker tag to v5.17.0 Jan 22, 2026
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from ebd8536 to 19fb887 Compare January 26, 2026 18:24
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.17.0 chore(deps): update toniblyx/prowler docker tag to v5.17.1 Jan 26, 2026
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from 19fb887 to 0e71a09 Compare February 5, 2026 17:41
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.17.1 chore(deps): update toniblyx/prowler docker tag to v5.18.0 Feb 5, 2026
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from 0e71a09 to 1a80daa Compare February 6, 2026 12:51
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.18.0 chore(deps): update toniblyx/prowler docker tag to v5.18.1 Feb 6, 2026
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from 1a80daa to 2524626 Compare February 12, 2026 11:48
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.18.1 chore(deps): update toniblyx/prowler docker tag to v5.18.2 Feb 12, 2026
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from 2524626 to 74bf0ac Compare February 18, 2026 18:31
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.18.2 chore(deps): update toniblyx/prowler docker tag to v5.18.3 Feb 18, 2026
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from 74bf0ac to 3c61e33 Compare March 4, 2026 13:07
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.18.3 chore(deps): update toniblyx/prowler docker tag to v5.19.0 Mar 4, 2026
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from 3c61e33 to cd51e87 Compare March 12, 2026 18:51
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.19.0 chore(deps): update toniblyx/prowler docker tag to v5.20.0 Mar 12, 2026
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from cd51e87 to e8202ba Compare March 19, 2026 17:05
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.20.0 chore(deps): update toniblyx/prowler docker tag to v5.21.0 Mar 19, 2026
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from e8202ba to 6347a47 Compare March 20, 2026 08:46
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.21.0 chore(deps): update toniblyx/prowler docker tag to v5.21.1 Mar 20, 2026
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from 6347a47 to 14306c5 Compare March 24, 2026 13:13
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.21.1 chore(deps): update toniblyx/prowler docker tag to v5.22.0 Mar 24, 2026
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from 14306c5 to 872e931 Compare April 16, 2026 10:54
@renovate renovate Bot changed the title chore(deps): update toniblyx/prowler docker tag to v5.22.0 chore(deps): update toniblyx/prowler docker tag to v5.24.0 Apr 16, 2026
@renovate renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from 872e931 to 22439f1 Compare April 20, 2026 16:58