renovate[bot]
Contributor

@renovate renovate bot commented Jan 29, 2025

Note

Mend has cancelled the proposed renaming of the Renovate GitHub app to mend[bot].

This notice will be removed on 2025-10-07.


This PR contains the following updates:

Package          | Update | Change
toniblyx/prowler | minor  | 5.2.0 -> 5.12.2

Release Notes

prowler-cloud/prowler (toniblyx/prowler)

v5.12.2: Prowler 5.12.2

Compare Source

UI

🐞 Fixed
  • Handle 4XX errors consistently and 204 responses properly (#​8722)

API

🔄 Changed
  • Renamed compliance overview task queue to compliance (#​8755)
🔒 Security
  • Django updated to the latest 5.1 security release, 5.1.12, due to problems with potential SQL injection in FilteredRelation column aliases (#​8693)

v5.12.1: Prowler 5.12.1

Compare Source

UI

🐞 Fixed

SDK

🐞 Fixed
  • Replaced old check id with new ones for compliance files (#​8682)
  • firehose_stream_encrypted_at_rest check false positives and new api call in kafka service (#​8599)
  • Replace defender rules policies key to use old name (#​8702)

v5.12.0: Prowler 5.12.0

Compare Source

New features to highlight in this version

🛠️ JIRA Integration: Streamlined Issue Management

You can now send findings directly from Prowler into your JIRA projects. This integration helps security and engineering teams work in the same place where issues are tracked and resolved.

  • Send findings straight into any configured JIRA project.
  • Align security alerts with existing development workflows.
  • Ensure findings are prioritized, tracked, and resolved without leaving JIRA.

This feature bridges the gap between security and development, keeping everyone on the same page.

[!WARNING]
The integration only works with the Task Jira work item and for projects where there are no custom required fields.

📊 Findings Overview API: Filter by Status

The GET /overviews/findings_severity endpoint now supports filtering by status. This enhancement allows you to refine aggregated results by specific outcomes like FAIL or PASS.

🔒 Token API Throttling

We've introduced throttling support for the token endpoint, giving you greater control over authentication traffic.

  • Prevent overload and abuse of token requests.
  • Adjust limits to match your organization’s needs.

Big thanks to @​josemazo for joining the Prowler team and contributing to making cloud security even better! 🚀

⚡️ MongoDB Atlas Provider (Beta)

We're excited to announce that Prowler now includes MongoDB Atlas as a supported provider!

We added support in the CLI with 10 checks to scan Clusters, Projects and Organizations:

prowler mongodb-atlas --list-checks
  • clusters_authentication_enabled - Ensure clusters have authentication enabled
  • clusters_backup_enabled - Ensure clusters have backup enabled
  • clusters_encryption_at_rest_enabled - Ensure clusters have encryption at rest enabled
  • clusters_tls_enabled - Ensure clusters have TLS authentication required
  • organizations_api_access_list_required - Ensure organization requires API access list
  • organizations_mfa_required - Ensure organization requires MFA
  • organizations_security_contact_defined - Ensure organization has security contact defined
  • organizations_service_account_secrets_expiration - Ensure organization has maximum period expiration for service account secrets
  • projects_auditing_enabled - Ensure database auditing is enabled
  • projects_network_access_list_exposed_to_internet - Ensure project network access list is not exposed to internet

This addition strengthens Prowler's position as the go-to multi-cloud security tool, now covering AWS, Azure, GCP, Kubernetes, Microsoft 365, GitHub, and MongoDB Atlas.


UI

🚀 Added
🔄 Changed
  • Overview chart "Findings by Severity" now shows only failing findings (defaults to status=FAIL) and chart links open the Findings page pre-filtered to fails per severity (#​8186)
  • Handle API responses and errors consistently across the app (#​8621)
  • No-permission message on the scan page (#​8624)
  • Markdown rendering in finding details page (#​8604)
🐞 Fixed
  • Scan page shows NoProvidersAdded when no providers (#​8626)
  • XML field in SAML configuration form validation (#​8638)
  • Social login buttons in sign-up page (#​8673)

API

🚀 Added
  • Integration with JIRA, enabling sending findings to a JIRA project (#​8622), (#​8637)
  • GET /overviews/findings_severity now supports filter[status] and filter[status__in] to aggregate by specific statuses (FAIL, PASS)(#​8186)
  • Throttling options for /api/v1/tokens using the DJANGO_THROTTLE_TOKEN_OBTAIN environment variable (#​8647)

SDK

🚀 Added
  • Add more fields for the Jira ticket and handle custom fields errors (#​8601)
  • Support labels on Jira tickets (#​8603)
  • Add finding url and tenant info inside Jira tickets (#​8607)
  • Get Jira Project's metadata (#​8630)
  • Get Jira projects from test_connection (#​8634)
  • AdditionalUrls field in CheckMetadata (#​8590)
  • Support color for MANUAL findings in Jira tickets (#​8642)
  • --excluded-checks-file flag (#​8301)
  • Send finding in Jira integration with the needed values (#​8648)
  • Add language enforcement for Jira requests (#​8674)
  • MongoDB Atlas provider with 10 security checks (#​8312)
    • clusters_authentication_enabled - Ensure clusters have authentication enabled
    • clusters_backup_enabled - Ensure clusters have backup enabled
    • clusters_encryption_at_rest_enabled - Ensure clusters have encryption at rest enabled
    • clusters_tls_enabled - Ensure clusters have TLS authentication required
    • organizations_api_access_list_required - Ensure organization requires API access list
    • organizations_mfa_required - Ensure organization requires MFA
    • organizations_security_contact_defined - Ensure organization has security contact defined
    • organizations_service_account_secrets_expiration - Ensure organization has maximum period expiration for service account secrets
    • projects_auditing_enabled - Ensure database auditing is enabled
    • projects_network_access_list_exposed_to_internet - Ensure project network access list is not exposed to internet
🔄 Changed
  • Rename ftp and mongo checks to follow pattern ec2_securitygroup_allow_ingress_from_internet_to_tcp_port_* (#​8293)
🐞 Fixed
  • Renamed AdditionalUrls to AdditionalURLs field in CheckMetadata (#​8639)
  • TypeError from Python 3.9 in Security Hub module by updating type annotations (#​8619)
  • KeyError when SecurityGroups field is missing in MemoryDB check (#​8666)
  • NoneType error in Opensearch, Firehose and Cognito checks (#​8670)

v5.11.0: Prowler 5.11.0

Compare Source

New features to highlight in this version

🔒 AWS Security Hub Integration: Centralized Management of Prowler Findings

We are pleased to announce the integration of Prowler with AWS Security Hub, enabling you to seamlessly send your security findings directly to Security Hub for centralized administration and enhanced visibility.

  • Effortless integration: Automatically forward Prowler findings to AWS Security Hub, simplifying the process of consolidating and managing security alerts.
  • Flexible authentication: Choose between authenticating with your provider credentials or supplying custom credentials, ensuring compatibility with diverse operational requirements.
  • Purpose-built for AWS: This integration is designed specifically for AWS providers, supporting robust security management within your AWS environment.

Take advantage of the new AWS Security Hub integration to streamline your security operations and improve the efficiency of your cloud security posture management.

💡 Lighthouse AI now supports OpenAI GPT-5

We've added support for OpenAI GPT-5 in Lighthouse AI — unlocking enhanced AI-driven analysis, faster results, and broader compatibility for your automated workflows.


⛓️‍💥 Better AWS IAM Privilege Escalation Coverage

Following the latest research, we updated our privilege escalation checks to cover newly discovered patterns and reduce false positives.

✅ New Checks

We’ve introduced 4 new security checks to enhance your Cloud posture.

AWS
  • eks_cluster_deletion_protection_enabled - Detect EKS clusters without deletion protection enabled.
Azure
  • apim_threat_detection_llm_jacking - Monitors 25+ LLM API endpoints across major AI providers.
  • vm_sufficient_daily_backup_retention_period - Ensures that all VMs have a daily backup policy with a retention period meeting or exceeding the configured minimum.
  • vm_jit_access_enabled - Ensures that all VMs are configured to use Just-in-Time (JIT) access, reducing the attack surface for management ports.

UI

🚀 Added
  • Security Hub integration (#​8552)
  • Cloud Provider type filter to providers page (#​8473)
  • New menu item under Configuration section for quick access to the Mutelist (#​8444)
  • Resource agent to Lighthouse for querying resource information (#​8509)
  • Lighthouse support for OpenAI GPT-5 (#​8527)
  • Link to the configured S3 bucket and folder in each integration (#​8554)
🔄 Changed
  • Disable See Compliance button until scan completes (#​8487)
  • Provider connection filter now shows "Connected/Disconnected" instead of "true/false" for better UX (#​8520)
  • Provider Uid filter on scan page to list all UIDs regardless of connection status (#​8375)
🐞 Fixed
  • Default value inside credentials form in AWS Provider add workflow properly set (#​8553)
  • Auth callback route checking working as expected (#​8556)
  • DataTable column headers set to single-line (#​8480)

API

Added
  • Lighthouse support for OpenAI GPT-5 (#​8527)
  • Integration with Amazon Security Hub, enabling sending findings to Security Hub (#​8365)
  • Generate ASFF output for AWS providers with SecurityHub integration enabled (#​8569)
Fixed
  • GitHub provider always scans user instead of organization when using provider UID (#​8587)

SDK

Added
  • Certificate authentication for M365 provider (#​8404)
  • vm_sufficient_daily_backup_retention_period check for Azure provider (#​8200)
  • vm_jit_access_enabled check for Azure provider (#​8202)
  • Bedrock AgentCore privilege escalation combination for AWS provider (#​8526)
  • Add User Email and APP name/installations information in GitHub provider (#​8501)
  • Remove standalone iam:PassRole from privesc detection and add missing patterns (#​8530)
  • Support session/profile/role/static credentials in Security Hub integration (#​8539)
  • eks_cluster_deletion_protection_enabled check for AWS provider (#​8536)
  • ECS privilege escalation patterns (StartTask and RunTask) for AWS provider (#​8541)
  • Resource Explorer enumeration v2 API actions in cloudtrail_threat_detection_enumeration check (#​8557)
  • apim_threat_detection_llm_jacking check for Azure provider (#​8571)
  • GCP --skip-api-check command line flag (#​8575)
Changed
  • Refine kisa isms-p compliance mapping (#​8479)
  • Improve AWS Security Hub region check using multiple threads (#​8365)
Fixed
  • Resource metadata error in s3_bucket_shadow_resource_vulnerability check (#​8572)
  • GitHub App authentication through API fails with auth_method validation error (#​8587)
  • AWS resource-arn filtering (#​8533)
  • GitHub App authentication for GitHub provider (#​8529)
  • List all accessible organizations in GitHub provider (#​8535)
  • Only evaluate enabled accounts in entra_users_mfa_capable check (#​8544)
  • GitHub Personal Access Token authentication fails without user:email scope (#​8580)

v5.10.2: Prowler 5.10.2

Compare Source

SDK

🐞 Fixed
  • Order requirements by ID in Prowler ThreatScore AWS compliance framework (#​8495)
  • Add explicit resource name to GCP and Azure Defender checks (#​8352)
  • Validation errors in Azure and M365 providers (#​8353)
  • Azure app_http_logs_enabled check false positives (#​8507)
  • Azure storage_geo_redundant_enabled check false positives (#​8504)
  • AWS kafka_cluster_is_public check false positives (#​8514)
  • List all accessible repositories in GitHub (#​8522)
  • GitHub CIS 1.0 Compliance Reports (#​8519)

v5.10.1: Prowler 5.10.1

Compare Source

UI

🐞 Fixed
  • Field for Assume Role in AWS role credentials form shown again (#​8484)
  • GitHub submenu to High Risk Findings (#​8488)
  • Improved Overview chart Findings by Severity spacing (#​8491)

SDK

🐞 Fixed
  • Remove invalid requirements from CIS 1.0 for GitHub provider (#​8472)

v5.10.0: Prowler 5.10.0

Compare Source

New features to highlight in this version

🗂️ Amazon S3 Integration

We're excited to introduce seamless integration with Amazon S3, giving you full control over where your scan reports are delivered. With this new feature, automatically send scan reports to any configured S3 bucket.

  • Fully customizable: Configure one or multiple S3 buckets as destinations for scan reports, with no restrictions on provider or bucket combinations.
  • Streamlined workflows: Integrate report delivery into existing data pipelines and storage strategies without limitation.
  • No boundaries: There are no constraints tying specific providers to specific buckets, offering maximum flexibility for multi-cloud and hybrid environments.

Start leveraging the power of Amazon S3 integration today and make report management simpler and more adaptable than ever before.

📄 GitHub Provider

Prowler App now supports GitHub as cloud provider, enabling you to assess the security posture of your GitHub organization and repositories with ease.

  • Analyze GitHub configuration and permissions to identify security gaps.
  • Detect common misconfigurations and potential risks across your repositories.
  • Authenticate using Personal Access Tokens, OAuth App Tokens, or GitHub Apps, depending on your organization’s setup.

This integration brings GitHub into the same powerful security framework you already use with AWS, Azure, and other providers—helping you stay secure across all your environments.

Start scanning your GitHub environment today to gain full visibility and actionable insights.

Scoped Scanning - CLI-Only

We’ve added support for repository and organization scoping in the GitHub provider to enable more targeted security assessments.
Instead of scanning all accessible repositories and organizations, you can now define exactly what to scan using two new CLI flags:

  • --repository — Specify one or more repositories to scan, e.g.: --repository acme/app acme/lib
  • --organization — Limit scans to specific organizations, e.g.: --organization acme-org other-org

These can also be combined to narrow the scope even further. This update makes it easier to audit specific parts of your GitHub footprint—particularly useful for large organizations or multi-team environments.

[!NOTE]
This will be available in the Prowler App in upcoming versions, along with full support for the corresponding CLI arguments.

🔦 Lighthouse Improvements: Enhanced Insights + New Banner

We've made several improvements to Lighthouse:

  • Resolved multiple issues for smoother performance and more accurate results.
  • Lighthouse is now featured directly on the Overview dashboard.

✅ New Checks

We’ve introduced 5 new security checks to enhance your Cloud posture.

AWS
  • bedrock_api_key_no_administrative_privileges — Ensures Bedrock API keys don’t have excessive permissions.
  • bedrock_api_key_no_long_term_credentials — Detects long-lived credentials in Bedrock API keys.
  • s3_bucket_shadow_resource_vulnerability — Flags shadow resources in S3 buckets that may introduce risk.
Azure
  • vm_desired_sku_size — Validates that VMs are configured with the desired SKU size.
  • vm_scaleset_not_empty — Ensures VM Scale Sets are not empty, reducing configuration drift.

📘 Compliance Update

Prowler now supports the CIS Microsoft Azure Foundations Benchmark v4.0, bringing your compliance checks in line with the latest industry best practices for securing Azure environments.


UI

🚀 Added
🔄 Changed
  • Rename Memberships to Organization in the sidebar (#​8415)
🐞 Fixed
  • Display error messages and allow editing last message in Lighthouse (#​8358)
❌ Removed
  • Removed Browse all resources from the sidebar, sidebar now shows a single Resources entry (#​8418)
  • Removed Misconfigurations from the Top Failed Findings section in the sidebar (#​8426)

API

🚀 Added
  • Github provider support (#​8271)
  • Integration with Amazon S3, enabling storage and retrieval of scan data via S3 buckets (#​8056)
🐞 Fixed
  • Avoid sending errors to Sentry in M365 provider when user authentication fails (#​8420)

SDK

🚀 Added
  • bedrock_api_key_no_administrative_privileges check for AWS provider (#​8321)
  • bedrock_api_key_no_long_term_credentials check for AWS provider (#​8396)
  • Support App Key Content in GitHub provider (#​8271)
  • CIS 4.0 for the Azure provider (#​7782)
  • vm_desired_sku_size check for Azure provider (#​8191)
  • vm_scaleset_not_empty check for Azure provider (#​8192)
  • GitHub repository and organization scoping support with --repository/--repositories and --organization/--organizations flags (#​8329)
  • GCP provider retry configuration (#​8412)
  • s3_bucket_shadow_resource_vulnerability check for AWS provider (#​8398)
🔄 Changed
  • Handle some AWS errors as warnings instead of errors (#​8347)
  • Revert import of checkov python library (#​8385)
  • Updated policy mapping in ISMS-P compliance file for improved alignment (#​8367)
🐞 Fixed
  • False positives in SQS encryption check for ephemeral queues (#​8330)
  • Add protocol validation check in security group checks to ensure proper protocol matching (#​8374)
  • Add missing audit evidence for controls 1.1.4 and 2.5.5 for ISMS-P compliance. (#​8386)
  • Use the correct @​staticmethod decorator for set_identity and set_session_config methods in AwsProvider (#​8056)
  • Use the correct default value for role_session_name and session_duration in AwsSetUpSession (#​8056)
  • Use the correct default value for role_session_name and session_duration in S3 (#​8417)
  • GitHub App authentication fails to generate output files and HTML header sections (#​8423)
  • S3 test_connection uses AWS S3 API HeadBucket instead of GetBucketLocation (#​8456)
  • Add more validations to Azure Storage models when some values are None to avoid serialization issues (#​8325)
  • sns_topics_not_publicly_accessible false positive with aws:SourceArn conditions (#​8326)
  • Remove typo from description req 1.2.3 - Prowler ThreatScore m365 (#​8384)
  • Way of counting FAILED/PASS reqs from kisa_isms_p_2023_aws table (#​8382)
  • Use default tenant domain instead of first domain in list for Azure and M365 providers (#​8402)
  • Avoid multiple module error calls in M365 provider (#​8353)
  • Avoid sending errors to Sentry in M365 provider when user authentication fails (#​8420)
  • Tweaks from Prowler ThreatScore in order to handle the correct reqs (#​8401)
  • Make setup_assumed_session static for the AWS provider (#​8419)

v5.9.2: Prowler 5.9.2

Compare Source

API

Changed
  • Optimized queries for resources views (#​8336)

SDK

Fixed
  • Use the correct resource name in defender_domain_dkim_enabled check (#​8334)

v5.9.1: Prowler 5.9.1

Compare Source

API

Fixed
  • Calculate failed findings during scans to prevent heavy database queries (#​8322)

Full Changelog: prowler-cloud/prowler@5.9.0...5.9.1

v5.9.0: Prowler 5.9.0

Compare Source

New features to highlight in this version

🔇 Mutelist Support

Easily mute findings through a flexible and fully configurable setup.

  • Mute findings seamlessly either from the interface or through API calls, no extra effort required.
  • Instantly toggle the visibility of muted findings across all visualizations and tables.
  • The mute reason is clearly displayed in finding details and listing views for full transparency.

[!NOTE]
🔜 Support for muting findings based on filters, bulk selection, and adding custom mute details directly from the UI.

🔐 Single Sign-On (SSO) with SAML: Seamless and Secure Access

We are pleased to introduce Single Sign-On (SSO) with SAML, a significant step forward in making your authentication experience both smoother and more secure. With SAML-based SSO, you can now log in to Prowler using your organization's identity provider, such as Okta, without needing to remember another set of credentials.

  • Effortless Access: Simply use your existing corporate account to sign in, reducing password fatigue and streamlining your daily workflow.
  • Enhanced Security: Authentication is managed by your trusted identity provider, ensuring that access policies and multi-factor authentication requirements are enforced consistently.
  • Consistent Experience: The login process is now fully integrated with your organization's security standards, providing a familiar and reliable experience every time you access Prowler.
  • Broad Compatibility: Our SAML integration supports leading providers like Okta and any other SAML-compatible service, making onboarding straightforward for organizations of all sizes.

To get started, look for the new "Sign in with SSO" option on the login page. For detailed configuration instructions, please refer to the "SSO with SAML" section in our documentation.


🧩 Resource View: A unified overview of your assets

Introducing a brand-new Resource View, a central place to explore and understand your resources in depth.

  • Browse all resources in your environment with a clean and organized layout.
  • Each resource comes with its tags clearly displayed, making classification and filtering effortless.
  • Quickly assess security posture by viewing findings directly linked to each resource — no need to navigate away.
  • Get full visibility into resource details, provider info, and metadata.

[!NOTE]
All findings are sorted by the number of the associated FAIL findings. This feature works from v5.9 onwards, so after your next scan all your resources will be sorted by that.

⚡️ Smoother, Faster Experience

We've made several improvements behind the scenes to make Prowler feel faster and more responsive.

  • Resource and overview pages now load quicker, even in large environments.
  • Filtering across findings and resources using the search bar is now accurate and noticeably faster.
  • Interacting with data — whether through the UI or API — feels more fluid and efficient.
  • New backend optimizations reduce wait times and improve overall performance across the platform.

🔒 Enhanced Password Security

We've improved account security by introducing stronger password requirements. Passwords must now be at least 12 characters long and include a mix of uppercase letters, lowercase letters, numbers, and special characters. A real-time strength indicator helps users meet these criteria as they type, ensuring more secure account creation. These enhancements align with best practices to better protect user data and prevent unauthorized access.


[!WARNING]
These changes apply only to new sign-ups. Existing passwords are not affected, but we strongly recommend updating your password to meet the new standards for improved security.

✅ New Checks!

We've added 8 new security checks across multiple cloud providers and services to help you stay ahead of evolving risks:

  • entra_intune_enrollment_sign_in_frequency_every_time for M365.
  • The following 7 checks for Azure:
    • storage_smb_channel_encryption_with_secure_algorithm
    • storage_smb_protocol_version_is_latest
    • vm_backup_enabled
    • vm_linux_enforce_ssh_authentication
    • vm_ensure_using_approved_images
    • vm_scaleset_associated_load_balancer
    • defender_attack_path_notifications_properly_configured

🛠️ IaC Provider now supports remote Git repositories

The IaC provider just got more powerful! You can now scan Infrastructure-as-Code files directly from remote Git repositories.

  • Supports both public and private repos
  • Authenticate via CLI flags or environment variables
  • Perfect for integrating into CI/CD pipelines and automated workflows
  • Continue scanning Terraform, CloudFormation, Kubernetes YAML, and more

[!NOTE]
Try it out with:
prowler iac --scan-repository-url https://github.com/user/repo.git


UI

🚀 Added
  • Mutelist configuration form (#​8190)
  • SAML login integration (#​8203)
  • Resource view (#​7760)
  • Navigation link in Scans view to access Compliance Overview (#​8251)
  • Status column for findings table in the Compliance Detail view (#​8244)
  • Allow to restrict routes access based on user permissions (#​8287)
🔒 Security
  • Enhanced password validation to enforce 12+ character passwords with special characters, uppercase, lowercase, and numbers (#​8225)
🔄 Changed
  • Upgrade to Next.js 14.2.30 and lock TypeScript to 5.5.4 for ESLint compatibility (#​8189)
🐞 Fixed
  • Error message when launching a scan if user has no permissions (#​8280)
  • Include compliance in the download button tooltip (#​8307)

API

🚀 Added
  • SSO with SAML support (#​8175)
  • GET /resources/metadata, GET /resources/metadata/latest and GET /resources/latest to expose resource metadata and latest scan results (#​8112)
🔄 Changed
  • /processors endpoints to post-process findings. Currently, only the Mutelist processor is supported to allow to mute findings.
  • Optimized the underlying queries for resources endpoints (#​8112)
  • Optimized include parameters for resources view (#​8229)
  • Optimized overview background tasks (#​8300)
  • POST /schedules/daily returns a 409 CONFLICT if already created (#​8258)
🐞 Fixed
  • Search filter for findings and resources (#​8112)
  • RBAC is now applied to GET /overviews/providers (#​8277)
🔒 Security
  • Enhanced password validation to enforce 12+ character passwords with special characters, uppercase, lowercase, and numbers (#​8225)

SDK

🚀 Added
  • storage_smb_channel_encryption_with_secure_algorithm check for Azure provider (#​8123)
  • storage_smb_protocol_version_is_latest check for Azure provider (#​8128)
  • vm_backup_enabled check for Azure provider (#​8182)
  • vm_linux_enforce_ssh_authentication check for Azure provider (#​8149)
  • vm_ensure_using_approved_images check for Azure provider (#​8168)
  • vm_scaleset_associated_load_balancer check for Azure provider (#​8181)
  • defender_attack_path_notifications_properly_configured check for Azure provider (#​8245)
  • entra_intune_enrollment_sign_in_frequency_every_time check for M365 provider (#​8223)
  • Support for remote repository scanning in IaC provider (#​8193)
  • Add test_connection method to GitHub provider (#​8248)
🔄 Changed
  • Refactor the Azure Defender get security contact configuration method to use the API REST endpoint instead of the SDK (#​8241)
🐞 Fixed
  • Title & description wording for iam_user_accesskey_unused check for AWS provider (#​8233)
  • Add GitHub provider to lateral panel in documentation and change -h environment variable output (#​8246)
  • Show m365_identity_type and m365_identity_id in cloud reports (#​8247)
  • Ensure is_service_role only returns True for service roles (#​8274)
  • Update DynamoDB check metadata to fix broken link (#​8273)
  • Show correct count of findings in Dashboard Security Posture page (#​8270)
  • Add Check's metadata service name validator (#​8289)
  • Use subscription ID in Azure mutelist (#​8290)
  • ServiceName field in Network Firewall checks metadata (#​8280)
  • Update entra_users_mfa_capable check to use the correct resource name and ID (#​8288)
  • Handle multiple services and severities while listing checks (#​8302)
  • Handle tenant_id for M365 Mutelist (#​8306)

v5.8.1: Prowler 5.8.1

Compare Source

UI

🔄 Changed

  • Latest new failed findings now use GET /findings/latest (#​8219)

🗑️ Removed

  • Validation of the provider's secret type during updates (#​8197)

API

🚀 Added

  • Custom exception for provider connection errors during scans (#​8234)

🔄 Changed

  • Summary and overview tasks now use a dedicated queue and no longer propagate errors to compliance tasks (#​8214)

🐞 Fixed

  • Scan with no resources will not trigger legacy code for findings metadata (#​8183)
  • Invitation email comparison case-insensitive (#​8206)

🗑️ Removed

  • Validation of the provider's secret type during updates (#​8197)

SDK

🐞 Fixed

  • Detect wildcarded ARNs in sts:AssumeRole policy resources (#​8164)
  • List all streams and firehose_stream_encrypted_at_rest logic (#​8213)
  • Allow empty values for http_endpoint in templates (#​8184)
  • Convert all Azure Storage models to Pydantic models to avoid serialization issues (#​8222)

Full Changelog: prowler-cloud/prowler@5.8.0...5.8.1

v5.8.0: Prowler 5.8.0

Compare Source

New features to highlight in this version

📘 Detailed Views for All Supported Compliance Standards

You asked for more clarity—we delivered. Now every supported compliance framework (like ENS-RD2022, CIS, ISO, NIST, etc.) includes a fully detailed view to help your team understand, prioritize, and act faster.


🔍 What’s New:

  • Interactive Pie Chart: quickly assess pass, fail, and manual statuses across all requirements.
  • Top Failed Sections: instantly identify where most issues occur, broken down by type, if any.
  • Failure Heatmap: visualize section-level failure rates to prioritize efforts.
  • Per-Category Drilldown: view grouped sections, with their findings, with expandable breakdowns per compliance framework.


Now live across all frameworks in your Compliance tab!

[!WARNING]
The detailed views are only available for new scans from v5.8.0 onwards. Therefore, all the compliance overviews from previous scans are not available.

🤖 Introducing Prowler Lighthouse — Your AI Cloud Security Analyst

Say hello to Prowler Lighthouse, your always-on, AI-powered cloud security assistant.

Designed for teams with or without dedicated security resources, Lighthouse helps you:

  • Understand your compliance status
  • Prioritize failed and manual security checks
  • Remediate vulnerabilities and misconfigurations
  • Ask questions in natural language like “What is the CIS 1.10 compliance status of my Kubernetes cluster?”
⚙️ Customizable & Secure

In the Lighthouse Configuration Panel, you can:

  • Choose your preferred LLM (e.g., GPT-4o Mini)
  • Set your secure API Key
  • Provide business-specific context to tailor responses

It not only summarizes your security posture but also highlights where to focus your attention.

Now available in the Lighthouse tab. Start chatting today!

🚀 User Profile

We've revamped the User Profile interface to provide a cleaner, more actionable view of your account:

  • Organization Info: instantly view your Organization ID, join date, and email identity at the top.
  • Active Roles: clear breakdown of user permissions.
  • Organization Membership: Quickly see which organization you're part of and your role within it.
  • Quick Actions: Copy your Organization ID with a click and update organization names directly from the interface.

✨ Try it out by visiting your Profile page and experience the streamlined design!


📌 Affected Resource Name in Findings

Quickly pinpoint misconfigurations with the new "Resource name" column in the findings table!

  • Instantly identify the specific resource affected by each finding.
  • No more digging—this small but powerful update improves triage and remediation workflows.

🔐 GCP Service Account Key Authentication

You can now connect your Google Cloud Platform account by simply pasting your Service Account Key JSON.

  • No need for CLI setup or external tooling
  • Just paste your key and click Next
  • Fast and secure onboarding

This makes it easier than ever to authenticate and start scanning your GCP environment.

(Screenshot: GCP Service Account Key)

🔑 M365 Authentication App-Only (Service Principal) Authentication

Prowler now supports Microsoft 365 app-only (service principal) authentication via OAuth 2.0 client-credentials: just register an Azure AD app, grant it the necessary application-level permissions, grant admin consent, and supply your tenant ID, client ID and secret.

This lets Prowler run fully unattended scans against Exchange Online, SharePoint, Teams, etc., simplifies CI/CD integration and enforces least-privilege access.

🙌 Special thanks to @​silverhack for their support and guidance in resolving key Microsoft 365 authentication issues.

Your contributions help make Prowler stronger for everyone! 💜

🆕 Checks

We’ve added 21 new security checks across multiple cloud providers and services to help you stay ahead of evolving risks:

  • AWS: 1 new check
  • Azure: 11 new checks
  • Microsoft 365: 3 new checks
  • GitHub: 6 new checks

🧪 Run a scan now to see how your environment stacks up!

🛡️ Baseline NIS 2 Compliance

We’ve added baseline NIS 2 compliance support for AWS, Azure, and GCP, aligning with the EU 2022/2555 directive annex.

This update includes:

  • Core risk management measures
  • Incident handling and response criteria
  • Applicability for both essential and important cloud service providers

Start assessing your NIS 2 readiness directly from the Compliance tab today.

🆕 Compliance Frameworks

We've expanded our compliance coverage to include three major standards:

  • CIS 4.0 for GCP — Updated benchmarks for Google Cloud environments
  • CIS 1.11 for Kubernetes — Latest hardening guidance for K8s clusters
  • ISO 27001 for Microsoft 365 — Security controls mapped to M365 services

Run a scan now to assess your posture against the latest industry benchmarks.

🛠️ IaC Provider powered by checkov

Prowler now supports Infrastructure-as-Code (IaC) scanning using Checkov!

Simply point it at your local files and catch security issues before you deploy:

  • Supports Terraform, CloudFormation, ARM, Kubernetes YAML, and more
  • Detects misconfigurations and compliance drift pre-deployment
  • Seamlessly integrates into your CI/CD or local workflows

Shift left with IaC scanning—now available in Prowler!

[!NOTE]
Try it out now with prowler iac


UI

🚀 Added

  • New profile page with details about the user and their roles (#​7780)
  • Improved SnippetChip component and show resource name in new findings table (#​7813)
  • Possibility to edit the organization name (#​7829)
  • GCP credential method (Account Service Key) (#​7872)
  • Compliance detail view: ENS (#​7853)
  • Compliance detail view: ISO (#​7897)
  • Compliance detail view: CIS (#​7913)
  • Compliance detail view: AWS Well-Architected Framework (#​7925)
  • Compliance detail view: KISA (#​7965)
  • Compliance detail view: ProwlerThreatScore (#​7979)
  • Compliance detail view: Generic (rest of the compliances) (#​7990)
  • Compliance detail view: MITRE ATTACK (#​8002)
  • Improve Scan ID filter by adding more context and enhancing the UI/UX (#​8046)
  • Lighthouse chat interface (#​7878)
  • Google Tag Manager integration (#​8058)

🔄 Changed

  • Provider UID filter to scans page (#​7820)
  • Aligned Next.js version to v14.2.29 across Prowler and Cloud environments for consistency and improved maintainability (#​7962)
  • Refactor credentials forms with reusable components and error handling (#​7988)
  • Updated the provider details section in Scan and Findings detail pages (#​7968)
  • Make user and password fields optional but mutually required for M365 cloud provider (#​8044)
  • Improve filter behaviour and relationships between filters in findings page (#​8046)
  • Set filters panel to be always open by default (#​8085)
  • Updated "Sign in"/"Sign up" capitalization for consistency (#​8136)
  • Duplicate API base URL as an env var to make it accessible in client components (#​8131)

🐞 Fixed

  • Sync between filter buttons and URL when filters change (#​7928)
  • Improve heatmap performance (#​7934)
  • SelectScanProvider warning fixed with empty alias (#​7998)
  • Prevent console warnings for accessibility and SVG (#​8019)

API

🚀 Added

  • Support GCP Service Account key (#​7824)
  • GET /compliance-overviews endpoints to retrieve compliance metadata and specific requirements statuses (#​7877)
  • Lighthouse configuration support (#​7848)

🔄 Changed


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
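The M365 app-only authentication described in the release notes above is the OAuth 2.0 client-credentials grant: the service principal posts its tenant ID, client ID and secret to the tenant's token endpoint and receives an access token whose application permissions appear in the `roles` claim. The following Python is an added example, not Prowler's code, showing the shape of that token request and a least-privilege check over the returned token's `roles`. The permission names in REQUIRED_ROLES and the write-capable suffix filter are assumptions for illustration only; the set a real scan needs depends on the checks it runs. The sample token is constructed inline and carries a placeholder signature, so the block runs offline.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# ".default" requests every application permission that has been admin-consented for the app.
GRAPH_SCOPE = "https://graph.microsoft.com/.default"

# Hypothetical allow-list of Graph application permissions a read-only scanner needs
# (assumption for this example; the real list depends on the checks you run).
REQUIRED_ROLES = {"Directory.Read.All", "Policy.Read.All"}
# Write-capable permission suffixes a scanner should never hold (illustrative, not exhaustive).
FORBIDDEN_SUFFIXES = ("ReadWrite.All", "Write.All")


def build_token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body) for the OAuth 2.0 client-credentials grant.

    The secret travels in the POST body over TLS, never in the URL or a query string.
    """
    url = TOKEN_ENDPOINT.format(tenant=tenant_id)
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    })
    return url, body


def _b64url_decode(part):
    """Base64url decode, restoring the padding that compact JWTs strip off."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_claims(jwt):
    """Decode a JWT payload without verifying the signature.

    Acceptable only because the client received the token straight from the
    token endpoint over TLS; a resource server must verify the signature
    against the tenant's JWKS before trusting any claim.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def check_least_privilege(claims):
    """Return (missing_roles, excessive_roles) for an app-only token.

    Application permissions appear in the `roles` claim. A `scp` claim means
    a delegated (user) token, i.e. the wrong flow for an unattended scan.
    """
    if "scp" in claims:
        raise ValueError("delegated token (scp claim present); expected app-only token")
    roles = set(claims.get("roles", []))
    missing = REQUIRED_ROLES - roles
    excessive = {r for r in roles if r.endswith(FORBIDDEN_SUFFIXES)}
    return missing, excessive


def _fake_app_token(roles, extra=None):
    """Constructed sample token for offline use: real claim names, placeholder signature."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    payload = {"aud": "https://graph.microsoft.com", "roles": roles}
    payload.update(extra or {})
    return enc({"alg": "RS256", "typ": "JWT"}) + "." + enc(payload) + ".placeholder"


if __name__ == "__main__":
    url, body = build_token_request("<tenant-id>", "<client-id>", "<client-secret>")
    print("POST", url)
    good = _fake_app_token(["Directory.Read.All", "Policy.Read.All"])
    bad = _fake_app_token(["Directory.Read.All", "Sites.ReadWrite.All"])
    print(check_least_privilege(decode_claims(good)))  # (set(), set())
    print(check_least_privilege(decode_claims(bad)))   # ({'Policy.Read.All'}, {'Sites.ReadWrite.All'})
```

The `scp` check matters in practice: if the app registration was accidentally given delegated rather than application permissions, the token endpoint still issues a token, but Graph calls fail only at scan time. Rejecting a token whose `roles` claim carries ReadWrite permissions enforces the least-privilege intent the release notes mention, instead of trusting that whoever granted admin consent kept the grant minimal.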


renovate bot commented Jan 29, 2025

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.


  • Branch has one or more failed status checks

renovate bot force-pushed the renovate/toniblyx-prowler-5.x branch from 8238903 to 37bfb6d on January 30, 2025 05:10
renovate bot changed the title from "fix(deps): update toniblyx/prowler docker tag to v5.2.1" to "fix(deps): update toniblyx/prowler docker tag to v5.2.2" on Jan 30, 2025
renovate bot force-pushed the renovate/toniblyx-prowler-5.x branch from 37bfb6d to ce2f27e on January 30, 2025 18:36
renovate bot changed the title from "fix(deps): update toniblyx/prowler docker tag to v5.2.2" to "fix(deps): update toniblyx/prowler docker tag to v5.2.3" on Feb 1, 2025
renovate bot force-pushed the renovate/toniblyx-prowler-5.x branch 7 times, most recently from d2a4abc to f06c9ed on February 8, 2025 01:25
renovate bot force-pushed the renovate/toniblyx-prowler-5.x branch 3 times, most recently from 0558c00 to ff99ee4 on February 10, 2025 14:10
renovate bot changed the title from "fix(deps): update toniblyx/prowler docker tag to v5.2.3" to "fix(deps): update toniblyx/prowler docker tag to v5.3.0" on Feb 11, 2025
renovate bot force-pushed the renovate/toniblyx-prowler-5.x branch 6 times, most recently from fa775f0 to 1967a23 on February 18, 2025 01:44
renovate bot force-pushed the renovate/toniblyx-prowler-5.x branch 8 times, most recently from da539fb to 2b69680 on February 25, 2025 12:55
renovate bot force-pushed the renovate/toniblyx-prowler-5.x branch 3 times, most recently from b880a8c to 0f1fd86 on August 14, 2025 11:59
renovate bot changed the title from "fix(deps): update toniblyx/prowler docker tag to v5.10.1" to "fix(deps): update toniblyx/prowler docker tag to v5.10.2" on Aug 14, 2025
renovate bot force-pushed the renovate/toniblyx-prowler-5.x branch 5 times, most recently from ba85d70 to f11045d on August 22, 2025 01:34
renovate bot force-pushed the renovate/toniblyx-prowler-5.x branch 7 times, most recently from bddf6a7 to 46954b5 on August 28, 2025 21:04
renovate bot changed the title from "fix(deps): update toniblyx/prowler docker tag to v5.10.2" to "fix(deps): update toniblyx/prowler docker tag to v5.11.0" on Aug 28, 2025
renovate bot force-pushed the renovate/toniblyx-prowler-5.x branch 6 times, most recently from 2d91b46 to 331c32f on September 3, 2025 20:37
renovate bot force-pushed the renovate/toniblyx-prowler-5.x branch from 331c32f to 0dcec68 on September 9, 2025 14:35
renovate bot changed the title from "fix(deps): update toniblyx/prowler docker tag to v5.11.0" to "fix(deps): update toniblyx/prowler docker tag to v5.12.0" on Sep 9, 2025
renovate bot force-pushed the renovate/toniblyx-prowler-5.x branch from 0dcec68 to 35cc852 on September 13, 2025 03:09
renovate bot changed the title from "fix(deps): update toniblyx/prowler docker tag to v5.12.0" to "fix(deps): update toniblyx/prowler docker tag to v5.12.1" on Sep 13, 2025
renovate bot force-pushed the renovate/toniblyx-prowler-5.x branch from 35cc852 to 22f255f on September 24, 2025 14:43
renovate bot changed the title from "fix(deps): update toniblyx/prowler docker tag to v5.12.1" to "fix(deps): update toniblyx/prowler docker tag to v5.12.2" on Sep 24, 2025