fix(deps): update toniblyx/prowler docker tag to v5.35.0#76
Open
renovate[bot] wants to merge 1 commit into
Open
fix(deps): update toniblyx/prowler docker tag to v5.35.0#76renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
Contributor
Author
Branch automerge failureThis PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.
|
renovate
Bot
force-pushed
the
renovate/toniblyx-prowler-5.x
branch
from
January 30, 2025 05:10
8238903 to
37bfb6d
Compare
renovate
Bot
force-pushed
the
renovate/toniblyx-prowler-5.x
branch
from
January 30, 2025 18:36
37bfb6d to
ce2f27e
Compare
renovate
Bot
force-pushed
the
renovate/toniblyx-prowler-5.x
branch
7 times, most recently
from
February 8, 2025 01:25
d2a4abc to
f06c9ed
Compare
renovate
Bot
force-pushed
the
renovate/toniblyx-prowler-5.x
branch
3 times, most recently
from
February 10, 2025 14:10
0558c00 to
ff99ee4
Compare
renovate
Bot
force-pushed
the
renovate/toniblyx-prowler-5.x
branch
6 times, most recently
from
February 18, 2025 01:44
fa775f0 to
1967a23
Compare
renovate
Bot
force-pushed
the
renovate/toniblyx-prowler-5.x
branch
8 times, most recently
from
February 25, 2025 12:55
da539fb to
2b69680
Compare
renovate
Bot
force-pushed
the
renovate/toniblyx-prowler-5.x
branch
4 times, most recently
from
March 15, 2025 21:18
91269de to
48c03c7
Compare
renovate
Bot
force-pushed
the
renovate/toniblyx-prowler-5.x
branch
3 times, most recently
from
March 20, 2025 15:43
59c0042 to
432cab4
Compare
renovate
Bot
force-pushed
the
renovate/toniblyx-prowler-5.x
branch
3 times, most recently
from
March 24, 2025 05:51
9dc50c7 to
da11635
Compare
renovate
Bot
force-pushed
the
renovate/toniblyx-prowler-5.x
branch
11 times, most recently
from
March 30, 2025 22:53
8ac9a46 to
3b37972
Compare
renovate
Bot
force-pushed
the
renovate/toniblyx-prowler-5.x
branch
4 times, most recently
from
April 2, 2025 23:00
cd60360 to
d72cb90
Compare
renovate
Bot
force-pushed
the
renovate/toniblyx-prowler-5.x
branch
from
April 3, 2025 15:19
d72cb90 to
aa3f405
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.2.0→5.35.0Release Notes
prowler-cloud/prowler (toniblyx/prowler)
v5.35.0: Prowler 5.35.0Compare Source
✨ New features to highlight in this version
Enjoy them all now for free at https://cloud.prowler.com
💬 Lighthouse AI - Side Chat
Lighthouse AI now lives in a side panel you can open from anywhere in the app. Ask about the findings you are looking at without leaving the page, and expand to the full-page chat at any time: your draft, messages, and streaming response come along. Finding and resource details share the same panel, with tabs to switch between Details and Lighthouse AI.
Read more in our Lighthouse AI documentation.
🤖 Lighthouse AI - Take Action
Lighthouse AI is no longer read-only. Ask it to do things and it will: connect or remove providers, trigger a scan, schedule daily scans, update scan settings, and manage your mutelist and mute rules, straight from the chat. Every action is gated by RBAC: Lighthouse can only do what the user asking could do themselves.
Read more in our Lighthouse AI capabilities.
☁️ One-step AWS Organizations onboarding
Onboarding an entire AWS Organization is now a single step. One CloudFormation quick-create link deploys the management account role and a service-managed StackSet that rolls the role out to every member account, replacing the manual StackSet console setup. Target the whole organization or a specific Organizational Unit or Root ID, and deploy from the management account or a delegated administrator. The S3 integration quick-create link also pre-fills the bucket owner account ID, preventing a stack validation error.
Built on the full-organization CloudFormation template contributed by @jchrisfarris — thanks!
Read more in our AWS Organizations documentation.
🎯 Scan configurations: exclude checks and services
Scan configurations now accept
excluded_checksandexcluded_servicesto narrow the execution scope. Skip individual checks or entire services per provider, and the scan does not run them at all: less noise, faster scans, and no findings you would mute anyway.Read more in our Scan Configuration documentation.
🧭 Redesigned sidebar navigation
The sidebar was redesigned around how you actually work: grouped sections for security, settings, and help, a Home/Chat switch at the top, collapsible configuration entries, clearer active states, and a responsive mobile overlay.
🔌 Prowler MCP tools renamed to
prowler_*Core Prowler tools in Prowler MCP moved from the
prowler_app_*prefix to the shorterprowler_*namespace, and the MCP documentation was restructured around it. Legacyprowler_app_*names keep working in Lighthouse AI, so existing setups are not broken.Read more in our Prowler MCP tools reference.
🔐 Security
pnpm auditon the UI (3 high, 9 moderate, 1 low) are resolved with patched versions ofhono,ws,vite,dompurify,js-yaml,@opentelemetry/core, and@babel/core, includinghonoCVE-2026-59896.🙌 External Contributors
No external contributors in this release.
Special mention to @jchrisfarris, whose full-organization CloudFormation template from v5.34.0 powers the new one-step AWS Organizations onboarding (#10403).
UI
🔄 Changed
prowler_*namespace while preserving legacyprowler_app_*compatibility (#12017)🐞 Fixed
Scan IDfilter on the Findings page now shows the active scan when opening findings from a scan'sView Findingsaction (#11997)🔐 Security
js-yamlto 4.3.0,@sentry/nextjsto 10.65.0 withimport-in-the-middle3.3.1, and transitivehono,dompurify,ws,vite,@babel/coreand@opentelemetry/coreto patched versions, resolving 13 npm audit advisories (3 high, 9 moderate, 1 low) plushonoCVE-2026-59896, published on NVD but not yet in the npm audit feed (#12029)API
🐞 Fixed
attack-paths-scan-performCelery tasks now use the configurable long-task time limits instead of the six-hour defaults (#12009)🔐 Security
SDK
🚀 Added
excluded_checksandexcluded_servicesin scan configurations to narrow the execution scope (#12028)🔐 Security
MCP
🔄 Changed
prowler_app_*prefix toprowler_*(#12017)v5.34.0: Prowler 5.34.0Compare Source
✨ New features to highlight in this version
Enjoy them all now for free at https://cloud.prowler.com
🏷️ New product names
The Prowler family has grown, and the names now say what each product is. Same products, clearer names:
Prowler products:
Open source projects:
See the full family in the Prowler products documentation.
🧭 Cross-Provider Compliance
One framework, every cloud, a single answer. The new Cross-provider tab in Compliance takes the most recent completed scan of every compatible provider and rolls them up into a single compliance posture per framework, with a per-provider breakdown and a combined executive PDF report. Requirement status follows strict precedence (FAIL > PASS > MANUAL), so one failing provider is enough to flag a requirement across your whole estate.
Three universal frameworks support it today:
Filter by provider type, account, or provider group, drill into each framework's requirements, and export the combined PDF.
Read more in our Cross-Provider Compliance documentation.
🏢 New Provider — E2E Networks
Prowler now scans E2E Networks, with 27 checks spanning compute nodes, networking, security groups, load balancers, block and file storage, and managed databases. Thanks to @deepak7093 for their 1st provider in Prowler!
Available in the Prowler CLI:
Read more in our E2E Networks documentation.
Explore all E2E Networks checks at Prowler Hub.
🔐 Security
User role relationship updates in the API are now limited to the active tenant, preserving the role assignments the same user holds in other tenants.
🔍 Checks
AWS
ec2_ami_account_block_public_access— verifies AMI block public access is enabled at the account level in each Region, so AMIs cannot be shared publicly. Thanks to @goutham-hari!datapipeline_pipeline_no_secrets_in_definition— scans Data Pipeline object fields, parameter objects, and parameter values for hardcoded secrets with Kingfisher. Thanks to @YinkaMetrics!elbv2_listener_pqc_tls_enabled— verifies ELBv2 HTTPS/TLS listeners use post-quantum TLS security policies with TLS 1.2 or higher, helping reduce harvest-now-decrypt-later exposure.amplify_app_no_secrets_in_environment— scans Amplify app and branch environment variables and build settings (buildSpec) for hardcoded secrets with Kingfisher. Thanks to @Deep070203!Read more in our AWS documentation.
Explore all AWS checks at Prowler Hub.
Azure
app_function_ensure_http_is_redirected_to_https— verifies that Function Apps enforce HTTPS-only traffic. Thanks to @amandalal007!Read more in our Azure documentation.
Explore all Azure checks at Prowler Hub.
Kubernetes
core_minimize_hostpath_volume_mounts— detects Pods that usehostPathvolumes. Thanks to @0xTaoZ!core_readonly_root_filesystem_enabled— verifies that every container in each Pod explicitly setsreadOnlyRootFilesystem: truein its security context. Thanks to @Weedle02!Read more in our Kubernetes documentation.
Explore all Kubernetes checks at Prowler Hub.
STACKIT
iaas_server_public_ip_attached— flags IaaS servers that have a public IP address directly attached to a network interface. Thanks to @johannes-engler-mw!Read more in our STACKIT documentation.
Explore all STACKIT checks at Prowler Hub.
🙌 External Contributors
Thank you to our community contributors for this release!
ec2_ami_account_block_public_accesscheck (#11828)datapipeline_pipeline_no_secrets_in_definitioncheck (#11821)app_function_ensure_http_is_redirected_to_httpscheck (#11929)core_minimize_hostpath_volume_mountscheck (#11837)core_readonly_root_filesystem_enabledcheck (#11835)iaas_server_public_ip_attachedcheck (#11549)amplify_app_no_secrets_in_environmentcheck (#11825)UI
🚀 Added
🔄 Changed
UI_SENTRY_ENABLE→UI_SENTRY_ENABLED,UI_GOOGLE_TAG_MANAGER_ENABLE→UI_GOOGLE_TAG_MANAGER_ENABLED,UI_POSTHOG_ENABLE→UI_POSTHOG_ENABLED; deployments that set the former names must update them (#11917)🐞 Fixed
API
🐞 Fixed
rls_transactionnow falls back directly to the primary DB for connection-level mid-query read replica failures viaexecute_wrapper, reducing non-streaming read crashes during replica recovery (#10379)attack-paths-cleanup-stale-scansnow retries worker pings and checks recent scan activity before failing scans and removing temporary databases (#11986)🔐 Security
libxml2runtime package and scopes theCVE-2026-13221Trivy exception to unaffected Perl 5.36 packages (#11991)SDK
🚀 Added
elbv2_listener_pqc_tls_enabledcheck for AWS provider, verifying that ELBv2 listeners use post-quantum TLS policies (#11254)iaas_server_public_ip_attachedcheck for STACKIT provider, flagging IaaS servers that have a public IP address directly attached to a network interface (#11549)datapipeline_pipeline_no_secrets_in_definitioncheck for AWS provider, scanning Data Pipeline object fields, parameter objects, and parameter values for hardcoded secrets with Kingfisher (#11821)amplify_app_no_secrets_in_environmentcheck for AWS provider, scanning Amplify app and branch environment variables and build settings for hardcoded secrets (#11825)ec2_ami_account_block_public_accesscheck for AWS provider, verifying AMI block public access is enabled at the account level in each Region so AMIs cannot be shared publicly (#11828)core_readonly_root_filesystem_enabledcheck for Kubernetes provider, verifying that every container in each Pod explicitly setsreadOnlyRootFilesystem: truein its security context (#11835)core_minimize_hostpath_volume_mountscheck for Kubernetes provider, detecting Pods that usehostPathvolumes (#11837)app_function_ensure_http_is_redirected_to_httpscheck for Azure provider, verifying that Function Apps enforce HTTPS-only traffic (#11929)🔄 Changed
v5.33.2: Prowler 5.33.2Compare Source
API
🐞 Fixed
scan-summaryaggregation now upserts summaries in deterministic conflict-key order, preventing PostgreSQL deadlocks during concurrent reaggregation (#11971)SDK
🐞 Fixed
ec2_instance_account_imdsv2_enabledfindings now use regional resource ARNs, preventing findings from different AWS Regions from collapsing into one resource (#11966)v5.33.1: Prowler 5.33.1Compare Source
UI
🔄 Changed
🐞 Fixed
API
🐞 Fixed
Aggregation column contains implicit grouping expressions(#11939)🔐 Security
LIGHTHOUSE_AI_OPENAI_COMPATIBLE_ALLOWED_HOSTSenvironment variable to allow internal hosts as OpenAI-compatible Lighthouse AI base URLs (#11942)SDK
🐞 Fixed
dlm_ebs_snapshot_lifecycle_policy_existsno longer initializes the full EC2 inventory just to detect EBS snapshots, avoiding slow scans when checking DLM lifecycle policies (#11900)dms_instance_no_public_accessno longer initializes the full EC2 service when there are no DMS replication instances (#11902)organizations_scp_check_deny_regionsno longer reports falseFAILfor AWS Organizations that restrict regions with Allow-based SCPs; the Allow path now checks the statementEffectinstead of an always-false comparison that made it unreachable (#11915)v5.33.0: Prowler 5.33.0Compare Source
✨ New features to highlight in this version
Enjoy them all now for free at https://cloud.prowler.com
🤖 Lighthouse AI — The Agentic Cloud Defender
Lighthouse AI is now a full agentic assistant wired to the Prowler Cloud backend. Ask it about your findings, your compliance posture, or your riskiest resources, and watch it work: the agent discovers and runs the Prowler tools it needs to answer, with every tool call visible in the new agentic view. It reads your security data through read-only tools, so it can never touch secrets or modify your tenant.
The chat experience is rebuilt around persistent sessions: conversations stream in real time, stay in your session history, can be archived, and a sidebar chat mode lets you ask questions from any page in the app without losing your place.
You control the brain behind it. Configure one or more LLM providers — OpenAI, Amazon Bedrock, or any OpenAI-compatible endpoint (OpenRouter, Ollama) — with connection testing built into the setup and per-provider model selection. Prowler Cloud defaults to GPT-5.5. Add a shared business context (your security goals, compliance needs, organizational priorities) and every session uses it to give answers that fit your environment.
Read more in our Lighthouse AI documentation and the multiple LLM providers guide.
📄 Compliance PDF Reports Without Credentials
Compliance PDF reports no longer require the provider's credentials to be present. Findings are now enriched from the provider metadata stored in the database, so a report still generates even after the provider secret has been deleted or its credentials have become invalid.
Read more in our compliance documentation.
⏳ Scan Queueing
Overlapping scans for the same provider now queue behind the active one instead of dispatching concurrent scan workers. Launch a manual scan while a scheduled one is running and it waits its turn. No more duplicated work or racing scans.
🔐 Security
The Kubernetes provider credentials now reject kubeconfigs using
execauthentication in Prowler Cloud, at the API and in the credential form, preventing user-supplied commands from running on Cloud workers.Read more in the Kubernetes provider authentication documentation.
🙌 External Contributors
Thank you to our community contributors for this release!
postgresql_flexible_server_log_retention_days_greater_3Flexible Server log retention fix (#11761)KeyError: 'MANUAL'crash fix in the compliance summary table, shipped early in v5.32.1 (#11823)UI
🚀 Added
🔄 Changed
UI_*config only when the matching enable flag (UI_SENTRY_ENABLE/UI_GOOGLE_TAG_MANAGER_ENABLE/UI_POSTHOG_ENABLE) is"true"(default off); the deprecated legacy names (NEXT_PUBLIC_*,POSTHOG_KEY/POSTHOG_HOST) still activate without the flag (#11682)API
🚀 Added
🐞 Fixed
SDK
🐞 Fixed
postgresql_flexible_server_log_retention_days_greater_3check now queries thelogfiles.retention_daysconfiguration parameter instead oflog_retention_days(which only exists on the retired Single Server), fixing falseFAILresults on every Flexible Server regardless of the actual retention value (#11761)v5.32.1: Prowler 5.32.1Compare Source
UI
🐞 Fixed
API
🐞 Fixed
is_migratedandsink_backendsoscan-perform-scheduledinserts survive deploy skew (#11826)🔐 Security
SDK
🐞 Fixed
KeyError: 'MANUAL'crash while rendering the compliance summary table (e.g. CIS Microsoft 365) when a framework has manual, checks-less requirements with a Level 1/Level 2 profile;MANUALfindings are now skipped in the PASS/FAIL section tally instead of raising (#11822)v5.32.0: Prowler 5.32.0Compare Source
✨ New features to highlight in this version
Enjoy them all now for free at https://cloud.prowler.com
🔎 Findings Triage
Triage findings straight from the Findings view. Each finding gets a triage status you can move through its lifecycle:
Open → Under Review → Remediating → Risk Accepted → False Positive → Resolved
Add a triage note to record the decision, mute a finding, all from the row's actions menu. The current status shows inline on every finding row, so you keep track of what has been reviewed and stop re-checking the same issues scan after scan.
The status also follows the finding automatically across scans: when a finding flips from
FAILtoPASSon the next scan it moves to Resolved, and when it flips fromPASSback toFAILit moves to Reopened. You always know whether an issue is genuinely fixed or has regressed, without touching it by hand.Read more in our Findings Triage documentation.
⚙️ Scan Configuration
Create named, reusable scan configurations from a dedicated Scans / Configuration page. Each configuration is YAML that follows the structure of
prowler/config/config.yaml, so you only include the keys you want to override; the rest fall back to the built-in defaults. Values are validated on save against a per-provider, type-safe configuration schema that range-checks each field and rejects unknown keys, so a malformed config is caught before it ever reaches a scan. Attach a configuration to one or more providers so it applies on their next scan, or save it now and attach providers later.From the Providers view you can pick which configuration a provider uses (
Defaultor any of your saved ones) without leaving the page. No more passing config files around by hand.Read more in our Scan Configuration documentation.
✅ Per-Requirement Configuration Validation
Compliance frameworks can now declare
ConfigRequirementson a requirement, so it's reported as FAIL when its mapped checks ran under a configuration too loose to satisfy it. Even if every individual finding PASSed. This applies across all compliance outputs: CSV, OCSF, and console tables, and is the engine behind Scan Configuration's "marked as FAIL" behavior described above.Read more in our Configuration File documentation.
⏱️ Okta — Request Throttling & Retries
Prowler now proactively throttles Okta API requests to stay under rate limits, with reactive retries on HTTP 429 as a safety net. Both are set in the scan configuration (or their equivalent CLI flags):
okta_requests_per_second(config file) /--okta-requests-per-second(CLI) — cap the request rate. Default: 4 req/s.okta_max_retries(config file) /--okta-retries-max-attempts(CLI) — bound retry attempts. Default: 5.This makes large Okta scans more reliable and less likely to be rate-limited.
Read more in our Okta rate limit documentation.
📉 AWS — Cap Resources Scanned per Service
Large AWS accounts can now cap how many resources Prowler analyzes for the highest-volume services, keeping scan time and cost under control. Set a global limit with
max_scanned_resources_per_service, or override it per service:max_ebs_snapshots)max_backup_recovery_points)max_cloudwatch_log_groups)max_lambda_functions)max_ecs_task_definitions)max_codeartifact_packages)Limits are disabled by default (
0= unlimited); only positive values cap the analyzed resources.Read more in our configuration file documentation.
🏷️ Azure — Filter by Resource Group
Azure scans can now be scoped to one or more resource groups with the new
--azure-resource-group/--azure-resource-groupsoption. This lets you run focused assessments against specific environments, teams, or workloads instead of scanning every accessible resource in the subscription.Prowler validates the requested resource groups across accessible subscriptions and applies the scope across supported Azure services, making targeted Azure scans faster, cleaner, and easier to review.
Examples:
prowler azure --az-cli-auth --azure-resource-group rg-prodprowler azure --az-cli-auth --azure-resource-group rg-prod1 rg-prod2Read more in our Azure Resource Groups documentation.
Thanks to @Legin-ML for contributing this feature!
🧭 Provider Group Filter
Filter the Overview, Findings, Resources, Scans, and Providers views by provider group. Scope the whole app to a team, an environment, or a business unit in one click instead of filtering provider by provider.
Read more about managing provider groups in our RBAC documentation.
🔬 API — Timestamp Precision in Findings Filters
The
/api/v1/findingsendpoint now accepts full timestamps on theinserted_atandupdated_atfilters (filter[inserted_at__gte],filter[inserted_at__lte], and theupdated_atvariants), so you can query narrow time windows instead of whole days. Date-only filtering keeps working, so existing integrations are unaffected.Findings inserted within a precise timestamp window
curl --globoff \ '[http://localhost:8080/api/v1/findings?filter[inserted_at__gte]=2026-07-01T06:12:18Z&filter[inserted_at__lte]=2026-07-02T19:25:55Z](http://localhost:8080/api/v1/findings?filter[inserted_at__gte]=2026-07-01T06:12:18Z&filter[inserted_at__lte]=2026-07-02T19:25:55Z)' \ -H 'Authorization: Bearer <YOUR_TOKEN>' \ -H 'Accept: application/vnd.api+json'Combine inserted_at and updated_at windows in a single request
🕸️ Attack Paths — Neptune as a persistent sink
Attack Paths can now persist its graph in AWS Neptune in addition to Neo4j, selectable via
ATTACK_PATHS_SINK_DATABASE=neptune(defaultneo4j). Cartography's per-scan ingest database stays on Neo4j. The scan task preflights the ingest database and the configured sink before ingestion, and provider graph cleanup now deletes relationships in directed batches before deleting nodes.This is the groundwork for scale: a managed graph database lets Attack Paths hold much larger graphs, extend coverage to more providers, and link resources across them so an attack path can cross provider boundaries instead of stopping at one cloud's edge.
Read more in the Attack Paths documentation.
🔐 New Secret-Scanning Engine — Kingfisher
Prowler's secret-scanning checks now run on Kingfisher instead of
detect-secrets. Scans run fully offline by default, and obvious placeholder values (e.g.password123,changeme) are no longer reported, cutting down false positives.Opt in to live validation with the new
--scan-secrets-validateflag (or theaws.secrets_validateconfig option): Prowler checks discovered secrets against the provider APIs, and any secret confirmed to be live is reported as critical, so you can prioritize the credentials that actually work.Read more in our secret detection documentation.
🔍 Checks
AWS
stepfunctions_statemachine_encrypted_with_cmk— Step Functions state machines use a customer-managed KMS key for encryption at rest instead of the default AWS-owned key. Thanks to @Sid-0602!waf_regional_webacl_logging_enabled— AWS WAF Classic Regional Web ACLs have logging enabled to a Kinesis Data Firehose stream. Thanks to @Sid-0602!apigateway_restapi_no_secrets_in_stage_variables- Scans API Gateway REST API stage variables for hardcoded passwords, API keys, and tokens. Thanks to @chirag1206!awslambda_function_no_secrets_in_code— This check now supports asecrets_ignore_filesaudit-config option to skip files inside the deployment package by glob pattern (e.g.*.deps.json), suppressing .NET dependency-manifest false positives without masking real secrets.s3_bucket_object_public— spot-checks a configurable sample of object ACLs in each bucket and flags objects granted to theAllUsersorAuthenticatedUsersgroups. Disabled by default; opt in via thes3_bucket_object_public_enabledconfiguration option. Thanks to @Synchx00!Read more in our AWS documentation.
Explore all AWS checks at Prowler Hub.
Microsoft 365
New Conditional Access hardening checks:
entra_conditional_access_policy_explicitly_targets_azure_devops— at least one enabled policy explicitly includes the Azure DevOps cloud application, rather than relying on a broad "All cloud apps" policy. Thanks to @mzl2233!entra_conditional_access_policy_no_exclusion_gaps— every user, group, role, or application excluded from an enabled policy stays in scope of another enabled policy. Thanks to @UTKARSH698 with @arieleli01212 as co-author!entra_conditional_access_policy_groups_management_restricted— every security group referenced by an enabled or report-only policy is management-restricted or role-assignable. Thanks to @SAMurai-16!exchange_application_access_policy_restricts_mailbox_apps— every service principal with Microsoft Graph application-level Exchange mailbox permissions is restricted by an Exchange Online Application Access Policy. Thanks to @VasistAcharya!Read more in our Microsoft 365 documentation.
Explore all Microsoft 365 checks at Prowler Hub.
Compliance
🧩 CIS Benchmark Refresh — Six New Versions
Prowler ships a coordinated refresh of the CIS Benchmarks across six providers:
Read more in our compliance documentation.
Explore the full compliance catalog at Prowler Hub.
🌐 CIS Controls v8.1 — Universal Framework
A new universal (cross-provider) compliance framework mapping existing checks across 18 providers — AWS, Azure, GCP, Kubernetes, M365, GitHub, AlibabaCloud, OracleCloud, GoogleWorkspace, Okta, Cloudflare, Vercel, MongoDB Atlas, OpenStack, Linode, StackIT, NHN, and Scaleway — to the 18 CIS Critical Security Controls and their Safeguards. Ships with a dedicated detail view and report mapping in the UI.
Read more in our compliance documentation.
Explore the full compliance catalog at Prowler Hub.
🙌 External Contributors
Thank you to our community contributors for this release!
apigateway_restapi_no_secrets_in_stage_variablescheck (#11188)stepfunctions_statemachine_encrypted_with_cmk(#11538) andwaf_regional_webacl_logging_enabled(#11539) checksentra_conditional_access_policy_explicitly_targets_azure_devopscheck (#11182)entra_conditional_access_policy_no_exclusion_gapscheck (#11577)entra_conditional_access_policy_groups_management_restrictedcheck (#11342)keyvault_logging_enabledAuditEventcategory fix (#11660)exchange_application_access_policy_restricts_mailbox_apps(#11247)s3_bucket_object_publiccheck (#9517)UI
🚀 Added
API
🚀 Added
/api/v1/findingsinserted_atandupdated_atfilters (#11754)🔄 Changed
ATTACK_PATHS_SINK_DATABASE=neptune(defaultneo4j), Cartography's (bumped to 0.138.1) per-scan ingest database stays on Neo4j (#11524)🐞 Fixed
scan-performno longer reports an error when a provider is deleted during a running scan (#11696)SDK
🚀 Added
exchange_application_access_policy_restricts_mailbox_appscheck for M365 provider, verifying every service principal with Microsoft Graph application-level Exchange mailbox permissions is restricted by an Exchange Online Application Access Policy, preventing tenant-wide mailbox access by unscoped applications (#11247)ConfigRequirements, so a requirement is reported as FAIL when its configurable checks ran with a configuration too loose to satisfy it (applied across all compliance outputs: CSV, OCSF, and console tables) (#11669)entra_conditional_access_policy_explicitly_targets_azure_devopscheck for M365 provider, verifying at least one enabled Conditional Access policy explicitly includes the Azure DevOps cloud application instead of relying on a broad "All cloud apps" policy (#11182)entra_conditional_access_policy_no_exclusion_gapscheck for M365 provider, verifying every user, group, role, or application excluded from an enabled Conditional Access policy stays in scope of another enabled policy (#11577)entra_conditional_access_policy_groups_management_restrictedcheck for M365 provider, verifying every security group referenced by an enabled or report-only Conditional Access policy is management-restricted or role-assignable (#11342)stepfunctions_statemachine_encrypted_with_cmkcheck for AWS provider, verifying that each Step Functions state machine uses a customer-managed KMS key for encryption at rest rather than the default AWS-owned key [(#11538)](https://redirect.github.com/prowler-cloud/prowler/puConfiguration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.