Releases: prowler-cloud/prowler
Prowler 5.2.2
API
Improvements
- feat(findings): Improve /findings/metadata performance by @prowler-bot in #6749
- feat(scans): Optimize read queries during scans by @prowler-bot in #6756
SDK
Fixes
- fix(sns): Add region to subscriptions by @prowler-bot in #6740
- fix(finding): raise when generating invalid findings by @prowler-bot in #6745
- fix(acm): Key Error DomainName by @prowler-bot in #6744
- fix(aws): iam_user_with_temporary_credentials resource in OCSF by @prowler-bot in #6741
- fix(neptune): correct service name by @prowler-bot in #6747
- fix(set_report_color): Add more details to error by @prowler-bot in #6755
- fix(db_event): Handle other events by @prowler-bot in #6757
Full Changelog: 5.2.1...5.2.2
Prowler 5.2.1
UI
Fixes
- Fixed bug when opening finding details while a scan is in progress by @prowler-bot in #6709
- Fix filters and sorting for scan table by @prowler-bot in #6714
- Fix label for next scan by @prowler-bot in #6726
API
Fixes
- Improve API performance ordering by `inserted_at` instead of `id` by @prowler-bot in #6712
- Improve efficiency on providers overview by @prowler-bot in #6718
- Revert - Update Django DB manager to use psycopg3 and connection pooling by @prowler-bot in #6719
SDK
Fixes
- GCP: Add trusted client certificates case for `cloudsql_instance_ssl_connections` by @prowler-bot in #6687
- AWS: Fix CloudWatch NoneType object is not iterable by @prowler-bot in #6677
- Azure: add name field to SecurityContacts by @prowler-bot in #6715
Full Changelog: 5.2.0...5.2.1
Prowler 5.2.0
🎨 UI
Improved UX when setting up a provider using an IAM role
- When adding AWS IAM Role credentials you can now skip static credentials if Prowler runs inside AWS (e.g. on EC2, ECS or EKS), since it will use the default SDK credential chain to assume the role.
- We've added CloudFormation and Terraform templates to deploy the `ProwlerScan` AWS IAM Role.
- You can easily copy the IAM Role External ID 🎉
The finding details layout has been completely redesigned and now includes the first seen date (`first_seen_at`).
Scan details have been improved
Improved UX during the sign-up process
Improved UX during sign-up for first-time users on the scan page, and for users who already have completed scans but cannot launch a new one because no provider has a successful connection test.
Provider setup has one less step
💻 API
🐘 Update Django DB Manager with psycopg3 and connection pooling
The API DB manager now uses `psycopg3` with connection pooling to improve reliability. Note that this change was reverted in 5.2.1 (#6719, above).
❗AWS IAM Role External ID
The IAM Role External ID is now a mandatory field when configuring IAM Role authentication.
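As an added illustration, not one of the CloudFormation or Terraform templates shipped with Prowler: the trust-policy statement on the scanning role that makes the External ID enforceable. The role can only be assumed by a caller that presents the agreed `sts:ExternalId`, which closes the confused-deputy case where a third party merely knows your role ARN. The account ID `111122223333` (the account Prowler assumes the role from) and the External ID value are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowProwlerToAssumeWithExternalId",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "REPLACE-WITH-THE-EXTERNAL-ID-SHOWN-IN-THE-UI"
        }
      }
    }
  ]
}
```

Without the `Condition` block any principal in the trusted account that can call `sts:AssumeRole` on the ARN gets in; with it, the caller must also pass `ExternalId` in the `AssumeRole` request, so treat the value as a shared secret and rotate it when it leaks.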
🥇 Finding First Seen
All findings now have a `first_seen_at` field that records the first time Prowler observed the finding.
🔧 SDK
📁 OCSF format includes metadata for each resource
We have added a new `metadata` field under `resource`, a JSON object carrying all the metadata Prowler collected for that resource. The following is an example from an AWS finding:
```json
"metadata": {
  "name": "api",
  "arn": "arn:aws:ecs:eu-west-1:111122223333:task-definition/api:1",
  "revision": "1",
  "region": "eu-west-1",
  "container_definitions": [
    {
      "name": "api",
      "privileged": false,
      "readonly_rootfilesystem": false,
      "user": "",
      "environment": [
        {
          "name": "environment",
          "value": "prod"
        }
      ],
      "log_driver": "awslogs",
      "log_option": ""
    }
  ]
}
```
Try it out with `prowler --output-format json-ocsf`.
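The value of the metadata object is that a consumer can reason about the resource beyond the check's own PASS/FAIL verdict. The following added example (not Prowler code) reads the JSON array that the `json-ocsf` output file contains and flags ECS task definitions whose containers are privileged, have a writable root filesystem, or carry credential-looking environment variables. It assumes the object lives at `resources[].data.metadata` (with a fallback to `resources[].metadata`; verify against your own output), the sample findings are constructed, and the env-var heuristics are a stand-in for a real `detect-secrets` scan.

```python
"""Added example (not Prowler code): post-process `prowler --output-format
json-ocsf` output using the per-resource metadata object."""
from __future__ import annotations

import json
import re
from typing import Iterator

# Heuristics standing in for a detect-secrets scan: credential-like env var
# names, and the documented shape of an AWS access key ID.
SECRET_NAME_RE = re.compile(r"(secret|password|passwd|token|api[_-]?key)", re.I)
AWS_AKID_RE = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")


def _task_definition(name: str, revision: int, status: str,
                     privileged: bool, readonly_root: bool, env: list[dict]) -> dict:
    """Build one constructed OCSF finding for an ECS task definition."""
    return {
        "finding_info": {"uid": f"prowler-aws-ecs-111122223333-eu-west-1-{name}"},
        "status_code": status,
        "resources": [{
            "uid": f"arn:aws:ecs:eu-west-1:111122223333:task-definition/{name}:{revision}",
            "type": "AwsEcsTaskDefinition",
            "region": "eu-west-1",
            "data": {"metadata": {          # assumed location of the metadata object
                "name": name,
                "revision": str(revision),
                "container_definitions": [{
                    "name": name,
                    "privileged": privileged,
                    "readonly_rootfilesystem": readonly_root,
                    "environment": env,
                }],
            }},
        }],
    }


# Constructed sample output: a JSON array of findings, as the .ocsf.json file is.
SAMPLE_OCSF = json.dumps([
    _task_definition("api", 1, "FAIL", True, False, [
        {"name": "environment", "value": "prod"},
        {"name": "DB_PASSWORD", "value": "hunter2"},
        {"name": "AWS_KEY", "value": "AKIAIOSFODNN7EXAMPLE"},  # AWS docs example key
    ]),
    _task_definition("worker", 3, "PASS", False, True,
                     [{"name": "LOG_LEVEL", "value": "info"}]),
])


def iter_resource_metadata(findings: list[dict]) -> Iterator[tuple[dict, dict, dict]]:
    """Yield (finding, resource, metadata) for every resource that carries metadata."""
    for finding in findings:
        for resource in finding.get("resources", []):
            meta = resource.get("data", {}).get("metadata") or resource.get("metadata")
            if meta:
                yield finding, resource, meta


def review_ecs_task_definitions(ocsf_json: str) -> list[dict]:
    """Flag risky containers regardless of the originating check's verdict."""
    issues = []
    for finding, resource, meta in iter_resource_metadata(json.loads(ocsf_json)):
        if resource.get("type") != "AwsEcsTaskDefinition":
            continue
        for container in meta.get("container_definitions", []):
            reasons = []
            if container.get("privileged"):
                reasons.append("privileged container")
            if not container.get("readonly_rootfilesystem", False):
                reasons.append("writable root filesystem")
            for env in container.get("environment", []):
                name, value = env.get("name", ""), env.get("value", "")
                if SECRET_NAME_RE.search(name) or AWS_AKID_RE.search(value):
                    reasons.append(f"possible secret in env var {name}")
            if reasons:
                issues.append({
                    "finding": finding["finding_info"]["uid"],
                    "status": finding.get("status_code"),
                    "resource": resource["uid"],
                    "container": container.get("name"),
                    "reasons": reasons,
                })
    return issues


def review_file(path: str) -> list[dict]:
    """Run the review over a real prowler-output-*.ocsf.json file."""
    with open(path, encoding="utf-8") as fh:
        return review_ecs_task_definitions(fh.read())


if __name__ == "__main__":
    for issue in review_ecs_task_definitions(SAMPLE_OCSF):
        print(issue["resource"], issue["status"], "; ".join(issue["reasons"]))
```

Point `review_file()` at the `.ocsf.json` Prowler writes to its output directory; the same walk works for any resource type, only the per-type logic in `review_ecs_task_definitions()` changes.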
📖 2 new Compliance Frameworks!
- CIS 1.10 Kubernetes
- CIS 3.0 Azure
㊙️ Scan Secrets
All checks that use `detect-secrets` can now be configured with the list of plugins to use via the Prowler config file.
Full Changelog: 5.1.5...5.2.0
Prowler 5.1.5
UI
Fixes
- fix(filters): fix dynamic filters by @prowler-bot in #6643
SDK
Fixes
- fix: update Azure CIS with existing App checks by @prowler-bot in #6625
- fix(aws): list tags for DocumentDB clusters by @prowler-bot in #6622
- fix(OCSF): fix OCSF output when timestamp is UNIX format by @prowler-bot in #6627
Full Changelog: 5.1.4...5.1.5
Prowler 5.1.4
UI
Fixes
- fix(RBAC): restore manage_account permission for roles by @prowler-bot in #6603
- fix(RBAC): tweaks for edit role form by @prowler-bot in #6610
- fix(snippet-id): improve provider ID readability in tables by @prowler-bot in #6616
Chores
- chore(RBAC): add permission's info by @prowler-bot in #6617
API
Fixes
- feat(api): restrict the deletion of users, only the user of the request can be deleted by @prowler-bot in #6613
- fix(rbac): remove invalid required permission by @prowler-bot in #6614
SDK
Fixes
- fix(apigatewayv2): managed exception `NotFoundException` by @prowler-bot in #6590
- fix(sqs): fix flaky test by @prowler-bot in #6595
Full Changelog: 5.1.3...5.1.4
Prowler 5.1.3
API
Fixes
The following two PRs are required in this version for the API and UI to work and to fix an issue.
- feat(findings): add /findings/metadata to retrieve dynamic filters information by @prowler-bot in #6586
- feat(findings): Add resource_tag filters for findings endpoint by @prowler-bot in #6587
SDK
Fixes
- fix(gcp): fix flaky tests from dns service by @prowler-bot in #6571
Full Changelog: 5.1.2...5.1.3
Prowler 5.1.2
UI
Fixes
- fix(findings): remove filter delta_in applied by default by @prowler-bot in #6579
- fix(providers): update the label and placeholder based on the cloud provider by @prowler-bot in #6582
SDK
Fixes
- fix(detect_secrets): refactor logic for detect-secrets by @prowler-bot in #6566
- fix(cis): add subsections if needed by @prowler-bot in #6568
Full Changelog: 5.1.1...5.1.2
Prowler 5.1.1
UI
Fixes
- fix(filters): add resource type filter for findings by @prowler-bot in #6525
- fix(dep): address compatibility issues by @prowler-bot in #6557
SDK
Fixes
- fix(Azure TDE): add filter for master DB by @prowler-bot in #6514
Full Changelog: 5.1.0...5.1.1
Prowler 5.1.0
New features to highlight in this version
🔒 RBAC - Role Based Access Control
Gain granular control over user access and permissions with our new Role-Based Access Control. You can now assign roles and privileges to specific users, ensuring they only have access to what they need. You can also create cloud provider groups and assign them to roles to control which providers are visible to each role.
🧑🔧 4 New Checks!
We have expanded our coverage with 4 new checks, covering EC2, Step Functions and CloudFormation in AWS, and SQL Server in Azure.
1. ec2_launch_template_imdsv2_required
2. stepfunctions_statemachine_logging_enabled
3. cloudformation_stack_cdktoolkit_bootstrap_version
4. sqlserver_recommended_minimal_tls_version
🚀 30 New AWS Fixers!
We have included 30 new fixers to help you automatically remediate misconfigurations in AWS services: Lambda, SQS, ECR, Glacier, OpenSearch, S3, EC2, CloudTrail and CodeArtifact.
Run a specific fixer with `prowler aws --check <check_id> --fixer`.
See all the new available fixers with `prowler aws --list-fixers`:
1. awslambda_function_not_publicly_accessible_fixer
2. sqs_queues_not_publicly_accessible_fixer
3. ecr_repositories_not_publicly_accessible_fixer
4. glacier_vaults_policy_public_access_fixer
5. opensearch_service_domains_not_publicly_accessible_fixer
6. s3_bucket_public_write_acl_fixer
7. s3_bucket_public_list_acl_fixer
8. s3_bucket_public_access_fixer
9. ec2_instance_port_cifs_exposed_to_internet_fixer
10. s3_bucket_policy_public_write_access_fixer
11. ec2_ami_public_fixer
12. cloudtrail_logs_s3_bucket_is_not_publicly_accessible_fixer
13. codeartifact_packages_external_public_publishing_disabled_fixer
14. ec2_instance_port_cassandra_exposed_to_internet_fixer
15. ec2_instance_port_elasticsearch_kibana_exposed_to_internet_fixer
16. ec2_instance_port_ftp_exposed_to_internet_fixer
17. ec2_instance_port_kafka_exposed_to_internet_fixer
18. ec2_instance_port_kerberos_exposed_to_internet_fixer
19. ec2_instance_port_ldap_exposed_to_internet_fixer
20. ec2_instance_port_memcached_exposed_to_internet_fixer
21. ec2_instance_port_mongodb_exposed_to_internet_fixer
22. ec2_instance_port_mysql_exposed_to_internet_fixer
23. ec2_instance_port_oracle_exposed_to_internet_fixer
24. ec2_instance_port_postgresql_exposed_to_internet_fixer
25. ec2_instance_port_rdp_exposed_to_internet_fixer
26. ec2_instance_port_redis_exposed_to_internet_fixer
27. ec2_instance_port_sqlserver_exposed_to_internet_fixer
28. ec2_instance_port_ssh_exposed_to_internet_fixer
29. ec2_instance_port_telnet_exposed_to_internet_fixer
30. ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports_fixer
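To make concrete what the security-group fixers above have to decide, here is an added example (not Prowler's fixer code) that computes the revocation list for a security group whose rules expose high-risk TCP ports to the internet, using the `IpPermissions` structure that `describe_security_groups` returns. The port set and the sample group are constructed (Prowler ships its own list); the boto3 call that would apply the result, `revoke_security_group_ingress`, is wrapped but not executed here. The logic goes slightly beyond a single check: it also handles IPv6 any-address ranges and protocol `-1` (all traffic), and revokes only the any-address ranges of an offending rule so that CIDR-scoped entries in the same rule survive.

```python
"""Added example (not Prowler code): revoke-list computation for internet-exposed
high-risk TCP ports on an EC2 security group."""
from __future__ import annotations

import json

# Constructed high-risk port set for this example; Prowler ships its own list.
HIGH_RISK_TCP_PORTS = {21, 22, 23, 445, 3389, 5432, 6379, 27017}
INTERNET_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed security group as describe_security_groups would return it.
SAMPLE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}, {"CidrIp": "10.0.0.0/8"}],
         "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 3000, "ToPort": 4000,
         "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "192.168.1.0/24"}], "Ipv6Ranges": []},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ],
}


def _open_to_internet(perm: dict) -> tuple[list[dict], list[dict]]:
    """Return the IPv4 and IPv6 ranges of this rule that are any-address."""
    v4 = [r for r in perm.get("IpRanges", []) if r.get("CidrIp") in INTERNET_CIDRS]
    v6 = [r for r in perm.get("Ipv6Ranges", []) if r.get("CidrIpv6") in INTERNET_CIDRS]
    return v4, v6


def _high_risk_ports_covered(perm: dict) -> set[int]:
    """High-risk TCP ports that fall inside this rule's port range."""
    proto = perm.get("IpProtocol")
    if proto == "-1":            # all protocols and ports
        return set(HIGH_RISK_TCP_PORTS)
    if proto != "tcp":
        return set()
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return {p for p in HIGH_RISK_TCP_PORTS if lo <= p <= hi}


def permissions_to_revoke(security_group: dict) -> list[dict]:
    """Build the IpPermissions argument for revoke_security_group_ingress.

    A rule is revoked only for its any-address ranges; if it spans a port
    range, the whole any-address entry goes, and re-adding the harmless ports
    is an operator decision rather than something done silently here.
    """
    revoke = []
    for perm in security_group.get("IpPermissions", []):
        v4, v6 = _open_to_internet(perm)
        if not _high_risk_ports_covered(perm) or not (v4 or v6):
            continue
        entry = {"IpProtocol": perm["IpProtocol"]}
        if perm["IpProtocol"] != "-1":
            entry["FromPort"] = perm["FromPort"]
            entry["ToPort"] = perm["ToPort"]
        if v4:
            entry["IpRanges"] = [{"CidrIp": r["CidrIp"]} for r in v4]
        if v6:
            entry["Ipv6Ranges"] = [{"CidrIpv6": r["CidrIpv6"]} for r in v6]
        revoke.append(entry)
    return revoke


def revoke_with_boto3(ec2_client, security_group: dict, dry_run: bool = True) -> list[dict]:
    """Apply the revocations with an EC2 client (boto3.client("ec2")).

    With dry_run=True EC2 only validates permissions and raises a
    DryRunOperation error, which is a safe way to preview the fixer.
    """
    perms = permissions_to_revoke(security_group)
    if perms:
        ec2_client.revoke_security_group_ingress(
            GroupId=security_group["GroupId"], IpPermissions=perms, DryRun=dry_run)
    return perms


if __name__ == "__main__":
    print(json.dumps(permissions_to_revoke(SAMPLE_SG), indent=2))
```

On the sample group this leaves the 443 rule, the 10.0.0.0/8 entry on port 22 and the CIDR-scoped 5432 rule alone, and revokes the any-address entries on port 22, on 3000-4000 (which covers 3389) and on the all-traffic rule.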
📄 Added CIS 3.0 for GCP
Prowler now supports the CIS 3.0 for GCP.
🖊️ New check's category gen-ai
With the growing number of Generative AI, Machine Learning and LLM training services, we are adding a new `gen-ai` category so that AI-related service checks can be found and run more easily.
🐎 Several performance improvements in the API
🔧 Other issues and bug fixes solved
New Contributors
Special thanks to our amazing new contributors: @madslundholmdk @Twodragon0
- @madslundholmdk made their first contribution in #5821
- @Twodragon0 made their first contribution in #5867
UI
Features
- feat(users): user detail can be edited now properly by @paabloLC in #6135
- feat(GHA): add gha for API by @pedrooot in #6032
- feat(roles): RBAC functionality by @paabloLC in #6201
- feat(scans): add new component - alert bar by @paabloLC in #6391
- feat(update-credentials): add explanation text for the current behavior by @paabloLC in #6400
Fixes
- fix(invitations): remove wrong url by @paabloLC in #6005
- fix(BC: NextUI): fix BC from NextUI, resolve ESLint warnings and optimize hooks dependencies by @paabloLC in #6404
- fix(invitation): correct the URL used to share an invitation by @paabloLC in #6472
- styles(invitations): tweak styles for invitation details box by @paabloLC in #6475
Chores / Dependencies
- chore(rbac): tweaks role permissions by @paabloLC in #6496
- chore(deps-dev): bump eslint-plugin-import from 2.29.1 to 2.31.0 in /ui by @dependabot in #6482
- chore(deps): bump @radix-ui/react-slot from 1.1.0 to 1.1.1 in /ui by @dependabot in #6481
- chore(roles): prevent capitalization of provider groups and roles by @paabloLC in #6497
- chore(groups): Enable updating groups without roles or providers by @paabloLC in #6498
- chore(manage-groups): tweaks for provider manage groups by @paabloLC in #6468
- chore(deps): bump @radix-ui/react-toast from 1.2.1 to 1.2.4 in /ui by @dependabot in #6445
- chore(deps): bump lucide-react from 0.417.0 to 0.471.0 in /ui by @dependabot in #6456
- chore(deps): bump date-fns from 3.6.0 to 4.1.0 in /ui by @dependabot in #6444
- chore(deps-dev): bump @iconify/react from 5.0.1 to 5.2.0 in /ui by @dependabot in #6421
- chore(deps): bump nanoid from 3.3.7 to 3.3.8 in /ui by @dependabot in #6110
- chore(deps): bump cross-spawn from 7.0.3 to 7.0.6 in /ui by @dependabot in #5881
- chore(deps): bump cookie and next-auth in /ui by @dependabot in #5880
- chore(deps): bump next from 14.2.12 to 14.2.22 in /ui by @dependabot in #6356
API
Features
- feat(api-rbac): RBAC system by @AdriiiPRodri in #6114
- feat(services): Add GET /overviews/services to API by @vicferpoy in #6029
- feat(celery): Add configurable broker visibility timeout setting by @vicferpoy in #6245
- feat(compliance): generate compliance reports for GCP scans using API by @vicferpoy in #6318
Fixes
- fix(tenant): fix delete tenants behavior by @vicferpoy in #6013
- fix(deploy): temporal fix for the alpine-python segmentation fault by @AdriiiPRodri in #6109
- fix(RLS): enforce config security by @jfagoagas in #6066
- fix(db-utils): fix batch_delete function by @vicferpoy in #6283
- fix(users): fix /users/me behavior when having more than 1 users in the same tenant by @vicferpoy in #6284
- fix(migrations): fix django migration order dependency by @vicferpoy in #6302
- fix(api): change the inserted_at.lte unittest by @AdriiiPRodri in #6403
- fix(rbac): block admin role deletion by @AdriiiPRodri in #6470
Chores / Dependencies
- ref(rbac): disable some checks by @AdriiiPRodri in #6471
- chore(rls): rename tenant_transaction to rls_transaction by @jfagoagas in #6202
- ref(rbac): improve rbac implementation for views by @AdriiiPRodri in #6226
- chore(rls): Add tenant_id filters in views and improve querysets by @jfagoagas in #6211
- chore(deps-dev): bump openapi-schema-validator from 0.6.2 to 0.6.3 by @dependabot in #6454
- chore(deps-dev): bump vulture from 2.11 to 2.14 in /api by @dependabot in #6426
- chore(deps-dev): bump safety from 3.2.3 to 3.2.9 in /api by @dependabot in #6431
- chore(deps): bump jinja2 from 3.1.4 to 3.1.5 in /api by @dependabot in #6316
- chore(deps): bump django from 5.1.1 to 5.1.4 in /api by @dependabot in #6376
- ref(rbac): enable relationship creation when objects is created by @AdriiiPRodri in #6238
Docs
- docs(prowler-app): add link to https://api.prowler.com/api/v1/docs by @pedrooot in #6016
- docs(api): add commands to run API scheduler by @MrCloudSec in #6085
SDK
Features
- feat(awslambda): add new fixer `awslambda_function_not_publicly_accessible_fixer` by @danibarranqueroo in #5840
- feat(sqs): add new fixer `sqs_queues_not_publicly_accessible_fixer` by @danibarranqueroo in https://github.com/prowle...
Prowler 5.0.5 - Powerslave
What's Changed
- fix(gha): run API and UI tests in correct versions by @prowler-bot in #6301
- fix(migrations): fix django migration order dependency by @prowler-bot in #6303
- chore(version): update Prowler version by @MrCloudSec in #6293
Full Changelog: 5.0.4...5.0.5