Releases: prowler-cloud/prowler
Prowler 5.8.1
UI
🔄 Changed
- Latest new failed findings now use `GET /findings/latest` (#8219)
🗑️ Removed
- Validation of the provider's secret type during updates (#8197)
API
🚀 Added
- Custom exception for provider connection errors during scans (#8234)
🔄 Changed
- Summary and overview tasks now use a dedicated queue and no longer propagate errors to compliance tasks (#8214)
🐞 Fixed
- Scan with no resources will not trigger legacy code for findings metadata (#8183)
- Invitation email comparison case-insensitive (#8206)
🗑️ Removed
- Validation of the provider's secret type during updates (#8197)
SDK
🐞 Fixed
- Detect wildcarded ARNs in sts:AssumeRole policy resources (#8164)
- List all streams and `firehose_stream_encrypted_at_rest` logic (#8213)
- Allow empty values for http_endpoint in templates (#8184)
- Convert all Azure Storage models to Pydantic models to avoid serialization issues (#8222)
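The sts:AssumeRole fix above concerns policy statements whose Resource is a pattern rather than a specific role ARN, which effectively grants assumption of every role the pattern matches. The following is an added example of that detection logic, not Prowler's own check code; the policy document in it is constructed for illustration.

```python
"""Flag IAM policy statements that grant sts:AssumeRole on wildcarded ARNs.

Added example, not Prowler's own check code. The policy document below is
constructed for illustration.
"""
import fnmatch

# Role-assumption actions for which a wildcarded Resource means
# "assume any role this pattern matches".
ASSUME_ROLE_ACTIONS = (
    "sts:assumerole",
    "sts:assumerolewithsaml",
    "sts:assumerolewithwebidentity",
)


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; always work with a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _grants_assume_role(action):
    """True if the (possibly wildcarded, e.g. 'sts:*') action covers an AssumeRole action."""
    pattern = action.lower()
    return any(fnmatch.fnmatchcase(a, pattern) for a in ASSUME_ROLE_ACTIONS)


def _is_wildcarded_arn(resource):
    """Bare '*', or '*'/'?' anywhere in the ARN (account id, path or role name)."""
    return "*" in resource or "?" in resource


def find_wildcarded_assume_role(policy):
    """Return (Sid, Resource) pairs for Allow statements that assume roles by pattern.

    NotAction/NotResource statements are not expanded here; they would need
    their own handling.
    """
    hits = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_grants_assume_role(a) for a in _as_list(stmt.get("Action"))):
            continue
        sid = stmt.get("Sid", f"Statement[{idx}]")
        for resource in _as_list(stmt.get("Resource")):
            if _is_wildcarded_arn(resource):
                hits.append((sid, resource))
    return hits


# Constructed sample policy: two statements are wildcarded, one names an exact
# role, one is a Deny, and one does not touch STS at all.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ExactRole", "Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::123456789012:role/ReadOnly"},
        {"Sid": "AccountWildcard", "Effect": "Allow", "Action": ["sts:AssumeRole"],
         "Resource": "arn:aws:iam::*:role/Deploy"},
        {"Sid": "AnySts", "Effect": "Allow", "Action": "sts:*", "Resource": "*"},
        {"Sid": "DenyAll", "Effect": "Deny", "Action": "sts:AssumeRole", "Resource": "*"},
        {"Sid": "S3Only", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

if __name__ == "__main__":
    for sid, resource in find_wildcarded_assume_role(SAMPLE_POLICY):
        print(f"{sid}: sts:AssumeRole allowed on wildcarded resource {resource}")
```

Both the account-id wildcard (`arn:aws:iam::*:role/Deploy`, assumable in any account that trusts the caller) and the bare `*` are reported; the exact role ARN, the Deny and the S3-only statement are not.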
Full Changelog: 5.8.0...5.8.1
Prowler 5.8.0
New features to highlight in this version
📘 Detailed Views for All Supported Compliance Standards
You asked for more clarity—we delivered. Now every supported compliance framework (like ENS-RD2022, CIS, ISO, NIST, etc.) includes a fully detailed view to help your team understand, prioritize, and act faster.

🔍 What’s New:
- Interactive Pie Chart: quickly assess pass, fail, and manual statuses across all requirements.
- Top Failed Sections: instantly identify where most issues occur, broken down by type, if any.
- Failure Heatmap: visualize section-level failure rates to prioritize efforts.
- Per-Category Drilldown: view grouped sections, with their findings, with expandable breakdowns per compliance framework.
Now live across all frameworks in your Compliance tab!
Warning
The detailed views are only available for scans run on v5.8.0 or later; compliance overviews for scans from previous versions are therefore not available.
🤖 Introducing Prowler Lighthouse — Your AI Cloud Security Analyst
Say hello to Prowler Lighthouse, your always-on, AI-powered cloud security assistant.
Designed for teams with or without dedicated security resources, Lighthouse helps you:
- Understand your compliance status
- Prioritize failed and manual security checks
- Remediate vulnerabilities and misconfigurations
- Ask questions in natural language like “What is the CIS 1.10 compliance status of my Kubernetes cluster?”

⚙️ Customizable & Secure
In the Lighthouse Configuration Panel, you can:
- Choose your preferred LLM (e.g., GPT-4o Mini)
- Set your secure API Key
- Provide business-specific context to tailor responses

It not only summarizes your security posture but also highlights where to focus your attention.
Now available in the Lighthouse tab. Start chatting today!
🚀 User Profile
We've revamped the User Profile interface to provide a cleaner, more actionable view of your account:
- Organization Info: instantly view your Organization ID, join date, and email identity at the top.
- Active Roles: clear breakdown of user permissions.
- Organization Membership: Quickly see which organization you're part of and your role within it.
- Quick Actions: Copy your Organization ID with a click and update organization names directly from the interface.
✨ Try it out by visiting your Profile page and experience the streamlined design!

📌 Affected Resource Name in Findings
Quickly pinpoint misconfigurations with the new "Resource name" column in the findings table!
- Instantly identify the specific resource affected by each finding.
- No more digging—this small but powerful update improves triage and remediation workflows.

🔐 GCP Service Account Key Authentication
You can now connect your Google Cloud Platform account by simply pasting your Service Account Key JSON.
- No need for CLI setup or external tooling
- Just paste your key and click Next
- Fast and secure onboarding
This makes it easier than ever to authenticate and start scanning your GCP environment.

🔑 M365 Authentication App-Only (Service Principal) Authentication
Prowler now supports Microsoft 365 app-only (service principal) authentication via OAuth 2.0 client-credentials: just register an Azure AD app, grant it the necessary application-level permissions, grant admin consent, and supply your tenant ID, client ID and secret.
This lets Prowler run fully unattended scans against Exchange Online, SharePoint, Teams, etc., simplifies CI/CD integration and enforces least-privilege access.
🙌 Special thanks to @silverhack for their support and guidance in resolving key Microsoft 365 authentication issues.
Your contributions help make Prowler stronger for everyone! 💜
🆕 Checks
We’ve added 21 new security checks across multiple cloud providers and services to help you stay ahead of evolving risks:
- AWS: 1 new check
- Azure: 11 new checks
- Microsoft 365: 3 new checks
- GitHub: 6 new checks
🧪 Run a scan now to see how your environment stacks up!
🛡️ Baseline NIS 2 Compliance
We’ve added baseline NIS 2 compliance support for AWS, Azure, and GCP, aligning with the EU 2022/2555 directive annex.
This update includes:
- Core risk management measures
- Incident handling and response criteria
- Applicability for both essential and important cloud service providers
Start assessing your NIS 2 readiness directly from the Compliance tab today.
🆕 Compliance Frameworks
We've expanded our compliance coverage to include three major standards:
- CIS 4.0 for GCP — Updated benchmarks for Google Cloud environments
- CIS 1.11 for Kubernetes — Latest hardening guidance for K8s clusters
- ISO 27001 for Microsoft 365 — Security controls mapped to M365 services
Run a scan now to assess your posture against the latest industry benchmarks.
🛠️ IaC Provider powered by checkov
Prowler now supports Infrastructure-as-Code (IaC) scanning using Checkov!
Simply point it at your local files and catch security issues before you deploy:
- Supports Terraform, CloudFormation, ARM, Kubernetes YAML, and more
- Detects misconfigurations and compliance drift pre-deployment
- Seamlessly integrates into your CI/CD or local workflows
Shift left with IaC scanning—now available in Prowler!
Note
Try it out now with `prowler iac`
UI
🚀 Added
- New profile page with details about the user and their roles (#7780)
- Improved `SnippetChip` component and show resource name in new findings table (#7813)
- Possibility to edit the organization name (#7829)
- GCP credential method (Account Service Key) (#7872)
- Compliance detail view: ENS (#7853)
- Compliance detail view: ISO (#7897)
- Compliance detail view: CIS (#7913)
- Compliance detail view: AWS Well-Architected Framework (#7925)
- Compliance detail view: KISA (#7965)
- Compliance detail view: ProwlerThreatScore (#7979)
- Compliance detail view: Generic (rest of the compliances) (#7990)
- Compliance detail view: MITRE ATTACK (#8002)
- Improve `Scan ID` filter by adding more context and enhancing the UI/UX (#8046)
- Lighthouse chat interface (#7878)
- Google Tag Manager integration (#8058)
🔄 Changed
- `Provider UID` filter to scans page (#7820)
- Aligned Next.js version to `v14.2.29` across Prowler and Cloud environments for consistency and improved maintainability (#7962)
- Refactor credentials forms with reusable components and error handling (#7988)
- Updated the provider details section in Scan and Findings detail pages (#7968)
- Make user and password fields optional but mutually required for M365 cloud provider (#8044)
- Improve filter behaviour and relationships between filters in findings page (#8046)
- Set filters panel to be always open by default (#8085)
- Updated "Sign in"/"Sign up" capitalization for consistency (#8136)
- Duplicate API base URL as an env var to make it accessible in client components (#8131)
🐞 Fixed
- Sync between filter buttons and URL when filters change (#7928)
- Improve heatmap performance (#7934)
- SelectScanProvider warning fixed with empty alias (#7998)
- Prevent console warnings for accessibility and SVG (#8019)
API
🚀 Added
- Support GCP Service Account key (#7824)
- `GET /compliance-overviews` endpoints to retrieve compliance metadata and specific require...
Prowler 5.7.5
💻 API
🐞 Fixed
- Normalize provider UID to ensure safe and unique export directory paths (#8007)
- Blank resource types in `/metadata` endpoints (#8027)
🔧 SDK
🐞 Fixed
- Add EKS to service without subservices (#7959)
- `apiserver_strong_ciphers_only` check for K8S provider (#7952)
- Handle `0` at the start and end of account uids in Prowler Dashboard (#7955)
- Typo in PCI 4.0 for K8S provider (#7971)
- AWS root credentials checks always verify if root credentials are enabled (#7967)
- Github provider to `usage` section of `prowler -h` (#7906)
- `network_flow_log_more_than_90_days` check to pass when retention policy is 0 days (#7975)
- Update SDK Azure call for ftps_state in the App Service (#7923)
- Validate ResourceType in CheckMetadata (#8035)
- Missing ResourceType values in check's metadata (#8028)
- Avoid user requests in setup_identity app context and user auth log enhancement (#8043)
- Use unified timestamp for all requirements (#8059)
Full Changelog: 5.7.4...5.7.5
Prowler 5.7.4
💻 API
Removed
- Reverted RLS transaction handling and DB custom backend (#7994).
Full Changelog: 5.7.3...5.7.4
Prowler 5.7.3
🎨 UI
🐞 Fixed
- Fix encrypted password typo in `formSchemas`. (#7828)
💻 API
Added
- Database backend to handle already closed connections (#7935).
Changed
- Renamed field encrypted_password to password for M365 provider (#7784)
🐞 Fixed
- Fixed transaction persistence with RLS operations (#7916).
- Reverted the change `get_with_retry` to use the original `get` method for retrieving tasks (#7932).
🔧 SDK
🐞 Fixed
- Automatically encrypt password in Microsoft365 provider. (#7784).
- Remove last encrypted password appearances. (#7825).
Full Changelog: 5.7.2...5.7.3
Prowler 5.7.2
🎨 UI
🐞 Fixes
- Download report behaviour updated to show feedback based on API response. (#7758)
- Missing KISA and ProwlerThreat icons added to the compliance page. (#7860)
- Retrieve more than 10 scans in /compliance page. (#7865)
- Improve CustomDropdownFilter component. (#7868)
💻 API
🐛 Fixes
- Fixed task lookup to use task_kwargs instead of task_args for scan report resolution. (#7830)
- Fixed Kubernetes UID validation to allow valid context names (#7871)
- Fixed the connection status verification before launching a scan (#7831)
- Fixed a race condition when creating background tasks (#7876).
- Fixed an error when modifying or retrieving tenants due to missing user UUID in transaction context (#7890).
🔧 SDK
Fixes
- Fix `m365_powershell test_credentials` to use sanitized credentials. (#7761)
- Fix `admincenter_users_admins_reduced_license_footprint` check logic to pass when admin user has no license. (#7779)
- Fix `m365_powershell` to close the PowerShell sessions in msgraph services. (#7816)
- Fix `defender_ensure_notify_alerts_severity_is_high` check to accept high or lower severity. (#7862)
- Replace `Directory.Read.All` permission with `Domain.Read.All`, which is more restrictive. (#7888)
- Split calls to list Azure Functions attributes. (#7778)
Full Changelog: 5.7.1...5.7.2
Prowler 5.7.1
🎨 UI
🐞 Fixes
- Added validation to AWS IAM role. (#7787)
- Tweak some wording for consistency throughout the app. (#7794)
- Retrieve more than 10 providers in /scans, /manage-groups and /findings pages. (#7793)
💻 API
🐛 Fixes
- Added database index to improve performance on finding lookup. (#7800)
Full Changelog: 5.7.0...5.7.1
Prowler 5.7.0
New features to highlight in this version
🚀 Performance Improvements
- Optimized `/findings/metadata` and resource-related filters for significantly faster querying and filtering of findings
- Enhanced `/overviews` endpoints for better response times and scalability in large environments
- Added new high-performance endpoints to fetch the latest findings and metadata quickly
Important
The performance optimization included in `/findings` and `/findings/metadata` applies to scans from this release on. This also applies to the `service`, `region` and `resource_type` filters for these views.
These updates collectively reduce latency, improve data freshness, and scale better across high-volume environments.
👨💻 GitHub Provider (CLI Only)
We’ve added GitHub as a new cloud provider in the Prowler CLI, including:
- 11 security checks tailored for GitHub; see them all with `prowler github --list-checks` or in Prowler Hub at https://hub.prowler.com/
- Based on CIS GitHub Benchmark v1.0.0
Warning
Currently available in the CLI only — support for the App is coming in an upcoming release!
Tip
Try it out now with `prowler github`
📘 Prowler ThreatScore for Microsoft 365
We’ve extended Prowler ThreatScore to support Microsoft 365 environments:
- Assigns a contextual risk score to your M365 tenant based on detected misconfigurations and best practices
- Helps prioritize remediation efforts with actionable insights
- Enhances visibility into your Microsoft 365 security posture
Tip
Try it out now with `prowler m365 --compliance prowler_threatscore_m365`
📘 CIS M365 Benchmark v4.0.0
You can now assess your M365 environment against the CIS v4.0 framework. This brings M365 in line with our existing CIS support for AWS, GCP, Kubernetes and Azure, expanding your ability to meet compliance requirements across cloud platforms.
Tip
Try it out now with `prowler m365 --compliance cis_4.0_m365`
📘 CIS AWS Foundations Benchmark v5.0.0
Prowler now includes full coverage for the CIS AWS Foundations Benchmark version 5.0.0, aligning with the latest security best practices from the Center for Internet Security.
Tip
Try it out now with `prowler aws --compliance cis_5.0_aws`
Provider UID Filter Enhanced
We’ve significantly enhanced the Provider UID filter in the App to make multi-cloud analysis faster and more intuitive:
- 🌐 Provider icons (AWS, GCP) for instant visual identification
- 🏷️ Including the Cloud Provider alias
☁️ AWS CloudFormation Quick Link for IAM Role Setup
We’ve streamlined the setup process for AWS IAM Role credentials with a new CloudFormation Quick Link:
- Launch the required IAM Role stack in one click
- Pre-filled with the necessary permissions and trust policies
- Available directly in the IAM Role credentials step for faster onboarding

This update helps you get started with Prowler in AWS faster and with fewer manual steps.
🎨 UI
🚀 Added
- Add a new chart to show the split between passed and failed findings. (#7680)
- Added `Accordion` component. (#7700)
- Improve `Provider UID` filter by adding more context and enhancing the UI/UX. (#7741)
- Added an AWS CloudFormation Quick Link to the IAM Role credentials step (#7735)
- Use `getLatestFindings` on findings page when no scan or date filters are applied. (#7756)
🐞 Fixed
- Fix form validation in launch scan workflow. (#7693)
- Moved ProviderType to a shared types file and replaced all occurrences across the codebase. (#7710)
- Added filter to retrieve only connected providers on the scan page. (#7723)
- Removed the alias if not added from findings detail page. (#7751)
💻 API
🚀 Added
- Added huge improvements to `/findings/metadata` and resource-related filters for findings (#7690).
- Added improvements to `/overviews` endpoints (#7690).
- Added new queue to perform backfill background tasks (#7690).
- Added new endpoints to retrieve latest findings and metadata (#7743).
🔧 SDK
🚀 Added
- Update the compliance list supported for each provider from docs. (#7694)
- Allow setting cluster name in in-cluster mode in Kubernetes. (#7695)
- Add Prowler ThreatScore for M365 provider. (#7692)
- Add GitHub provider. (#5787)
- Add `repository_default_branch_requires_multiple_approvals` check for GitHub provider. (#6160)
- Add `repository_default_branch_protection_enabled` check for GitHub provider. (#6161)
- Add `repository_default_branch_requires_linear_history` check for GitHub provider. (#6162)
- Add `repository_default_branch_disallows_force_push` check for GitHub provider. (#6197)
- Add `repository_default_branch_deletion_disabled` check for GitHub provider. (#6200)
- Add `repository_default_branch_status_checks_required` check for GitHub provider. (#6204)
- Add `repository_default_branch_protection_applies_to_admins` check for GitHub provider. (#6205)
- Add `repository_branch_delete_on_merge_enabled` check for GitHub provider. (#6209)
- Add `repository_default_branch_requires_conversation_resolution` check for GitHub provider. (#6208)
- Add `organization_members_mfa_required` check for GitHub provider. (#6304)
- Add GitHub provider documentation and CIS v1.0.0 compliance. (#6116)
- Add CIS 5.0 compliance framework for AWS. (#7766)
- Add CIS 4.0 for M365 provider. (#7699)
🐞 Fixed
- Update and upgrade CIS for all the providers (#7738)
- Cover policies with conditions with SNS endpoint in `sns_topics_not_publicly_accessible`. (#7750)
- Change severity logic for `ec2_securitygroup_allow_ingress_from_internet_to_all_ports` check. (#7764)
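The `sns_topics_not_publicly_accessible` fix above is about a common false positive: a topic policy whose Principal is `*` is not actually public when a Condition pins the caller to a specific account, ARN, organization or VPC endpoint. The following is an added example of that classification, not Prowler's own check code; the topic policy is constructed, and the set of caller-scoping condition keys is this example's own assumption.

```python
"""Classify SNS topic policy statements as public or scoped by condition.

Added example, not Prowler's own check code. The topic policy below is
constructed, and SCOPING_CONDITION_KEYS is an assumption of this example.
"""

# Condition keys that tie a "*" principal to a specific account, ARN,
# organization or VPC endpoint. A statement carrying one of these is not
# reachable by arbitrary callers even though its Principal is "*".
SCOPING_CONDITION_KEYS = {
    "aws:sourceaccount", "aws:sourcearn", "aws:sourceowner",
    "aws:principalaccount", "aws:principalarn", "aws:principalorgid",
    "aws:sourcevpc", "aws:sourcevpce",
}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal):
    """Principal may be the bare string "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _condition_scopes_caller(condition):
    """Condition is {operator: {key: value}}; "Null" operators only test whether a
    key is present and do not pin the caller down, so they are ignored."""
    for operator, pairs in (condition or {}).items():
        if operator.lower().startswith("null"):
            continue
        if any(key.lower() in SCOPING_CONDITION_KEYS for key in pairs):
            return True
    return False


def public_statements(policy):
    """Return the Sids of Allow statements that any principal can use."""
    public = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if _condition_scopes_caller(stmt.get("Condition")):
            continue
        public.append(stmt.get("Sid", f"Statement[{idx}]"))
    return public


# Constructed sample topic policy covering the cases that matter:
# a service principal, a "*" principal scoped by aws:SourceAccount,
# a "*" principal with no condition, a "*" principal whose only condition
# is a transport requirement, and a Deny.
SAMPLE_TOPIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "S3EventPublish", "Effect": "Allow",
         "Principal": {"Service": "s3.amazonaws.com"}, "Action": "SNS:Publish",
         "Resource": "arn:aws:sns:us-east-1:123456789012:alerts"},
        {"Sid": "ScopedSubscribe", "Effect": "Allow", "Principal": "*",
         "Action": "SNS:Subscribe",
         "Resource": "arn:aws:sns:us-east-1:123456789012:alerts",
         "Condition": {"StringEquals": {"aws:SourceAccount": "123456789012"}}},
        {"Sid": "OpenSubscribe", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["SNS:Subscribe", "SNS:Receive"],
         "Resource": "arn:aws:sns:us-east-1:123456789012:alerts"},
        {"Sid": "TlsOnly", "Effect": "Allow", "Principal": "*",
         "Action": "SNS:Publish",
         "Resource": "arn:aws:sns:us-east-1:123456789012:alerts",
         "Condition": {"Bool": {"aws:SecureTransport": "true"}}},
        {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*",
         "Action": "SNS:*",
         "Resource": "arn:aws:sns:us-east-1:123456789012:alerts",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}

if __name__ == "__main__":
    print("public statements:", public_statements(SAMPLE_TOPIC_POLICY))
```

`TlsOnly` is reported even though it has a Condition: requiring TLS says nothing about who the caller is. `ScopedSubscribe` is not reported because `aws:SourceAccount` restricts it to one account.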
Full Changelog: 5.6.0...5.7.0
Prowler 5.6.0
New features to highlight in this version
☁️ Microsoft 365 (M365) support in Prowler App
You can now onboard and assess Microsoft 365 environments, both in Prowler App and CLI.

This release includes 33 new checks for Teams, Defender, Purview and Exchange — helping security teams strengthen identity governance and reduce risk exposure across Microsoft 365.
Check the new M365 checks with `prowler m365 --services teams defender purview exchange --list-checks`
Thanks to the new UI team members @sumit-tft and @alejandrobailo for the effort put into this 🥇
📖 Compliance Exports
You can now download individual compliance frameworks directly from the Compliance page in the Prowler App, making it easier to share specific audit results with internal teams or external auditors.

In addition, the overall scan report now bundles all supported compliance frameworks, giving you a complete view of your organization's posture in a single export.

This feature is available starting with this release; previous scans will not include Compliance Frameworks.
🧩 Explore Prowler Hub – Your Source for Checks and Compliance Frameworks
We’ve launched Prowler Hub — Knowledge is p(r)ow(l)er.
Prowler Hub is our growing public library of versioned checks, cloud service artifacts, and compliance frameworks with their mappings. It’s searchable, explainable, and built to serve the community. It helps answer the question every engineer has asked at some point: What does this check actually do?
Prowler Hub also provides a fully documented public API that you can integrate into your internal tools, dashboards, or automation workflows.
📚 Explore the API docs at: https://hub.prowler.com/api/docs
Whether you’re customizing policies, managing compliance, or enhancing visibility, Prowler Hub is built to support your security operations.
Thanks to @miguelaeh and @cesararroba for their work to make this happen 👏
❗ Delta indicator for findings
We’ve introduced a delta dot (•) next to findings that are new or have changed since the previous scan. This makes it easier for security teams to focus on what’s new, track changes over time, and prioritize triage and remediation efforts more efficiently.
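The delta marker is a comparison of two scans keyed by a stable finding identity. The following is an added example of that comparison, not Prowler's own implementation: findings are keyed by check id plus resource and compared on status, the two scans are constructed, and in addition to the "new or changed" marker described above it reports findings that disappeared between scans ("resolved").

```python
"""Compute the delta between two scans' findings and render the delta marker.

Added example, not Prowler's own implementation. The two scans below are
constructed; the uid (check id + resource) is this example's own choice.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    check_id: str
    resource: str
    status: str      # "PASS", "FAIL" or "MANUAL"
    severity: str    # "critical", "high", "medium", "low"

    @property
    def uid(self):
        return f"{self.check_id}|{self.resource}"


def finding_delta(previous, current):
    """Map each uid to 'new', 'changed', 'resolved' or None (unchanged).

    'resolved' goes beyond the marker described on the page: it is a finding
    present in the previous scan but absent from the current one.
    """
    prev = {f.uid: f for f in previous}
    curr = {f.uid: f for f in current}
    delta = {}
    for uid, f in curr.items():
        old = prev.get(uid)
        if old is None:
            delta[uid] = "new"
        elif old.status != f.status:
            delta[uid] = "changed"
        else:
            delta[uid] = None
    for uid in prev.keys() - curr.keys():
        delta[uid] = "resolved"
    return delta


def triage_order(current, delta):
    """Findings to look at first: new or changed FAILs, most severe first."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    flagged = [f for f in current if f.status == "FAIL" and delta.get(f.uid)]
    return sorted(flagged, key=lambda f: rank.get(f.severity, 9))


def render(finding, delta):
    """One table row; the dot marks findings that are new or changed."""
    marker = "\u2022" if delta.get(finding.uid) in ("new", "changed") else " "
    return f"{marker} {finding.status:<6} {finding.severity:<8} {finding.check_id} {finding.resource}"


# Constructed scans: bucket-a was fixed, bucket-b is unchanged, the security
# group finding went away, and a new critical root-account finding appeared.
PREVIOUS_SCAN = [
    Finding("s3_bucket_public_access", "bucket-a", "FAIL", "high"),
    Finding("s3_bucket_public_access", "bucket-b", "PASS", "high"),
    Finding("ec2_securitygroup_open_ssh", "sg-1", "FAIL", "medium"),
]
CURRENT_SCAN = [
    Finding("s3_bucket_public_access", "bucket-a", "PASS", "high"),
    Finding("s3_bucket_public_access", "bucket-b", "PASS", "high"),
    Finding("iam_root_mfa_enabled", "root", "FAIL", "critical"),
]

if __name__ == "__main__":
    delta = finding_delta(PREVIOUS_SCAN, CURRENT_SCAN)
    for f in CURRENT_SCAN:
        print(render(f, delta))
    print("triage first:", [f.uid for f in triage_order(CURRENT_SCAN, delta)])
```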

✅ Prowler ThreatScore Compliance Framework
The new Prowler ThreatScore compliance framework is now available for AWS, Azure, and GCP. Built on Prowler ThreatScore, it provides a unified way to assess cloud security posture across providers. ThreatScore evaluates your environment across four critical areas: Identity and Access Management, Attack Surface, Forensic Readiness, and Encryption — helping teams monitor, prioritize, and remediate risks more effectively in multi-cloud environments.
Try it out for your favourite provider with `prowler <provider> --compliance prowler_threatscore_<provider>`
📄 SOC2 for Azure
You can now assess your Azure environment against the SOC2 framework. This brings Azure in line with our existing SOC2 support for AWS and GCP, expanding your ability to meet compliance requirements across cloud platforms.
Try it out now with `prowler azure --compliance soc2_azure`
🛡️ New Google Cloud Platform check - Unused Service Accounts
A new check has been added to detect unused service accounts in Google Cloud Platform (GCP). This helps identify dormant identities that may pose a risk if left unmanaged, enabling security teams to reduce attack surface by pruning unnecessary access credentials.
Try it out now with `prowler gcp --check iam_service_account_unused`
Thanks to @bgdanix 🏅
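The check above flags dormant identities. The decision it has to make is not just "old last-use timestamp": an account that has never authenticated is only suspicious once it is old enough that it should have been used, and an already-disabled account is no longer an active risk. The following is an added example of that logic, not Prowler's own check implementation; the inventory is constructed and the 90-day idle threshold is this example's own assumption.

```python
"""Flag service accounts that have not authenticated within an idle window.

Added example, not Prowler's own check implementation. The inventory below is
constructed (the fields would normally come from an IAM inventory or activity
logs), and the 90-day threshold is an assumption.
"""
from datetime import datetime, timedelta, timezone


def _parse(ts):
    """ISO-8601 with a trailing Z -> aware datetime; None stays None."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None


def unused_service_accounts(accounts, now, max_idle_days=90):
    """Return (email, reason) for every enabled account idle longer than the window."""
    threshold = now - timedelta(days=max_idle_days)
    flagged = []
    for acct in accounts:
        if acct.get("disabled"):
            continue  # already neutralized; nothing to prune
        created = _parse(acct["created"])
        last_auth = _parse(acct.get("last_authenticated"))
        if last_auth is None:
            # Never used: only flag once the account is older than the window,
            # so freshly created accounts awaiting rollout are not reported.
            if created <= threshold:
                flagged.append((acct["email"], "never authenticated"))
        elif last_auth <= threshold:
            flagged.append((acct["email"], f"idle for {(now - last_auth).days} days"))
    return flagged


# Constructed inventory for a fictional project; timestamps are UTC.
NOW = datetime(2025, 7, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    {"email": "ci-deploy@example-project.iam.gserviceaccount.com",
     "created": "2024-01-01T00:00:00Z", "last_authenticated": "2025-06-28T12:00:00Z"},
    {"email": "legacy-export@example-project.iam.gserviceaccount.com",
     "created": "2023-05-10T00:00:00Z", "last_authenticated": "2024-11-15T00:00:00Z"},
    {"email": "new-onboarding@example-project.iam.gserviceaccount.com",
     "created": "2025-06-20T00:00:00Z", "last_authenticated": None},
    {"email": "forgotten-poc@example-project.iam.gserviceaccount.com",
     "created": "2024-02-01T00:00:00Z", "last_authenticated": None},
    {"email": "retired@example-project.iam.gserviceaccount.com",
     "created": "2022-01-01T00:00:00Z", "last_authenticated": "2023-01-01T00:00:00Z",
     "disabled": True},
]

if __name__ == "__main__":
    for email, reason in unused_service_accounts(SAMPLE_ACCOUNTS, NOW):
        print(f"{email}: {reason}")
```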
🤖 Prowler Studio
Security isn’t one-size-fits-all, and neither are your risks. Prowler Studio lets your team define exactly what “secure” means in your environment. Write custom checks, build fixers, and map them to your compliance requirements—visually or through code.
We're excited to announce major updates to Prowler Studio, including a new package management system using `uv` and a modular structure with separated sub-packages:
- `prowler-studio` (includes Core + CLI by default)
- `prowler-studio-core`
- `prowler-studio-cli`
- `prowler-studio-api`
- `prowler-studio-mcp-server`
This release also introduces seamless integration with AI code assistants via the MCP Server and comprehensively improved documentation for each component.
🎨 UI
🚀 Features
- Support for the `M365` Cloud Provider. (#7590)
- Added option to customize the number of items displayed per table page. (#7634)
- Add delta attribute in findings detail view. (#7654)
- Add delta indicator in new findings table. (#7676)
- Add a button to download the CSV report in compliance card. (#7665)
- Show loading state while checking provider connection. (#7669)
🔄 Changed
- Finding URLs now include the ID, allowing them to be shared within the organization. (#7654)
- Show Add/Update credentials depending on whether a secret is already set or not. (#7669)
🐞 Fixes
- Set a default session duration when configuring an AWS Cloud Provider using a role. (#7639)
- Error about page number persistence when filters change. (#7655)
💻 API
🚀 Features
- Added M365 as a new provider (#7563).
- Added a `compliance/` folder and ZIP-export functionality for all compliance reports. (#7653)
- Added a new API endpoint to fetch and download any specific compliance file by name (#7653).
🔧 SDK
🚀 Features
- Add SOC2 compliance framework to Azure (#7489).
- Add check for unused Service Accounts in GCP (#7419).
- Add Powershell to Microsoft365 (#7331).
- Add service Defender to Microsoft365 with one check for Common Attachments filter enabled in Malware Policies (#7425).
- Add check for Outbound Antispam Policy well configured in service Defender for M365 (#7480).
- Add check for Antiphishing Policy well configured in service Defender in M365 (#7453).
- Add check for Notifications for Internal users enabled in Malware Policies from service Defender in M365 (#7435).
- Support CLOUDSDK_AUTH_ACCESS_TOKEN in GCP (#7495).
- Add service Exchange to Microsoft365 with one check for Organizations Mailbox Auditing enabled (#7408)
- Add check for Bypass Disable in every Mailbox for service Defender in M365 (#7418)
- Add new check `teams_external_domains_restricted` (#7557)
- Add new check `teams_email_sending_to_channel_disabled` (#7533)
- Add new check for External Mails Tagged for service Exchange in M365 (#7580)
- Add new check for WhiteList not used in Transport Rules for service Defender in M365 (#7569)
- Add check for Inbound Antispam Policy with no allowed domains from service Defender in M365 (#7500)
- Add new check `teams_meeting_anonymous_user_join_disabled` (#7565)
- Add new check `teams_unmanaged_communication_disabled` (#7561)
- Add new check `teams_external_users_cannot_start_conversations` (#7562)
- Add new check for AllowList not used in the Connection Filter Policy from service Defender in M365 (#7492)
- Add new check for SafeList not enabled in the Connection Filter Policy from service Defender in M365 [(#7492)](https://github....
Prowler 5.5.1
🔧 SDK
Fixes
- Add default name to contacts in Azure Defender (#7483)
- Handle projects without ID in GCP (#7496)
- Restore packages location in PyProject (#7510) to restore `prowler` and `prowler dashboard`
Full Changelog: 5.5.0...5.5.1