
Releases: prowler-cloud/prowler

Prowler 5.30.1

12 Jun 11:33
a578f4a


UI

🐞 Fixed

  • Threat Map no longer shows an empty map for accounts that only have Okta or Google Workspace scans (#11542)
  • Compliance attributes requests now pass the selected scan, so multi-provider universal frameworks (e.g. CSA CCM) load the check IDs of the scan's provider and Azure/GCP requirement details show their findings instead of appearing empty (#11546)

API

🐞 Fixed

  • compliance-overviews/attributes now resolves the provider from the scan, so multi-provider universal frameworks (e.g. CSA CCM) return the check IDs of the scan's provider and Azure/GCP requirement details show their findings instead of appearing empty (#11546)
  • Attack Paths: drop_subgraph now deletes relationships first and then nodes in batches, using less memory on Neo4j when clearing a dense provider graph (#11557)
  • OCI scans now use API key credentials with the configured region instead of falling back to /home/prowler/.oci/config (#11558)

Prowler 5.30.0

11 Jun 10:32
057d061


✨ New features to highlight in this version

Enjoy them all now for free at https://cloud.prowler.com

🪪 Okta - Complete DISA STIG Support

Okta now supports DISA STIG completely, shipping the DISA Okta Identity as a Service (IDaaS) STIG V1R2 framework.


The provider now covers the entire DISA STIG control set for Okta identity security end to end. This release adds six new services and their checks:

user

  • user_inactivity_automation_35d_enabled - disable accounts after 35 days of inactivity

authenticator - password policy and MFA hardening:

  • authenticator_password_minimum_length_15 - enforce a 15-character minimum
  • authenticator_password_history_5 - block reuse of the last 5 passwords
  • authenticator_password_lockout_threshold_3 - lock accounts after 3 failed attempts
  • authenticator_password_minimum_age_24h / authenticator_password_maximum_age_60d - password age bounds
  • authenticator_password_complexity_uppercase / _lowercase / _number / _symbol - complexity requirements
  • authenticator_password_common_password_check - reject common passwords
  • authenticator_okta_verify_fips_compliant - require FIPS-compliant Okta Verify
  • authenticator_smart_card_active - smart card authenticator enabled

idp

  • idp_smart_card_dod_approved_ca - smart card IdP uses a DoD-approved CA

network

  • network_zone_block_anonymized_proxies - block anonymizing proxies

apitoken

  • apitoken_not_super_admin - API tokens are not bound to a super admin
  • apitoken_restricted_to_network_zone - API tokens are restricted to a network zone

systemlog

  • systemlog_streaming_enabled - stream system logs to an external destination

Read more in our Okta documentation.

Explore all Okta checks at Prowler Hub.

📚 Compliance: DORA - our first universal compliance framework

Note

DORA is only available for the AWS provider. More providers will be included in the upcoming versions.

The Digital Operational Resilience Act lands as the first universal compliance framework in Prowler.

A universal framework is defined once, independent of any single provider. Instead of a separate framework file per cloud, one definition maps each requirement to checks across multiple providers: every requirement carries a provider-keyed list of checks, and the framework declares its own attribute schema (for DORA, the five pillars and the underlying articles) that drives the report columns. Add another provider's checks to the same requirements and the coverage grows without a new framework file.

DORA currently maps AWS checks to its requirements for financial-sector operational resilience, with the structure ready to extend to other providers.
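The provider-keyed mapping described above, as an added example that is not Prowler's framework code: a small resolver that takes a universal framework definition, returns the check IDs for the provider of the scan being reported, builds report rows from the framework's own attribute columns, and extends coverage to another provider without a new framework file. The framework JSON and its field names (Requirements, Checks, Attributes, AttributeColumns), the findings and the check IDs are all constructed for this example; Prowler's real schema is not shown on this page. The example also shows the failure the 5.30.1 fix addresses: resolving with the framework's own Provider value ("universal") instead of the scan's provider yields no checks for any requirement.

```python
"""Resolve a universal compliance framework for the provider of one scan."""
import copy
from collections import defaultdict

# Constructed sample of a universal framework definition. The field names are
# assumptions for this example, not Prowler's actual framework JSON schema.
UNIVERSAL = {
    "Framework": "EXAMPLE-UNIVERSAL",
    "Provider": "universal",                    # not a scannable provider
    "AttributeColumns": ["Pillar", "Article"],  # the framework's own report columns
    "Requirements": [
        {
            "Id": "REQ-1",
            "Attributes": {"Pillar": "ICT risk management", "Article": "Art. 9"},
            "Checks": {
                "aws": ["cloudtrail_multi_region_enabled", "iam_root_mfa_enabled"],
                "azure": ["defender_ensure_defender_for_server_is_on"],
            },
        },
        {
            "Id": "REQ-2",
            "Attributes": {"Pillar": "ICT incident management", "Article": "Art. 17"},
            "Checks": {"aws": ["guardduty_is_enabled"]},
        },
    ],
}

# Constructed findings from one AWS scan (check IDs are sample values).
SAMPLE_FINDINGS = [
    {"provider": "aws", "check_id": "cloudtrail_multi_region_enabled", "status": "PASS"},
    {"provider": "aws", "check_id": "iam_root_mfa_enabled", "status": "FAIL"},
    {"provider": "aws", "check_id": "guardduty_is_enabled", "status": "PASS"},
]


def checks_for_provider(framework, provider):
    """Map each requirement ID to the check IDs mapped for `provider`.

    `provider` must be the provider of the scan being reported ("aws", "azure",
    ...). The framework's own Provider field is "universal" and matches nothing,
    which is exactly how requirement details end up empty.
    """
    return {
        req["Id"]: list(req.get("Checks", {}).get(provider, []))
        for req in framework["Requirements"]
    }


def add_provider_checks(framework, provider, mapping):
    """Return a copy of `framework` with `provider` checks attached to existing requirements."""
    extended = copy.deepcopy(framework)
    by_id = {req["Id"]: req for req in extended["Requirements"]}
    for req_id, check_ids in mapping.items():
        checks = by_id[req_id].setdefault("Checks", {}).setdefault(provider, [])
        checks.extend(c for c in check_ids if c not in checks)
    return extended


def requirement_status(check_ids, findings_by_check):
    """FAIL if any finding of a mapped check failed, PASS if findings exist and none failed."""
    if not check_ids:
        return "NOT_COVERED"   # the framework maps nothing for this provider
    statuses = [f["status"] for c in check_ids for f in findings_by_check.get(c, [])]
    if not statuses:
        return "NO_FINDINGS"   # mapped, but this scan produced no results for it
    return "FAIL" if "FAIL" in statuses else "PASS"


def report_rows(framework, scan_provider, findings):
    """One row per requirement, with columns taken from the framework's own schema."""
    findings_by_check = defaultdict(list)
    for f in findings:
        if f["provider"] == scan_provider:
            findings_by_check[f["check_id"]].append(f)
    columns = framework["AttributeColumns"]
    rows = []
    for req in framework["Requirements"]:
        check_ids = req.get("Checks", {}).get(scan_provider, [])
        row = {"Requirement": req["Id"]}
        row.update({col: req["Attributes"].get(col, "") for col in columns})
        row["Status"] = requirement_status(check_ids, findings_by_check)
        row["Checks"] = ", ".join(check_ids)
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in report_rows(UNIVERSAL, "aws", SAMPLE_FINDINGS):
        print(row)
    # Adding GCP checks to the same requirements needs no new framework file.
    extended = add_provider_checks(UNIVERSAL, "gcp", {"REQ-2": ["logging_sink_created"]})
    print(checks_for_provider(extended, "gcp"))
```

The status vocabulary (NOT_COVERED, NO_FINDINGS) is this example's own; it separates "the framework has no checks for this provider" from "the scan ran the check and produced nothing", which a report consumer needs in order not to read an empty row as compliant.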


Universal frameworks can be downloaded in the OCSF Compliance Finding format, so your compliance results plug straight into any SIEM or data platform that speaks OCSF.

Read more in our compliance documentation.

🔍 New Checks

AWS

  • sagemaker_models_monitor_enabled - verifies SageMaker model monitoring is enabled - thanks to @RishiWig3!
  • elbv2_alb_drop_invalid_header_fields_enabled - checks ALBs drop invalid HTTP header fields (FSBP ELB.4) - thanks to @potato-20!
  • bedrock_agent_role_least_privilege - verifies Bedrock Agents run with least privilege role - thanks to @ARYAN03B!

Explore all AWS checks at Prowler Hub.

Microsoft 365

  • entra_service_principal_privileged_role_no_owners - flags privileged service principals with no assigned owners - thanks to @asraym!
  • exchange_mailbox_primary_smtp_custom_domain - verifies mailbox primary SMTP addresses use a custom domain - thanks to @J-man-2408!

Explore all M365 checks at Prowler Hub.

GCP

  • kms_key_rotation_enabled was split into two focused checks: one for rotation being enabled and one enforcing a maximum 90-day rotation period.

Explore all GCP checks at Prowler Hub.

StackIT

A new objectstorage service lands for StackIT, focused on data durability and credential hygiene - thanks to @johannes-engler-mw!

  • objectstorage_bucket_object_lock_enabled - verifies buckets enable Object Lock for write-once-read-many (WORM) protection against deletion and ransomware
  • objectstorage_bucket_retention_policy - checks buckets enforce a default retention period so objects cannot be deleted or overwritten too early
  • objectstorage_access_key_expiration - flags access keys with no expiration date, forcing rotation and limiting credential blast radius

Explore all StackIT checks at Prowler Hub.

🧱 Self-Healing Background Tasks

When a worker crashes or restarts mid-deploy, the work it was running no longer gets stuck. Prowler now picks up the pieces automatically: safe-to-retry work like report summaries and cleanups resumes on its own, while one-off operations like scans are never blindly repeated.

The result is fewer stuck jobs and less manual cleanup after a restart.

Recovery is opt-in and off by default for now. Upcoming releases will make it the default once the behavior is battle-tested.

🔐 Security

  • Bumped dulwich to 1.2.5 for GHSA-897w-fcg9-f6xj
  • Bumped pyjwt to 2.13.0 for PYSEC-2026-179

🙌 External Contributors

Thank you to our community contributors for this release!


UI

🚀 Added

  • DISA Okta IDaaS STIG V1R2 compliance framework support with its dedicated mapper, details panel, and icon (#11428)
  • DORA compliance framework support (#11131)

🔄 Changed

  • Renamed "Customer Support" to "Support Desk" in the side menu, showing it only in Prowler Cloud/Enterprise, while "Community Support" now shows only in Prowler OSS (#11508)
  • Compliance detail page now shows a "still loading" retry state while the API warms its compliance catalog, instead of rendering an empty page (#4554)

🐞 Fixed

  • Risk Pipeline Sankey chart now adapts height and node spacing for dense provider datasets, keeping provider and severity labels readable (#11527)

API

🚀 Added

  • Opt-in automatic recovery of allowlisted idempotent background tasks whose worker died during a deploy or crash: when enabled via DJANGO_TASK_RECOVERY_ENABLED (off by default), stuck summary and deletion tasks are detected and re-run instead of staying pending forever (scan and Jira tasks are excluded), with a reconcile_orphan_tasks management command for on-demand recovery (#11416)
  • DORA compliance framework support (#11131)
  • Label Postgres connections with application_name="<component>:<alias>" (component injected per process via DJANGO_APP_COMPONENT) so connections are attributable by component in pg_stat_activity (#11494)
  • DISA Okta IDaaS STIG V1R2 compliance framework export support for the Okta provider (#11428)

🔄 Changed

  • Allowlisted idempotent background tasks are no longer lost when a worker is stopped or crashes mid-task; tasks with external side effects are marked terminal instead of blindly re-running (#11416)
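The recovery behaviour described in this entry and in the 5.30.0 highlights (safe-to-retry work resumes, one-off work such as scans is never blindly repeated), as an added example that is not Prowler's implementation: one reconciliation pass over a constructed task table. The task names, the heartbeat field and the attempt cap are assumptions of this example; the real allowlist and the DJANGO_TASK_RECOVERY_ENABLED wiring live in the API code and are not shown on this page.

```python
"""Reconcile background tasks orphaned by a dead or stale worker.

Allowlisted idempotent work is re-queued; work with external side effects is
marked terminal so an operator decides, and nothing is replayed blindly.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed task names for this example; Prowler's real allowlist is not listed on this page.
RECOVERY_ALLOWLIST = {"generate_scan_summaries", "delete_provider_resources"}


@dataclass
class TaskRecord:
    id: str
    name: str
    state: str                            # PENDING | RUNNING | SUCCESS | FAILURE | TERMINAL
    worker: Optional[str] = None          # worker that claimed the task
    heartbeat: Optional[datetime] = None  # last liveness signal from that worker
    attempts: int = 1


@dataclass
class ReconcileResult:
    detected: list = field(default_factory=list)   # orphaned task IDs found
    requeued: list = field(default_factory=list)
    terminal: list = field(default_factory=list)
    untouched: list = field(default_factory=list)


def is_orphaned(task, live_workers, now, stale_after):
    """RUNNING on a worker that is gone, or whose heartbeat is older than `stale_after`."""
    if task.state != "RUNNING":
        return False
    if task.worker not in live_workers:
        return True
    return task.heartbeat is None or now - task.heartbeat > stale_after


def reconcile_orphan_tasks(tasks, live_workers, *, now=None,
                           stale_after=timedelta(minutes=10), max_attempts=3,
                           recovery_enabled=False):
    """Pass over `tasks` once. With recovery disabled (the default here, mirroring an
    opt-in flag) orphans are only reported; with it enabled, allowlisted tasks under
    the attempt cap go back to PENDING and everything else becomes TERMINAL."""
    now = now or datetime.now(timezone.utc)
    result = ReconcileResult()
    for task in tasks:
        if not is_orphaned(task, live_workers, now, stale_after):
            result.untouched.append(task.id)
            continue
        result.detected.append(task.id)
        if not recovery_enabled:
            continue
        # The attempt cap stops a task that keeps killing its worker from looping forever.
        if task.name in RECOVERY_ALLOWLIST and task.attempts < max_attempts:
            task.state, task.worker, task.heartbeat = "PENDING", None, None
            task.attempts += 1
            result.requeued.append(task.id)
        else:
            task.state = "TERMINAL"   # scans, ticket creation, exhausted retries
            result.terminal.append(task.id)
    return result


def sample_tasks(now):
    """Constructed task table: worker-a has died, worker-b is alive."""
    return [
        TaskRecord("t1", "generate_scan_summaries", "RUNNING", "worker-a", now - timedelta(minutes=1)),
        TaskRecord("t2", "perform_scan", "RUNNING", "worker-a", now - timedelta(minutes=1)),
        TaskRecord("t3", "generate_scan_summaries", "RUNNING", "worker-b", now - timedelta(seconds=30)),
        TaskRecord("t4", "generate_scan_summaries", "RUNNING", "worker-a", now - timedelta(minutes=1), attempts=3),
        TaskRecord("t5", "delete_provider_resources", "RUNNING", "worker-b", now - timedelta(hours=1)),
        TaskRecord("t6", "perform_scan", "SUCCESS", "worker-a", now - timedelta(hours=2)),
    ]


def demo(recovery_enabled):
    """Run the reconciliation over the constructed table at a fixed clock."""
    now = datetime(2026, 6, 11, 10, 0, tzinfo=timezone.utc)
    tasks = sample_tasks(now)
    result = reconcile_orphan_tasks(tasks, {"worker-b"}, now=now,
                                    recovery_enabled=recovery_enabled)
    return result, {t.id: t.state for t in tasks}


if __name__ == "__main__":
    print(demo(recovery_enabled=False)[0])   # detect only
    print(demo(recovery_enabled=True))
```

Two details matter in practice: a stale heartbeat on a live worker (t5) is treated the same as a dead worker, because a hung process is indistinguishable from a crashed one from the outside; and a task that has already been retried up to the cap (t4) is parked as terminal rather than re-queued, which is what keeps a poison-pill task from taking down worker after worker.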

🐞 Fixed

  • Workers now shut down gracefully on deploy or restart, finishing or re-queueing in-flight tasks instead of being force-killed and leaving them stuck (#11416)
  • Resource name is now stored and refreshed on every scan, so resources no longer keep an empty name (#11476)
  • Compliance catalog now warms in background during startup. compliance-overviews/attributes returns 503 while warming, so the first request after a deploy no longer trips the API ti...

Prowler 5.29.3

09 Jun 07:15
19a1ac2


UI

🐞 Fixed

  • Finding drawer tabs now keep the active tab text and underline styling when tooltip state changes (#11493)

API

🐞 Fixed

  • API startup no longer crashes when Neo4j is unreachable, as the Neo4j driver now connects lazily on first use rather than during app initialization (#11491)

SDK

🐞 Fixed

  • GCP logging_sink_created now recognizes organization-level aggregated sinks with includeChildren=True, avoiding false failures for covered projects (#11355)
  • GCP logging_log_metric_filter_and_alert_* checks now recognize organization-level aggregated sinks with includeChildren=True, no longer false-failing projects covered by a central bucket-scoped metric + alert (#11488)
  • Jira integration no longer fails with 400 INVALID_INPUT when a finding has empty fields (#11474)
  • GCP iam_service_account_unused now passes disabled service accounts instead of failing them, since a disabled account cannot authenticate or be used (#11467)
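The coverage rule behind the two GCP logging fixes above (a project counts as covered by its own sinks, or by an organization- or folder-level aggregated sink with includeChildren=True somewhere in its ancestry), as an added example that is not Prowler's check code. The resource hierarchy and the sinks are constructed; field names follow the LogSink resource (includeChildren, filter, destination). Sink filters are deliberately not evaluated, so an aggregated sink whose filter excludes a project would still count as coverage here; a production check would need to reason about the filter as well.

```python
"""Is a GCP project covered by a Cloud Logging sink? Counts the project's own sinks
and any organization/folder aggregated sink with includeChildren=True above it."""

# Constructed resource hierarchy: child -> parent, up to the organization.
HIERARCHY = {
    "projects/prod-api": "folders/200",
    "folders/200": "folders/100",
    "folders/100": "organizations/123",
    "projects/sandbox": "organizations/123",
    "projects/isolated": "organizations/999",
}

# Constructed sinks keyed by the resource they are defined on. Field names follow
# the LogSink resource (name, destination, filter, includeChildren).
SINKS = {
    "organizations/123": [{
        "name": "org-central",
        "destination": "logging.googleapis.com/projects/sec-logs/locations/global/buckets/central",
        "filter": "",               # empty filter: every log entry is exported
        "includeChildren": True,    # aggregated: covers every folder/project below
    }],
    "folders/100": [{
        "name": "folder-local",
        "destination": "storage.googleapis.com/folder-100-audit",
        "filter": "logName:cloudaudit.googleapis.com",
        "includeChildren": False,   # applies to the folder resource itself only
    }],
    "projects/isolated": [],
}


def ancestors(resource, hierarchy):
    """Yield the parent chain of `resource`, nearest first, up to the organization."""
    parent = hierarchy.get(resource)
    while parent is not None:
        yield parent
        parent = hierarchy.get(parent)


def covering_sinks(project, hierarchy=HIERARCHY, sinks=SINKS):
    """Return (sink_name, defined_on) pairs whose export covers `project`.

    Project-level sinks always count. Ancestor sinks count only when they are
    aggregated (includeChildren=True); a plain folder or org sink exports the
    folder's or org's own logs, not its children's.
    """
    covered = [(s["name"], project) for s in sinks.get(project, [])]
    for ancestor in ancestors(project, hierarchy):
        for s in sinks.get(ancestor, []):
            if s.get("includeChildren"):
                covered.append((s["name"], ancestor))
    return covered


def logging_sink_created(project, hierarchy=HIERARCHY, sinks=SINKS):
    """PASS/FAIL plus a status message, in the shape a check would report."""
    covered = covering_sinks(project, hierarchy, sinks)
    if not covered:
        return "FAIL", (f"{project} has no sink and no aggregated ancestor sink "
                        "with includeChildren=True")
    where = ", ".join(f"{name} on {scope}" for name, scope in covered)
    return "PASS", f"{project} logs are exported by: {where}"


if __name__ == "__main__":
    for project in ("projects/prod-api", "projects/sandbox", "projects/isolated"):
        print(*logging_sink_created(project))
```

Before the fix described above, a check that only looked at `sinks.get(project)` would have failed prod-api and sandbox even though the organization-level sink already exports their logs; walking the ancestry is what removes that false FAIL.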

Prowler 5.29.2

03 Jun 16:04
21e7f29


UI

🔄 Changed

  • Account and provider-type selector triggers now show the provider icon, with a non-deduped icon stack (#11424)

🐞 Fixed

  • Add Provider modal now closes without reloading the providers page (#11424)
  • Users page now shows the "Delete User" action only on the current user's row, matching the backend rule that a user can only delete their own account (#11447)

🔐 Security

  • Vitest toolchain upgraded from 4.0.18 to 4.1.8 to clear two critical pnpm audit advisories (#11424)

Prowler 5.29.1

03 Jun 07:34
103761f


API

🐞 Fixed

  • GET /api/v1/findings N+1 query loading resources__tags when listing findings (#11420)
  • Clean up the scan tmp output directory when scan-report fails so partial files do not accumulate and fill the worker disk (No space left on device) (#11421)

SDK

🐞 Fixed

  • OCSF output writer now re-raises I/O errors (e.g. ENOSPC) instead of logging them per finding and leaving a truncated file (#11421)

Prowler 5.29.0

01 Jun 15:21
6df80a4


✨ New features to highlight in this version

Enjoy them all now for free at https://cloud.prowler.com

🧑‍💼 Google Workspace — 20 new checks to complete CIS 1.3

20 new checks built on the Cloud Identity Policy API:

  • Rules service — 8 checks
  • Security service — 12 checks

With these checks, Prowler's automated coverage of the CIS Google Workspace Benchmark 1.3 is now complete.

Read more in our Google Workspace documentation.

Explore all checks at Prowler Hub.

🔑 Okta — Application Service

A new application service for Okta with 6 checks covering admin console and dashboard hardening:

  • application_admin_console_session_idle_timeout_15min
  • application_admin_console_mfa_required
  • application_admin_console_phishing_resistant_authentication
  • application_dashboard_mfa_required
  • application_dashboard_phishing_resistant_authentication
  • application_authentication_policy_network_zone_enforced

Read more in our Okta documentation.

Explore all checks at Prowler Hub.

🚀 API - Performance

  • Scan ingestion is significantly lighter on the database. The scan hot loop now bulk-resolves Resource/ResourceTag rows, replaces per-mapping SELECT FOR UPDATE with deferred conflict-tolerant bulk inserts, wraps each micro-batch in a single transaction, and raises the batch size to 1000.
  • Faster finding-groups/latest aggregation on tenants where one recent scan holds most findings.

🏢 New Provider: StackIT

Prowler now supports StackIT, the German sovereign cloud. Authentication uses a service account key, either as a file path (--stackit-service-account-key-path / STACKIT_SERVICE_ACCOUNT_KEY_PATH) or inline JSON (--stackit-service-account-key / STACKIT_SERVICE_ACCOUNT_KEY).

Note

StackIT is not officially supported. For more information, contact us.

Read more in our StackIT documentation.

Explore all checks at Prowler Hub.

Thanks to @johannes-engler-mw for their 1st provider in Prowler!

📋 Scan Jobs — Redesigned View

The Scan Jobs view in the UI is fully restyled around dedicated tabs, each with columns tailored to its context:

  • In Progress — running and queued scans, auto-refreshing while jobs execute.
  • Completed — finished scans with quick access to their findings.
  • Scheduled — upcoming scans with their schedule.

Launching a scan now happens through a dedicated modal where you pick connected cloud accounts and add optional scan notes.


🌑 Dark Mode — Redesigned

Dark mode has been reworked for clarity and contrast:

  • Pure-black canvas and pure-white primary text for maximum legibility.
  • Brighter border and input tokens so cards, tables, and inputs separate cleanly instead of blending into the background.

📚 Compliance - AWS AI Security Framework

A new AWS AI Security Framework mapping Prowler checks to AI/ML security guidance.

Read more in our compliance documentation.

🔍 New Checks

Azure

  • storage_account_public_network_access_disabled — flags storage accounts that allow public network access

Explore all Azure checks at Prowler Hub.

🔐 Security Updates

UI

  • pnpm upgraded to 11 with supply-chain defaults consolidated in pnpm-workspace.yaml and trustPolicyExclude entries pinned to exact versions.
  • uuid pinned to 11.1.1 via pnpm-workspace.yaml#overrides to clear GHSA-w5hq-g745-h8pq (missing bounds check in v3/v5/v6 name-based generators with buf) in the transitive tree.

🙌 External Contributors

Thank you to our community contributors for this release!

  • @johannes-engler-mw — Add the StackIT provider with service-account-key authentication in #9237
  • @Br1an67 — Add Azure authentication for sovereign clouds (China / US Government) in #10284
  • @OokaToru — Deprecate the s3_bucket_default_encryption check for AWS in #11230
  • @juampa — Fix the ENS RD 311/2022 VPC compliance mapping for AWS in #11372

UI

🚀 Added

  • Restyle Scan Jobs view with specific In Progress, Completed, Scheduled tabs (#11258)

🔄 Changed

  • Dark mode: pure-black canvas, pure-white primary text, and brighter border / input tokens for clearer separation between cards, tables, and inputs (#11073)
  • CI workflows (ui-tests.yml, ui-e2e-tests-v2.yml) now read the Node version from ui/.nvmrc and the pnpm version from package.json#packageManager instead of hardcoded values (#11225)

🐞 Fixed

  • Compliance page now loads the most recent scan when opened from the sidebar instead of showing the "no compliance data available" alert (#11374)
  • Invitation links now show specific expired, no-longer-valid, and invalid-token messages based on API error responses (#11376)

🔐 Security

  • pnpm upgraded to 11 with supply-chain defaults consolidated in pnpm-workspace.yaml and trustPolicyExclude entries pinned to exact versions (#11225)
  • uuid pinned to 11.1.1 via pnpm-workspace.yaml#overrides to clear GHSA-w5hq-g745-h8pq (missing bounds check in v3/v5/v6 name-based generators with buf) in the transitive tree (#11225)

API

🔄 Changed

  • Scan finding ingestion: bulk-resolve Resource/ResourceTag rows, replace per-mapping SELECT FOR UPDATE with deferred ResourceTagMapping.bulk_create(ignore_conflicts=True), wrap each micro-batch in a single rls_transaction, and raise SCAN_DB_BATCH_SIZE to 1000 (#11249)
  • Faster GET /api/v1/finding-groups/latest aggregation on tenants where one recent scan holds most findings (#11380)

SDK

🚀 Added

  • application service for Okta provider with application_admin_console_session_idle_timeout_15min, application_admin_console_mfa_required, application_admin_console_phishing_resistant_authentication, application_dashboard_mfa_required, application_dashboard_phishing_resistant_authentication, and application_authentication_policy_network_zone_enforced checks (#11358)
  • AWS AI Security Framework compliance for AWS provider (#11353)
  • storage_account_public_network_access_disabled check for Azure provider and remapped the Azure CIS "Public Network Access is Disabled" requirements to it (#11334)
  • StackIT provider now authenticates with a service account key, either as a file path (--stackit-service-account-key-path / STACKIT_SERVICE_ACCOUNT_KEY_PATH) or as inline JSON content (--stackit-service-account-key / STACKIT_SERVICE_ACCOUNT_KEY, intended for CI/CD with a secret manager); the StackIT SDK refreshes access tokens internally, replacing the short-lived STACKIT_API_TOKEN flow (#9237)
  • 8 Rules service checks for Google Workspace provider using the Cloud Identity Policy API (#11379)
  • 12 Security service checks for Google Workspace provider using the Cloud Identity Policy API (#11356)

⚠️ Deprecated

  • s3_bucket_default_encryption check for AWS provider since SSE-S3 is automatically applied to all S3 buckets by AWS as of January 5, 2023 and can no longer be disabled (#11230)

🐞 Fixed

  • ENS RD 311/2022 (AWS) compliance mapping: vpc_different_regions was incorrectly mapped under the mp.com.4 family (Network segregation). That check is now mapped to a new op.cont.2.aws.vpc.1 requirement under the Continuity of Service control (#11372)
  • Compliance CSV row count now matches the UI per requirement by sourcing rows from the framework JSON's requirement.Checks instead of the stale finding.compliance snapshot (#11370)
  • OpenStack provider exception codes m...

Prowler 5.28.1

26 May 14:33
d086a62


UI

🐞 Fixed

  • Large scan report ZIP downloads now stream through a Next.js Route Handler instead of buffering the full file in a Server Action (#11330)
  • Compliance requirement findings table now respects the page size selector (#11365)

API

🐞 Fixed

  • finding-groups slow response with finding-level filters such as region; check title and description are now read from the daily summaries, which drops sorting by check_title (#11326)

SDK

🐞 Fixed

  • compute_project_os_login_enabled and compute_project_os_login_2fa_enabled checks for GCP provider no longer false-FAIL on projects where the enable-oslogin / enable-oslogin-2fa metadata is not set explicitly but is inherited automatically from the constraints/compute.requireOsLogin org policy. The policy controller writes the inherited value in lowercase ("true"), but the service-layer parser compared it to the uppercase string literal "TRUE". Comparison is now case-insensitive (#11341)
  • storage_smb_channel_encryption_with_secure_algorithm check for Azure provider no longer passes when a storage account allows a weak SMB channel encryption algorithm (e.g. AES-128-CCM/AES-128-GCM) alongside AES-256-GCM; it now requires every enabled algorithm to be in the recommended list, configurable via azure.recommended_smb_channel_encryption_algorithms (defaults to AES-256-GCM only, as required by CIS) (#11327)
  • Azure and M365 providers crashing with RuntimeError: There is no current event loop on Python 3.12 when called from threads without an active event loop (e.g. Celery workers) (#11360)

MCP

🐞 Fixed

  • Preserve authorization header in HTTP mode (#11366)

Prowler 5.28.0

22 May 10:58
ae961e5


✨ New features to highlight in this version

Enjoy them all now for free at https://cloud.prowler.com

🆔 Okta - Prowler App

Okta lands in Prowler App.

Authenticate with read-only OAuth credentials and scan your Okta tenant from the App in minutes.

The signon service also grows from 1 to 5 checks. Four new medium-severity checks cover the rest of the DISA STIG Okta IDaaS V1R2 Global Session Policy and sign-in banner controls:

  • signon_global_session_lifetime_18h — V-273203 / OKTA-APP-001665. Global session maximum lifetime must be 18 hours or less.
  • signon_global_session_cookies_not_persistent — V-273206 / OKTA-APP-001710. Global session cookies must not be persistent across browser restarts.
  • signon_global_session_policy_network_zone_enforced — V-279691 / OKTA-APP-003242. Global Session Policy rules must enforce a network zone constraint.
  • signon_dod_warning_banner_configured — V-273192 / OKTA-APP-000200. The customized sign-in page must display the DoD-mandated warning banner.

Note

The banner check requires reading Okta brands and customized sign-in pages, so okta.brands.read is now part of DEFAULT_SCOPES. Existing Okta service apps must grant it before upgrading.

Read more in our Okta provider documentation.

Explore all Okta checks at Prowler Hub.

🧾 Finding Evidence

The finding detail drawer in the Prowler App now exposes a dedicated "Resource Metadata / Evidence" tab, backed by a new resource.metadata attribute on /api/v1/findings?include=resources.

The tab surfaces the raw resource attributes Prowler captured at scan time, the evidence behind every PASS / FAIL, in one click from the finding. No more jumping out to the source-of-truth console just to confirm what the scanner saw.


🤖 Prowler for Claude Code

Prowler ships a Claude Code plugin and marketplace so Claude can drive end-to-end cloud security and compliance assessments through the Prowler MCP server, against a Prowler Cloud-connected account.

Install it from inside Claude Code:

/plugin marketplace add prowler-cloud/prowler
/plugin install prowler@prowler-plugins

From there, Claude can walk a provider through a chosen security or industry framework and remediate findings until the framework is compliant.

Note

The plugin is in preview and under active development. Please report issues on GitHub or join the Slack community for feedback.

Read more in our Prowler for Claude Code documentation.

📧 Google Workspace — Sites, Marketplace, Additional services, Groups

The Google Workspace provider gains four new services and six new checks through the Cloud Identity Policy API:

  • Sites — sites_service_disabled: verifies legacy Google Sites is disabled for the organization so users cannot publish unmanaged Sites pages.
  • Additional services — additionalservices_external_groups_disabled: verifies the Additional Google services > Google Groups toggle is disabled, blocking users from accessing external groups from their corporate account.
  • Marketplace — marketplace_apps_access_restricted: verifies third-party Marketplace apps are restricted (admin-approved only or fully blocked) instead of letting any user install arbitrary apps.
  • Groups — 3 new checks for Google Groups for Business:
     - groups_creation_restricted — verifies group creation is restricted to admins, preventing user-created groups that bypass access reviews.
     - groups_external_access_restricted — verifies groups cannot be made accessible to users outside the organization.
     - groups_view_conversations_restricted — verifies non-members cannot view group conversations.

Read more in our Google Workspace provider documentation.

Explore all Google Workspace checks at Prowler Hub.

🆕 New Checks

AWS

  • ses_identity_dkim_enabled — verifies DKIM signing is enabled on every SES identity (domain or email) so outbound email is cryptographically signed and resistant to spoofing. Thanks to @mohamedsolaiman!
  • sagemaker_models_registry_in_use — verifies at least one SageMaker Model Package Group has an approved model package, enforcing ML governance workflows through the SageMaker Model Registry. Thanks to @cascioli!

M365

  • entra_app_registration_client_secret_unused — flags Entra ID app registration client secrets that have never been used or have not been used for a configurable amount of days, so dormant credentials can be revoked before they leak. Thanks to @AlexanderSanin and @PrettyFox0!

GCP

  • cloudsql_instance_cmek_encryption_enabled — verifies Cloud SQL instances are encrypted with a customer-managed encryption key (CMEK) instead of Google-managed defaults. Thanks to @s1ns3nz0!

🔐 Security Updates

🙌 External Contributors

Thank you to our community contributors for this release!

  • @mohamedsolaiman — Add ses_identity_dkim_enabled check for AWS provider in #10923
  • @cascioli — Add sagemaker_models_registry_in_use check for AWS provider in #11196
  • @s1ns3nz0 — Add cloudsql_instance_cmek_encryption_enabled check for GCP provider in #11023
  • @Ker102 — Fix OCI Audit service configuration lookup to use the tenancy home region in #10347
  • @sandiyochristan — Use PowerShell best practices for quoting credential variables in the M365 provider in #9997
  • @AlexanderSanin and @PrettyFox0 — Add entra_app_registration_client_secret_unused check for M365 provider in #11232

UI

🚀 Added

  • okta provider support with OAuth 2.0 private-key JWT credentials form (client ID + PEM private key) (#11213)
  • "Resource Metadata / Evidence" tab in the finding detail drawer (#11187)

🐞 Fixed

  • Resource detail panels: metadata editor now scrolls internally with the minimal scrollbar across the finding drawer and /resources/:id, tab labels truncate with tooltips on narrow widths, and "View in AWS Console" moved from the resource UID row to the resource actions menu (#11325)

API

🚀 Added

  • okta provider support (#11184)
  • resource.metadata attribute included in /api/v1/findings?include=resources (#11187)

SDK

🚀 Added

  • Sites, Additional Google services, and Marketplace checks for Google Workspace provider using the Cloud Identity Policy API (#11281)
  • entra_app_registration_client_secret_unused check for M365 provider (#11232)
  • cloudsql_instance_cmek_encryption_enabled check for GCP provider (#11023)
  • Google Workspace Groups service with 3 new checks (#11186)
  • ses_identity_dkim_enabled check for AWS provider (#10923)
  • sagemaker_models_registry_in_use check for AWS provider, verifying that at least one SageMaker Model Package Group has an approved model package to enforce ML governance workflows (#11196)
  • signon_dod_warning_banner_configured, signon_global_session_lifetime_18h, signon_global_session_cookies_not_persistent and signon_global_session_policy_network_zone_enforced checks for Okta provider (#11224)

🔄 Changed

  • OktaProvider.test_connection accepts an optional provider_id (org domain) and raises OktaInvalidProviderIdError (14007) when it doesn't match the authenticated org — guards against stored UID drifting from the credentials' org (#11184)
  • Use single-quoted strings for credential variables in the M365 provider PowerShell session, following PowerShell best practices for literal values (#9997)

🐞 Fixed

  • OCI Audit service configuration lookup when the configured region differs from the tenancy home region (#10347)
  • Container image now uses an absolute ENTRYPOINT (/home/prowler/.venv/bin/prowler) so it works under any runtime --workdir. The relative entrypoint was breaking the official GitHub Action (prowler-cloud/prowler@v5.27.0) and any docker run with a custom -w [(#11313)](ht...

Prowler 5.27.1

21 May 12:28
5487372


SDK

🐞 Fixed

  • s3_bucket_shadow_resource_vulnerability no longer emits a tautological PASS finding for every bucket; a finding is now produced only when the bucket name matches one of the predictable service patterns (Glue, SageMaker, EMR, CodeStar) (#11220)
  • sqlserver_tde_encrypted_with_cmk check for Azure provider no longer reports a false FAIL for SQL Servers whose user databases are correctly encrypted with a customer-managed key, by excluding the system master database (always reports TDE Disabled and is not customer-controllable) from the TDE evaluation (#11233)

Prowler 5.27.0

19 May 12:16
baaf56e


✨ New features to highlight in this version

Enjoy them all now for free at https://cloud.prowler.com

🆔 New Provider: Okta (CLI-Only)

Prowler now scans Okta as a first-class provider. Authenticate with read-only OAuth 2.0 credentials from an Okta service application and start auditing your Okta tenant in minutes.

export OKTA_ORG_DOMAIN="your-tenant.okta.com"
export OKTA_CLIENT_ID="0oa1234567890abcdef"
export OKTA_PRIVATE_KEY_FILE="/path/to/prowler-okta.pem"

prowler okta

The release ships with the signon service and one DISA STIG-mapped check:

  • signon_global_session_idle_timeout_15min — maps to DISA STIG V-273186 / OKTA-APP-000020: the Default Policy must have a Priority 1 rule (not the built-in Default Rule) that sets Maximum Okta global session idle time to 15 minutes or less.
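The rule logic this check describes, together with the session lifetime and persistent-cookie controls added to the same service in 5.28.0, as an added example that is not Prowler's check code: evaluating a tenant's Global Session Policy JSON against the three STIG session settings. The two tenants are constructed; the field names follow Okta's Sign-On policy and rule objects as returned by the policies API (system, priority, status, actions.signon.session.maxSessionIdleMinutes, maxSessionLifetimeMinutes, usePersistentCookie). Two choices are this example's own assumptions: treating a value of 0 for maxSessionLifetimeMinutes as "no limit", and requiring all three settings on the same custom Priority 1 rule of the Default Policy, since a built-in Default Rule at priority 1 does not satisfy the STIG.

```python
"""Evaluate Okta Global Session Policy rules against the DISA STIG session controls."""

# Constructed sample of the objects returned by GET /api/v1/policies?type=OKTA_SIGN_ON,
# with each policy's rules (GET /api/v1/policies/{policyId}/rules) attached under "rules".
# Only the fields this example reads are included.
HARDENED_TENANT = [
    {
        "id": "00p1", "name": "Default Policy", "system": True, "status": "ACTIVE",
        "rules": [
            {   # custom rule evaluated before the built-in Default Rule
                "id": "0pr1", "name": "STIG session rule", "priority": 1,
                "system": False, "status": "ACTIVE",
                "actions": {"signon": {"session": {
                    "maxSessionIdleMinutes": 15,
                    "maxSessionLifetimeMinutes": 18 * 60,
                    "usePersistentCookie": False,
                }}},
            },
            {   # built-in Default Rule that Okta creates with the tenant
                "id": "0pr0", "name": "Default Rule", "priority": 2,
                "system": True, "status": "ACTIVE",
                "actions": {"signon": {"session": {
                    "maxSessionIdleMinutes": 120,
                    "maxSessionLifetimeMinutes": 0,
                    "usePersistentCookie": True,
                }}},
            },
        ],
    },
]

UNHARDENED_TENANT = [
    {
        "id": "00p1", "name": "Default Policy", "system": True, "status": "ACTIVE",
        "rules": [{   # only the built-in rule, so it sits at priority 1
            "id": "0pr0", "name": "Default Rule", "priority": 1,
            "system": True, "status": "ACTIVE",
            "actions": {"signon": {"session": {
                "maxSessionIdleMinutes": 120,
                "maxSessionLifetimeMinutes": 0,
                "usePersistentCookie": True,
            }}},
        }],
    },
]


def default_policy(policies):
    """The built-in (system) Global Session Default Policy, or None."""
    for policy in policies:
        if policy.get("system") and policy.get("status") == "ACTIVE":
            return policy
    return None


def priority_one_rule(policy):
    """The active custom rule at priority 1; the built-in Default Rule never qualifies."""
    for rule in policy.get("rules", []):
        if rule.get("priority") == 1 and rule.get("status") == "ACTIVE" and not rule.get("system"):
            return rule
    return None


def _session(rule):
    return rule.get("actions", {}).get("signon", {}).get("session", {})


def _effective_rule(policies):
    """Return (rule, None), or (None, reason) when the STIG precondition is not met."""
    policy = default_policy(policies)
    if policy is None:
        return None, "no active Default Policy found"
    rule = priority_one_rule(policy)
    if rule is None:
        return None, "Default Policy has no custom Priority 1 rule; only the built-in Default Rule applies"
    return rule, None


def check_idle_timeout(policies, max_minutes=15):
    rule, reason = _effective_rule(policies)
    if rule is None:
        return "FAIL", reason
    idle = _session(rule).get("maxSessionIdleMinutes")
    if not idle or idle > max_minutes:   # missing/0 is "not set", not a limit (assumption)
        return "FAIL", f"rule {rule['name']!r} idle timeout is {idle} min, limit {max_minutes}"
    return "PASS", f"rule {rule['name']!r} idle timeout is {idle} min"


def check_session_lifetime(policies, max_hours=18):
    rule, reason = _effective_rule(policies)
    if rule is None:
        return "FAIL", reason
    lifetime = _session(rule).get("maxSessionLifetimeMinutes")
    if not lifetime or lifetime > max_hours * 60:   # 0 treated as unlimited (assumption)
        return "FAIL", f"rule {rule['name']!r} lifetime is {lifetime} min, limit {max_hours * 60}"
    return "PASS", f"rule {rule['name']!r} lifetime is {lifetime} min"


def check_cookies_not_persistent(policies):
    rule, reason = _effective_rule(policies)
    if rule is None:
        return "FAIL", reason
    if _session(rule).get("usePersistentCookie", True):
        return "FAIL", f"rule {rule['name']!r} uses a persistent session cookie"
    return "PASS", f"rule {rule['name']!r} does not persist the session cookie"


def evaluate(policies):
    """Check ID -> (status, detail), mirroring the Prowler check names."""
    return {
        "signon_global_session_idle_timeout_15min": check_idle_timeout(policies),
        "signon_global_session_lifetime_18h": check_session_lifetime(policies),
        "signon_global_session_cookies_not_persistent": check_cookies_not_persistent(policies),
    }


if __name__ == "__main__":
    for tenant in (HARDENED_TENANT, UNHARDENED_TENANT):
        for check_id, (status, detail) in evaluate(tenant).items():
            print(f"{status:4} {check_id}: {detail}")
```

The precondition is the part that trips people up: Okta evaluates rules in priority order, so a compliant idle timeout on a lower-priority rule is shadowed by whatever the Priority 1 rule sets, and the built-in Default Rule cannot be edited into compliance. That is why the check insists on a custom rule at priority 1 rather than just scanning every rule for a 15-minute value.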

More services, checks, the STIG v1 Okta compliance framework, and full Prowler API / UI integration are coming in follow-up releases.

Read more in our Okta provider documentation.

Explore all Okta checks at Prowler Hub.

📧 Google Workspace — Chat service

The Google Workspace provider grows again with the new Chat service and 6 CIS-mapped checks landing via the Cloud Identity Policy API:

  • chat_apps_installation_disabled — verifies third-party Chat apps cannot be installed by users, blocking unsanctioned access to email, conversation content, and organizational data.
  • chat_external_file_sharing_disabled — verifies users cannot share files with people outside the organization via Chat conversations.
  • chat_external_messaging_restricted — verifies messaging with users outside the organization is either disabled or restricted to allowlisted domains.
  • chat_external_spaces_restricted — verifies external Chat spaces are either disabled or restricted to allowlisted domains.
  • chat_incoming_webhooks_disabled — verifies incoming webhooks are disabled so external applications cannot post into Chat spaces.
  • chat_internal_file_sharing_disabled — verifies file sharing between internal users in Chat is disabled, for organizations that need to audit all internal file flows.

Read more in our Google Workspace provider documentation.

Explore all Google Workspace checks at Prowler Hub.

🕸️ Attack Paths — Redesigned Graph


The Attack Paths graph in the Prowler App has been rewritten on React Flow, replacing the previous D3 + Dagre implementation. The new graph ships with:

  • Improved layout and node clustering
  • Smoother pan, zoom, and selection interactions
  • Image export
  • A minimap for orientation on dense graphs

☁️ AWS — "View in AWS Console"

AWS findings and resource details in the Prowler App now expose a one-click "View in AWS Console" link that opens the resource directly in the AWS Console. Jumping from a finding straight to the offending resource in the source-of-truth console is one click away.


☁️ AWS — IAM checks focus on attached customer-managed policies

AWS IAM customer-managed policy checks now scan only attached policies by default. Unattached customer-managed policies no longer emit a FAIL: they are inert, since they are not part of any principal's effective permissions, and they were generating findings on accounts that legitimately keep policies around for staged rollouts or break-glass scenarios. To keep auditing unattached policies (and other unused-service surfaces), opt in with --scan-unused-services, matching the existing semantics for the rest of the unused-services scope.

🤖 Lighthouse AI — Finding Groups MCP tools

Lighthouse AI can now reason about Finding Groups end to end. The new Finding Groups MCP tools let Lighthouse AI list, filter and inspect grouped findings, the same lens analysts use to triage at scale, instead of being limited to individual findings.

Read more about it in our Lighthouse AI documentation

📄 PDF Compliance Reports — Performance Improvements

We've introduced two important changes to the compliance reports in PDF:

  • Only failed findings in the PDF. PDFs now focus on what needs action. PASS findings are no longer written into the report. The CSV and JSON exports remain complete and unfiltered for anyone who needs the full picture.
  • Per-check detail tables capped at 100 failed findings. Each check's detail table shows up to 100 failed findings, with an in-PDF banner reading "Showing first 100 of N failed findings" pointing readers to the CSV / JSON exports for the rest.

Read more in our compliance documentation.

🌊 New Provider: Scaleway (Unofficial, CLI-Only)

Prowler now scans Scaleway as a new provider. Point Prowler at your Scaleway organization with a secret key and start auditing IAM:

prowler scaleway

The release ships with the iam service and one check:

  • iam_api_keys_no_root_owned — flags Scaleway API keys bound to the account root user. Root-owned API keys bypass IAM policies and grant unrestricted access to every project, resource and billing setting in the organization; rotating them disrupts every automation that depended on root credentials, so they should be replaced with IAM-application-scoped keys.

Read more in our Scaleway provider documentation.

⚙️ poetry → uv migration

Both the Prowler API and the Prowler SDK are now on uv as their package manager. Contributors get faster, deterministic installs and a single tool to work across the codebase.

Thank you to @AOrps for the contribution to migrate it in the API!

🆕 New Checks

AWS

  • cloudtrail_bedrock_logging_enabled — verifies at least one actively logging CloudTrail trail records Amazon Bedrock API activity for generative-AI auditability.
  • iam_user_access_not_stale_to_sagemaker — flags IAM users whose last SageMaker access exceeds the configured threshold (default 90 days, tunable via max_unused_sagemaker_access_days) or who have never accessed SageMaker.
  • sagemaker_domain_sso_configured — verifies SageMaker Domains use IAM Identity Center (SSO) authentication instead of IAM users, so user access is centrally managed. Thanks to @kimjune01!
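As an added example of the staleness logic behind iam_user_access_not_stale_to_sagemaker (this is not Prowler's check code), the block below evaluates constructed IAM users against the 90-day default. The input shape mimics the `ServicesLastAccessed` entries returned by IAM's `GetServiceLastAccessedDetails` API (`ServiceNamespace`, `LastAuthenticated`), where a missing `LastAuthenticated` means the service was never used; the user names, dates and the `max_unused_days` parameter name are assumptions.

```python
"""Added example: stale SageMaker access evaluation with a never-accessed edge case.
Not Prowler's check implementation; users and timestamps are constructed."""
from datetime import datetime, timedelta, timezone
from typing import Optional

DEFAULT_MAX_UNUSED_DAYS = 90  # the check's documented default threshold


def last_sagemaker_access(services_last_accessed) -> Optional[datetime]:
    """Return LastAuthenticated for the sagemaker namespace, or None if never used.
    Entries follow the ServicesLastAccessed shape of GetServiceLastAccessedDetails."""
    for svc in services_last_accessed:
        if svc.get("ServiceNamespace") == "sagemaker":
            return svc.get("LastAuthenticated")  # key absent when never accessed
    return None  # sagemaker not listed at all: also never accessed


def evaluate_user(user_name, services_last_accessed, now, max_unused_days=DEFAULT_MAX_UNUSED_DAYS):
    """Return (status, message) for one IAM user."""
    last = last_sagemaker_access(services_last_accessed)
    if last is None:
        return "FAIL", f"IAM user {user_name} has never accessed SageMaker."
    idle_days = (now - last).days
    if idle_days > max_unused_days:
        return "FAIL", (f"IAM user {user_name} last accessed SageMaker {idle_days} days ago "
                        f"(threshold {max_unused_days}).")
    return "PASS", f"IAM user {user_name} accessed SageMaker {idle_days} days ago."


# Constructed reference time and users; timezone-aware like the IAM API's timestamps.
NOW = datetime(2026, 6, 11, tzinfo=timezone.utc)

SAMPLE_USERS = {
    "ml-engineer": [
        {"ServiceName": "Amazon SageMaker", "ServiceNamespace": "sagemaker",
         "LastAuthenticated": NOW - timedelta(days=12)},
    ],
    "former-contractor": [
        {"ServiceName": "Amazon SageMaker", "ServiceNamespace": "sagemaker",
         "LastAuthenticated": NOW - timedelta(days=200)},
    ],
    "analyst": [
        {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
         "LastAuthenticated": NOW - timedelta(days=1)},
        {"ServiceName": "Amazon SageMaker", "ServiceNamespace": "sagemaker"},  # never used
    ],
}


def evaluate_all(users=SAMPLE_USERS, now=NOW, max_unused_days=DEFAULT_MAX_UNUSED_DAYS):
    """Return {user_name: status} for every user."""
    return {name: evaluate_user(name, svcs, now, max_unused_days)[0] for name, svcs in users.items()}


if __name__ == "__main__":
    for name, svcs in SAMPLE_USERS.items():
        status, message = evaluate_user(name, svcs, NOW)
        print(f"{status}: {message}")
```

Raising the threshold (the page names the tunable as max_unused_sagemaker_access_days in Prowler's configuration) changes the verdict for the long-idle user but never for the user who has no access record at all.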

M365

  • entra_service_principal_no_secrets_for_permanent_tier0_roles — flags service principals that hold credentials for permanent Tier-0 role assignments (Global Admin, Privileged Role Admin, etc.), where any leaked secret is a tenant-wide compromise.

🔐 Security Updates

  • UI: npm dependencies updated to patched versions for Next.js, Vite, LangChain, XML parsing, lodash, and related transitive packages.
  • API: 4 HIGH severity dependency vulnerabilities resolved on api/uv.lock: lxml 5.3.2 → 6.1.0 (GHSA-vfmq-68hx-4jfw, XXE), urllib3 2.6.3 → 2.7.0 (GHSA-mf9v-mfxr-j63j, GHSA-qccp-gfcp-xxvc), microsoft-kiota-* 1.9.2 → 1.9.9 (GHSA-7j59-v9qr-6fq9, via override-dependencies since the SDK hard-pins kiota-abstractions), and xmlsec 1.3.14 → 1.3.17 for libxml2 compatibility with lxml 6.x (#11192).
  • MCP Server: cryptography 46.0.1 → 47.0.0 (transitive) for CVE-2026-39892, CVE-2026-26007 and CVE-2026-34073.
  • Supply chain tooling: safety replaced with osv-scanner, which now also scans the UI workspace in addition to the SDK; npm supply-chain hardening landed in the UI workspace; SDK root transitive dependencies pinned to prevent silent drift.

🙌 External Contributors

Thank you to our community contributors for this release!

  • @AOrps — Replace poetry with uv as the Prowler API package manager in #10775
  • @b-abderrahmane — Surface M365 AuditLog.Read.All permission errors as preventive per-user FAILs instead of mass false positives in #10907
  • @kimjune01 — Add sagemaker_domain_sso_configured check for AWS provider in #11094

UI

🚀 Added

  • Health endpoint at GET /api/health for Docker Compose liveness checks (#11145)
  • AWS findings and resource details now expose a "View in AWS Console" link that opens the resource directly in the AWS Console via the universal /go/view ARN resolver (#9172)
  • Lighthouse AI: Prowler App Finding Groups MCP tools (#11140)

🔄 Changed

  • Trimmed unused npm dependencies (#11115)
  • Faster, stricter pre-commit: prek lints and formats only staged UI files (husky removed), with Prettier and ESLint (--max-warnings 40, stale-disable detection) now covering the full UI workspace, includi...