
fix(deps): update toniblyx/prowler docker tag to v5.20.0#76

Open
renovate[bot] wants to merge 1 commit into dev from renovate/toniblyx-prowler-5.x

Conversation


@renovate renovate bot commented Jan 29, 2025

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package           Update   Change
toniblyx/prowler  minor    5.2.0 -> 5.20.0

Release Notes

prowler-cloud/prowler (toniblyx/prowler)

v5.20.0: Prowler 5.20.0

Compare Source

✨ New features to highlight in this version

Enjoy them all now for free at https://cloud.prowler.com

🏛️ AWS Organizations Improvements

[!NOTE]
Available exclusively in Prowler Cloud.

  • We've improved the AWS Organizations onboarding wizard making it easier to deploy the required CloudFormation templates.
  • Findings now include Organizational Unit ID and name across all output formats (ASFF, OCSF, CSV), giving you full visibility into which OU each account belongs to — Thanks to @​raajheshkannaa!
  • Cloud Providers page shows your AWS Organizations hierarchy tree with organizational units and accounts.

🕸️ Attack Paths Improvements

  • APOC to standard openCypher migration: Network exposure queries now use standard openCypher instead of APOC procedures, making them use better open standards
  • Cartography upgrade: Upgraded from 0.129.0 to 0.132.0, fixing exposed_internet not being set on ELB/ELBv2 nodes
  • Custom query endpoint: Cypher blocklist, input validation, rate limiting, and Helm lockdown for hardening its security
  • Security hardening — Cypher blocklist, input validation, rate limiting, and Helm lockdown for the custom query endpoint
  • Better error handling: Server errors (5xx) and network failures now show user-friendly messages instead of raw internal errors
  • Improved logging: Query execution and scan error handling now log properly
  • Several UX improvements in the Attack Paths page

🏛️ Google Workspace - API Only

Google Workspace is now fully integrated with the Prowler API. After being introduced as a CLI-only provider in v5.19.0, you can now connect and scan your Google Workspace environment directly from the API. Full App support will be included in the next release.

Read more in our Google Workspace documentation.

Explore all Google Workspace checks at Prowler Hub.

☁️ OpenStack — Object Storage Service

OpenStack continues to expand with a brand new Object Storage service adding 7 security checks covering container access control, versioning, encryption, metadata hygiene, and lifecycle management.

Read more in our OpenStack documentation.

Explore all OpenStack checks at Prowler Hub.

🔍 New Checks

AWS
  • guardduty_delegated_admin_enabled_all_regions - Verify that a delegated administrator account is configured for GuardDuty - Thanks to @​m-wentz!
  • opensearch_service_domains_not_publicly_accessible - Now supports a trusted_ips configuration option. If your OpenSearch domain has a resource policy restricting access to known IPs, you no longer get a false positive on the public accessibility check — Thanks to @​codename470!

Explore all AWS checks at Prowler Hub.

Microsoft 365
  • entra_conditional_access_policy_approved_client_app_required_for_mobile — Requires approved client apps on mobile devices
  • entra_conditional_access_policy_compliant_device_hybrid_joined_device_mfa_required — Requires compliant/hybrid-joined device or MFA

Explore all M365 checks at Prowler Hub.

🐞 Bug Fixes

We've added several bug fixes to improve the user experience across the application.

⛵ Community Helm Chart

Prowler now has an official community-maintained Helm chart for self-hosted deployments on Kubernetes. The chart is published as an OCI artifact to oci://ghcr.io/prowler-cloud/charts/prowler on every release.

Check it on https://ghcr.io/prowler-cloud/charts/prowler

Thanks to @​Ca-moes and @​Utwo for building and maintaining this chart!

🙌 Community Contributors


UI

🔄 Changed
  • Attack Paths: Improved error handling for server errors (5xx) and network failures with user-friendly messages instead of raw internal errors and layout changes (#​10249)
  • Refactor simple providers with new components and styles (#​10259)
  • Providers page redesigned with cloud organization hierarchy, HeroUI-to-shadcn migration, organization and account group filters, and row selection for bulk actions (#​10292)
  • AWS Organizations onboarding now uses a clearer 3-step flow: deploy the ProwlerScan role in the management account via CloudFormation Stack, deploy to member accounts via StackSet with a copyable template URL, and confirm with the Role ARN (#​10274)
🐞 Fixed
  • Provider wizard now closes after updating credentials instead of incorrectly advancing to the Launch Scan step, which caused API errors for providers with existing scheduled scans (#​10278)
  • Attack Paths query builder sending stale parameters from previous query selections due to validation schema and default values being recreated on every render (#​10306)
  • Finding detail drawer crashing when resource, scan, or provider relationships are missing from the API response (#​10314)
🔐 Security
  • npm transitive dependencies patched to resolve 11 Dependabot alerts (6 HIGH, 4 MEDIUM, 1 LOW): hono, @​hono/node-server, fast-xml-parser, serialize-javascript, minimatch (#​10267)

API

🔄 Changed
  • Attack Paths: Migrate network exposure queries from APOC to standard openCypher for Neo4j and Neptune compatibility (#​10266)
  • POST /api/v1/providers returns 409 Conflict if already exists (#​10293)
🐞 Fixed
  • Attack Paths: Security hardening for custom query endpoint (Cypher blocklist, input validation, rate limiting, Helm lockdown) (#​10238)
  • Attack Paths: Missing logging for query execution and exception details in scan error handling (#​10269)
  • Attack Paths: Upgrade Cartography from 0.129.0 to 0.132.0, fixing exposed_internet not set on ELB/ELBv2 nodes (#​10272)

SDK

🚀 Added
  • entra_conditional_access_policy_approved_client_app_required_for_mobile check for M365 provider (#​10216)
  • entra_conditional_access_policy_compliant_device_hybrid_joined_device_mfa_required check for M365 provider (#​10197)
  • trusted_ips configurable option for opensearch_service_domains_not_publicly_accessible check to reduce false positives on IP-restricted policies (#​8631)
  • guardduty_delegated_admin_enabled_all_regions check for AWS provider (#​9867)
  • OpenStack object storage service with 7 checks (#​10258)
  • AWS Organizations OU metadata (OU ID, OU path) in ASFF, OCSF and CSV outputs (#​10283)
🔄 Changed
  • Update Kubernetes API server checks metadata to new format (#​9674)
  • Update Kubernetes Controller Manager service metadata to new format (#​9675)
  • Update Kubernetes Core service metadata to new format (#​9676)
  • Update Kubernetes Kubelet service metadata to new format (#​9677)
  • Update Kubernetes RBAC service metadata to new format (#​9678)
  • Update Kubernetes Scheduler service metadata to new format (#​9679)
  • Update MongoDB Atlas Organizations service metadata to new format (#​9658)
  • Update MongoDB Atlas clusters service metadata to new format (#​9657)
  • Update GitHub Repository service metadata to new format (#​9659)
  • Update GitHub Organization service metadata to new format (#​10273)
  • Update Oracle Cloud Compute Engine service metadata to new format (#​9371)
  • Update Oracle Cloud Database service metadata to new format (#​9372)
  • Update Oracle Cloud File Storage service metadata to new format (#​9374)
  • Update Oracle Cloud Integration service metadata to new format (#​9376)
  • Update Oracle Cloud KMS service metadata to new format (#​9377)
  • Update Oracle Cloud Network service metadata to new format (#​9378)
  • Update Oracle Cloud Object Storage service metadata to new format (#​9379)
  • Update Oracle Cloud Events service metadata to new format (#​9373)
  • Update Oracle Cloud Identity service metadata to new format (#​9375)
  • Update Alibaba Cloud services metadata to new format (#​10289)
  • Update M365 Admin Center service metadata to new format (#​9680)
  • Update M365 Defender service metadata to new format (#​9681)
  • Update M365 Purview service metadata to new format (#​9092)

v5.19.0: Prowler 5.19.0

Compare Source

✨ New features to highlight in this version

Enjoy them all now like a Pro at https://cloud.prowler.com

🏛️ AWS Organizations Onboarding

[!NOTE]
Available exclusively in Prowler Cloud.

Connect multiple AWS accounts from your Organization in a single flow. Select accounts from your AWS Organization hierarchy and onboard them all at once — no more adding accounts one by one.


Read more in our AWS Organizations in Prowler Cloud documentation.

📤 Import Findings

[!NOTE]
Available exclusively in Prowler Cloud.

Scan results can now be imported into Prowler Cloud for centralized visibility and correlation. Available via:

  • CLI: the --push-to-cloud flag uploads findings in OCSF directly
  • API: the POST /api/v1/ingestions endpoint for CI/CD and automation workflows

Read more in our import findings documentation. Thanks to @​sonofagl1tch for their contribution and continued support!

☁️ OpenStack — Multi-Region & New Services

OpenStack support matures with:

  • Multiple regions scanned from a single provider configuration
  • 7 new Compute security checks covering instance, network, and security group configurations
  • 6 new Networking security checks covering security groups, port security, DHCP, and network state
  • 7 new Block Storage security checks covering volume encryption, sensitive metadata, backups, and resource hygiene
  • 6 new Image security checks covering visibility, signature verification, deletion protection, encryption, and Secure Boot
  • Full App integration — OpenStack providers can now be managed from the UI

Read more in our OpenStack documentation.

Explore all OpenStack checks at Prowler Hub.

🐳 Container Image Scanning

A brand new Image provider powered by Trivy brings container image security scanning to Prowler. Scan individual images or entire registries for vulnerabilities:

  • Single image mode: Scan any container image by tag or digest
  • Registry scan mode: Enumerate and scan all images from OCI-standard registries, Docker Hub, and Amazon ECR
  • Available via CLI and API — full App support coming in the next release

Read more in our Image provider documentation.

Explore all Image checks at Prowler Hub.

🏢 Google Workspace Provider - CLI

A new Google Workspace provider brings organizational security visibility to Prowler, starting with the Directory service.

It's the 1st provider in Prowler for @​lydiavilchez 🙌

Explore all Google Workspace checks at Prowler Hub

☁️ Cloudflare — Now in the App

After being introduced in the CLI in v5.17.0, Cloudflare now has full App support in the Prowler App with 29 security checks covering:

  • TLS/SSL
  • DNS
  • Email security
  • WAF
  • Bot protection
  • Zone configuration.

Read more in our Cloudflare documentation.

Explore all CloudFlare checks at Prowler Hub.

🕸️ Attack Paths — Major Upgrades

The Attack Paths feature receives significant enhancements in this release:

  • Full query library from pathfinding.cloud — comprehensive set of privilege escalation and lateral movement detection queries
  • Query descriptions and source links — each query now includes a detailed description and a link to its source at pathfinding.cloud
  • Cartography upgrade — from fork 0.126.1 to upstream 0.129.0, with Neo4j driver upgraded from 5.x to 6.x
  • Read-only query execution — queries now run in read-only mode for safety
  • Provider-scoped results — query results are filtered by provider, preventing cross-tenant and cross-provider data leakage
  • Improved reliability — orphaned Neo4j databases are cleaned up on scan failure, and provider deletion no longer causes DatabaseError

🤖 Attack Paths in Prowler MCP Server

The Prowler MCP Server now includes Attack Paths tools, enabling AI agents to query and analyze privilege escalation and lateral movement paths directly. Connect your AI assistant at mcp.prowler.com/mcp.

📚 New Compliance Frameworks

CSA CCM 4.0

The Cloud Security Alliance Cloud Controls Matrix v4.0 is now available across five providers: AWS, Azure, GCP, Oracle Cloud, and Alibaba Cloud.

CIS 6.0 for AWS

The latest CIS Amazon Web Services Foundations Benchmark v6.0 is now available, bringing updated security controls aligned with current AWS best practices.

SecNumCloud for AWS

The ANSSI SecNumCloud qualification framework is now available for AWS, covering French cloud security requirements.

🔗 Unified Provider Wizard

The provider connection flow has been completely redesigned into a modal wizard with a unified experience across all provider types.


🔍 New Checks

Microsoft 365

12 new security checks covering Entra ID, Defender for Identity, Defender XDR, and email protection.

  • entra_conditional_access_policy_app_enforced_restrictions — App enforced restrictions
  • entra_app_registration_no_unused_privileged_permissions — Unused privileged permissions
  • entra_seamless_sso_disabled — Seamless SSO disabled
  • entra_conditional_access_policy_require_mfa_for_management_api — MFA for management API
  • defenderidentity_health_issues_no_open — Defender for Identity health
  • defenderxdr_endpoint_privileged_user_exposed_credentials — Exposed credentials detection
  • defenderxdr_critical_asset_management_pending_approvals — Critical asset management
  • defender_safe_attachments_policy_enabled — Safe Attachments policy
  • defender_safelinks_policy_enabled — Safe Links policy
  • entra_default_app_management_policy_enabled — Default app management policy enabled
  • entra_authentication_method_sms_voice_disabled - Disable SMS and voice authentication
  • entra_break_glass_account_fido2_security_key_registered - Break glass accounts should have a FIDO2 security key

Explore all M365 checks at Prowler Hub.

AWS

Enhanced IAM privilege escalation detection with patterns from the pathfinding.cloud library

Explore all AWS checks at Prowler Hub.

OpenStack

26 new security checks across four services:

Compute (7 checks)

  • compute_instance_config_drive_enabled — Config drive for secure metadata delivery
  • compute_instance_isolated_private_network — Network isolation (private-only IPs)
  • compute_instance_key_based_authentication — SSH key-based auth configuration
  • compute_instance_locked_status_enabled — Instance lock status protection
  • compute_instance_metadata_sensitive_data — Secrets in instance metadata
  • compute_instance_public_ip_exposed — Publicly exposed instances
  • compute_instance_trusted_image_certificates — Image signature verification

Networking (6 checks)

  • networking_security_group_allows_ssh_from_internet — SSH (port 22) exposed to the internet
  • networking_security_group_allows_rdp_from_internet — RDP (port 3389) exposed to the internet
  • networking_security_group_allows_all_ingress_from_internet — Security groups allowing all ingress from the internet
  • networking_port_security_disabled — Networks/ports allowing MAC/IP spoofing attacks
  • networking_subnet_dhcp_disabled — Subnets without DHCP auto-configuration
  • networking_admin_state_down — Administratively disabled networks

Block Storage (7 checks)

  • blockstorage_volume_encryption_enabled — Volumes without encryption enabled
  • blockstorage_volume_metadata_sensitive_data — Sensitive data in volume metadata
  • blockstorage_snapshot_metadata_sensitive_data — Sensitive data in snapshot metadata
  • blockstorage_volume_backup_exists — Volumes without any backups
  • blockstorage_volume_multiattach_disabled — Volumes with multi-attach enabled
  • blockstorage_volume_not_unattached — Orphaned volumes with no attachments
  • blockstorage_snapshot_not_orphaned — Snapshots referencing non-existent source volumes

Image (6 checks)

  • image_not_publicly_visible — Publicly visible images exposing OS configs and credentials
  • image_not_shared_with_multiple_projects — Images shared with too many projects
  • image_signature_verification_enabled — Images without cryptographic signature verification
  • image_protected_status_enabled — Images without deletion protection
  • image_encryption_enabled — Images without guest memory encryption (AMD SEV)
  • image_secure_boot_enabled — Images without Secure Boot required

Explore all OpenStack checks at Prowler Hub.

GitHub
  • organization_verified_badge — Verified badge on GitHub organizations — thanks to @​kushpatel321!

Explore all Github checks at Prowler Hub.

🔐 Security Updates

  • py-ocsf-models 0.8.1 and cryptography 44.0.3
  • Pillow 12.1.1 (CVE-2021-25289)
  • azure-core 1.38.x removing CVE-2026-21226 safety ignore
  • npm dependencies updated resolving 20 Dependabot alerts (2 CRITICAL, 7 HIGH, 9 MEDIUM, 2 LOW)
  • defusedxml XXE vulnerability fix for Alibaba Cloud OSS — thanks to @​sandiyochristan!
🔒 CI Security Hardening

GitHub Actions workflows have been audited and hardened using zizmor, which is now integrated into CI. Fixes include expression injection prevention, credential persistence controls, and overall workflow hardening in (#​10200) (#​10207) (#​10208)

🙌 Community Contributors


UI

🚀 Added
  • OpenStack provider support in the UI (#​10046)
  • PDF report available for the CSA CCM compliance framework (#​10088)
  • Cloudflare provider support (#​9910)
  • CSV and PDF download buttons in compliance views (#​10093)
  • Add SecNumCloud compliance framework (#​10117)
  • Attack Paths tools added to Lighthouse AI workflow allowed list (#​10175)
🔄 Changed
  • Attack Paths: Query list now shows their name and short description, when one is selected it also shows a longer description and an attribution if it has it (#​9983)
  • Updated GitHub provider form placeholder to clarify both username and organization names are valid inputs (#​9830)
  • CSA CCM detailed view and small fix related with Top Failed Sections width (#​10018)
  • Attack Paths: Show scan data availability status with badges and tooltips, allow selecting scans for querying while a new scan is in progress (#​10089)
  • Attack Paths: Catches not found and permissions (for read only queries) errors (#​10140)
  • Provider connection flow was unified into a modal wizard with AWS Organizations bulk onboarding, safer secret retry handling, and more stable E2E coverage (#​10153) (#​10154) (#​10155) (#​10156) (#​10157) (#​10158)
🐞 Fixed
  • Findings Severity Over Time chart on Overview not responding to provider and account filters, and chart clipping at Y-axis maximum values (#​10103)
🔐 Security

API

🚀 Added
  • Finding group summaries and resources endpoints for hierarchical findings views (#​9961)
  • OpenStack provider support (#​10003)
  • PDF report for the CSA CCM compliance framework (#​10088)
  • image provider support for container image scanning (#​10128)
  • Attack Paths: Custom query and Cartography schema endpoints (temporarily blocked) (#​10149)
🔄 Changed
  • Attack Paths: Queries definition now has short description and attribution (#​9983)
  • Attack Paths: Internet node is created while scan (#​9992)
  • Attack Paths: Add full paths set from pathfinding.cloud (#​10008)
  • Attack Paths: Mark attack Paths scan as failed when Celery task fails outside job error handling (#​10065)
  • Attack Paths: Remove legacy per-scan graph_database and is_graph_database_deleted fields from AttackPathsScan model (#​10077)
  • Attack Paths: Add graph_data_ready field to decouple query availability from scan state (#​10089)
  • Attack Paths: Upgrade Cartography from fork 0.126.1 to upstream 0.129.0 and Neo4j driver from 5.x to 6.x (#​10110)
  • Attack Paths: Query results now filtered by provider, preventing future cross-tenant and cross-provider data leakage (#​10118)
  • Attack Paths: Add private labels and properties in Attack Paths graphs for avoiding future overlapping with Cartography's ones (#​10124)
  • Attack Paths: Query endpoint executes them in read only mode (#​10140)
  • Attack Paths: Accept header query endpoints also accepts text/plain, supporting compact plain-text format for LLM consumption (#​10162)
  • Bump Trivy from 0.69.1 to 0.69.2 (#​10210)
🐞 Fixed
  • Attack Paths: Orphaned temporary Neo4j databases are now cleaned up on scan failure and provider deletion (#​10101)
  • Attack Paths: scan no longer raises DatabaseError when provider is deleted mid-scan (#​10116)
  • Tenant compliance summaries recalculated after provider deletion (#​10172)
  • Security Hub export retries transient replica conflicts without failing integrations (#​10144)
🔐 Security

SDK

🚀 Added
  • entra_authentication_method_sms_voice_disabled check for M365 provider (#​10212)
  • Google Workspace provider support with Directory service including 1 security check (#​10022)
  • entra_conditional_access_policy_app_enforced_restrictions check for M365 provider (#​10058)
  • entra_app_registration_no_unused_privileged_permissions check for M365 provider (#​10080)
  • defenderidentity_health_issues_no_open check for M365 provider (#​10087)
  • organization_verified_badge check for GitHub provider (#​10033)
  • OpenStack provider clouds_yaml_content parameter for API integration (#​10003)
  • defender_safe_attachments_policy_enabled check for M365 provider (#​9833)
  • defender_safelinks_policy_enabled check for M365 provider (#​9832)
  • CSA CCM 4.0 for the AWS provider (#​10018)
  • CSA CCM 4.0 for the GCP provider (#​10042)
  • CSA CCM 4.0 for the Azure provider (#​10039)
  • CSA CCM 4.0 for the Oracle Cloud provider (#​10057)
  • OCI regions updater script and CI workflow (#​10020)
  • image provider for container image scanning with Trivy integration (#​9984)
  • CSA CCM 4.0 for the Alibaba Cloud provider (#​10061)
  • ECS Exec (ECS-006) privilege escalation detection via ecs:ExecuteCommand + ecs:DescribeTasks (#​10066)
  • --export-ocsf CLI flag to upload OCSF scan results to Prowler Cloud (#​10095)
  • scan_id field in OCSF unmapped output for ingestion correlation (#​10095)
  • defenderxdr_endpoint_privileged_user_exposed_credentials check for M365 provider (#​10084)
  • defenderxdr_critical_asset_management_pending_approvals check for M365 provider (#​10085)
  • entra_seamless_sso_disabled check for M365 provider (#​10086)
  • Registry scan mode for image provider: enumerate and scan all images from OCI standard, Docker Hub, and ECR (#​9985)
  • File descriptor limits (ulimits) for Docker Compose worker services to prevent Too many open files errors (#​10107)
  • SecNumCloud compliance framework for the AWS provider (#​10117)
  • CIS 6.0 for the AWS provider (#​10127)
  • entra_conditional_access_policy_require_mfa_for_management_api check for M365 provider (#​10150)
  • OpenStack provider multiple regions support (#​10135)
  • entra_break_glass_account_fido2_security_key_registered check for M365 provider (#​10213)
  • entra_default_app_management_policy_enabled check for M365 provider (#​9898)
  • OpenStack networking service with 6 security checks (#​9970)
  • OpenStack block storage service with 7 security checks (#​10120)
  • OpenStack compute service with 7 security checks (#​9944)
  • OpenStack image service with 6 security checks (#​10096)
  • --provider-uid CLI flag for IaC provider, used as cloud.account.uid in OCSF output and required with --export-ocsf (#​10233)
  • unmapped.provider_uid field in OCSF output to match CLI scan results with API provider entities during ingestion (#​10231)
  • unmapped.provider field in OCSF output for provider name availability in non-cloud providers like Kubernetes (#​10240)
🔄 Changed
  • Update Azure Monitor service metadata to new format (#​9622)
  • GitHub provider enhanced documentation and repository_branch_delete_on_merge_enabled logic (#​9830)
  • Parallelize Cloudflare zone API calls with threading to improve scan performance (#​9982)
  • Update GCP API Keys service metadata to new format (#​9637)
  • Update GCP BigQuery service metadata to new format (#​9638)
  • Update GCP Cloud SQL service metadata to new format (#​9639)
  • Update GCP Cloud Storage service metadata to new format (#​9640)
  • Update GCP Compute Engine service metadata to new format (#​9641)
  • Update GCP Dataproc service metadata to new format (#​9642)
  • Update GCP DNS service metadata to new format (#​9643)
  • Update GCP GCR service metadata to new format (#​9644)
  • Update GCP GKE service metadata to new format (#​9645)
  • Update GCP IAM service metadata to new format (#​9646)
  • Update GCP KMS service metadata to new format (#​9647)
  • Update GCP Logging service metadata to new format (#​9648)
  • Update Azure Key Vault service metadata to new format (#​9621)
  • Update Azure Entra ID service metadata to new format (#​9619)
  • Update Azure Virtual Machines service metadata to new format (#​9629)
  • Cloudflare provider credential validation with specific exceptions (#​9910)
  • Enhance AWS IAM privilege escalation detection with patterns from pathfinding.cloud library (#​9922)
  • Bump Trivy from 0.66.0 to 0.69.2 (#​10210)
  • Standardize GitHub and M365 provider account UIDs for consistent OCSF output (#​10226)
  • Standardize Cloudflare account and resource UIDs to prevent None values in findings (#​10227)
🐞 Fixed
  • Update AWS checks metadata URLs to replace deprecated Trend Micro CloudOne Conformity (EOL July 2026) with Vision One and remove docs.prowler.com references (#​10068)
  • Standardize resource_id values across Azure checks to use actual Azure resource IDs and prevent duplicate resource entries (#​9994)
  • VPC endpoint service collection filtering third-party services that caused AccessDenied errors on DescribeVpcEndpointServicePermissions (#​10152)
  • Handle serialization errors in OCSF output for non-serializable resource metadata (#​10129)
  • Respect AWS_ENDPOINT_URL environment variable for STS session creation (#​10228)
  • Help text and typos in CLI flags (#​10040)
  • elbv2_insecure_ssl_ciphers false positive on AWS post-quantum (PQ) TLS policies like ELBSecurityPolicy-TLS13-1-2-PQ-2025-09 (#​10219)
🔐 Security
  • Bumped py-ocsf-models to 0.8.1 and cryptography to 44.0.3 (#​10059)
  • Harden GitHub Actions workflows against expression injection, add persist-credentials: false to checkout steps, and configure dependabot cooldown (#​10200)

MCP

🚀 Added
  • Attack Paths tools to list scans, discover queries, and run Cypher queries against Neo4j (#​10145)

v5.18.3: Prowler 5.18.3

Compare Source

UI

🐞 Fixed
  • Dropdown selects in the "Send to Jira" modal and other dialogs not responding to clicks (#​10097)
  • Update credentials for the Alibaba Cloud provider (#​10098)

API

🐞 Fixed
  • GCP provider UID validation regex to allow domain prefixes (#​10078)

SDK

🐞 Fixed
  • pip install prowler failing on systems without C compiler due to netifaces transitive dependency from openstacksdk (#​10055)
  • kms_key_not_publicly_accessible false negative for specific KMS actions (e.g., kms:DescribeKey, kms:Decrypt) with unrestricted principals (#​10071)
  • Remove account_id and location for manual requirements in M365CIS (#​10105)

v5.18.2: Prowler 5.18.2

Compare Source

UI

🐞 Fixed
  • ProviderTypeSelector crashing when an unknown provider type is missing from PROVIDER_DATA (#​9991)
  • Infinite memory loop when opening modals from table row action dropdowns due to HeroUI and Radix Dialog overlay conflict (#​9996)
  • Filter changes not coordinating with Suspense boundaries in ProviderTypeSelector, AccountsSelector, and muted findings checkbox (#​10013)
  • Scans page pagination not refreshing table data after page change (#​10013)
  • Duplicate filter[search] parameter in findings and scans API calls (#​10013)
  • Filters on /findings silently reverting on first click in production (#​10034)

API

🐞 Fixed
  • SAML role mapping now prevents removing the last MANAGE_ACCOUNT user (#​10007)

SDK

🐞 Fixed
  • --repository and --organization flags combined interaction in GitHub provider, qualifying unqualified repository names with organization (#​10001)
  • HPACK library logging tokens in debug mode for Azure, M365, and Cloudflare providers (#​10010)

v5.18.1: Prowler 5.18.1

Compare Source

UI

🐞 Fixed
  • Scans page polling now only refreshes scan table data instead of re-rendering the entire server component tree, eliminating redundant API calls to providers, findings, and compliance endpoints every 5 seconds (#​9976)

v5.18.0: Prowler 5.18.0

Compare Source

✨ New features to highlight in this version

Enjoy these features and more at https://cloud.prowler.com

☁️ OpenStack Provider - CLI only

Prowler now supports OpenStack as a new cloud provider! This release introduces initial coverage with the Compute service and includes the first security check. This opens the door to assessing private cloud environments built on OpenStack.


Check the OpenStack documentation and all checks on Prowler Hub.

🔍 CloudTrail Timeline - Resource History Tracking - API only

A new CloudTrail Timeline abstraction enables querying resource modification history directly from the API. The new endpoint GET /resources/{id}/events retrieves AWS resource modification events from CloudTrail, giving you visibility into who changed what and when.

🕸️ Attack Paths Enhancements

  • New privilege escalation queries for Bedrock Code Interpreter and AttachRolePolicy patterns
  • Cartography upgraded to 0.126.1 with expanded AWS scans covering SageMaker, CloudFront, and Bedrock
  • Neo4j database per tenant architecture for improved isolation and performance

🛡️ CodeBreach Vulnerability Detection

New check codebuild_project_webhook_filters_use_anchored_patterns helps detect the CodeBreach vulnerability in AWS CodeBuild projects by verifying webhook filters use properly anchored patterns.

📋 New Security Checks

  • AWS: rds_instance_extended_support - Detect RDS instances using extended support
  • M365: defender_zap_for_teams_enabled, exchange_shared_mailbox_sign_in_disabled
  • GCP: compute_instance_suspended_without_persistent_disks

🏛️ HIPAA for Azure

The HIPAA compliance framework is now available for the Azure provider, helping healthcare organizations assess their Azure infrastructure against HIPAA requirements.

⚡ Performance Improvements

  • Azure Key Vault parallelization - Vaults and contents retrieval now runs in parallel for faster scans
  • Lazy-load providers and compliance data - Reduced API/worker startup memory and time
  • Memory optimizations for large compliance report generation
  • Partial database index on findings for faster new failed findings queries

🎨 UI Improvements

  • Redesigned Resources view with an improved resource detail drawer
  • Launch Scan page now displays all providers without pagination limits
  • Next.js 16.1 upgrade with ESLint 9 flat config migration

⚙️ Cloudflare Enhancements

  • New --account-id filter argument for Cloudflare CLI
  • Cloudflare provider credentials now supported as constructor parameters for SDK usage

🛠️ AWS Cross-Account Configuration

Cross-account checks are now configurable through the trusted_account_ids config parameter, giving you control over which accounts are considered trusted for cross-account access patterns.

🐛 Bug Fixes

  • Jira integration: Fixed summary truncation to 255 characters preventing INVALID_INPUT errors with long resource UIDs
  • Azure: Fixed duplicated findings in entra_user_with_vm_access_has_mfa when users have multiple VM access roles

🙏 Community Contribution

Special thanks to @​AlienwareSec for contributing the fix for CSV/XLSX download failures in the Dashboard #​9946


UI

🔄 Changed
  • Restyle resources view with improved resource detail drawer (#9864)
  • Launch Scan page now displays all providers without pagination limit (#9700)
  • Upgrade Next.js from 15.5.9 to 16.1.3 with ESLint 9 flat config migration (#9826)
🔐 Security
  • React from 19.2.3 to 19.2.4 and Next.js from 16.1.3 to 16.1.6, patching DoS vulnerability in React Server Components (GHSA-83fc-fqcc-2hmg) (#9917)

API

🚀 Added
  • Cloudflare provider support (#9907)
  • Attack Paths: Bedrock Code Interpreter and AttachRolePolicy privilege escalation queries (#9885)
  • provider_id and provider_id__in filters for resources endpoints (GET /resources and GET /resources/metadata/latest) (#9864)
  • Added memory optimizations for large compliance report generation (#9444)
  • GET /api/v1/resources/{id}/events endpoint to retrieve AWS resource modification history from CloudTrail (#9101)
  • Partial index on findings to speed up new failed findings queries (#9904)
🔄 Changed
  • Lazy-load providers and compliance data to reduce API/worker startup memory and time (#9857)
  • Attack Paths: Pinned Cartography to version 0.126.1, adding AWS scans for SageMaker, CloudFront and Bedrock (#9893)
  • Remove unused indexes (#9904)
  • Attack Paths: Modified the behaviour of the Cartography scans to use the same Neo4j database per tenant, instead of individual databases per scan (#9955)
🐞 Fixed
  • Attack Paths: aws-security-groups-open-internet-facing query returning no results due to incorrect relationship matching (#9892)

SDK

🚀 Added
  • defender_zap_for_teams_enabled check for M365 provider (#9838)
  • compute_instance_suspended_without_persistent_disks check for GCP provider (#9747)
  • codebuild_project_webhook_filters_use_anchored_patterns check for AWS provider to detect CodeBreach vulnerability (#9840)
  • exchange_shared_mailbox_sign_in_disabled check for M365 provider (#9828)
  • CloudTrail Timeline abstraction for querying resource modification history (#9101)
  • Cloudflare --account-id filter argument (#9894)
  • rds_instance_extended_support check for AWS provider (#9865)
  • OpenStack provider support with Compute service including 1 security check (#9811)
  • OpenStack documentation for the support in the CLI (#9848)
  • Add HIPAA compliance framework for the Azure provider (#9957)
  • Cloudflare provider credentials as constructor parameters (api_token, api_key, api_email) (#9907)
🔄 Changed
  • Update Azure App Service service metadata to new format (#9613)
  • Update Azure Application Insights service metadata to new format (#9614)
  • Update Azure Container Registry service metadata to new format (#9615)
  • Update Azure Cosmos DB service metadata to new format (#9616)
  • Update Azure Databricks service metadata to new format (#9617)
  • Parallelize Azure Key Vault vaults and vaults contents retrieval to improve performance (#9876)
  • Update Azure IAM service metadata to new format (#9620)
  • Update Azure Policy service metadata to new format (#9625)
  • Update Azure MySQL service metadata to new format (#9623)
  • Update Azure Defender service metadata to new format (#9618)
  • Make AWS cross-account checks configurable through trusted_account_ids config parameter (#9692)
  • Update Azure PostgreSQL service metadata to new format (#9626)
  • Update Azure SQL Server service metadata to new format (#9627)
  • Update Azure Network service metadata to new format (#9624)
  • Update Azure Storage service metadata to new format (#9628)
🐛 Fixed
  • Duplicated findings in entra_user_with_vm_access_has_mfa check when user has multiple VM access roles (#9914)
  • Jira integration failing with INVALID_INPUT error when sending fin

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
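The release notes above describe the new codebuild_project_webhook_filters_use_anchored_patterns check only by its purpose: webhook filter patterns must be anchored. The following is an added example written for this page, not Prowler's implementation and not code from the PR. It assumes the filter-group shape returned by `aws codebuild batch-get-projects` (`webhook.filterGroups`, a list of groups, each a list of `{type, pattern}` entries) and the documented rule that every filter type except EVENT holds a regular expression. The sample project, the helper names and the substring-style evaluation in `matches` (Python `re.search`, used as an approximation of how the service evaluates a pattern) are all assumptions made for the example.

```python
"""Added illustration of an anchored-pattern check for CodeBuild webhook filters.

Example code for this page, not Prowler's codebuild_project_webhook_filters_use_anchored_patterns.
Assumes the filterGroups structure of `aws codebuild batch-get-projects` and that every
filter type except EVENT carries a regex. The sample project below is constructed.
"""
import re

# EVENT filters hold a comma-separated list of event names, not a regex.
NON_REGEX_FILTER_TYPES = {"EVENT"}

# Constructed sample: group 0 is anchored, group 1 trusts an unanchored actor ID.
SAMPLE_FILTER_GROUPS = [
    [
        {"type": "EVENT", "pattern": "PUSH"},
        {"type": "HEAD_REF", "pattern": "^refs/heads/main$"},
    ],
    [
        {"type": "EVENT", "pattern": "PULL_REQUEST_CREATED,PULL_REQUEST_UPDATED"},
        {"type": "ACTOR_ACCOUNT_ID", "pattern": "1234"},
    ],
]


def _top_level_alternatives(pattern: str) -> list:
    """Split a regex on '|' that sits outside groups and character classes."""
    parts, buf, depth, in_class, i = [], [], 0, False, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            buf.append(pattern[i:i + 2])  # keep escape sequences intact
            i += 2
            continue
        if in_class:
            in_class = ch != "]"
        elif ch == "[":
            in_class = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth = max(depth - 1, 0)
        elif ch == "|" and depth == 0:
            parts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def _trailing_backslashes(s: str) -> int:
    return len(s) - len(s.rstrip("\\"))


def _end_anchored(alt: str) -> bool:
    """True if the alternative ends with an unescaped $, \\Z or \\z."""
    if alt.endswith(("\\Z", "\\z")):
        return _trailing_backslashes(alt[:-2]) % 2 == 0
    if alt.endswith("$"):
        return _trailing_backslashes(alt[:-1]) % 2 == 0
    return False


def _start_anchored(alt: str) -> bool:
    return alt.startswith(("^", "\\A"))


def is_anchored(pattern: str) -> bool:
    """Anchored only if every top-level alternative is anchored at both ends;
    '^a|b$' leaks because its second branch is open on the left."""
    return all(_start_anchored(a) and _end_anchored(a)
               for a in _top_level_alternatives(pattern))


def find_unanchored_filters(filter_groups):
    """Return (group_index, filter_type, pattern) for every regex filter that is
    not anchored at both ends."""
    findings = []
    for idx, group in enumerate(filter_groups):
        for flt in group:
            if flt["type"] in NON_REGEX_FILTER_TYPES:
                continue
            if not is_anchored(flt["pattern"]):
                findings.append((idx, flt["type"], flt["pattern"]))
    return findings


def matches(pattern: str, value: str) -> bool:
    """Substring-style evaluation (re.search), an assumed approximation of the
    service's matching, to show why an unanchored pattern over-matches."""
    return re.search(pattern, value) is not None


if __name__ == "__main__":
    for idx, ftype, pat in find_unanchored_filters(SAMPLE_FILTER_GROUPS):
        print(f"filter group {idx}: {ftype} pattern {pat!r} is not anchored")
    # The unanchored actor filter also accepts an ID that merely contains "1234".
    print(matches("1234", "51234"), matches("^1234$", "51234"))
```

The alternation handling is the part worth keeping: a pattern that starts with `^` and ends with `$` can still be bypassed when a top-level `|` leaves one branch unanchored, so the check inspects each alternative rather than only the first and last character.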
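The notes also introduce a trusted_account_ids config parameter for the AWS cross-account checks without showing what such a check evaluates. The following is an added example written for this page, not Prowler's check logic and not code from the PR. It assumes trusted_account_ids is a list of 12-digit AWS account IDs (the page names the parameter but not its layout), walks a standard IAM policy document, and treats a wildcard principal as public even when a Condition is present. The bucket policy, account IDs and function names are constructed for the example.

```python
"""Added illustration of a trusted-account evaluation over a resource policy.

Example code for this page, not Prowler's own cross-account check. Assumes
trusted_account_ids is a list of 12-digit account IDs and a standard IAM policy
document; the policies and account IDs below are constructed.
"""
import re
from typing import Iterable, Tuple, List

ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ARN_ACCOUNT_RE = re.compile(r"^arn:aws[a-z-]*:iam::(\d{12}):")

# Assumed config shape: a flat list of trusted account IDs.
TRUSTED_ACCOUNT_IDS = ["222233334444"]
OWN_ACCOUNT_ID = "111122223333"

# Constructed sample: own role, a trusted partner account and an unknown account.
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": [
                "arn:aws:iam::111122223333:role/Deploy",
                "arn:aws:iam::222233334444:root",
                "arn:aws:iam::999999999999:user/unknown",
            ]},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Effect": "Allow",
            "Principal": {"Service": "cloudtrail.amazonaws.com"},
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Effect": "Deny",
            "Principal": {"AWS": "arn:aws:iam::555555555555:root"},
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
    ],
}

# Constructed sample: a single-statement policy with a wildcard principal.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    },
}


def _as_list(value):
    """IAM allows a scalar wherever a list is accepted; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_account(principal: str):
    """Return the 12-digit account behind an AWS principal string, or None for
    wildcards and service principals."""
    if principal == "*":
        return None
    if ACCOUNT_ID_RE.match(principal):
        return principal
    m = ARN_ACCOUNT_RE.match(principal)
    return m.group(1) if m else None


def cross_account_exposure(policy: dict, own_account: str,
                           trusted_account_ids: Iterable[str]) -> Tuple[bool, List[str]]:
    """Return (is_public, untrusted_accounts) for the Allow statements of a policy.

    Only the AWS principal key is a cross-account grant; Service principals are
    skipped. A wildcard is reported as public even if a Condition narrows it,
    which is the conservative reading for a findings-style check.
    """
    trusted = set(trusted_account_ids) | {own_account}
    untrusted, public = set(), False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            public = True
            continue
        for key, values in principal.items():
            if key != "AWS":
                continue
            for p in _as_list(values):
                if p == "*":
                    public = True
                    continue
                acct = principal_account(p)
                if acct and acct not in trusted:
                    untrusted.add(acct)
    return public, sorted(untrusted)


if __name__ == "__main__":
    print(cross_account_exposure(SAMPLE_BUCKET_POLICY, OWN_ACCOUNT_ID, TRUSTED_ACCOUNT_IDS))
    print(cross_account_exposure(PUBLIC_POLICY, OWN_ACCOUNT_ID, TRUSTED_ACCOUNT_IDS))
```

Adding an account to the trusted list silences only the finding for that account; a wildcard principal stays reported, so a trusted-account configuration cannot be used to hide a public grant.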

@renovate
Contributor Author

renovate bot commented Jan 29, 2025

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.


  • Branch has one or more failed status checks

@renovate renovate bot force-pushed the renovate/toniblyx-prowler-5.x branch from 8238903 to 37bfb6d on January 30, 2025 05:10
@renovate renovate bot changed the title from "fix(deps): update toniblyx/prowler docker tag to v5.2.1" to "fix(deps): update toniblyx/prowler docker tag to v5.2.2" on Jan 30, 2025
@renovate renovate bot force-pushed the renovate/toniblyx-prowler-5.x branch from 37bfb6d to ce2f27e on January 30, 2025 18:36
@renovate renovate bot changed the title from "fix(deps): update toniblyx/prowler docker tag to v5.2.2" to "fix(deps): update toniblyx/prowler docker tag to v5.2.3" on Feb 1, 2025
@renovate renovate bot force-pushed the renovate/toniblyx-prowler-5.x branch 7 times, most recently from d2a4abc to f06c9ed on February 8, 2025 01:25
@renovate renovate bot force-pushed the renovate/toniblyx-prowler-5.x branch 3 times, most recently from 0558c00 to ff99ee4 on February 10, 2025 14:10
@renovate renovate bot changed the title from "fix(deps): update toniblyx/prowler docker tag to v5.2.3" to "fix(deps): update toniblyx/prowler docker tag to v5.3.0" on Feb 11, 2025
@renovate renovate bot force-pushed the renovate/toniblyx-prowler-5.x branch 6 times, most recently from fa775f0 to 1967a23 on February 18, 2025 01:44
@renovate renovate bot force-pushed the renovate/toniblyx-prowler-5.x branch 8 times, most recently from da539fb to 2b69680 on February 25, 2025 12:55
@renovate renovate bot force-pushed the renovate/toniblyx-prowler-5.x branch 4 times, most recently from 91269de to 48c03c7 on March 15, 2025 21:18
@renovate renovate bot force-pushed the renovate/toniblyx-prowler-5.x branch 3 times, most recently from 59c0042 to 432cab4 on March 20, 2025 15:43
@renovate renovate bot changed the title from "fix(deps): update toniblyx/prowler docker tag to v5.4.0" to "fix(deps): update toniblyx/prowler docker tag to v5.4.1" on Mar 20, 2025
@renovate renovate bot force-pushed the renovate/toniblyx-prowler-5.x branch 3 times, most recently from 9dc50c7 to da11635 on March 24, 2025 05:51
@renovate renovate bot changed the title from "fix(deps): update toniblyx/prowler docker tag to v5.4.1" to "fix(deps): update toniblyx/prowler docker tag to v5.4.2" on Mar 24, 2025
@renovate renovate bot force-pushed the renovate/toniblyx-prowler-5.x branch 11 times, most recently from 8ac9a46 to 3b37972 on March 30, 2025 22:53
@renovate renovate bot force-pushed the renovate/toniblyx-prowler-5.x branch 4 times, most recently from cd60360 to d72cb90 on April 2, 2025 23:00
@renovate renovate bot changed the title from "fix(deps): update toniblyx/prowler docker tag to v5.4.2" to "fix(deps): update toniblyx/prowler docker tag to v5.4.3" on Apr 3, 2025
@renovate renovate bot force-pushed the renovate/toniblyx-prowler-5.x branch from d72cb90 to aa3f405 on April 3, 2025 15:19