Releases: prowler-cloud/prowler
Prowler 5.3.0
🎨 UI
Improved UX in Forms
- Enhanced the sign-in and sign-up forms to provide a smoother user experience.
- Improved form validation and error handling for better clarity and guidance.
🚀 Real-Time Scan Visibility
- New! 🎉 Scans now appear immediately after launching them, eliminating the previous delay.
- When setting up a provider and initiating the first scan, it will be displayed right away instead of requiring users to wait several minutes.
- This improvement provides instant feedback and a more seamless experience when running scans.
💻 API
🕐 Scheduled Scans
- Daily scheduled scan instances are now created beforehand with SCHEDULED state, making scheduled scans visible before launching them.
🔎 Findings
- Findings endpoints now require at least one date filter to get all the findings.
- Findings metadata endpoint received a performance improvement.
☁️ Providers
- Increased the allowed length of the provider UID for Kubernetes providers to support AWS EKS, Azure AKS and GCP GKE.
🔧 SDK
Microsoft365 Provider 🎉
We’re excited to announce that Prowler now supports Microsoft365 as a new cloud provider! This release introduces several dedicated security and compliance checks tailored for Microsoft365 environments. These new assessments help you identify configuration gaps, enforce best practices, and maintain a strong security posture across your Microsoft365 deployments.
This is only available in Prowler CLI and will be added to the API and UI 🔜
Try it out now with: prowler microsoft365 {--sp-env-auth | --az-cli-auth | --browser-auth} 🚀
Choose the authentication method that best suits your needs:
- Service Principal Credentials: Uses a registered app in Entra (formerly Azure AD) with client credentials (tenant ID, client ID and client secret).
- Azure CLI: Uses your logged-in Azure CLI session.
- Interactive Browser: Opens a browser window to sign in manually.
Five new checks ❗
This release includes several new security and compliance checks designed specifically for Microsoft365 environments:
- admincenter_groups_not_public_visibility
- admincenter_settings_password_never_expire
- admincenter_users_admins_reduced_license_footprint
- admincenter_users_between_two_and_four_global_admins
- entra_thirdparty_integrated_apps_not_allowed
You can see all the Microsoft365 checks with prowler microsoft365 --list-checks
📖 1 new Compliance Framework
- CIS (Center for Internet Security) Microsoft 365 Foundations Benchmark v4.0.0
New AWS Check ✅
We’ve added a new security check in AWS KMS: kms_cmk_not_multi_region
This check ensures that KMS Customer Managed Keys (CMKs) are not multi-region, helping enforce security best practices for key management.
🎉 Special thanks to our external contributor wunzeco for this contribution!
Full Changelog: 5.2.3...5.3.0
Prowler 5.2.3
Task Runner
Fixes
- fix(celery): Kill celery worker process after every task to release memory by @prowler-bot in #6763
Full Changelog: 5.2.2...5.2.3
Prowler 5.2.2
API
Improvements
- feat(findings): Improve /findings/metadata performance by @prowler-bot in #6749
- feat(scans): Optimize read queries during scans by @prowler-bot in #6756
SDK
Fixes
- fix(sns): Add region to subscriptions by @prowler-bot in #6740
- fix(finding): raise when generating invalid findings by @prowler-bot in #6745
- fix(acm): Key Error DomainName by @prowler-bot in #6744
- fix(aws): iam_user_with_temporary_credentials resource in OCSF by @prowler-bot in #6741
- fix(neptune): correct service name by @prowler-bot in #6747
- fix(set_report_color): Add more details to error by @prowler-bot in #6755
- fix(db_event): Handle other events by @prowler-bot in #6757
Full Changelog: 5.2.1...5.2.2
Prowler 5.2.1
UI
Fixes
- Fixed bug when opening finding details while a scan is in progress by @prowler-bot in #6709
- Fix filters and sorting for scan table by @prowler-bot in #6714
- Fix label for next scan by @prowler-bot in #6726
API
Fixes
- Improve API performance ordering by inserted_at instead of id by @prowler-bot in #6712
- Improve efficiency on providers overview by @prowler-bot in #6718
- Revert - Update Django DB manager to use psycopg3 and connection pooling by @prowler-bot in #6719
SDK
Fixes
- GCP: Add trusted client certificates case for cloudsql_instance_ssl_connections by @prowler-bot in #6687
- AWS: Fix CloudWatch NoneType object is not iterable by @prowler-bot in #6677
- Azure: add name field to SecurityContacts by @prowler-bot in #6715
Full Changelog: 5.2.0...5.2.1
Prowler 5.2.0
🎨 UI
Improved UX when setting up a provider using an IAM role
- When adding AWS IAM Role credentials, you can now skip static credentials if you are running Prowler within AWS (e.g. EC2, ECS, EKS), since it will automatically use the default SDK credentials.
- We've added CloudFormation and Terraform templates to deploy the ProwlerScan AWS IAM Role.
- You can easily copy the IAM Role External ID 🎉
Finding details layout looks completely different and now includes the first_seen
Scan details have been improved
Improved UX during the sign-up process
Improved UX during the sign-up process for first-time users on the scan page, and when users already have completed scans but cannot launch a new one due to the absence of a provider with a successful connection test.
Provider setup has one less step
💻 API
🐘 Update Django DB Manager with psycopg3 and connection pooling
The API DB Manager now uses psycopg3 to improve its reliability.
❗AWS IAM Role External ID
The IAM Role External ID is now a mandatory field when configuring the IAM Role authentication.
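The External ID only protects the role if its trust policy actually requires it. The following added example (not Prowler's own code) checks a trust policy document for Allow statements that grant sts:AssumeRole to an AWS principal without a StringEquals condition on sts:ExternalId; the policies and the External ID value are constructed placeholders.

```python
import copy
import json

# Constructed trust policy for a scan role. The External ID value is a placeholder.
WITH_EXTERNAL_ID = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}
  }]
}
""")

# Same policy with the condition removed: the caller no longer has to
# present the External ID to assume the role.
WITHOUT_EXTERNAL_ID = copy.deepcopy(WITH_EXTERNAL_ID)
del WITHOUT_EXTERNAL_ID["Statement"][0]["Condition"]


def as_list(value):
    return value if isinstance(value, list) else [value]


def statements_missing_external_id(trust_policy):
    """Return indexes of Allow statements that let an AWS principal call
    sts:AssumeRole without a StringEquals condition on sts:ExternalId."""
    missing = []
    for index, stmt in enumerate(as_list(trust_policy.get("Statement", []))):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        principal = stmt.get("Principal", {})
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("sts:assumerole", "sts:*", "*") for a in actions):
            continue
        if principal != "*" and "AWS" not in principal:
            continue  # service principals do not present an External ID
        required = [
            value
            for operator, keys in stmt.get("Condition", {}).items()
            if operator.lower() == "stringequals"
            for key, value in keys.items()
            if key.lower() == "sts:externalid"
        ]
        if not any(required):
            missing.append(index)
    return missing
```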
🥇 Finding First Seen
All findings now have a first_seen_at field to quickly identify when Prowler first saw them.
🔧 SDK
📁 OCSF format includes metadata for each resource
We have included a new field under resource which includes a JSON object with all the resource metadata. The following is an example of an AWS finding:

    "metadata": {
      "name": "api",
      "arn": "arn:aws:ecs:eu-west-1:111122223333:task-definition/api:1",
      "revision": "1",
      "region": "eu-west-1",
      "container_definitions": [
        {
          "name": "api",
          "privileged": false,
          "readonly_rootfilesystem": false,
          "user": "",
          "environment": [
            {
              "name": "environment",
              "value": "prod"
            }
          ],
          "log_driver": "awslogs",
          "log_option": ""
        }
      ]
    }

Try it out with prowler --output-format json-ocsf
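An added example (not Prowler's own code) of consuming the new field: it reads findings in json-ocsf form and lists container hardening gaps using the fields shown in the sample above. The input is constructed, and because the exact nesting under each resource is an assumption, the code searches each resource for the metadata object instead of hard-coding a path.

```python
import json

# Constructed json-ocsf excerpt. The first "metadata" object follows the sample
# above; the second task definition and the resources/data nesting are assumptions.
SAMPLE_FINDINGS = json.loads("""
[
  {"resources": [{"data": {"metadata": {
      "arn": "arn:aws:ecs:eu-west-1:111122223333:task-definition/api:1",
      "container_definitions": [
        {"name": "api", "privileged": false,
         "readonly_rootfilesystem": false, "user": ""}]}}}]},
  {"resources": [{"data": {"metadata": {
      "arn": "arn:aws:ecs:eu-west-1:111122223333:task-definition/worker:1",
      "container_definitions": [
        {"name": "worker", "privileged": true,
         "readonly_rootfilesystem": true, "user": "1000"}]}}}]}
]
""")


def find_metadata(node):
    """Yield every dict stored under a "metadata" key, at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "metadata" and isinstance(value, dict):
                yield value
            else:
                yield from find_metadata(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_metadata(item)


def container_gaps(findings):
    """Return (task definition ARN, container name, gap) tuples."""
    gaps = []
    for finding in findings:
        for resource in finding.get("resources", []):
            for meta in find_metadata(resource):
                for container in meta.get("container_definitions", []):
                    where = (meta.get("arn"), container.get("name"))
                    if container.get("privileged"):
                        gaps.append(where + ("privileged",))
                    if not container.get("readonly_rootfilesystem"):
                        gaps.append(where + ("writable root filesystem",))
                    if not container.get("user"):
                        gaps.append(where + ("no explicit user",))
    return gaps
```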
📖 2 new Compliance Frameworks!
- CIS 1.10 Kubernetes
- CIS 3.0 Azure
㊙️ Scan Secrets
Now all checks using detect-secrets can be configured with the list of plugins to be used via the Prowler config file.
Full Changelog: 5.1.5...5.2.0
Prowler 5.1.5
UI
Fixes
- fix(filters): fix dynamic filters by @prowler-bot in #6643
SDK
Fixes
- fix: update Azure CIS with existing App checks by @prowler-bot in #6625
- fix(aws): list tags for DocumentDB clusters by @prowler-bot in #6622
- fix(OCSF): fix OCSF output when timestamp is UNIX format by @prowler-bot in #6627
Full Changelog: 5.1.4...5.1.5
Prowler 5.1.4
UI
Fixes
- fix(RBAC): restore manage_account permission for roles by @prowler-bot in #6603
- fix(RBAC): tweaks for edit role form by @prowler-bot in #6610
- fix(snippet-id): improve provider ID readability in tables by @prowler-bot in #6616
Chores
- chore(RBAC): add permission's info by @prowler-bot in #6617
API
Fixes
- feat(api): restrict the deletion of users, only the user of the request can be deleted by @prowler-bot in #6613
- fix(rbac): remove invalid required permission by @prowler-bot in #6614
SDK
Fixes
- fix(apigatewayv2): managed exception NotFoundException by @prowler-bot in #6590
- fix(sqs): fix flaky test by @prowler-bot in #6595
Full Changelog: 5.1.3...5.1.4
Prowler 5.1.3
API
Fixes
The following two PRs are required in this version for the API and UI to work and to fix an issue.
- feat(findings): add /findings/metadata to retrieve dynamic filters information by @prowler-bot in #6586
- feat(findings): Add resource_tag filters for findings endpoint by @prowler-bot in #6587
SDK
Fixes
- fix(gcp): fix flaky tests from dns service by @prowler-bot in #6571
Full Changelog: 5.1.2...5.1.3
Prowler 5.1.2
UI
Fixes
- fix(findings): remove filter delta_in applied by default by @prowler-bot in #6579
- fix(providers): update the label and placeholder based on the cloud provider by @prowler-bot in #6582
SDK
Fixes
- fix(detect_secrets): refactor logic for detect-secrets by @prowler-bot in #6566
- fix(cis): add subsections if needed by @prowler-bot in #6568
Full Changelog: 5.1.1...5.1.2
Prowler 5.1.1
UI
Fixes
- fix(filters): add resource type filter for findings by @prowler-bot in #6525
- fix(dep): address compatibility issues by @prowler-bot in #6557
SDK
Fixes
- fix(Azure TDE): add filter for master DB by @prowler-bot in #6514
Full Changelog: 5.1.0...5.1.1