
Releases: prowler-cloud/prowler

Prowler 5.9.1

18 Jul 12:56
5453c02

API

Fixed

  • Calculate failed findings during scans to prevent heavy database queries (#8322)

Full Changelog: 5.9.0...5.9.1

Prowler 5.9.0

17 Jul 16:50

New features to highlight in this version

🔇 Mutelist Support

Easily mute findings through a flexible and fully configurable setup.

  • Mute findings seamlessly either from the interface or through API calls, no extra effort required.
  • Instantly toggle the visibility of muted findings across all visualizations and tables.
  • The mute reason is clearly displayed in finding details and listing views for full transparency.

Note

🔜 Support for muting findings based on filters, bulk selection, and adding custom mute details directly from the UI.
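To make the mute semantics concrete, the following is an added example, not Prowler's own code: a small Python matcher that applies a mutelist to a few constructed findings. The rule shape (Mutelist / Accounts / Checks / Regions / Resources / Tags / Description / Exceptions) follows Prowler's mutelist YAML as documented, written here as a dict so the example runs without PyYAML; the glob matching and the "key=value" tag syntax are this example's assumptions, so confirm the exact pattern rules against the current Prowler docs before copying a production mutelist from it.

```python
import fnmatch
from dataclasses import dataclass, field


@dataclass
class Finding:
    check_id: str
    account: str
    region: str
    resource: str
    tags: dict = field(default_factory=dict)
    muted: bool = False
    mute_reason: str = ""


def _matches_any(value, patterns):
    # Glob match; an empty pattern list means "no constraint" (matches everything).
    return not patterns or any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _tags_match(tags, patterns):
    # Tag patterns are "key=value" globs (assumption); every listed pattern must match some tag.
    flat = {f"{k}={v}" for k, v in tags.items()}
    return all(any(fnmatch.fnmatchcase(t, p) for t in flat) for p in patterns)


def _exception_applies(finding, exc):
    # An exception un-mutes a finding when every criterion it specifies matches.
    # An exception that specifies nothing is ignored rather than matching everything.
    fields = ((finding.account, "Accounts"), (finding.region, "Regions"), (finding.resource, "Resources"))
    specified = [(value, exc[key]) for value, key in fields if exc.get(key)]
    tag_patterns = exc.get("Tags", [])
    if not specified and not tag_patterns:
        return False
    return all(_matches_any(v, p) for v, p in specified) and _tags_match(finding.tags, tag_patterns)


def mute_reason_for(finding, mutelist):
    """Return the Description of the first rule that matches the finding, or None if it stays visible."""
    for acct_pattern, acct_cfg in mutelist.get("Mutelist", {}).get("Accounts", {}).items():
        if not fnmatch.fnmatchcase(finding.account, acct_pattern):
            continue
        for check_pattern, rule in acct_cfg.get("Checks", {}).items():
            if not fnmatch.fnmatchcase(finding.check_id, check_pattern):
                continue
            if not (_matches_any(finding.region, rule.get("Regions", []))
                    and _matches_any(finding.resource, rule.get("Resources", []))
                    and _tags_match(finding.tags, rule.get("Tags", []))):
                continue
            if _exception_applies(finding, rule.get("Exceptions", {})):
                continue
            return rule.get("Description", "muted by mutelist")
    return None


def apply_mutelist(findings, mutelist):
    """Flag matching findings as muted, keep the reason for display, and return how many were muted."""
    count = 0
    for finding in findings:
        reason = mute_reason_for(finding, mutelist)
        if reason is not None:
            finding.muted, finding.mute_reason = True, reason
            count += 1
    return count


# Constructed sample data for the example: one account, two rules, one exception.
SAMPLE_MUTELIST = {"Mutelist": {"Accounts": {"*": {"Checks": {
    "s3_bucket_public_access": {
        "Regions": ["*"], "Resources": ["public-website-*"], "Tags": ["public=true"],
        "Description": "Static site bucket is intentionally public",
    },
    "ec2_instance_public_ip": {
        "Regions": ["eu-west-1"], "Resources": ["*"], "Tags": ["env=dev"],
        "Description": "Dev instances may have public IPs",
        "Exceptions": {"Tags": ["bastion=true"]},  # bastions stay visible even in dev
    },
}}}}}


def sample_findings():
    return [
        Finding("s3_bucket_public_access", "123456789012", "us-east-1", "public-website-assets", {"public": "true"}),
        Finding("s3_bucket_public_access", "123456789012", "us-east-1", "customer-exports"),
        Finding("ec2_instance_public_ip", "123456789012", "eu-west-1", "i-0abc", {"env": "dev"}),
        Finding("ec2_instance_public_ip", "123456789012", "eu-west-1", "i-0def", {"env": "dev", "bastion": "true"}),
    ]


if __name__ == "__main__":
    findings = sample_findings()
    print(apply_mutelist(findings, SAMPLE_MUTELIST), "finding(s) muted")
    for f in findings:
        print(f.check_id, f.resource, "MUTED: " + f.mute_reason if f.muted else "visible")
```

Two of the four sample findings end up muted: the exported-data bucket fails the resource pattern, and the bastion instance matches the dev rule but is rescued by the exception, which is the behaviour to look for when muting broad patterns.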

🔐 Single Sign-On (SSO) with SAML: Seamless and Secure Access

We are pleased to introduce Single Sign-On (SSO) with SAML, a significant step forward in making your authentication experience both smoother and more secure. With SAML-based SSO, you can now log in to Prowler using your organization's identity provider, such as Okta, without needing to remember another set of credentials.

  • Effortless Access: Simply use your existing corporate account to sign in, reducing password fatigue and streamlining your daily workflow.
  • Enhanced Security: Authentication is managed by your trusted identity provider, ensuring that access policies and multi-factor authentication requirements are enforced consistently.
  • Consistent Experience: The login process is now fully integrated with your organization's security standards, providing a familiar and reliable experience every time you access Prowler.
  • Broad Compatibility: Our SAML integration supports leading providers like Okta and any other SAML-compatible service, making onboarding straightforward for organizations of all sizes.

To get started, look for the new "Sign in with SSO" option on the login page. For detailed configuration instructions, please refer to the "SSO with SAML" section in our documentation.


🧩 Resource View: A unified overview of your assets

Introducing a brand-new Resource View, a central place to explore and understand your resources in depth.

  • Browse all resources in your environment with a clean and organized layout.
  • Each resource comes with its tags clearly displayed, making classification and filtering effortless.
  • Quickly assess security posture by viewing findings directly linked to each resource — no need to navigate away.
  • Get full visibility into resource details, provider info, and metadata.

Note

Resources are sorted by the number of associated FAIL findings. This ordering is computed from v5.9 onwards, so your resources will be sorted this way after your next scan.

⚡️ Smoother, Faster Experience

We've made several improvements behind the scenes to make Prowler feel faster and more responsive.

  • Resource and overview pages now load quicker, even in large environments.
  • Filtering across findings and resources using the search bar is now accurate and noticeably faster.
  • Interacting with data — whether through the UI or API — feels more fluid and efficient.
  • New backend optimizations reduce wait times and improve overall performance across the platform.

🔒 Enhanced Password Security

We've improved account security by introducing stronger password requirements. Passwords must now be at least 12 characters long and include a mix of uppercase letters, lowercase letters, numbers, and special characters. A real-time strength indicator helps users meet these criteria as they type, ensuring more secure account creation. These enhancements align with best practices to better protect user data and prevent unauthorized access.


Warning

These changes apply only to new sign-ups. Existing passwords are not affected, but we strongly recommend updating your password to meet the new standards for improved security.
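If you need to mirror this policy elsewhere (a password-reset script, a pre-provisioning check), here is an added Python example of the stated rule; it is not the UI's or API's validator. The page does not define "special character", so this example treats any non-alphanumeric ASCII character as one, and it returns the list of unmet requirements so a caller can drive a real-time indicator. Composition rules alone do not reject predictable strings such as a capitalised word plus "1!", so pair them with a breached-password or denylist check in practice.

```python
import re

MIN_LENGTH = 12

# Each requirement is (label shown to the user, predicate). All must hold.
# "Special character" = any non-alphanumeric ASCII character (this example's assumption).
REQUIREMENTS = [
    ("at least 12 characters", lambda p: len(p) >= MIN_LENGTH),
    ("an uppercase letter", lambda p: re.search(r"[A-Z]", p) is not None),
    ("a lowercase letter", lambda p: re.search(r"[a-z]", p) is not None),
    ("a number", lambda p: re.search(r"[0-9]", p) is not None),
    ("a special character", lambda p: re.search(r"[^A-Za-z0-9]", p) is not None),
]


def missing_requirements(password):
    """Return the labels of every requirement the password does not meet (empty list = accepted)."""
    return [label for label, holds in REQUIREMENTS if not holds(password)]


def is_valid(password):
    return not missing_requirements(password)


def strength_indicator(password):
    """Per-requirement status for a live indicator: {label: True/False}."""
    unmet = set(missing_requirements(password))
    return {label: label not in unmet for label, _ in REQUIREMENTS}


if __name__ == "__main__":
    for candidate in ("short1A!", "CorrectHorseBattery1", "Tr0ub4dor&3xample"):
        print(candidate, "->", missing_requirements(candidate) or "accepted")
```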

✅ New Checks!

We've added 8 new security checks across multiple cloud providers and services to help you stay ahead of evolving risks:

  • entra_intune_enrollment_sign_in_frequency_every_time for M365.
  • The following 7 checks for Azure:
    • storage_smb_channel_encryption_with_secure_algorithm
    • storage_smb_protocol_version_is_latest
    • vm_backup_enabled
    • vm_linux_enforce_ssh_authentication
    • vm_ensure_using_approved_images
    • vm_scaleset_associated_load_balancer
    • defender_attack_path_notifications_properly_configured

🛠️ IaC Provider now supports remote Git repositories

The IaC provider just got more powerful! You can now scan Infrastructure-as-Code files directly from remote Git repositories.

  • Supports both public and private repos
  • Authenticate via CLI flags or environment variables
  • Perfect for integrating into CI/CD pipelines and automated workflows
  • Continue scanning Terraform, CloudFormation, Kubernetes YAML, and more

Note

Try it out with:
prowler iac --scan-repository-url https://github.com/user/repo.git


UI

🚀 Added

  • Mutelist configuration form (#8190)
  • SAML login integration (#8203)
  • Resource view (#7760)
  • Navigation link in Scans view to access Compliance Overview (#8251)
  • Status column for findings table in the Compliance Detail view (#8244)
  • Allow to restrict routes access based on user permissions (#8287)

🔒 Security

  • Enhanced password validation to enforce 12+ character passwords with special characters, uppercase, lowercase, and numbers (#8225)

🔄 Changed

  • Upgrade to Next.js 14.2.30 and lock TypeScript to 5.5.4 for ESLint compatibility (#8189)

🐞 Fixed

  • Error message when launching a scan if user has no permissions (#8280)
  • Include compliance in the download button tooltip (#8307)

API

🚀 Added

  • SSO with SAML support (#8175)
  • GET /resources/metadata, GET /resources/metadata/latest and GET /resources/latest to expose resource metadata and latest scan results (#8112)

🔄 Changed

  • /processors endpoints to post-process findings. Currently, only the Mutelist processor is supported, which mutes findings.
  • Optimized the underlying queries for resources endpoints (#8112)
  • Optimized include parameters for resources view (#8229)
  • Optimized overview background tasks (#8300)
  • POST /schedules/daily returns a 409 CONFLICT if already created (#8258)

🐞 Fixed

  • Search filter for findings and resources (#8112)
  • RBAC is now applied to GET /overviews/providers (#8277)

🔒 Security

  • Enhanced password validation to enforce 12+ character passwords with special characters, uppercase, lowercase, and numbers (#8225)

SDK

🚀 Added

  • storage_smb_channel_encryption_with_secure_algorithm check for Azure provider (#8123)
  • storage_smb_protocol_version_is_latest check for Azure provider (#8128)
  • vm_backup_enabled check for Azure provider (#8182)
  • vm_linux_enforce_ssh_authentication check for Azure provider (#8149)
  • vm_ensure_using_approved_images check for Azure provider (#8168)
  • vm_scaleset_associated_load_balancer check for Azure provider (#8181)
  • defender_attack_path_notifications_properly_configured check for Azure provider (#8245)
  • entra_intune_enrollment_sign_in_frequency_every_time check for M365 provider (#8223)
  • Support for remote repository scanning in IaC provider (#8193)
  • Add test_connection method to GitHub provider (#8248)

🔄 Changed

  • Refactor the Azure Defender get-security-contact configuration method to use the REST API endpoint instead of the SDK (#8241)

🐞 Fixed

  • Title & description wording for iam_user_accesskey_unused check for AWS provider (#8233)
  • Add GitHub provider to lateral panel in documentation and change -h environment variable output [(#8246)](https://github.com/prowler-cloud/pr...

Prowler 5.8.1

10 Jul 09:57
3bd5f4f

UI

🔄 Changed

  • Latest new failed findings now use GET /findings/latest (#8219)

🗑️ Removed

  • Validation of the provider's secret type during updates (#8197)

API

🚀 Added

  • Custom exception for provider connection errors during scans (#8234)

🔄 Changed

  • Summary and overview tasks now use a dedicated queue and no longer propagate errors to compliance tasks (#8214)

🐞 Fixed

  • Scan with no resources will not trigger legacy code for findings metadata (#8183)
  • Invitation email comparison case-insensitive (#8206)

🗑️ Removed

  • Validation of the provider's secret type during updates (#8197)

SDK

🐞 Fixed

  • Detect wildcarded ARNs in sts:AssumeRole policy resources (#8164)
  • List all streams and firehose_stream_encrypted_at_rest logic (#8213)
  • Allow empty values for http_endpoint in templates (#8184)
  • Convert all Azure Storage models to Pydantic models to avoid serialization issues (#8222)
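The wildcarded-ARN fix above is a good reminder that `sts:AssumeRole` on `arn:aws:iam::<account>:role/*` or on `*` lets a principal assume any role the trust policies allow. The following is an added example, not Prowler's check code, of the detection logic as a standalone Python function over a constructed IAM policy document. It handles the string-or-list forms of Action and Resource, matches action globs such as `sts:*` case-insensitively, skips Deny statements, and reports whether a Condition is present so a reviewer can judge whether the wildcard is actually scoped; it does not interpret NotAction or NotResource, which need separate handling.

```python
import fnmatch
import json


def _as_list(value):
    # IAM allows a single string or a list for Action, Resource, Statement.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_covers(policy_action, wanted):
    # Action patterns are case-insensitive globs, e.g. "sts:*" or "*".
    return fnmatch.fnmatchcase(wanted.lower(), policy_action.lower())


def wildcarded_assume_role_statements(policy):
    """Return Allow statements granting sts:AssumeRole on a wildcard resource.

    Each hit records the statement index, Sid, the offending resource strings and
    whether the statement carries a Condition (which may or may not scope it).
    """
    hits = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_action_covers(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action"))):
            continue
        wild = [r for r in _as_list(stmt.get("Resource")) if "*" in r]
        if wild:
            hits.append({
                "index": idx,
                "sid": stmt.get("Sid"),
                "resources": wild,
                "conditioned": "Condition" in stmt,
            })
    return hits


# Constructed sample policy: one scoped statement, two wildcarded ones, one Deny.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Scoped", "Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::123456789012:role/ReadOnly"},
        {"Sid": "AnyRoleInAccount", "Effect": "Allow", "Action": ["sts:assumerole"],
         "Resource": "arn:aws:iam::123456789012:role/*"},
        {"Sid": "Everything", "Effect": "Allow", "Action": "sts:*", "Resource": "*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-example"}}},
        {"Sid": "Denied", "Effect": "Deny", "Action": "sts:AssumeRole", "Resource": "*"},
    ],
}


if __name__ == "__main__":
    for hit in wildcarded_assume_role_statements(SAMPLE_POLICY):
        print(json.dumps(hit))
```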

Full Changelog: 5.8.0...5.8.1

Prowler 5.8.0

03 Jul 13:33

New features to highlight in this version

📘 Detailed Views for All Supported Compliance Standards

You asked for more clarity—we delivered. Now every supported compliance framework (like ENS-RD2022, CIS, ISO, NIST, etc.) includes a fully detailed view to help your team understand, prioritize, and act faster.


🔍 What’s New:

  • Interactive Pie Chart: quickly assess pass, fail, and manual statuses across all requirements.
  • Top Failed Sections: instantly identify where most issues occur, broken down by type where the framework defines one.
  • Failure Heatmap: visualize section-level failure rates to prioritize efforts.
  • Per-Category Drilldown: view grouped sections, with their findings, with expandable breakdowns per compliance framework.


Now live across all frameworks in your Compliance tab!

Warning

The detailed views are only available for scans run on v5.8.0 or later, so compliance overviews for scans from earlier versions are not available.

🤖 Introducing Prowler Lighthouse — Your AI Cloud Security Analyst

Say hello to Prowler Lighthouse, your always-on, AI-powered cloud security assistant.

Designed for teams with or without dedicated security resources, Lighthouse helps you:

  • Understand your compliance status
  • Prioritize failed and manual security checks
  • Remediate vulnerabilities and misconfigurations
  • Ask questions in natural language like “What is the CIS 1.10 compliance status of my Kubernetes cluster?”

⚙️ Customizable & Secure

In the Lighthouse Configuration Panel, you can:

  • Choose your preferred LLM (e.g., GPT-4o Mini)
  • Set your secure API Key
  • Provide business-specific context to tailor responses

It not only summarizes your security posture but also highlights where to focus your attention.

Now available in the Lighthouse tab. Start chatting today!

🚀 User Profile

We've revamped the User Profile interface to provide a cleaner, more actionable view of your account:

  • Organization Info: instantly view your Organization ID, join date, and email identity at the top.
  • Active Roles: clear breakdown of user permissions.
  • Organization Membership: Quickly see which organization you're part of and your role within it.
  • Quick Actions: Copy your Organization ID with a click and update organization names directly from the interface.

✨ Try it out by visiting your Profile page and experience the streamlined design!


📌 Affected Resource Name in Findings

Quickly pinpoint misconfigurations with the new "Resource name" column in the findings table!

  • Instantly identify the specific resource affected by each finding.
  • No more digging—this small but powerful update improves triage and remediation workflows.

🔐 GCP Service Account Key Authentication

You can now connect your Google Cloud Platform account by simply pasting your Service Account Key JSON.

  • No need for CLI setup or external tooling
  • Just paste your key and click Next
  • Fast and secure onboarding

This makes it easier than ever to authenticate and start scanning your GCP environment.


🔑 M365 Authentication App-Only (Service Principal) Authentication

Prowler now supports Microsoft 365 app-only (service principal) authentication via OAuth 2.0 client-credentials: just register an Azure AD app, grant it the necessary application-level permissions, grant admin consent, and supply your tenant ID, client ID and secret.

This lets Prowler run fully unattended scans against Exchange Online, SharePoint, Teams, etc., simplifies CI/CD integration and supports least-privilege access, since the app is granted only the application permissions the scan needs.
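The exchange behind app-only authentication is the OAuth 2.0 client-credentials grant against the tenant's v2.0 token endpoint, with `https://graph.microsoft.com/.default` as the scope. The following is an added Python example, not Prowler's provider code, that builds that request and then inspects the returned access token for the `roles` claim: app-only tokens carry the granted application permissions there (a delegated token would carry `scp` instead), so checking it is a quick way to confirm admin consent actually took effect before launching a scan. The required-roles set, the environment variable names and the unsigned sample token are this example's assumptions; the claim decode is inspection only and does not verify the signature, so never use it for authorization decisions.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
# Application permissions this example expects to see granted. Constructed for the
# demonstration; take the real list from Prowler's M365 documentation.
REQUIRED_ROLES = {"Domain.Read.All", "Policy.Read.All"}


def token_request(tenant_id, client_id, client_secret, scope=GRAPH_SCOPE):
    """Build (url, form body) for the client-credentials grant on the tenant's v2.0 endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }).encode()
    return url, body


def fetch_token(tenant_id, client_id, client_secret):
    """Perform the grant over the network and return the raw access token (needs real credentials)."""
    url, body = token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def jwt_claims(token):
    """Decode the JWT payload WITHOUT signature verification: for inspection only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_roles(token, required=frozenset(REQUIRED_ROLES)):
    """Application permissions that were requested but are absent from the token's roles claim."""
    claims = jwt_claims(token)
    if "scp" in claims:
        raise ValueError("delegated token (scp claim present); expected an app-only token")
    return sorted(set(required) - set(claims.get("roles", [])))


def sample_token(roles):
    """Constructed, unsigned token for offline demonstration; real tokens are signed by Entra ID."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([b64({"alg": "none"}), b64({"aud": "https://graph.microsoft.com", "roles": roles}), ""])


if __name__ == "__main__":
    # Variable names are this example's assumption (the usual Azure SDK names); use the
    # ones Prowler's docs specify for its environment-based M365 authentication.
    tenant, client, secret = (os.environ.get(k, "") for k in
                              ("AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"))
    if tenant and client and secret:
        print("missing application permissions:", missing_roles(fetch_token(tenant, client, secret)) or "none")
    else:
        print("offline sample:", missing_roles(sample_token(["Directory.Read.All"])))
```

A useful habit when tightening permissions (as the 5.7.2 SDK change from Directory.Read.All to Domain.Read.All did) is to run this kind of check after re-consenting, since a stale token keeps the old roles until it expires.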

🙌 Special thanks to @silverhack for their support and guidance in resolving key Microsoft 365 authentication issues.

Your contributions help make Prowler stronger for everyone! 💜

🆕 Checks

We’ve added 21 new security checks across multiple cloud providers and services to help you stay ahead of evolving risks:

  • AWS: 1 new check
  • Azure: 11 new checks
  • Microsoft 365: 3 new checks
  • GitHub: 6 new checks

🧪 Run a scan now to see how your environment stacks up!

🛡️ Baseline NIS 2 Compliance

We’ve added baseline NIS 2 compliance support for AWS, Azure, and GCP, aligning with the EU 2022/2555 directive annex.

This update includes:

  • Core risk management measures
  • Incident handling and response criteria
  • Applicability for both essential and important cloud service providers

Start assessing your NIS 2 readiness directly from the Compliance tab today.

🆕 Compliance Frameworks

We've expanded our compliance coverage to include three major standards:

  • CIS 4.0 for GCP — Updated benchmarks for Google Cloud environments
  • CIS 1.11 for Kubernetes — Latest hardening guidance for K8s clusters
  • ISO 27001 for Microsoft 365 — Security controls mapped to M365 services

Run a scan now to assess your posture against the latest industry benchmarks.

🛠️ IaC Provider powered by checkov

Prowler now supports Infrastructure-as-Code (IaC) scanning using Checkov!

Simply point it at your local files and catch security issues before you deploy:

  • Supports Terraform, CloudFormation, ARM, Kubernetes YAML, and more
  • Detects misconfigurations and compliance drift pre-deployment
  • Seamlessly integrates into your CI/CD or local workflows

Shift left with IaC scanning—now available in Prowler!

Note

Try it out now with prowler iac


UI

🚀 Added

  • New profile page with details about the user and their roles (#7780)
  • Improved SnippetChip component and show resource name in new findings table (#7813)
  • Possibility to edit the organization name (#7829)
  • GCP credential method (Account Service Key) (#7872)
  • Compliance detail view: ENS (#7853)
  • Compliance detail view: ISO (#7897)
  • Compliance detail view: CIS (#7913)
  • Compliance detail view: AWS Well-Architected Framework (#7925)
  • Compliance detail view: KISA (#7965)
  • Compliance detail view: ProwlerThreatScore (#7979)
  • Compliance detail view: Generic (rest of the compliances) (#7990)
  • Compliance detail view: MITRE ATTACK (#8002)
  • Improve Scan ID filter by adding more context and enhancing the UI/UX (#8046)
  • Lighthouse chat interface (#7878)
  • Google Tag Manager integration (#8058)

🔄 Changed

  • Provider UID filter to scans page (#7820)
  • Aligned Next.js version to v14.2.29 across Prowler and Cloud environments for consistency and improved maintainability (#7962)
  • Refactor credentials forms with reusable components and error handling (#7988)
  • Updated the provider details section in Scan and Findings detail pages (#7968)
  • Make user and password fields optional but mutually required for M365 cloud provider (#8044)
  • Improve filter behaviour and relationships between filters in findings page (#8046)
  • Set filters panel to be always open by default (#8085)
  • Updated "Sign in"/"Sign up" capitalization for consistency (#8136)
  • Duplicate API base URL as an env var to make it accessible in client components (#8131)

🐞 Fixed

  • Sync between filter buttons and URL when filters change (#7928)
  • Improve heatmap performance (#7934)
  • SelectScanProvider warning fixed with empty alias (#7998)
  • Prevent console warnings for accessibility and SVG (#8019)

API

🚀 Added

  • Support GCP Service Account key (#7824)
  • GET /compliance-overviews endpoints to retrieve compliance metadata and specific require...

Prowler 5.7.5

19 Jun 06:28
f96b7f5

💻 API

🐞 Fixed

  • Normalize provider UID to ensure safe and unique export directory paths (#8007)
  • Blank resource types in /metadata endpoints (#8027)

🔧 SDK

🐞 Fixed

  • Add EKS to service without subservices (#7959)
  • apiserver_strong_ciphers_only check for K8S provider (#7952)
  • Handle 0 at the start and end of account uids in Prowler Dashboard (#7955)
  • Typo in PCI 4.0 for K8S provider (#7971)
  • AWS root credentials checks always verify if root credentials are enabled (#7967)
  • Add GitHub provider to the usage section of prowler -h (#7906)
  • network_flow_log_more_than_90_days check to pass when retention policy is 0 days (#7975)
  • Update SDK Azure call for ftps_state in the App Service (#7923)
  • Validate ResourceType in CheckMetadata (#8035)
  • Missing ResourceType values in check's metadata (#8028)
  • Avoid user requests in setup_identity app context and user auth log enhancement (#8043)
  • Use unified timestamp for all requirements (#8059)

Full Changelog: 5.7.4...5.7.5

Prowler 5.7.4

11 Jun 11:15
a517c57

💻 API

Removed

  • Reverted RLS transaction handling and DB custom backend (#7994).

Full Changelog: 5.7.3...5.7.4

Prowler 5.7.3

06 Jun 08:42
a59d985

🎨 UI

🐞 Fixed

  • Fix encrypted password typo in formSchemas. (#7828)

💻 API

Added

  • Database backend to handle already closed connections (#7935).

Changed

  • Renamed field encrypted_password to password for M365 provider (#7784)

🐞 Fixed

  • Fixed transaction persistence with RLS operations (#7916).
  • Reverted the get_with_retry change, returning to the original get method for retrieving tasks (#7932).

🔧 SDK

🐞 Fixed

  • Automatically encrypt password in Microsoft365 provider. (#7784).
  • Remove last encrypted password appearances. (#7825).

Full Changelog: 5.7.2...5.7.3

Prowler 5.7.2

02 Jun 13:28
8afc016

🎨 UI

🐞 Fixes

  • Download report behaviour updated to show feedback based on API response. (#7758)
  • Missing KISA and ProwlerThreat icons added to the compliance page. (#7860)
  • Retrieve more than 10 scans in /compliance page. (#7865)
  • Improve CustomDropdownFilter component. (#7868)

💻 API

🐛 Fixes

  • Fixed task lookup to use task_kwargs instead of task_args for scan report resolution. (#7830)
  • Fixed Kubernetes UID validation to allow valid context names (#7871)
  • Fixed the connection status verification before launching a scan (#7831)
  • Fixed a race condition when creating background tasks (#7876).
  • Fixed an error when modifying or retrieving tenants due to missing user UUID in transaction context (#7890).

🔧 SDK

Fixes

  • Fix m365_powershell test_credentials to use sanitized credentials. (#7761)
  • Fix admincenter_users_admins_reduced_license_footprint check logic to pass when admin user has no license. (#7779)
  • Fix m365_powershell to close the PowerShell sessions in msgraph services. (#7816)
  • Fix defender_ensure_notify_alerts_severity_is_high check to accept high or lower severity. (#7862)
  • Replace Directory.Read.All permission with Domain.Read.All, which is more restrictive. (#7888)
  • Split calls to list Azure Functions attributes. (#7778)

Full Changelog: 5.7.1...5.7.2

Prowler 5.7.1

21 May 11:23
830c4fd

🎨 UI

🐞 Fixes

  • Added validation to AWS IAM role. (#7787)
  • Tweak some wording for consistency throughout the app. (#7794)
  • Retrieve more than 10 providers in /scans, /manage-groups and /findings pages. (#7793)

💻 API

🐛 Fixes

  • Added database index to improve performance on finding lookup. (#7800)

Full Changelog: 5.7.0...5.7.1

Prowler 5.7.0

20 May 08:22

New features to highlight in this version

🚀 Performance Improvements

  • Optimized /findings/metadata and resource-related filters for significantly faster querying and filtering of findings
  • Enhanced /overviews endpoints for better response times and scalability in large environments
  • Added new high-performance endpoints to fetch the latest findings and metadata quickly

Important

The performance optimization included in /findings and /findings/metadata applies for scans from this release on. This also applies to the service, region and resource_type filters for these views.

These updates collectively reduce latency, improve data freshness, and scale better across high-volume environments.

👨‍💻 GitHub Provider (CLI Only)

We’ve added GitHub as a new cloud provider in the Prowler CLI. Including:

  • 11 security checks tailored for GitHub, see all with prowler github --list-checks or in Prowler Hub at https://hub.prowler.com/
  • Based on CIS GitHub Benchmark v1.0.0

Warning

Currently available in the CLI only — support for the App is coming in an upcoming release!

Tip

Try it out now with prowler github

📘 Prowler ThreatScore for Microsoft 365

We’ve extended Prowler ThreatScore to support Microsoft 365 environments:

  • Assigns a contextual risk score to your M365 tenant based on detected misconfigurations and best practices
  • Helps prioritize remediation efforts with actionable insights
  • Enhances visibility into your Microsoft 365 security posture

Tip

Try it out now with prowler m365 --compliance prowler_threatscore_m365

📘 CIS M365 Benchmark v4.0.0

You can now assess your M365 environment against the CIS v4.0 framework. This brings M365 in line with our existing CIS support for AWS, GCP, Kubernetes and Azure, expanding your ability to meet compliance requirements across cloud platforms.

Tip

Try it out now with prowler m365 --compliance cis_4.0_m365

📘 CIS AWS Foundations Benchmark v5.0.0

Prowler now includes full coverage for the CIS AWS Foundations Benchmark version 5.0.0, aligning with the latest security best practices from the Center for Internet Security.

Tip

Try it out now with prowler aws --compliance cis_5.0_aws

Provider UID Filter Enhanced

We’ve significantly enhanced the Provider UID filter in the App to make multi-cloud analysis faster and more intuitive:

  • 🌐 Provider icons (AWS, GCP) for instant visual identification
  • 🏷️ Including the Cloud Provider alias


☁️ AWS CloudFormation Quick Link for IAM Role Setup

We’ve streamlined the setup process for AWS IAM Role credentials with a new CloudFormation Quick Link:

  • Launch the required IAM Role stack in one click
  • Pre-filled with the necessary permissions and trust policies
  • Available directly in the IAM Role credentials step for faster onboarding

This update helps you get started with Prowler in AWS faster and with fewer manual steps.


🎨 UI

🚀 Added

  • Add a new chart to show the split between passed and failed findings. (#7680)
  • Added Accordion component. (#7700)
  • Improve Provider UID filter by adding more context and enhancing the UI/UX. (#7741)
  • Added an AWS CloudFormation Quick Link to the IAM Role credentials step (#7735)
  • Use getLatestFindings on findings page when no scan or date filters are applied. (#7756)

🐞 Fixed

  • Fix form validation in launch scan workflow. (#7693)
  • Moved ProviderType to a shared types file and replaced all occurrences across the codebase. (#7710)
  • Added filter to retrieve only connected providers on the scan page. (#7723)
  • Removed the alias if not added from findings detail page. (#7751)

💻 API

🚀 Added

  • Added huge improvements to /findings/metadata and resource related filters for findings (#7690).
  • Added improvements to /overviews endpoints (#7690).
  • Added new queue to perform backfill background tasks (#7690).
  • Added new endpoints to retrieve latest findings and metadata (#7743).

🔧 SDK

🚀 Added

  • Update the compliance list supported for each provider from docs. (#7694)
  • Allow setting cluster name in in-cluster mode in Kubernetes. (#7695)
  • Add Prowler ThreatScore for M365 provider. (#7692)
  • Add GitHub provider. (#5787)
  • Add repository_default_branch_requires_multiple_approvals check for GitHub provider. (#6160)
  • Add repository_default_branch_protection_enabled check for GitHub provider. (#6161)
  • Add repository_default_branch_requires_linear_history check for GitHub provider. (#6162)
  • Add repository_default_branch_disallows_force_push check for GitHub provider. (#6197)
  • Add repository_default_branch_deletion_disabled check for GitHub provider. (#6200)
  • Add repository_default_branch_status_checks_required check for GitHub provider. (#6204)
  • Add repository_default_branch_protection_applies_to_admins check for GitHub provider. (#6205)
  • Add repository_branch_delete_on_merge_enabled check for GitHub provider. (#6209)
  • Add repository_default_branch_requires_conversation_resolution check for GitHub provider. (#6208)
  • Add organization_members_mfa_required check for GitHub provider. (#6304)
  • Add GitHub provider documentation and CIS v1.0.0 compliance. (#6116)
  • Add CIS 5.0 compliance framework for AWS. (#7766)
  • Add CIS 4.0 for M365 provider. (#7699)

🐞 Fixed

  • Update and upgrade CIS for all the providers (#7738)
  • Cover policies with conditions with SNS endpoint in sns_topics_not_publicly_accessible. (#7750)
  • Change severity logic for ec2_securitygroup_allow_ingress_from_internet_to_all_ports check. (#7764)

Full Changelog: 5.6.0...5.7.0