Skip to content

fix(deps): update toniblyx/prowler docker tag to v5.35.0#76

Open
renovate[bot] wants to merge 1 commit into
devfrom
renovate/toniblyx-prowler-5.x
Open

fix(deps): update toniblyx/prowler docker tag to v5.35.0#76
renovate[bot] wants to merge 1 commit into
devfrom
renovate/toniblyx-prowler-5.x

Conversation

@renovate

@renovate renovate Bot commented Jan 29, 2025

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Update Change
toniblyx/prowler minor 5.2.05.35.0

Release Notes

prowler-cloud/prowler (toniblyx/prowler)

v5.35.0: Prowler 5.35.0

Compare Source

✨ New features to highlight in this version

Enjoy them all now for free at https://cloud.prowler.com

💬 Lighthouse AI - Side Chat

[!NOTE]
This feature is available exclusively in Prowler Cloud and Prowler Private Cloud with a subscription.

Lighthouse AI now lives in a side panel you can open from anywhere in the app. Ask about the findings you are looking at without leaving the page, and expand to the full-page chat at any time: your draft, messages, and streaming response come along. Finding and resource details share the same panel, with tabs to switch between Details and Lighthouse AI.

lighthouse-ai-side-chat

Read more in our Lighthouse AI documentation.

🤖 Lighthouse AI - Take Action

[!NOTE]
This feature is available exclusively in Prowler Cloud and Prowler Private Cloud with a subscription.

Lighthouse AI is no longer read-only. Ask it to do things and it will: connect or remove providers, trigger a scan, schedule daily scans, update scan settings, and manage your mutelist and mute rules, straight from the chat. Every action is gated by RBAC: Lighthouse can only do what the user asking could do themselves.

Read more in our Lighthouse AI capabilities.

☁️ One-step AWS Organizations onboarding

[!NOTE]
This feature is available exclusively in Prowler Cloud and Prowler Private Cloud with a subscription.

Onboarding an entire AWS Organization is now a single step. One CloudFormation quick-create link deploys the management account role and a service-managed StackSet that rolls the role out to every member account, replacing the manual StackSet console setup. Target the whole organization or a specific Organizational Unit or Root ID, and deploy from the management account or a delegated administrator. The S3 integration quick-create link also pre-fills the bucket owner account ID, preventing a stack validation error.

aws-orgs-wizard

Built on the full-organization CloudFormation template contributed by @​jchrisfarris — thanks!

Read more in our AWS Organizations documentation.

🎯 Scan configurations: exclude checks and services

[!NOTE]
This feature is available exclusively in Prowler Cloud and Prowler Private Cloud with a subscription.

Scan configurations now accept excluded_checks and excluded_services to narrow the execution scope. Skip individual checks or entire services per provider, and the scan does not run them at all: less noise, faster scans, and no findings you would mute anyway.

Read more in our Scan Configuration documentation.

🧭 Redesigned sidebar navigation

The sidebar was redesigned around how you actually work: grouped sections for security, settings, and help, a Home/Chat switch at the top, collapsible configuration entries, clearer active states, and a responsive mobile overlay.

new-menu

🔌 Prowler MCP tools renamed to prowler_*

Core Prowler tools in Prowler MCP moved from the prowler_app_* prefix to the shorter prowler_* namespace, and the MCP documentation was restructured around it. Legacy prowler_app_* names keep working in Lighthouse AI, so existing setups are not broken.

Read more in our Prowler MCP tools reference.

🔐 Security

  • Jira integration credentials now only accept bare Atlassian site names (letters, numbers, and hyphens), and Jira tenant information requests validate site names and no longer follow redirects.
  • Social account linking now requires a verified matching email from both the identity provider and the existing user account, and account connection notification emails are disabled.
  • 13 advisories reported by pnpm audit on the UI (3 high, 9 moderate, 1 low) are resolved with patched versions of hono, ws, vite, dompurify, js-yaml, @opentelemetry/core, and @babel/core, including hono CVE-2026-59896.

🙌 External Contributors

No external contributors in this release.

Special mention to @​jchrisfarris, whose full-organization CloudFormation template from v5.34.0 powers the new one-step AWS Organizations onboarding (#​10403).


UI

🔄 Changed
  • AWS Organizations onboarding now deploys the management account role and the member-account StackSet from a single CloudFormation stack, replacing the manual StackSet console step (#​11927)
  • Dynamic providers can now be renamed and deleted from the Providers table (#​11957)
  • Sidebar navigation with grouped sections, clearer active states, and a responsive mobile overlay (#​11994)
  • Core Prowler tools in Lighthouse use the prowler_* namespace while preserving legacy prowler_app_* compatibility (#​12017)
🐞 Fixed
  • The AWS S3 integration CloudFormation quick-create link now sets the bucket owner account ID, preventing a stack validation error when S3 integration is enabled (#​11927)
  • Scan ID filter on the Findings page now shows the active scan when opening findings from a scan's View Findings action (#​11997)
🔐 Security
  • js-yaml to 4.3.0, @sentry/nextjs to 10.65.0 with import-in-the-middle 3.3.1, and transitive hono, dompurify, ws, vite, @babel/core and @opentelemetry/core to patched versions, resolving 13 npm audit advisories (3 high, 9 moderate, 1 low) plus hono CVE-2026-59896, published on NVD but not yet in the npm audit feed (#​12029)

API

🐞 Fixed
  • attack-paths-scan-perform Celery tasks now use the configurable long-task time limits instead of the six-hour defaults (#​12009)
  • Attack Paths scans handle provider deletion races cleanly, detect stale tasks after 16 hours, use backend-specific graph synchronization batches, and report exhausted Neptune write retries with the original database error (#​12019)
🔐 Security
  • Jira integration credentials only accept bare Atlassian site names containing letters, numbers, and hyphens (#​12012)
  • Social account linking requires a verified matching email from both the identity provider and the existing user account without sending account connection notifications (#​12013)

SDK

🚀 Added
  • excluded_checks and excluded_services in scan configurations to narrow the execution scope (#​12028)
🔐 Security
  • Jira tenant information requests validate site names and do not follow redirects (#​12012)

MCP

🔄 Changed
  • Core Prowler tool namespace from the prowler_app_* prefix to prowler_* (#​12017)

v5.34.0: Prowler 5.34.0

Compare Source

✨ New features to highlight in this version

Enjoy them all now for free at https://cloud.prowler.com

🏷️ New product names

The Prowler family has grown, and the names now say what each product is. Same products, clearer names:

Prowler products:

  • Prowler Cloud — the managed cloud security platform operated by the Prowler team.
  • Prowler Private Cloud (formerly Prowler Enterprise) — the self-hosted deployment of Prowler Cloud in your own environment.
  • Prowler Hub — the free public library of versioned checks, cloud service artifacts, and compliance frameworks.
  • Prowler Lighthouse AI — The Agentic Cloud Defender in Prowler Cloud and Prowler Private Cloud.
  • Prowler MCP — the MCP server that connects AI assistants and agents to Prowler, including the IDE plugins.

Open source projects:

  • Prowler CLI — the command-line scanner for all supported providers.
  • Prowler Local Server (formerly Prowler App) — the self-hosted web application and API to run scans, visualize findings, and manage providers.
  • Prowler Local Dashboard — the web dashboard for visualizing Prowler CLI scan results, distributed with the CLI.
  • Prowler SDK — the Python library behind Prowler CLI and Prowler Local Server.

See the full family in the Prowler products documentation.

🧭 Cross-Provider Compliance

[!NOTE]
This feature is available exclusively in Prowler Cloud and Prowler Private Cloud with a subscription.

One framework, every cloud, a single answer. The new Cross-provider tab in Compliance takes the most recent completed scan of every compatible provider and rolls them up into a single compliance posture per framework, with a per-provider breakdown and a combined executive PDF report. Requirement status follows strict precedence (FAIL > PASS > MANUAL), so one failing provider is enough to flag a requirement across your whole estate.

Screenshot 2026-07-15 at 17 18 25

Three universal frameworks support it today:

  • CIS Controls 8.1 — AWS, Azure, Google Cloud, Microsoft 365, Kubernetes, GitHub, Google Workspace, Okta, Oracle Cloud, Alibaba Cloud, Cloudflare, MongoDB Atlas, OpenStack, and Vercel.
  • CSA CCM 4.0 — AWS, Azure, Google Cloud, Alibaba Cloud, and Oracle Cloud.
  • DORA 2022/2554 — AWS, Azure, Google Cloud, Alibaba Cloud, and Cloudflare.

Filter by provider type, account, or provider group, drill into each framework's requirements, and export the combined PDF.

Screenshot 2026-07-15 at 17 18 32

Read more in our Cross-Provider Compliance documentation.

🏢 New Provider — E2E Networks

Prowler now scans E2E Networks, with 27 checks spanning compute nodes, networking, security groups, load balancers, block and file storage, and managed databases. Thanks to @​deepak7093 for their 1st provider in Prowler!

Available in the Prowler CLI:

export E2E_NETWORKS_API_KEY="your-api-key"
export E2E_NETWORKS_AUTH_TOKEN="your-auth-token"
export E2E_NETWORKS_PROJECT_ID="your-project-id"
prowler e2enetworks

Read more in our E2E Networks documentation.

Explore all E2E Networks checks at Prowler Hub.

🔐 Security

User role relationship updates in the API are now limited to the active tenant, preserving the role assignments the same user holds in other tenants.

🔍 Checks

AWS
  • ec2_ami_account_block_public_access — verifies AMI block public access is enabled at the account level in each Region, so AMIs cannot be shared publicly. Thanks to @​goutham-hari!
  • datapipeline_pipeline_no_secrets_in_definition — scans Data Pipeline object fields, parameter objects, and parameter values for hardcoded secrets with Kingfisher. Thanks to @​YinkaMetrics!
  • elbv2_listener_pqc_tls_enabled — verifies ELBv2 HTTPS/TLS listeners use post-quantum TLS security policies with TLS 1.2 or higher, helping reduce harvest-now-decrypt-later exposure.
  • amplify_app_no_secrets_in_environment — scans Amplify app and branch environment variables and build settings (buildSpec) for hardcoded secrets with Kingfisher. Thanks to @​Deep070203!

Read more in our AWS documentation.

Explore all AWS checks at Prowler Hub.

Azure
  • app_function_ensure_http_is_redirected_to_https — verifies that Function Apps enforce HTTPS-only traffic. Thanks to @​amandalal007!

Read more in our Azure documentation.

Explore all Azure checks at Prowler Hub.

Kubernetes
  • core_minimize_hostpath_volume_mounts — detects Pods that use hostPath volumes. Thanks to @​0xTaoZ!
  • core_readonly_root_filesystem_enabled — verifies that every container in each Pod explicitly sets readOnlyRootFilesystem: true in its security context. Thanks to @​Weedle02!

Read more in our Kubernetes documentation.

Explore all Kubernetes checks at Prowler Hub.

STACKIT
  • iaas_server_public_ip_attached — flags IaaS servers that have a public IP address directly attached to a network interface. Thanks to @​johannes-engler-mw!

Read more in our STACKIT documentation.

Explore all STACKIT checks at Prowler Hub.

🙌 External Contributors

Thank you to our community contributors for this release!


UI

🚀 Added
  • Dynamically registered providers are now listed, filtered, and rendered across the UI, using a generic icon and humanized label when no bespoke assets exist, a "Custom" badge, and read-only handling for non-configurable providers (#​11869)
  • Prowler Local Server branding and contextual Prowler Cloud upgrade prompts across navigation, scans, providers, compliance, findings, alerts, and Lighthouse AI (#​11982)
🔄 Changed
  • UI components migrated from HeroUI to shared shadcn primitives (#​11532)
  • UI integration enable flags renamed to past tense — UI_SENTRY_ENABLEUI_SENTRY_ENABLED, UI_GOOGLE_TAG_MANAGER_ENABLEUI_GOOGLE_TAG_MANAGER_ENABLED, UI_POSTHOG_ENABLEUI_POSTHOG_ENABLED; deployments that set the former names must update them (#​11917)
🐞 Fixed
  • Metronome billing failing to start when PostHog was enabled, caused by a stale reference to the renamed UI_POSTHOG_ENABLED flag (#​11938)
  • Lighthouse AI overview entry now starts a new remediation conversation, and returning to Overview restores app navigation mode (#​11955)

API

🐞 Fixed
  • rls_transaction now falls back directly to the primary DB for connection-level mid-query read replica failures via execute_wrapper, reducing non-streaming read crashes during replica recovery (#​10379)
  • RBAC permission gates now combine permissions from every role assigned to a user in the active tenant (#​11979)
  • attack-paths-cleanup-stale-scans now retries worker pings and checks recent scan activity before failing scans and removing temporary databases (#​11986)
🔐 Security
  • User role relationship updates are limited to the active tenant to preserve role assignments in other tenants (#​11903)
  • Container image removes the unused Debian libxml2 runtime package and scopes the CVE-2026-13221 Trivy exception to unaffected Perl 5.36 packages (#​11991)

SDK

🚀 Added
  • elbv2_listener_pqc_tls_enabled check for AWS provider, verifying that ELBv2 listeners use post-quantum TLS policies (#​11254)
  • iaas_server_public_ip_attached check for STACKIT provider, flagging IaaS servers that have a public IP address directly attached to a network interface (#​11549)
  • Changelog fragment workflow for SDK, API, UI, and MCP Server releases, including PR attribution, fragment validation, release compilation, and preserved section ordering (#​11572)
  • E2E Networks provider with 27 checks across compute nodes, networking, security groups, load balancers, block/file storage, and managed databases (#​11654)
  • datapipeline_pipeline_no_secrets_in_definition check for AWS provider, scanning Data Pipeline object fields, parameter objects, and parameter values for hardcoded secrets with Kingfisher (#​11821)
  • amplify_app_no_secrets_in_environment check for AWS provider, scanning Amplify app and branch environment variables and build settings for hardcoded secrets (#​11825)
  • ec2_ami_account_block_public_access check for AWS provider, verifying AMI block public access is enabled at the account level in each Region so AMIs cannot be shared publicly (#​11828)
  • core_readonly_root_filesystem_enabled check for Kubernetes provider, verifying that every container in each Pod explicitly sets readOnlyRootFilesystem: true in its security context (#​11835)
  • core_minimize_hostpath_volume_mounts check for Kubernetes provider, detecting Pods that use hostPath volumes (#​11837)
  • app_function_ensure_http_is_redirected_to_https check for Azure provider, verifying that Function Apps enforce HTTPS-only traffic (#​11929)
🔄 Changed
  • Missing trailing newlines to compliance, region, and fixture data files for POSIX compliance (#​11765)
  • Oracle Cloud API key authentication now uses an internal bootstrap region when no explicit scan region filter is provided (#​11853)
  • Redesign the local dashboard sidebar and informational pages (#​11972)

v5.33.2: Prowler 5.33.2

Compare Source

API

🐞 Fixed
  • Attack Paths graph mutations now retry transient Neptune concurrency and deadline failures, while Neo4j mutations use managed transaction retries (#​11968)
  • Attack Paths scans now use bounded child node identifiers for normalized list values in Neo4j and Neptune, preventing Neo4j RANGE index key size failures (#​11969)
  • scan-summary aggregation now upserts summaries in deterministic conflict-key order, preventing PostgreSQL deadlocks during concurrent reaggregation (#​11971)

SDK

🐞 Fixed
  • EC2 AMI loading now targets Amazon-owned AMIs used by audited instances, reducing AWS API calls during EC2 scans (#​11958)
  • ec2_instance_account_imdsv2_enabled findings now use regional resource ARNs, preventing findings from different AWS Regions from collapsing into one resource (#​11966)

v5.33.1: Prowler 5.33.1

Compare Source

UI

🔄 Changed
  • RBAC role forms now explain Unlimited Visibility inside the Visibility section and keep the setting visible while group selection is hidden (#​11890)
🐞 Fixed
  • CIS Level 1 and Level 2 compliance filters now match profiles prefixed with a license tier (e.g. "E3 Level 1"), so M365 CIS requirements are no longer hidden (#​11924)
  • Jira dispatch polling now reports failed issue creation tasks instead of treating partial failures as successful (#​11925)

API

🐞 Fixed
  • Session tokens are rejected after account password updates (#​11914)
  • Jira dispatch task results now surface user-facing Jira failure messages (#​11925)
  • AWS Attack Paths privilege escalation queries no longer fail on Neo4j with Aggregation column contains implicit grouping expressions (#​11939)
🔐 Security
  • OpenAI-compatible Lighthouse provider base URLs are restricted before connection checks (#​11940)
  • LIGHTHOUSE_AI_OPENAI_COMPATIBLE_ALLOWED_HOSTS environment variable to allow internal hosts as OpenAI-compatible Lighthouse AI base URLs (#​11942)

SDK

🐞 Fixed
  • ECS task definition resource limits now select the latest task definitions by registration date instead of relying on ARN ordering (#​11891)
  • dlm_ebs_snapshot_lifecycle_policy_exists no longer initializes the full EC2 inventory just to detect EBS snapshots, avoiding slow scans when checking DLM lifecycle policies (#​11900)
  • dms_instance_no_public_access no longer initializes the full EC2 service when there are no DMS replication instances (#​11902)
  • organizations_scp_check_deny_regions no longer reports false FAIL for AWS Organizations that restrict regions with Allow-based SCPs; the Allow path now checks the statement Effect instead of an always-false comparison that made it unreachable (#​11915)
  • Jira issue creation failures now preserve safe structured response details from Jira (#​11925)
  • Azure Function App optional permission failures now log as warnings, and Function App environment variable fields use the correct spelling internally (#​11926)

v5.33.0: Prowler 5.33.0

Compare Source

✨ New features to highlight in this version

Enjoy them all now for free at https://cloud.prowler.com

🤖 Lighthouse AI — The Agentic Cloud Defender

[!NOTE]
This feature is available exclusively in Prowler Cloud and Prowler Enterprise with a subscription.

Lighthouse AI is now a full agentic assistant wired to the Prowler Cloud backend. Ask it about your findings, your compliance posture, or your riskiest resources, and watch it work: the agent discovers and runs the Prowler tools it needs to answer, with every tool call visible in the new agentic view. It reads your security data through read-only tools, so it can never touch secrets or modify your tenant.

lighthouse-ai-1

The chat experience is rebuilt around persistent sessions: conversations stream in real time, stay in your session history, can be archived, and a sidebar chat mode lets you ask questions from any page in the app without losing your place.

lighthouse-ai-2

You control the brain behind it. Configure one or more LLM providers — OpenAI, Amazon Bedrock, or any OpenAI-compatible endpoint (OpenRouter, Ollama) — with connection testing built into the setup and per-provider model selection. Prowler Cloud defaults to GPT-5.5. Add a shared business context (your security goals, compliance needs, organizational priorities) and every session uses it to give answers that fit your environment.

lighthouse-ai-3

Read more in our Lighthouse AI documentation and the multiple LLM providers guide.

📄 Compliance PDF Reports Without Credentials

Compliance PDF reports no longer require the provider's credentials to be present. Findings are now enriched from the provider metadata stored in the database, so a report still generates even after the provider secret has been deleted or its credentials have become invalid.

Read more in our compliance documentation.

⏳ Scan Queueing

Overlapping scans for the same provider now queue behind the active one instead of dispatching concurrent scan workers. Launch a manual scan while a scheduled one is running and it waits its turn. No more duplicated work or racing scans.

🔐 Security

The Kubernetes provider credentials now reject kubeconfigs using exec authentication in Prowler Cloud, at the API and in the credential form, preventing user-supplied commands from running on Cloud workers.

Read more in the Kubernetes provider authentication documentation.

🙌 External Contributors

Thank you to our community contributors for this release!


UI
🚀 Added
  • Owners can delete their last organization from the profile page (#​11864)
🔄 Changed
  • Organization row actions in the profile page are aligned in fixed columns and the Active indicator now sits next to the organization name (#​11864)
  • Sentry, Google Tag Manager, and PostHog now load their UI_* config only when the matching enable flag (UI_SENTRY_ENABLE / UI_GOOGLE_TAG_MANAGER_ENABLE / UI_POSTHOG_ENABLE) is "true" (default off); the deprecated legacy names (NEXT_PUBLIC_*, POSTHOG_KEY/POSTHOG_HOST) still activate without the flag (#​11682)
API
🚀 Added
  • Compliance PDF reports no longer require provider credentials: findings are enriched from the provider metadata stored in the database, so reports generate even after the provider secret is deleted or its credentials become invalid (#​11845)
🐞 Fixed
  • Provider scans now queue behind active provider scans instead of dispatching concurrently, and resource failed-finding counters retry database conflicts with stable row locking (#​11848)
SDK
🐞 Fixed
  • Azure resource group scoped scans now keep subscription entries when scoped resource listing fails, clarify helper documentation and test organization, and align the resource group documentation example with the described values (#​11796)
  • Azure postgresql_flexible_server_log_retention_days_greater_3 check now queries the logfiles.retention_days configuration parameter instead of log_retention_days (which only exists on the retired Single Server), fixing false FAIL results on every Flexible Server regardless of the actual retention value (#​11761)

v5.32.1: Prowler 5.32.1

Compare Source

UI

🐞 Fixed
  • Invitation callback paths are now preserved when invited users continue with Google, GitHub, or SAML authentication (#​11752)

API

🐞 Fixed
  • Attack Paths: Scan rows now have database defaults for is_migrated and sink_backend so scan-perform-scheduled inserts survive deploy skew (#​11826)
  • Invited users now keep their invitation context when completing authentication with Google, GitHub, or SAML, so the invitation is accepted during login (#​11752)
🔐 Security
  • User profile updates now allow users to update their own account while requiring user-management permissions to update other users in the same tenant (#​11792)

SDK

🐞 Fixed
  • KeyError: 'MANUAL' crash while rendering the compliance summary table (e.g. CIS Microsoft 365) when a framework has manual, checks-less requirements with a Level 1/Level 2 profile; MANUAL findings are now skipped in the PASS/FAIL section tally instead of raising (#​11822)

v5.32.0: Prowler 5.32.0

Compare Source

✨ New features to highlight in this version

Enjoy them all now for free at https://cloud.prowler.com

🔎 Findings Triage

[!NOTE]
This feature is available exclusively in Prowler Cloud and Prowler Enterprise with a subscription.

Triage findings straight from the Findings view. Each finding gets a triage status you can move through its lifecycle:

Open → Under Review → Remediating → Risk Accepted → False Positive → Resolved

Add a triage note to record the decision, mute a finding, all from the row's actions menu. The current status shows inline on every finding row, so you keep track of what has been reviewed and stop re-checking the same issues scan after scan.

Triage 1

The status also follows the finding automatically across scans: when a finding flips from FAIL to PASS on the next scan it moves to Resolved, and when it flips from PASS back to FAIL it moves to Reopened. You always know whether an issue is genuinely fixed or has regressed, without touching it by hand.

Triage 2

Read more in our Findings Triage documentation.

⚙️ Scan Configuration

[!NOTE]
This feature is available exclusively in Prowler Cloud and Prowler Enterprise with a subscription.

Create named, reusable scan configurations from a dedicated Scans / Configuration page. Each configuration is YAML that follows the structure of prowler/config/config.yaml, so you only include the keys you want to override; the rest fall back to the built-in defaults. Values are validated on save against a per-provider, type-safe configuration schema that range-checks each field and rejects unknown keys, so a malformed config is caught before it ever reaches a scan. Attach a configuration to one or more providers so it applies on their next scan, or save it now and attach providers later.

Config 1

From the Providers view you can pick which configuration a provider uses (Default or any of your saved ones) without leaving the page. No more passing config files around by hand.

Config 2

Read more in our Scan Configuration documentation.

✅ Per-Requirement Configuration Validation

[!NOTE]
This feature is available exclusively in Prowler Cloud and Prowler Enterprise with a subscription.

Compliance frameworks can now declare ConfigRequirements on a requirement, so it's reported as FAIL when its mapped checks ran under a configuration too loose to satisfy it. Even if every individual finding PASSed. This applies across all compliance outputs: CSV, OCSF, and console tables, and is the engine behind Scan Configuration's "marked as FAIL" behavior described above.

compliance 1

Read more in our Configuration File documentation.

⏱️ Okta — Request Throttling & Retries

Prowler now proactively throttles Okta API requests to stay under rate limits, with reactive retries on HTTP 429 as a safety net. Both are set in the scan configuration (or their equivalent CLI flags):

  • okta_requests_per_second (config file) / --okta-requests-per-second (CLI) — cap the request rate. Default: 4 req/s.
  • okta_max_retries (config file) / --okta-retries-max-attempts (CLI) — bound retry attempts. Default: 5.

This makes large Okta scans more reliable and less likely to be rate-limited.

Read more in our Okta rate limit documentation.

📉 AWS — Cap Resources Scanned per Service

Large AWS accounts can now cap how many resources Prowler analyzes for the highest-volume services, keeping scan time and cost under control. Set a global limit with max_scanned_resources_per_service, or override it per service:

  • EBS snapshots (max_ebs_snapshots)
  • Backup recovery points (max_backup_recovery_points)
  • CloudWatch log groups (max_cloudwatch_log_groups)
  • Lambda functions (max_lambda_functions)
  • ECS task definitions (max_ecs_task_definitions)
  • CodeArtifact packages (max_codeartifact_packages)

Limits are disabled by default (0 = unlimited); only positive values cap the analyzed resources.

[!WARNING]
When a positive limit is set, compliance results reflect only the sampled resources, not every matching resource in the account.

Read more in our configuration file documentation.

🏷️ Azure — Filter by Resource Group

Azure scans can now be scoped to one or more resource groups with the new --azure-resource-group / --azure-resource-groups option. This lets you run focused assessments against specific environments, teams, or workloads instead of scanning every accessible resource in the subscription.

Prowler validates the requested resource groups across accessible subscriptions and applies the scope across supported Azure services, making targeted Azure scans faster, cleaner, and easier to review.

Examples:

  • Single resource group: prowler azure --az-cli-auth --azure-resource-group rg-prod
  • Multiple resource groups: prowler azure --az-cli-auth --azure-resource-group rg-prod1 rg-prod2

Read more in our Azure Resource Groups documentation.

Thanks to @​Legin-ML for contributing this feature!

🧭 Provider Group Filter

Filter the Overview, Findings, Resources, Scans, and Providers views by provider group. Scope the whole app to a team, an environment, or a business unit in one click instead of filtering provider by provider.

ProviderGroupFilter 1

Read more about managing provider groups in our RBAC documentation.

🔬 API — Timestamp Precision in Findings Filters

The /api/v1/findings endpoint now accepts full timestamps on the inserted_at and updated_at filters (filter[inserted_at__gte], filter[inserted_at__lte], and the updated_at variants), so you can query narrow time windows instead of whole days. Date-only filtering keeps working, so existing integrations are unaffected.

Findings inserted within a precise timestamp window
curl --globoff \
    
'[http://localhost:8080/api/v1/findings?filter[inserted_at__gte]=2026-07-01T06:12:18Z&filter[inserted_at__lte]=2026-07-02T19:25:55Z](http://localhost:8080/api/v1/findings?filter[inserted_at__gte]=2026-07-01T06:12:18Z&filter[inserted_at__lte]=2026-07-02T19:25:55Z)' \    
-H 'Authorization: Bearer <YOUR_TOKEN>' \    
-H 'Accept: application/vnd.api+json'
Combine inserted_at and updated_at windows in a single request
curl --globoff \
'[http://localhost:8080/api/v1/findings?filter[inserted_at__gte]=2026-07-01T05:12:18Z&filter[inserted_at__lte]=2026-07-02T20:25:55Z&filter[updated_at__gte]=2026-07-01T06:12:18Z&filter[updated_at__lte]=2026-07-02T19:25:55Z](http://localhost:8080/api/v1/findings?filter[inserted_at__gte]=2026-07-01T05:12:18Z&filter[inserted_at__lte]=2026-07-02T20:25:55Z&filter[updated_at__gte]=2026-07-01T06:12:18Z&filter[updated_at__lte]=2026-07-02T19:25:55Z)' \
-H 'Authorization: Bearer <YOUR_TOKEN>' \
-H 'Accept: application/vnd.api+json'

🕸️ Attack Paths — Neptune as a persistent sink

Attack Paths can now persist its graph in AWS Neptune in addition to Neo4j, selectable via ATTACK_PATHS_SINK_DATABASE=neptune (default neo4j). Cartography's per-scan ingest database stays on Neo4j. The scan task preflights the ingest database and the configured sink before ingestion, and provider graph cleanup now deletes relationships in directed batches before deleting nodes.

This is the groundwork for scale: a managed graph database lets Attack Paths hold much larger graphs, extend coverage to more providers, and link resources across them so an attack path can cross provider boundaries instead of stopping at one cloud's edge.

Read more in the Attack Paths documentation.

🔐 New Secret-Scanning Engine — Kingfisher

Prowler's secret-scanning checks now run on Kingfisher instead of detect-secrets. Scans run fully offline by default, and obvious placeholder values (e.g. password123, changeme) are no longer reported, cutting down false positives.

Opt in to live validation with the new --scan-secrets-validate flag (or the aws.secrets_validate config option): Prowler checks discovered secrets against the provider APIs, and any secret confirmed to be live is reported as critical, so you can prioritize the credentials that actually work.

[!NOTE]
The detect_secrets_plugins configuration option has been removed, as it is no longer used by the new engine.

Read more in our secret detection documentation.

🔍 Checks

AWS
  • stepfunctions_statemachine_encrypted_with_cmk — Step Functions state machines use a customer-managed KMS key for encryption at rest instead of the default AWS-owned key. Thanks to @​Sid-0602!
  • waf_regional_webacl_logging_enabled — AWS WAF Classic Regional Web ACLs have logging enabled to a Kinesis Data Firehose stream. Thanks to @​Sid-0602!
  • IAM privilege escalation — the privesc checks now cover AWS Bedrock AgentCore paths across Runtime, Harness, Code Interpreter, and Custom Browser. Thanks to @​MrCloudSec!
  • apigateway_restapi_no_secrets_in_stage_variables - Scans API Gateway REST API stage variables for hardcoded passwords, API keys, and tokens. Thanks to @​chirag1206!
  • awslambda_function_no_secrets_in_code — This check now supports a secrets_ignore_files audit-config option to skip files inside the deployment package by glob pattern (e.g. *.deps.json), suppressing .NET dependency-manifest false positives without masking real secrets.
  • s3_bucket_object_public — spot-checks a configurable sample of object ACLs in each bucket and flags objects granted to the AllUsers or AuthenticatedUsers groups. Disabled by default; opt in via the s3_bucket_object_public_enabled configuration option. Thanks to @​Synchx00!

Read more in our AWS documentation.

Explore all AWS checks at Prowler Hub.

Microsoft 365

New Conditional Access hardening checks:

  • entra_conditional_access_policy_explicitly_targets_azure_devops — at least one enabled policy explicitly includes the Azure DevOps cloud application, rather than relying on a broad "All cloud apps" policy. Thanks to @​mzl2233!
  • entra_conditional_access_policy_no_exclusion_gaps — every user, group, role, or application excluded from an enabled policy stays in scope of another enabled policy. Thanks to @​UTKARSH698 with @​arieleli01212 as co-author!
  • entra_conditional_access_policy_groups_management_restricted — every security group referenced by an enabled or report-only policy is management-restricted or role-assignable. Thanks to @​SAMurai-16!
  • exchange_application_access_policy_restricts_mailbox_apps — every service principal with Microsoft Graph application-level Exchange mailbox permissions is restricted by an Exchange Online Application Access Policy. Thanks to @​VasistAcharya!

Read more in our Microsoft 365 documentation.

Explore all Microsoft 365 checks at Prowler Hub.

Compliance

🧩 CIS Benchmark Refresh — Six New Versions

Prowler ships a coordinated refresh of the CIS Benchmarks across six providers:

  • AWS — CIS Amazon Web Services Foundations Benchmark v7.0.0, adding the new Organizations section (2.1.1-2.1.6), resource policy (2.21), web front-end access logging (4.10), and VPC Endpoints (6.8) recommendations.
  • Azure — CIS Microsoft Azure Foundations Benchmark v6.0.0.
  • GCP — CIS Google Cloud Platform Foundation Benchmark v5.0.0.
  • Kubernetes — CIS Kubernetes Benchmark v2.0.1.
  • GitHub — CIS GitHub Benchmark v1.2.0.
  • Microsoft 365 — CIS Microsoft 365 Foundations Benchmark v7.0.0.

Read more in our compliance documentation.

Explore the full compliance catalog at Prowler Hub.

🌐 CIS Controls v8.1 — Universal Framework

A new universal (cross-provider) compliance framework mapping existing checks across 18 providers — AWS, Azure, GCP, Kubernetes, M365, GitHub, AlibabaCloud, OracleCloud, GoogleWorkspace, Okta, Cloudflare, Vercel, MongoDB Atlas, OpenStack, Linode, StackIT, NHN, and Scaleway — to the 18 CIS Critical Security Controls and their Safeguards. Ships with a dedicated detail view and report mapping in the UI.

Read more in our compliance documentation.

Explore the full compliance catalog at Prowler Hub.

🙌 External Contributors

Thank you to our community contributors for this release!


UI

🚀 Added
  • Filter the Overview, Findings, Resources, Scans, and Providers views by provider group (#​11659)
  • CIS Controls v8.1 compliance support, including its detail view and report mapping (#​11700)

API

🚀 Added
  • Timestamp precision support for /api/v1/findings inserted_at and updated_at filters (#​11754)
🔄 Changed
  • Attack Paths: AWS Neptune is now supported as a persistent sink database, selectable via ATTACK_PATHS_SINK_DATABASE=neptune (default neo4j), Cartography's (bumped to 0.138.1) per-scan ingest database stays on Neo4j (#​11524)
  • Attack Paths: Scan task now checks the ingest Neo4j database and configured graph sink before starting graph ingestion (#​11743)
  • Disable PowerShell telemetry in the API container image (#​11746)
🐞 Fixed
  • Attack Paths: Provider graph cleanup now deletes Neo4j and Neptune relationships in directed batches before deleting nodes (#​11755)
  • scan-perform no longer reports an error when a provider is deleted during a running scan (#​11696)

SDK

🚀 Added
  • exchange_application_access_policy_restricts_mailbox_apps check for M365 provider, verifying every service principal with Microsoft Graph application-level Exchange mailbox permissions is restricted by an Exchange Online Application Access Policy, preventing tenant-wide mailbox access by unscoped applications (#​11247)
  • Per-requirement configuration validation for compliance frameworks via ConfigRequirements, so a requirement is reported as FAIL when its configurable checks ran with a configuration too loose to satisfy it (applied across all compliance outputs: CSV, OCSF, and console tables) (#​11669)
  • entra_conditional_access_policy_explicitly_targets_azure_devops check for M365 provider, verifying at least one enabled Conditional Access policy explicitly includes the Azure DevOps cloud application instead of relying on a broad "All cloud apps" policy (#​11182)
  • entra_conditional_access_policy_no_exclusion_gaps check for M365 provider, verifying every user, group, role, or application excluded from an enabled Conditional Access policy stays in scope of another enabled policy (#​11577)
  • entra_conditional_access_policy_groups_management_restricted check for M365 provider, verifying every security group referenced by an enabled or report-only Conditional Access policy is management-restricted or role-assignable (#​11342)
  • stepfunctions_statemachine_encrypted_with_cmk check for AWS provider, verifying that each Step Functions state machine uses a customer-managed KMS key for encryption at rest rather than the default AWS-owned key [(#​11538)](https://redirect.github.com/prowler-cloud/prowler/pu

Note

PR body was truncated to here.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate

renovate Bot commented Jan 29, 2025

Copy link
Copy Markdown
Contributor Author

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.


  • Branch has one or more failed status checks

@renovate
renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from 8238903 to 37bfb6d Compare January 30, 2025 05:10
@renovate renovate Bot changed the title fix(deps): update toniblyx/prowler docker tag to v5.2.1 fix(deps): update toniblyx/prowler docker tag to v5.2.2 Jan 30, 2025
@renovate
renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from 37bfb6d to ce2f27e Compare January 30, 2025 18:36
@renovate renovate Bot changed the title fix(deps): update toniblyx/prowler docker tag to v5.2.2 fix(deps): update toniblyx/prowler docker tag to v5.2.3 Feb 1, 2025
@renovate
renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch 7 times, most recently from d2a4abc to f06c9ed Compare February 8, 2025 01:25
@renovate
renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch 3 times, most recently from 0558c00 to ff99ee4 Compare February 10, 2025 14:10
@renovate renovate Bot changed the title fix(deps): update toniblyx/prowler docker tag to v5.2.3 fix(deps): update toniblyx/prowler docker tag to v5.3.0 Feb 11, 2025
@renovate
renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch 6 times, most recently from fa775f0 to 1967a23 Compare February 18, 2025 01:44
@renovate
renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch 8 times, most recently from da539fb to 2b69680 Compare February 25, 2025 12:55
@renovate
renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch 4 times, most recently from 91269de to 48c03c7 Compare March 15, 2025 21:18
@renovate
renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch 3 times, most recently from 59c0042 to 432cab4 Compare March 20, 2025 15:43
@renovate renovate Bot changed the title fix(deps): update toniblyx/prowler docker tag to v5.4.0 fix(deps): update toniblyx/prowler docker tag to v5.4.1 Mar 20, 2025
@renovate
renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch 3 times, most recently from 9dc50c7 to da11635 Compare March 24, 2025 05:51
@renovate renovate Bot changed the title fix(deps): update toniblyx/prowler docker tag to v5.4.1 fix(deps): update toniblyx/prowler docker tag to v5.4.2 Mar 24, 2025
@renovate
renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch 11 times, most recently from 8ac9a46 to 3b37972 Compare March 30, 2025 22:53
@renovate
renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch 4 times, most recently from cd60360 to d72cb90 Compare April 2, 2025 23:00
@renovate renovate Bot changed the title fix(deps): update toniblyx/prowler docker tag to v5.4.2 fix(deps): update toniblyx/prowler docker tag to v5.4.3 Apr 3, 2025
@renovate
renovate Bot force-pushed the renovate/toniblyx-prowler-5.x branch from d72cb90 to aa3f405 Compare April 3, 2025 15:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants