fix(deps): update toniblyx/prowler docker tag to v5.25.3

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Update	Change
toniblyx/prowler	minor	5.2.0 → 5.25.3

---

Release Notes

prowler-cloud/prowler (toniblyx/prowler)

v5.25.3: Prowler 5.25.3

Compare Source

UI

🐞 Fixed

• CLI command in the finding drawer no longer renders the line-number gutter, matching the original styled block while removing the leading 1 (#​11059)

SDK

🐞 Fixed

• Oracle Cloud identity scans known or supplied regions to better support non Ashburn tenancies (#​10529)

v5.25.2: Prowler 5.25.2

Compare Source

UI

🔄 Changed

• Compliance cards: progress bar now spans the full card width, the passing-requirements caption sits beside the framework logo under the title, and the ISO 27001 logo asset is recentered within its tile (#​10939)
• Findings expanded resource rows now drop the redundant cube icons, render Service and Region with the same compact label style as Last seen and Failing for, and reorder columns to Status, Resource, Provider, Severity, then field labels (#​10949)

SDK

🐞 Fixed

• route53_dangling_ip_subdomain_takeover now also flags CNAME records pointing to S3 website endpoints whose buckets are missing from the account (#​10920)
• Duplicate Kubernetes RBAC findings when the same User or Group subject appeared in multiple ClusterRoleBindings (#​10242)
• Match K8s RBAC rules by apiGroup (#​10969)
• Return a compact actor name from CloudTrail userIdentity events (#​10986)

v5.25.1: Prowler 5.25.1

Compare Source

UI

🐞 Fixed

• Compliance page export menu now scales on small screens, and frameworks load on first render without requiring a manual scan re-selection (#​10918)

API

🐞 Fixed

• Attack Paths: AWS scans no longer fail when enabled regions cannot be retrieved, and scans stuck in scheduled state are now cleaned up after the stale threshold (#​10917)
• Scan report and compliance downloads now redirect to a presigned S3 URL instead of streaming through the API worker, preventing gunicorn timeouts on large files (#​10927)

SDK

🐞 Fixed

• KeyError when generating compliance outputs after the CLI scan #​10919
• Kubernetes OCSF provider_uid now uses the cluster name in in-cluster mode (so --cluster-name is correctly reflected in findings) and keeps the kubeconfig context in kubeconfig mode (#​10483)

v5.25.0: Prowler 5.25.0

Compare Source

✨ New features to highlight

Enjoy them all now for free at https://cloud.prowler.com/

📦 Official Prowler GitHub Action

prowler-cloud/prowler@5.25 is now an official GitHub Action. Drop it into any workflow to run a Prowler scan, optionally upload SARIF to GitHub Code Scanning, and push results to Prowler Cloud.

- uses: prowler-cloud/prowler@5.25
  with:
    provider: iac
    output-formats: sarif json-ocsf
    upload-sarif: true
    flags: --severity critical high

The action is pinned to the matching release tag, so v5.25 ships with prowler-cloud/prowler@5.25 ready to use.

🐙 GitHub — zizmor Workflow Scanning as a First-Class Service

The GitHub provider gains a new service: GitHub Actions, powered by zizmor for static analysis of workflow files. Prowler now scans .github/workflows/*.yml for the OWASP Top 10 CI/CD risks — script injection, overly permissive GITHUB_TOKEN, untrusted checkouts, dangerous triggers — and ships the findings through the same pipeline as every other GitHub check. This is your first line of defense against supply chain attacks: a poisoned action, a compromised tag, or a workflow that leaks secrets to a forked PR is exactly the kind of footgun zizmor catches before it ships. zizmor v1.24.1 is bundled into the API Docker image, so the service runs out of the box on Prowler Cloud and self-hosted alike.

Read more in our GitHub provider documentation.

Explore all GitHub checks at Prowler Hub.

🛡️ IaC — SARIF Output for GitHub Code Scanning

The IaC provider now emits SARIF via --output-formats sarif. Combined with the new GitHub Action, that means IaC misconfigurations land directly in the Security → Code Scanning tab on every PR — annotated on the offending Terraform, CloudFormation, Dockerfile, or Kubernetes manifest, with severity, remediation, and Prowler check metadata carried through.

Read more in our IaC provider documentation.

🖥️ UI — Compliance Page Redesign

The compliance page has been rebuilt: client-side search across frameworks, a more compact scan selector trigger, and redesigned compliance cards.

🖥️ UI — Resources, Mutelist, and Filter Polish

A coordinated UX pass across the high-traffic surfaces:

• Resources — batch-applied filters, syntax-highlighted metadata JSON, and tighter drawer behavior.
• Mutelist — name and reason search, plus visual count badges on finding targets.
• Shared filter dropdowns — local option search and auto-scroll to the first visible match across table and provider filters.
• View Resource button — easy navigation to resource details directly from finding view.

📧 Google Workspace — Gmail Service

The Google Workspace provider gains a new Gmail service with 9 CIS-aligned checks covering user settings, link safety, end-user access, and spam/phishing controls — pulled directly from the Cloud Identity Policy API at the domain level.

• gmail_mail_delegation_disabled
• gmail_shortener_scanning_enabled
• gmail_external_image_scanning_enabled
• gmail_untrusted_link_warnings_enabled
• gmail_pop_imap_access_disabled
• gmail_auto_forwarding_disabled
• gmail_per_user_outbound_gateway_disabled
• gmail_enhanced_pre_delivery_scanning_enabled
• gmail_comprehensive_mail_storage_enabled

Explore all Google Workspace checks at Prowler Hub.

🏛️ Prowler Cloud — Reports for Imported Scans

[!NOTE]
Available exclusively in Prowler Cloud.

Imported scans (OCSF) now generate the same downloadable artifacts as CLI scans. The new download buttons are wired into both the scans table and the compliance views, so air-gapped, partner, and offline OCSF imports get the same reporting surface as a connected provider.

Read more in our reports documentation.

📊 CIS Benchmark PDF Reports

Compliance for the latest CIS variant of every provider get a Download PDF button, and the API exposes the underlying generator at GET /scans/{id}/cis/{name}/. Only the latest CIS version per provider surfaces the button — the backend rejects PDF generation for older variants — so the report you download always matches the benchmark you'd want to ship to an auditor.

Read more in our compliance documentation.

👥 Tenant User Expulsion

Tenant owners can now remove users from their organizations directly from the UI. Behind the scenes, DELETE /tenants/{tenant_pk}/memberships/{id} deletes the expelled user's account when the removed membership was their last one and blacklists every outstanding refresh token, so existing sessions stop minting new access tokens immediately.

🔍 New Checks

AWS

• secretsmanager_has_restrictive_resource_policy - evaluates resource-based policies for AWS Secrets Manager secrets — thanks to @​kagahd!

GitHub

• repository_default_branch_dismisses_stale_reviews — flags repositories whose default branch protection does not dismiss stale PR approvals when new commits are pushed (CIS 1.1.4) — thanks to @​Mathisdjango!

Explore all GitHub checks at Prowler Hub.

🙌 External Contributors

Thank you to our community contributors for this release!

• @​Mathisdjango -- New GitHub check: dismiss stale PR approvals on default branch (CIS 1.1.4) in #​10569
• @​raajheshkannaa -- --repo-list-file CLI flag for GitHub provider to load repositories from a file in #​10501
• @​grauJavier -- Centralize AI assistant config via symlinks for skills in #​9951
• @​boonchuan -- Nginx reverse proxy configuration in #​10780
• @​kagahd -- New AWS check to evaluate resource-based policies for Secrets Manager secrets in #​6985

---

UI

🚀 Added

• Download PDF button for CIS Benchmark compliance cards, surfaced only on the latest CIS variant per provider to match the backend's latest-only PDF generation (#​10650)
• knip for dead code detection with lint:knip and lint:knip:fix scripts (#​10654)
• Resource button in the findings resource detail drawer to open the related resource page (#​10847)

🔄 Changed

• Redesign compliance page, client-side search for compliance frameworks, compact scan selector trigger, enhanced compliance cards (#​10767)
• Allows tenant owners to expel users from their organizations (#​10787)
• Shared filter dropdowns now support local option search and auto-scroll to the first visible match across table and provider filters (#​10859)
• Backward-compatibility middleware redirect from /sign-up?invitation_token=… to /invitation/accept?invitation_token=…; new invitation emails use /invitation/accept directly (#​10797)
• Mutelist improvements: table now supports name/reason search and visual count badges for finding targets (#​10846)
• Resources now use batch-applied filters, render metadata JSON with syntax highlighting, and more (#​10861)
• Table pagination controls now keep their arrows visible on hover in light theme, and more UI improvements (#​10862)

API

🚀 Added

• CIS Benchmark PDF report generation for scans, exposing the latest CIS version per provider via GET /scans/{id}/cis/{name}/ (#​10650)
• /overviews/resource-groups (resource inventory), /overviews/categories and /overviews/attack-surfaces now reflect newly-muted findings without waiting for the next scan. The post-mute reaggregate-all-finding-group-summaries task now also dispatches aggregate_scan_resource_group_summaries_task, aggregate_scan_category_summaries_task and aggregate_attack_surface_task per latest scan of every (provider, day) pair, rebuilding ScanGroupSummary, ScanCategorySummary and AttackSurfaceOverview alongside the tables already covered in #​10827 (#​10843)
• Install zizmor v1.24.1 in API Docker image for GitHub Actions workflow scanning (#​10607)

🔄 Changed

• Allows tenant owners to expel users from their organizations (#​10787)
• aggregate_findings, aggregate_attack_surface, aggregate_scan_resource_group_summaries and aggregate_scan_category_summaries now upsert via bulk_create(update_conflicts=True, ...) instead of the prior ignore_conflicts=True / plain INSERT / already backfilled short-circuit. Re-runs triggered by the post-mute reaggregation pipeline no longer trip the unique_*_per_scan constraints nor silently drop updates, and are race-safe under concurrent writers (e.g. scan completion overlapping with a fresh mute rule) (#​10843)
• Rename the scan-category and scan-resource-group summary aggregators from backfill_* to aggregate_* (#​10843)

🐞 Fixed

• generate_outputs_task crashing with KeyError for compliance frameworks listed by get_compliance_frameworks but not loadable by Compliance.get_bulk (#​10903)

SDK

🚀 Added

• --repo-list-file CLI flag for GitHub provider to load repositories from a file (#​10501)
• SARIF output format for the IaC provider, enabling GitHub Code Scanning integration via --output-formats sarif (#​10626)
• repository_default_branch_dismisses_stale_reviews check for GitHub provider to ensure stale pull request approvals are dismissed when new commits are pushed (#​10569)
• Official Prowler GitHub Action (prowler-cloud/prowler@5.25) for running scans in GitHub workflows with optional --push-to-cloud and SARIF upload to GitHub Code Scanning (#​10872)
• GitHub Actions service for scanning workflow security issues using zizmor (#​10607)
• secretsmanager_has_restrictive_resource_policy check for AWS provider (#​6985)

🐞 Fixed

• Alibaba Cloud CS service SDK compatibility, harden other services and improve documentation (#​10871)
• AWS Organizations metadata retrieval for delegated administrator scans by using the assumed role session instead of the pre-assume credentials (#​10894)
• admincenter_groups_not_public_visibility check for M365 provider evaluating Security and Distribution groups, now restricted to Microsoft 365 (Unified) groups per CIS M365 Foundations 1.2.1 (#​10899)
• Google Workspace check reports now store the actual domain or account resource subject instead of provider.identity (#​10901)
• entra_users_mfa_capable evaluating disabled guest accounts; CIS 5.2.3.4 only targets enabled member users (#​10785)

v5.24.4: Prowler 5.24.4

Compare Source

UI

🐞 Fixed

• Provider wizard no longer advances to the Launch Scan step when rotating credentials (#​10851)
• Attack Paths scan selector now lists scans from every provider with working pagination, instead of capping the list at the first ten (#​10864)

API

🚀 Added

• DJANGO_SENTRY_TRACES_SAMPLE_RATE env var (default 0.02) enables Sentry performance tracing for the API (#​10873)

🔄 Changed

• Attack Paths: Neo4j driver connection_acquisition_timeout is now configurable via NEO4J_CONN_ACQUISITION_TIMEOUT (default lowered from 120 s to 15 s) (#​10873)

v5.24.3: Prowler 5.24.3

Compare Source

API

🚀 Added

• /overviews/findings, /overviews/findings-severity and /overviews/services now reflect newly-muted findings without waiting for the next scan. The post-mute reaggregate-all-finding-group-summaries task was extended to re-run the same per-scan pipeline that scan completion runs (ScanSummary, DailySeveritySummary, FindingGroupDailySummary) on the latest scan of every (provider, day) pair, keeping the pre-aggregated tables in sync with Finding.muted updates (#​10827)

🐞 Fixed

• Finding groups aggregated status now treats muted findings as resolved: a group is FAIL only while at least one non-muted FAIL remains, otherwise it is PASS (including fully-muted groups). The filter[status] filter and the sort=status ordering share the same semantics, keeping status consistent with fail_count and the orthogonal muted flag (#​10825)
• aggregate_findings is now idempotent: it deletes the scan's existing ScanSummary rows before bulk_create, so re-runs (such as the post-mute reaggregation pipeline) no longer violate the unique_scan_summary constraint and no longer abort the downstream DailySeveritySummary / FindingGroupDailySummary recomputation for the affected scan (#​10827)
• Attack Paths: Findings on AWS were silently dropped during the Neo4j merge for resources whose Cartography node is keyed by a short identifier (e.g. EC2 instances) rather than the full ARN (#​10839)

SDK

🐞 Fixed

• CloudTrail resource timeline uses resource name as fallback in LookupEvents (#​10828)
• Exclude me-south-1 and me-central-1 from default AWS scans to prevent hangs when the host can't reach those regional endpoints (#​10837)

v5.24.2: Prowler 5.24.2

Compare Source

UI

🐞 Fixed

• Default muted filter now applied consistently on the findings page and the finding-group resource drill-down, keeping muted findings hidden unless the "include muted findings" checkbox is opted in (#​10818)

API

🔄 Changed

• Finding groups /resources endpoints now materialize the filtered finding IDs into a Python list before filtering ResourceFindingMapping (#​10816)

🐞 Fixed

• /finding-groups/latest/<check_id>/resources now selects the latest completed scan per provider by -completed_at (then -inserted_at) instead of -inserted_at, matching the /finding-groups/latest summary path and the daily-summary upsert so overlapping scans no longer produce diverging delta/new_count between the two endpoints (#​10802)

v5.24.1: Prowler 5.24.1

Compare Source

UI

🐞 Fixed

• Findings and filter UX fixes: exclude muted findings by default in the resource detail drawer and finding group resource views, show category context label (for example Status: FAIL) on MultiSelect triggers instead of hiding the placeholder, and add a wide width option for filter dropdowns applied to the findings Scan filter to prevent label truncation (#​10734)
• Findings grouped view now handles zero-resource IaC counters, refines drawer loading states, and adds provider indicators to finding groups (#​10736)
• Other Findings for this resource: ordering by severity (#​10778)
• Other Findings for this resource: show delta indicator (#​10778)
• Compliance: requirement findings do not show muted findings (#​10778)
• Latest new findings: link to finding groups order by -severity,-last_seen_at (#​10778)

🔒 Security

• Upgrade React to 19.2.5 and Next.js to 16.2.3 to mitigate CVE-2026-23869 (React2DoS), a high-severity unauthenticated remote DoS vulnerability in the React Flight Protocol's Server Function deserialization (#​10754)

API

🔄 Changed

• Attack Paths: Restore SYNC_BATCH_SIZE and FINDINGS_BATCH_SIZE defaults to 1000, upgrade Cartography to 0.135.0, enable Celery queue priority for cleanup task, rewrite Finding insertion, remove AWS graph cleanup and add timing logs (#​10729)

🐞 Fixed

• Finding group resources endpoints now include findings without associated resources (orphaned IaC findings) as simulated resource rows, and return one row per finding when multiple findings share a resource (#​10708)
• Attack Paths: Missing tenant_id filter while getting related findings after scan completes (#​10722)
• Finding group counters pass_count, fail_count and manual_count now exclude muted findings (#​10753)
• Silent data loss in ResourceFindingMapping bulk insert that left findings orphaned when INSERT ... ON CONFLICT DO NOTHING dropped rows without raising; added explicit unique_fields (#​10724)

SDK

🔄 Changed

• msgraph-sdk from 1.23.0 to 1.55.0 and azure-mgmt-resource from 23.3.0 to 24.0.0, removing marshmallow as is a transitively dev dependency (#​10733)

🐞 Fixed

• Cloudflare account-scoped API tokens failing connection test in the App with CloudflareUserTokenRequiredError (#​10723)
• Google Workspace Calendar checks false FAIL on unconfigured settings with secure Google defaults (#​10726)
• prowler image --registry-list crashes with AttributeError because ImageProvider.__init__ returns early before registering the global provider (#​10691)
• Google Workspace Drive checks false FAIL on unconfigured settings with secure Google defaults (#​10727)
• Cloudflare validate_credentials can hang in an infinite pagination loop when the SDK repeats accounts, blocking connection tests (#​10771)

v5.24.0: Prowler 5.24.0

Compare Source

✨ New features to highlight in this version

Enjoy them all now for free at https://cloud.prowler.com/

🖥️ Redesigned Resources

The resources detail panel has been rebuilt from the ground up. The new side drawer consolidates resource metadata, associated findings, and events timeline into a cleaner, denser layout — designed to keep you inside the drawer while investigating a resource instead of bouncing back to the list.

🧹 UX and Data Consistency

A large sweep of fixes landed this release targeting the rough edges users actually hit day to day: filter behavior, headers, counters drifting from the underlying data, drawer layouts, and scan/compliance/finding views surfacing stale or mislabeled context.

🆕 AWS Checks

Bedrock Security Hardening

Four new AWS checks tightening the blast radius around Amazon Bedrock and the identities that can reach it:

• bedrock_full_access_policy_attached — flags IAM principals with AmazonBedrockFullAccess or equivalent wildcard Bedrock permissions attached
• iam_role_access_not_stale_to_bedrock and iam_user_access_not_stale_to_bedrock — catch roles and users with Bedrock privileges that haven't been used recently, so dormant GenAI access stops piling up as a standing risk
• bedrock_vpc_endpoints_configured — verifies Bedrock traffic stays on private VPC endpoints instead of traversing the public internet

Explore all AWS Bedrock checks at Prowler Hub.

IAM Marketplace Guardrails

Two new IAM checks to stop the silent path from a compromised identity to a paid marketplace subscription:

• iam_policy_no_wildcard_marketplace_subscribe
• iam_inline_policy_no_wildcard_marketplace_subscribe

Both detect aws-marketplace:Subscribe granted with wildcards on managed and inline policies — a vector that turns an IAM misconfiguration into a billing incident.

Explore all AWS IAM checks at Prowler Hub.

🆕 Microsoft 365 Checks

Entra Conditional Access

• entra_conditional_access_policy_all_apps_all_users — ensures at least one CA policy targets every app and every user
• entra_conditional_access_policy_mfa_enforced_for_guest_users - checks that guest and external users have MFA enforced. Without that compromised external accounts can access tenant resources using only a password
• entra_conditional_access_policy_block_unknown_device_platforms - block access from unknown device platforms
• entra_conditional_access_policy_corporate_device_sign_in_frequency_enforced - enforces sign in for non-corporate devices, without that user sessions may persist indefinitely on unmanaged devices
• entra_conditional_access_policy_directory_sync_account_excluded — validates that the directory sync service account is excluded from restrictive CA policies to prevent sync outages

Explore all M365 Entra checks at Prowler Hub.

Intune

• intune_device_compliance_policy_unassigned_devices_not_compliant_by_default — unassigned devices should not be marked compliant by default by the built-in device policy

Explore all M365 Intune checks at Prowler Hub.

Exchange Online

• exchange_organization_delicensing_resiliency_enabled — keeps mailbox data accessible for 30 days after a license is removed, preventing accidental data loss

Explore all M365 Exchange checks at Prowler Hub.

🆕 Exclude Regions in AWS scans

Prowler now lets you exclude specific AWS regions from scans, so you can keep your scan scope focused on the regions that matter to you. You can configure exclusions with

• --excluded-region
• PROWLER_AWS_DISALLOWED_REGIONS environment variable
• aws.disallowed_regions in config.yaml

See the AWS Regions and Partitions documentation for usage examples.

---

UI

🚀 Added

• Resources side drawer with redesigned detail panel (#​10673)
• Syntax highlighting for remediation code blocks in finding groups drawer with provider-aware auto-detection (Shell, HCL, YAML, Bicep) (#​10698)

🔄 Changed

• Attack Paths scan selection: contextual button labels based on graph availability, tooltips on disabled actions, green dot indicator for selectable scans, and a warning banner when viewing data from a previous scan cycle (#​10685)
• Remove legacy finding detail sheet, row-details wrapper, and resource detail panel; unify findings and resources around new side drawers (#​10692)
• Attack Paths "View Finding" now opens the finding drawer inline over the graph instead of navigating to /findings in a new tab, preserving graph zoom, selection, and filter state
• Attack Paths scan table: replace action buttons with radio buttons, add dedicated Graph column, use info-colored In Progress badge, remove redundant Progress column, and fix info banner variant (#​10704)

🐞 Fixed

• Findings group resource filters now strip unsupported scan parameters, display scan name instead of provider alias in filter badges, migrate mute modal from HeroUI to shadcn, and add searchable accounts/provider type selectors (#​10662)
• Compliance detail page header now reflects the actual provider, alias and UID of the selected scan instead of always defaulting to AWS (#​10674)
• Provider wizard modal moved to a stable page-level host so the providers table refreshes after link, authenticate, and connection check without closing the modal (#​10675)

API

🔄 Changed

• Bump Poetry to 2.3.4 in Dockerfile and pre-commit hooks. Regenerate api/poetry.lock (#​10681)
• Attack Paths: Remove dead cleanup_findings no-op and its supporting prowler_finding_lastupdated index (#​10684)

🐞 Fixed

• Worker-beat race condition on cold start: replaced sleep 15 with API service healthcheck dependency (Docker Compose) and init containers (Helm), aligned Gunicorn default port to 8080 (#​10603)
• API container startup crash on Linux due to root-owned bind-mount preventing JWT key generation (#​10646)

🔐 Security

• pytest from 8.2.2 to 9.0.3 to fix CVE-2025-71176 (#​10678)

SDK

🚀 Added

• entra_conditional_access_policy_directory_sync_account_excluded check for M365 provider (#​10620)
• intune_device_compliance_policy_unassigned_devices_not_compliant_by_default check for M365 provider (#​10599)
• entra_conditional_access_policy_all_apps_all_users check for M365 provider (#​10619)
• bedrock_full_access_policy_attached check for AWS provider (#​10577)
• iam_role_access_not_stale_to_bedrock and iam_user_access_not_stale_to_bedrock checks for AWS provider (#​10536)
• iam_policy_no_wildcard_marketplace_subscribe and iam_inline_policy_no_wildcard_marketplace_subscribe checks for AWS provider (#​10525)
• bedrock_vpc_endpoints_configured check for AWS provider (#​10591)
• exchange_organization_delicensing_resiliency_enabled check for M365 provider (#​10608)
• entra_conditional_access_policy_mfa_enforced_for_guest_users check for M365 provider (#​10616)
• entra_conditional_access_policy_corporate_device_sign_in_frequency_enforced check for M365 provider (#​10618)
• entra_conditional_access_policy_block_unknown_device_platforms check for M365 provider (#​10615)
• --excluded-region CLI flag, PROWLER_AWS_DISALLOWED_REGIONS environment variable, and aws.disallowed_regions config entry to skip specific AWS regions during scans (#​10688)

🔄 Changed

• Bump Poetry to 2.3.4 and consolidate SDK workflows onto the setup-python-poetry composite action with opt-in lockfile regeneration (#​10681)
• Normalize Conditional Access platform values in Entra models and simplify platform-based checks (#​10635)

🐞 Fixed

• Vercel firewall config handling for team-scoped projects and current API response shapes (#​10695)

v5.22.0: Prowler 5.22.0

Compare Source

✨ New features to highlight in this version

Enjoy them all now for free at https://cloud.prowler.com

Findings page — Batch filter apply

Selecting filters no longer triggers a page re-render on each change. A new "Apply Filters" button lets you configure multiple filters before executing the query, fixing layout shifts and improving responsiveness.

Attack Paths — Custom queries

Run custom openCypher queries against your Attack Paths graph alongside predefined queries. Use Lighthouse AI to help generate them.

Predefined Attack Paths queries now run faster 🚀

Read more about it in Attack Paths documentation

🙌 Community Contributors

• @​sandiyochristan — Replace stdlib XML parser with defusedxml in SAML metadata parsing to prevent XML bomb (billion laughs) DoS attacks (#​10165)

---

UI

🚀 Added

• Attack Paths custom openCypher queries with Cartography schema guidance and clearer execution errors (#​10397)

🔄 Changed

• Findings filters now use a batch-apply pattern with an Apply Filters button, filter summary strip, and independent filter options instead of triggering API calls on every selection (#​10388)

API

🚀 Added

• Finding groups support check_title substring filtering (#​10377)

🐞 Fixed

• Finding groups latest endpoint now aggregates the latest snapshot per provider before check-level totals, keeping impacted resources aligned across providers (#​10419)
• Mute rule creation now triggers finding-group summary re-aggregation after historical muting, keeping stats in sync after mute operations (#​10419)
• Attack Paths: Deduplicate nodes before ProwlerFinding lookup in Attack Paths Cypher queries, reducing execution time (#​10424)

🔐 Security

• Replace stdlib XML parser with defusedxml in SAML metadata parsing to prevent XML bomb (billion laughs) DoS attacks (#​10165)
• Bump flask to 3.1.3 (CVE-2026-27205) and werkzeug to 3.1.6 (CVE-2026-27199) (#​10430)

SDK

🐞 Fixed

• Azure MySQL flexible server checks now compare configuration values case-insensitively to avoid false negatives when Azure returns lowercase values (#​10396)
• Azure vm_backup_enabled and vm_sufficient_daily_backup_retention_period checks now compare VM names case-insensitively to avoid false negatives when Azure stores backup item names in a different case (#​10395)
• entra_non_privileged_user_has_mfa skips disabled users to avoid false positives (#​10426)

v5.21.1: Prowler 5.21.1

Compare Source

API

🐞 Fixed

• ThreatScore aggregation query to eliminate unnecessary JOINs and COUNT(DISTINCT) overhead (#​10394)

v5.21.0: Prowler 5.21.0

Compare Source

✨ New features to highlight in this version

Enjoy them all now for free at https://cloud.prowler.com

🏛️ Google Workspace - Full App Support

Google Workspace provider is now fully integrated with the Prowler App. You can now connect and scan your Google Workspace environment directly from the UI.

Read more in our Google Workspace documentation.

Explore all Google Workspace checks at Prowler Hub.

🤖 Lighthouse AI

We've added a new system to provide AI skills to Lighthouse AI alongside the first one: Attack Path Custom Query. This skill provides the LLM with openCypher syntax guidance and Cartography schema knowledge for writing graph queries against Prowler's data.

This was included alongside a new tool in the Prowler MCP to get the Cartography's scan schema.

📖 Check Metadata

We've completed the check's metadata migration to the new format 🎉 Now all are structured in the same way.

Huge shoutout to the Prowler's Detection&Remediation team for this massive effort!

Read more in our Check Metadata Guidelines

⌛ AWS Resource Timeline

You can now see the last 90 days of AWS CloudTrail events for a given findings!

AWS resource modification history is now visible directly in the App. A new Events tab in Findings and Resource detail cards shows an AWS CloudTrail timeline with expandable event rows, actor details, request/response JSON payloads, and error information. A read-event toggle lets you include or exclude read-only API calls from the timeline.

🐳 Container Image

Container Image provider is now fully integrated with the Prowler App. You can now connect and scan your container registry directly from the UI.

Read more in our Container Image documentation.

🏛️ AWS Organizations Improvements

We've upgraded AWS Organizations management in the Cloud Providers page with greater flexibility and control. You can now edit organization names and credentials, run connection tests across all accounts or scoped to a specific organizational unit, and delete individual organizational units or full organizations.

🕸️ Attack Paths Improvements

We continued improving Attack Paths UX by improving performance and adding more labels to improve filtering when using custom queries.

📄 Compliance

We've improved compliance coverage with the following frameworks:

• SecNumCloud 3.2 for AWS, Azure, GCP, Alibaba and Oracle Cloud
• Reserve Bank of India (RBI) for Azure

🔍 New Checks

Microsoft 365

• entra_conditional_access_policy_device_code_flow_blocked - Conditional Access policy blocks device code flow to prevent phishing attacks
• entra_conditional_access_policy_require_mfa_for_admin_portals - Conditional Access policy requires MFA for Microsoft Admin Portals

Explore all Microsoft 365 checks at Prowler Hub.

Github

• organization_repository_deletion_limited - Organization repository deletion and transfer is restricted to owners - Thanks to @​shalkoda

Explore all Github checks at Prowler Hub.

🙌 Community Contributors

• @​shalkoda — organization_repository_deletion_limited check for Github (#​10185)
• @​AlienwareSec - Route53 dangling IP check false positive when using --region flag (#​9952)
• @​tejas0077 - RBI compliance for the Azure provider (#​10339)
• @​JiwaniZakir - CORS_ALLOWED_ORIGINS configurable via environment variable (#​10355)

---

UI

🚀 Added

• Skill system to Lighthouse AI (#​10322)
• Skill for creating custom queries on Attack Paths (#​10323)

🔄 Changed

• Google Workspace provider support (#​10333)
• Image (Container Registry) provider support in UI: badge icon, credentials form, and provider-type filtering (#​10167)
• Events tab in Findings and Resource detail cards showing an AWS CloudTrail timeline with expandable event rows, actor info, request/response JSON payloads, and error details (#​10320)
• AWS Organization and organizational unit row actions (Edit Name, Update Credentials, Test Connections, Delete) in providers table dropdown (#​10317)

API

🚀 Added

• CORS_ALLOWED_ORIGINS configurable via environment variable (#​10355)
• Attack Paths: Tenant and provider related labels to the nodes so they can be easily filtered on custom queries (#​10308)

🔄 Changed

• Attack Paths: Complete migration to private graph labels and properties, removing deprecated dual-write support (#​10268)
• Attack Paths: Reduce sync and findings memory usage with smaller batches, cursor iteration, and sequential sessions (#​10359)

🐞 Fixed

• Attack Paths: Recover graph_data_ready flag when scan fails during graph swap, preventing query endpoints from staying blocked until the next successful scan (#​10354)

🔐 Security

• Use psycopg2.sql to safely compose DDL in PostgresEnumMigration, preventing SQL injection via f-string interpolation (#​10166)

SDK

🚀 Added

• misconfig scanner as default for Image provider scans (#​10167)
• entra_conditional_access_policy_device_code_flow_blocked check for M365 provider (#​10218)
• RBI compliance for the Azure provider (#​10339)
• entra_conditional_access_policy_require_mfa_for_admin_portals check for Azure provider and update CIS compliance (#​10330)
• CheckMetadata Pydantic validators (#​8583)
• organization_repository_deletion_limited check for GitHub provider (#​10185)
• SecNumCloud 3.2 for the GCP provider (#​10364)
• SecNumCloud 3.2 for the Azure provider (#​10358)
• SecNumCloud 3.2 for the Alibaba Cloud provider (#​10370)
• SecNumCloud 3.2 for the Oracle Cloud provider (#​10371)

🔄 Changed

• Bump pygithub from 2.5.0 to 2.8.0 to use native Organization properties
• Update M365 SharePoint service metadata to new format (#​9684)
• Update M365 Exchange service metadata to new format (#​9683)
• Update M365 Teams service metadata to new format (#​9685)
• Update M365 Entra ID service metadata to new format (#​9682)
• Update ResourceType and Categories for Azure Entra ID service metadata (#​10334)
• Update OCI Regions to include US DoD regions (#​10375)

🐞 Fixed

• Route53 dangling IP check false positive when using --region flag (#​9952)
• RBI compliance framework support on Prowler Dashboard for the Azure provider (#​10360)
• CheckMetadata strict validators rejecting valid external tool provider data (image, iac, llm) (#​10363)

🔐 Security

• Bump multipart to 1.3.1 to fix GHSA-p2m9-wcp5-6qw3 (#​10331)

MCP

🚀 Added

• Attack Path tool to get Neo4j DB schema (#​10321)

v5.20.0: Prowler 5.20.0

Compare Source

✨ New features to highlight in this version

Enjoy them all now for free at https://cloud.prowler.com

🏛️ AWS Organizations Improvements

[!NOTE]
Available exclusively in Prowler Cloud.

• We've improved the AWS Organizations onboarding wizard making it easier to deploy the required CloudFormation templates.
• Findings now include Organizational Unit ID and name across all output formats (ASFF, OCSF, CSV), giving you full visibility into which OU each account belongs to — Thanks to @​raajheshkannaa!
• Cloud Providers page shows your AWS Organizations hierarchy tree with organizational units and accounts.

🕸️ Attack Paths Improvements

• APOC to standard openCypher migration: Network exposure queries now use standard openCypher instead of APOC procedures, making them use better open standards
• Cartography upgrade: Upgraded from 0.129.0 to 0.132.0, fixing exposed_internet not being set on ELB/ELBv2 nodes
• Custom query endpoint: Cypher blocklist, input validation, rate limiting, and Helm lockdown for hardening its security
• Security hardening — Cypher blocklist, input validation, rate limiting, and Helm lockdown for the custom query endpoint
• Better error handling: Server errors (5xx) and network failures now show user-friendly messages instead of raw internal errors
• Improved logging: Query execution and scan error handling now log properly
• Several UX improvements in the Attack Paths page

🏛️ Google Workspace - API Only

Google Workspace is now fully integrated with the Prowler API. After being introduced as a CLI-only provider in v5.19.0, you can now connect and scan your Google Workspace environment directly from the API. Full App support will be included in the next release.

Read more in our Google Workspace documentation.

Explore all Google Workspace checks at Prowler Hub.

☁️ OpenStack — Object Storage Service

OpenStack continues to expand with a brand new Object Storage service adding 7 security checks covering container access control, versioning, encryption, metadata hygiene, and lifecycle management.

Read more in our OpenStack documentation.

Explore all OpenStack checks at Prowler Hub.

🔍 New Checks

AWS

• guardduty_delegated_admin_enabled_all_regions - Verify that a delegated administrator account is configured for GuardDuty - Thanks to @​m-wentz!
• opensearch_service_domains_not_publicly_accessible - Now supports a trusted_ips configuration option. If your OpenSearch domain has a resource policy restricting access to known IPs, you no longer get a false positive on the public accessibility check — Thanks to @​codename470!

Explore all AWS checks at Prowler Hub.

Microsoft 365

• entra_conditional_access_policy_approved_client_app_required_for_mobile — Requires approved client apps on mobile devices
• entra_conditional_access_policy_compliant_device_hybrid_joined_device_mfa_required — Requires compliant/hybrid-joined device or MFA

Explore all M365 checks at Prowler Hub.

🐞 Bug Fixes

We've added several bug fixes to improve the user experience across the application.

⛵ Community Helm Chart

Prowler now has an official community-maintained Helm chart for self-hosted deployments on Kubernetes. The chart is published as an OCI artifact to oci://ghcr.io/prowler-cloud/charts/prowler on every release.

Check it on https://ghcr.io/prowler-cloud/charts/prowler

Thanks to @​Ca-moes and @​Utwo for building and maintaining this chart!

🙌 Community Contributors

• @​m-wentz — guardduty_delegated_admin_enabled_all_regions check for AWS (#​9867)
• @​codename470 — trusted_ips config for OpenSearch check (#​8631)
• @​raajheshkannaa — AWS Organizations OU metadata in outputs [(#​10283)](http

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

---

• Branch has one or more failed status checks