Prowler 4.2.0 - 2 Minutes to Midnight

The blind men shout,
"Let the creatures out! We'll show the unbelievers"

Here we have Prowler 4.2.0 - 2 Minutes to Midnight 🚀 bringing a new look for Prowler with this Iron Maiden song.

New features to highlight in this version

🥳 New Prowler logo
This version comes with a new look of Prowler thanks to the new logo:

💪🏼 55 New AWS checks
Prowler is improving its AWS coverage by including 55 new checks for Kafka, Lightsail, Storage Gateway, DynamoDB, Cognito, EC2, EventBridge, SNS and RDS.
Special thanks to our external contributors @madereddy, @rieck-srlabs and @Davidm4r for doing new checks 🙌
See all the new available checks with prowler aws --list-checks

📝 HTML output is back!
We have listened you and as our community is always first, we brought our HTML back 😄
Get it again with prowler <provider> -M/--output-formats html

✍️ Custom Checks Metadata
Now you can override the all the metadata fields from a check using the --custom-checks-metadata-file custom_checks_metadata.yaml flag.

See more in https://docs.prowler.cloud/en/latest/tutorials/custom-checks-metadata/

🔧 Other issues and bug fixes solved for all the cloud providers

Features

• feat(aws): Add new kafka service by @puchy22 in #4001
• feat(aws): Lightsail new service and checks by @puchy22 in #3919
• feat(aws): New Storage Gateway FileShare KMS CMK Check by @madereddy in #4082
• feat(aws): new dynamodb_table_cross_account_access check by @sergargar in #3932
• feat(cognito): Add new checks related with cognito service by @pedrooot in #3898
• feat(compliance): Update RBI compliance framework by @pedrooot in #4026
• feat(custom-checks-metadata): add new fields by @pedrooot in #3976
• feat(dashboard): add idgrupocontrol description in compliance page for ens by @pedrooot in #3910
• feat(dashboard): add more fields to dashboard overview component by @pedrooot in #4084
• feat(dashboard): Improve table overview by @pedrooot in #4015
• feat(dashboard): Multiple changes in compliance page by @pedrooot in #4051
• feat(ec2): Add 2 new checks + fixers related with EC2 service by @pedrooot in #3827
• feat(ec2): add EC2 Security group check to verify if at least one port is opened by @sergargar in #3962
• feat(ec2): New EC2 AWS check (#852) by @rieck-srlabs in #4076
• feat(ec2): add checks for EC2 instances with exposed ports to the internet by @sergargar in #4029
• feat(eventbridge): add EventBridge checks by @sergargar in #4020
• feat(json-ocsf): Add new fields for py-ocsf 0.1.0 by @pedrooot in #3853
• feat(Kafka): New Kafka AWS checks by @puchy22 in #4021
• feat(kubernetes): Handle empty --kubeconfig-file by @pedrooot in #3980
• feat(logo): add new Prowler logo! by @sergargar in #4090
• feat(output): Add HTML outputs to Prowler by @pedrooot in #4005
• feat(rds): Add AWS RDS clusters to transport encryption check by @madereddy in #4028
• feat(rds): Add RDS certificate expiration check by @madereddy in #4002
• feat(sns): sns topics no http subscriptions by @Davidm4r in #4095

Fixes

• fix(actions): Don't need expressions within if by @jfagoagas in #3733
• fix(aws_lambda): Update obsolete lambda runtimes by @pedrooot in #3735
• fix(ulimit): import library only in windows by @sergargar in #3738
• fix(download): remove dataframe index from download in dashboard by @pedrooot in #3739
• fix(json-ocsf): add check_id field in json-ocsf output by @pedrooot in #3740
• fix(json-ocsf): Add missing fields for JSON-OCSF by @pedrooot in #3745
• fix(ocsf): Include check_id as metadata.event_code by @jfagoagas in #3748
• fix(json-ocsf): Remove risk field from unmapped by @pedrooot in #3759
• fix(wafv2): Handle WAFNonexistentItemException by @pedrooot in #3761
• fix(compliance): Add muted info to compliance outputs by @pedrooot in #3751
• fix(mutelist): if all fails are muted do exit 0 by @jfagoagas in #3754
• fix(ocsf): Add compliance by @jfagoagas in #3753
• fix(rds): ParameterValue MySQL and MariaDB RDS Instances by @sansns in #4116
• fix(security-hub): MUTED -> WARNING by @jfagoagas in #3768
• fix(slack): Use global provider object by @jfagoagas in #3770
• fix(trufflehog): fix GitHub action of TruffleHog by @sergargar in #3775
• fix(table-overview): Multiple changes on dashboard table from overview by @pedrooot in #3773
• fix(utils): import libraries when needed by @sergargar in #3805
• fix(network_azure): handle capitalized protocols in security group rules by @pedrooot in #3808
• fix(execute_check): Handle ModuleNotFoundError by @jfagoagas in #3812
• fix(overview-table): change font in overview table by @pedrooot in #3815
• fix(dashboard): fix error in windows for csvreader by @pedrooot in #3806
• fix(ocsf): Add resource details to data by @jfagoagas in #3819

Chores

• chore(aws): Add failed_checks to track by @kagahd in #4018
• chore(aws): cleanup aws test cases and standardize checks by @madereddy in #4053
• chore(aws): cleanup aws test cases by @madereddy in #4049
• chore(check): global_provider is not needed here by @jfagoagas in #3828
• chore(CLI): start working on CLI by @pedrooot in #4067
• chore(compliance): change security group any port check by @sergargar in #4019
• chore(docs): remove unnecessary line by @sergargar in #3933
• chore(docs): solve some issues by @sergargar in #3868
• chore(docs): update BridgeCrew links in metadata to our local docs link by @sergargar in #3858
• chore(docs): add mapping of CSV headers with providers by @sergargar in #4118
• chore(docs): Update docs related with the Prowler Dashboard by @pedrooot in #4113
• chore(execute_checks): remove mutelist since it is within the provider by @jfagoagas in #4052
• chore(gcp): handle list projects API call errors by @sergargar in #3849
• chore(get_tagged_resources): Add return value type hint by @mlmerchant in #3860
• chore(global_provider): Move methods to class as static by @jfagoagas in #3896
• chore(IAM): Improve IAM checks for Azure by @puchy22 in #4061
• chore(issue-template): Modify issue template to add logs by @pedrooot in #3924
• chore(labeler): Add cli label by @jfagoagas in #4069
• chore(logo): resize logo in README and update favicon and architecture by @sergargar in #4092
• chore(logo-dashboard): update logo in dashboard by @pedrooot in #4088
• chore(logo-html): update html logo by @pedrooot in #4089
• chore(mitre azure): add mapping to mitre for azure provider by @n4ch04 in #3857
• chore(mitre gcp): add mitre mapping for gcp by @n4ch04 in #3899
• chore(mutelist): improve default AWS mutelist with ControlTower by @sergargar in #3904
• ch...

Prowler 3.16.5 - Back in the Village

What's Changed

Chores

• chore(backport): include latest changes of v4 in v3 by @sergargar in #4027
  • fix(rds): add ReadReplicaSourceDBInstanceIdentifier to db_instance (#3912)
  • feat(ec2): add EC2 Security group check to verify if at least one port is open (#3962)
  • chore(regions_update): Changes in regions for AWS services. (#3965)
  • chore(rds): support more AWS RDS DB Instance engines in encryption check (#3968)
  • chore(regions_update): Changes in regions for AWS services. (#3971)
  • chore(deps): remove mrestazure deprecated (#3974)
  • chore(regions_update): Changes in regions for AWS services. (#4009)
  • fix(elasticache): make previous comprobations for subnet (#4014)
  • chore(regions_update): Changes in regions for AWS services. (#4017)
  • chore(compliance): change security group any port check. (#4019)
  • chore(regions_update): Changes in regions for AWS services. (#4023)
• chore(safety-v3): ignore pip vulnerability by @sergargar in #4008

Dependencies

• chore(deps): bump azure-mgmt-cosmosdb from 9.4.0 to 9.5.0 by @dependabot in #4047
• chore(deps): bump azure-mgmt-security from 6.0.0 to 7.0.0 by @dependabot in #4040
• chore(deps): bump azure-storage-blob from 12.19.1 to 12.20.0 by @dependabot in #3996
• chore(deps): bump boto3 from 1.34.94 to 1.34.99 by @dependabot in #3993
• chore(deps): bump boto3 from 1.34.99 to 1.34.105 by @dependabot in #4045
• chore(deps): bump botocore from 1.34.99 to 1.34.105 by @dependabot in #4012
• chore(deps): bump botocore from 1.34.105 to 1.34.109 by @dependabot in #4042
• chore(deps): bump google-api-python-client from 2.127.0 to 2.129.0 by @dependabot in #3995
• chore(deps): bump msgraph-sdk from 1.3.0 to 1.4.0 by @dependabot in #4046
• chore(deps): bump slack-sdk from 3.27.1 to 3.27.2 by @dependabot in #4044
• chore(deps): bump trufflesecurity/trufflehog from 3.75.1 to 3.76.3 by @dependabot in #4048
• chore(deps-dev): bump freezegun from 1.5.0 to 1.5.1 by @dependabot in #4000
• chore(deps-dev): bump moto from 5.0.6 to 5.0.7 by @dependabot in #3999
• chore(deps-dev): bump pylint from 3.1.0 to 3.2.0 by @dependabot in #4013
• chore(deps-dev): bump pylint from 3.2.0 to 3.2.2 by @dependabot in #4043
• chore(deps-dev): bump pytest from 8.2.0 to 8.2.1 by @dependabot in #4041

Full Changelog: 3.16.4...3.16.5

Prowler 3.16.4 - Back in the Village

What's Changed

Chores

• chore(v3): backport latest v4 changes by @sergargar in #3916

  • test(gcp): Add new services tests to GCP (#3796)
  • fix(aws): not show findings when AccessDenieds (#3803)
  • fix(metadata): remove semicolons from metadata texts (#3830)
  • chore(regions_update): Changes in regions for AWS services. (#3848)
  • chore(gcp): handle list projects API call errors (#3849)
  • chore(regions_update): Changes in regions for AWS services. (#3855)
  • fix(KeyError): handle CacheSubnetGroupName keyError (#3856)
  • chore(docs): update BridgeCrew links in metadata to our local docs li…
  • chore(regions_update): Changes in regions for AWS services. (#3862)
  • fix(efs): check all public conditions (#3872)
  • docs(unit-testing): Add GCP services documentation (#3901)
  • fix(vpc): solve subnet route key error (#3902)
  • fix(vpc): solve AWS principal key error (#3903)
  • fix(ec2): handle non-existing private ip (#3906)
  • chore(regions_update): Changes in regions for AWS services. (#3908)
  • test(gcp): Add Compute client the project_ids parameter (#3918)
  • chore(regions_update): Changes in regions for AWS services. (#3915)
  • fix(efs): change public EFS check metadata (#3917)
  • chore(regions_update): Changes in regions for AWS services. (#3929)

• chore(backport): Add latest changes by @jfagoagas in #3960

  • chore(regions_update): Changes in regions for AWS services. (#3957)
  • fix(s3): Handle if regional client is present (#3959)

Fixes

• fix(aws): Extend opensearch_service_domains_use_cognito_authentication_for_kibana with SAML by @kagahd in #3861
• fix(html): Produce valid HTML output in Prowler v3 by @rieck-srlabs in #3863

Dependencies

• chore(deps): bump azure-mgmt-compute from 30.6.0 to 31.0.0 by @dependabot in #3890
• chore(deps): bump boto3 from 1.34.84 to 1.34.94 by @dependabot in #3895
• chore(deps): bump botocore from 1.34.89 to 1.34.94 by @dependabot in #3884
• chore(deps): bump trufflesecurity/trufflehog from 3.73.0 to 3.74.0 by @dependabot in #3873
• chore(deps-dev): bump black from 24.4.0 to 24.4.2 by @dependabot in #3892
• chore(deps-dev): bump coverage from 7.4.4 to 7.5.0 by @dependabot in #3885
• chore(deps-dev): bump freezegun from 1.4.0 to 1.5.0 by @dependabot in #3887
• chore(deps-dev): bump moto from 5.0.5 to 5.0.6 by @dependabot in #3888
• chore(deps-dev): bump pytest-xdist from 3.5.0 to 3.6.1 by @dependabot in #3893
• chore(deps-dev): bump pytest from 8.1.1 to 8.2.0 by @dependabot in #3889

Full Changelog: 3.16.3...3.16.4

Prowler 3.16.3 - Back in the Village

What's Changed

Fixes

• fix(trufflehog): fix GitHub action of TruffleHog by @sergargar in #3774

Chores

• chore(release): 3.16.2 by @jfagoagas in #3771
• chore(CODEOWNERS): Add prowler-dev for v3 by @jfagoagas in #3776
• chore(deps): bump botocore from 1.34.77 to 1.34.84 by @dependabot in #3784
• chore(deps): bump trufflesecurity/trufflehog from 3.72.0 to 3.73.0 by @dependabot in #3787
• chore(deps-dev): bump black from 24.3.0 to 24.4.0 by @dependabot in #3781
• chore(deps): bump azure-identity from 1.15.0 to 1.16.0 by @dependabot in #3785
• chore(deps): bump boto3 from 1.34.77 to 1.34.84 by @dependabot in #3790
• chore(deps-dev): bump mkdocs-material from 9.5.17 to 9.5.18 by @dependabot in #3792
• chore(backport): include latest changes of v4 in v3 by @sergargar in #3825
  ** chore(rds): improve rds public instance check by @sergargar in #3797
  ** chore(ec2): improve handling of ENIs by @sergargar in #3798
  ** docs(developer guide): fix broken link by @mlmerchant in #3799
  ** fix(network_azure): handle capitalized protocols in security group rules by @pedrooot in #3808
  ** chore(vpc): improve public subnet logic by @sergargar in #3814
  ** fix(aws): Include record names for dangling IPs by @rieck-srlabs in #3821
  ** fix(aws): Corrects privilege escalation vectors by @rieck-srlabs in #3823
• chore(backport): include latest changes to version 3 by @sergargar in #3846
• chore(deps): bump msgraph-sdk from 1.2.0 to 1.3.0 by @dependabot in #3838
• chore(deps): bump botocore from 1.34.84 to 1.34.89 by @dependabot in #3841
• chore(deps): bump azure-mgmt-containerservice from 29.1.0 to 30.0.0 by @dependabot in #3839
• chore(deps): bump google-api-python-client from 2.125.0 to 2.127.0 by @dependabot in #3843

Full Changelog: 3.16.2...3.16.3

Prowler 4.1.0 - Aces High

There goes the siren that warns of the air raid
There comes the sound of the guns sending flak
Out for the scramble we've got to get airborne
Got to get up for the coming attack

Here we have Prowler 4.1.0 Aces High 🚀 ready to help you improve your Cloud security with this Iron Maiden song.

New features to highlight in this version

🖊️ GCP flags to list, exclude/include Project IDs

• Now the --project-ids flag allows you to use *, as a prefix or suffix, to include the project ids you want to scan.
• The --list-project-ids allows you to copy and paste values and know the accessible projects to be scanned with the provided crendentials.
• The --excluded-project-ids flag allows you to exclude the projects to be scanned and it also accepts *.

🔨 13 new fixers (remediations) for AWS

• We have included 13 new fixers for services like Access Analyzer, CloudTrail, GuardDuty, KMS, Security Hub and IAM. You can get all the available fixers with prowler aws --list-fixers then go per check to remediate the failed findings by prowler aws --check guardduty_is_enabled --fixer.
• Some of those fixers are configurable using the fixer_config.yaml file present in the prowler/config folder. You can read more about the fixer and how to configure it here

📘 New fields for the OCSF Detection Finding

• We have included the check_id, compliance and all the Prowler check's metadata within the OCSF Detection Finding that Prowler generates in the .ocsf.json output file. You can read more about this finding format here.

🔧 Other issues and bug fixes solved for all the cloud providers

Features

• feat(gcp): improve Google Projects scan customization by @sergargar in #3741

Fixes

• fix(actions): Don't need expressions within if by @jfagoagas in #3733
• fix(aws_lambda): Update obsolete lambda runtimes by @pedrooot in #3735
• fix(ulimit): import library only in windows by @sergargar in #3738
• fix(download): remove dataframe index from download in dashboard by @pedrooot in #3739
• fix(json-ocsf): add check_id field in json-ocsf output by @pedrooot in #3740
• fix(json-ocsf): Add missing fields for JSON-OCSF by @pedrooot in #3745
• fix(ocsf): Include check_id as metadata.event_code by @jfagoagas in #3748
• fix(json-ocsf): Remove risk field from unmapped by @pedrooot in #3759
• fix(wafv2): Handle WAFNonexistentItemException by @pedrooot in #3761
• fix(compliance): Add muted info to compliance outputs by @pedrooot in #3751
• fix(mutelist): if all fails are muted do exit 0 by @jfagoagas in #3754
• fix(ocsf): Add compliance by @jfagoagas in #3753
• fix(security-hub): MUTED -> WARNING by @jfagoagas in #3768
• fix(slack): Use global provider object by @jfagoagas in #3770
• fix(trufflehog): fix GitHub action of TruffleHog by @sergargar in #3775
• fix(table-overview): Multiple changes on dashboard table from overview by @pedrooot in #3773
• fix(utils): import libraries when needed by @sergargar in #3805
• fix(network_azure): handle capitalized protocols in security group rules by @pedrooot in #3808
• fix(execute_check): Handle ModuleNotFoundError by @jfagoagas in #3812
• fix(overview-table): change font in overview table by @pedrooot in #3815
• fix(dashboard): fix error in windows for csvreader by @pedrooot in #3806
• fix(ocsf): Add resource details to data by @jfagoagas in #3819

Chores

• chore(version): update Prowler version by @sergargar in #3730
• chore(regions_update): Changes in regions for AWS services. by @n4ch04 in #3746
• chore(dashboard): Use Prowler CLI parser by @jfagoagas in #3722
• chore(regions_update): Changes in regions for AWS services. by @n4ch04 in #3755
• chore(regions_update): Changes in regions for AWS services. by @n4ch04 in #3765
• chore(fixer): improve fixer logic and include more by @sergargar in #3750
• chore(rds): improve rds public instance check by @sergargar in #3797
• chore(ec2): improve handling of ENIs by @sergargar in #3798
• chore(aws): Add CloudTrail Threat Detection tests by @pedrooot in #3804
• chore(fixer): add more fixers by @sergargar in #3772
• chore(vpc): improve public subnet logic by @sergargar in #3814
• chore(codeowners): Add prowler-dev team by @jfagoagas in #3763

Dependencies

• chore(deps): bump idna from 3.6 to 3.7 by @dependabot in #3758
• chore(dependabot): increase PRs limit by @sergargar in #3789
• chore(deps): bump boto3 from 1.34.80 to 1.34.84 by @dependabot in #3793
• chore(deps-dev): bump mkdocs-material from 9.5.17 to 9.5.18 by @dependabot in #3794
• chore(deps): bump azure-identity from 1.15.0 to 1.16.0 by @dependabot in #3795
• chore(deps): bump pandas from 2.2.1 to 2.2.2 by @dependabot in #3791
• chore(deps-dev): bump black from 24.3.0 to 24.4.0 by @dependabot in #3777
• chore(deps): bump trufflesecurity/trufflehog from 3.72.0 to 3.73.0 by @dependabot in #3786
• chore(deps): bump boto3 from 1.34.77 to 1.34.80 by @dependabot in #3780
• chore(deps): bump botocore from 1.34.80 to 1.34.84 by @dependabot in #3779
• chore(deps): bump dash-bootstrap-components from 1.5.0 to 1.6.0 by @dependabot in #3778
  chore(deps): bump aiohttp from 3.9.3 to 3.9.4 by @dependabot in #3818

Documentation

• docs(dashboard): Indicate how to change port by @jfagoagas in #3729
• docs(dashboard): format list by @jfagoagas in #3732
• docs: readme points to docs.prowler.com to learn everything by @jfagoagas in #3707
• chore(docs): Support toggle light/dark mode by @puchy22 in #3744
• docs(outputs): update docs for v4 outputs by @pedrooot in #3734
• docs(threat-detection): Add threat-detection docs by @pedrooot in #3757
• docs(compliance): Change images for compliance by @pedrooot in #3760
• docs(devel-guide): Adding some improves and clarifications to developer guide by @puchy22 in #3749
• docs(devel-guide): Add provider section and remove audit_info section by @puchy22 in #3756
• docs(unit-testing): Update the unit testing section by @puchy22 in #3764
• docs(developer guide): fix broken link by @mlmerchant in #3799
• docs(ocsf): Add missing fields to the example by @jfagoagas in #3816

New Contributors

• @mlmerchant made their first contribution in #3799

Full Changelog: 4.0.1...4.1.0

Prowler 3.16.2 - Back in the Village

What's Changed

Fixes

• fix(aws_lambda): Update obsolete lambda runtimes for v3 by @pedrooot in #3736
• fix(wafv2): Handle WAFNonexistentItemException v3 by @pedrooot in #3762

Chores

• chore(version): update Prowler v3 version by @sergargar in #3731
• chore(backport): v4 -> v3 by @jfagoagas in #3767
  • chore(dispatch): just for v3 by @jfagoagas in #3712
  • fix(actions): Don't need expressions within if by @jfagoagas in #3733
  • chore(regions_update): Changes in regions for AWS services by @n4ch04 in #3746, #3755, #3765
  • chore(deps): bump idna from 3.6 to 3.7 by @dependabot in #3758
  • chore(docs): Support toggle light/dark mode by @puchy22 in #3744

Full Changelog: 3.16.1...3.16.2

Prowler 4.0.1 - The Trooper

What's Changed

Fixes

• fix(actions): use LATEST_TAG for v4 by @jfagoagas in #3703
• fix(args): Handle default argument by @jfagoagas in #3674
• fix(compliance): add field ModoEjecucion in csv output for ENS by @pedrooot in #3719
• fix(dashboard): add correct label for each dropdown by @pedrooot in #3700
• fix(dashboard): Add multiple dashboard fixes by @pedrooot in #3714
• fix(dockerfile): add missing path to build by @jfagoagas in #3680
• fix(ens): add dependencias field ENS rd2022 compliance by @pedrooot in #3701
• fix(gcp): add project id to outputs by @sergargar in #3711
• fix(k8s): improve kubernetes deployment by @sergargar in #3713
• fix(k8s): sanitize context syntax only for output file names by @sergargar in #3689
• fix(service_name): fix typo in ServiceName field by @pedrooot in #3723

Chores

• chore(action): update python version to 3.12 in GH action by @sergargar in #3705
• chore(actions): Run for master and v3 by @jfagoagas in #3685
• chore(Azure): Optimize Entra service to use async funcs by @puchy22 in #3706
• chore(dependabot): Add v3 label by @jfagoagas in #3698
• chore(dependabot): Run also for v3 branch by @jfagoagas in #3683
• chore(dispatch): just for v3 by @jfagoagas in #3712
• chore(Dockerfile): remove deprecated dash dependencies by @sergargar in #3708
• chore(Dockerfile): update Python version to 3.12 by @sergargar in #3699
• chore(docs): update CloudShell scripts by @sergargar in #3687
• chore(merge): include latest changes of v3 by @sergargar in #3686
• chore(mutelist): remove space within mutelist name by @sergargar in #3690
• chore(regions): Add backport-v3 label by @jfagoagas in #3684
• chore(regions_update): Changes in regions for AWS services. by @n4ch04 in #3693
• chore(regions_update): Changes in regions for AWS services. by @n4ch04 in #3727

Documentation

• docs(dashboard): improve dashboard documentation by @pedrooot in #3688
• docs(images): fix images link in documentation by @sergargar in #3709
• docs(mutelist): remove MUTED and explain new fields by @jfagoagas in #3726

Dependencies

• build(deps): Update boto3 to version 1.34.77 by @sergargar in #3669
• chore(deps): bump botocore from 1.34.77 to 1.34.80 by @dependabot in #3715
• chore(deps): bump google-api-python-client from 2.124.0 to 2.125.0 by @dependabot in #3678
• chore(deps): bump kubernetes from 28.1.0 to 29.0.0 by @dependabot in #3679
• chore(deps): bump trufflesecurity/trufflehog from 3.71.2 to 3.72.0 by @dependabot in #3677
• chore(deps-dev): bump moto from 5.0.4 to 5.0.5 by @dependabot in #3681

Full Changelog: 4.0.0...4.0.1

Prowler 3.16.1 - Back in the Village

What's Changed

Fixes

• fix(actions): Docker v3-latest by @jfagoagas in #3692
• fix(actions): use LATEST_TAG by @jfagoagas in #3702
• fix(compliance): Add new fields to csv output for ENS compliance by @pedrooot in #3718
• fix(compliance ENS): fixing ens compliance dashboard by @n4ch04 in #3673
• fix(docs): solve docs dependencies by @sergargar in #3661
• fix(service_name): fix typo in ServiceName field for v3 by @pedrooot in #3724
• fix: typo by @jfagoagas in #3663

Chores

• chore(actions): Run for master and v3 by @jfagoagas in #3691
• chore(backport): include latest changes in v3 by @sergargar in #3728
• chore(readme): update azure count checks by @sergargar in #3667
• chore(regions_update): Changes in regions for AWS services. by @n4ch04 in #3656
• chore(regions_update): Changes in regions for AWS services. by @n4ch04 in #3676
• chore: 3.16.0 version by @jfagoagas in #3704

Docs

• docs(poetry): Add poetry command to install doc dependencies by @puchy22 in #3664
• docs(azure): test services in Azure added by @Hugo966 in #3649

Builds

• build(deps): bump msgraph-sdk from 1.1.0 to 1.2.0 by @dependabot in #3605
• chore(deps): bump google-api-python-client from 2.124.0 to 2.125.0 by @dependabot in #3695
• chore(deps): bump pydantic from 1.10.14 to 1.10.15 by @dependabot in #3716
• chore(deps): bump trufflesecurity/trufflehog from 3.71.2 to 3.72.0 by @dependabot in #3694
• chore(deps-dev): bump moto from 5.0.4 to 5.0.5 by @dependabot in #3696

Full Changelog: 3.16.0...3.16.1

Prowler 4.0.0 - The Trooper

You'll take my life, but I'll take yours too
You'll fire your musket, but I'll run you through
So when you're waiting for the next attack
You'd better stand, there's no turning back

When I started Prowler almost eight years ago, I thought about calling it The Trooper (thetrooper as in the command line sounds good but I thought prowler was even better). I can say today, with no doubt that this version 4.0 of Prowler, The Trooper, is by far the software that I always wanted to release. Now, as a company, with a whole team dedicated to Prowler (Open Source and SaaS), this is even more exciting. With standard support for AWS, Azure, GCP and also Kubernetes, with all new features, this is the beginning of a new era where Open Cloud Security makes an step forward and we say: hey WE ARE HERE FOR REAL and when you're waiting for the next attack, you'd better stand, there's no turning back

Enjoy Prowler - The Trooooooooper! 🤘🏽🔥 song!

Breaking Changes

• Allowlist now is called Mutelist
• Deprecate the AWS flag --sts-endpoint-region since we use AWS STS regional tokens.
• The --quiet option has been deprecated, now use the --status flag to select the finding's status you want to get from PASS, FAIL or MANUAL.
• To send only FAILS to AWS Security Hub, now use either --send-sh-only-fails or --security-hub --status FAIL
• All INFO finding's status has changed MANUAL.

We have deprecated some of our outputs formats:

• The HTML is replaced for the new Prowler Dashboard (prowler dashboard)
• The JSON is replaced for the JSON OCSF v1.1.0

New features to highlight in this version

Dashboard

• Prowler has local dashboard to play with gathered data easier. Run prowler dashboard and enjoy overview data and compliance.
  

🎛️ New Kubernetes provider

• Prowler has a new Kubernetes provider to improve the security posture of your clusters! Try it now with prowler kubernetes --kubeconfig-file <kube.yaml>
• CIS Benchmark 1.8 for K8s is included.

📄 Compliance

• All compliance frameworks are executed by default and stored in a new location: output/compliance

AWS

• The AWS provider execution by default does not scan unused services, you can enable it with --scan-unused-services.
• 2 new checks to detect possible threads, try it now with prowler aws --category threat-detection for Enumeration and Privilege Escalation type of activities.

🗺️ Azure

• All Azure findings includes the location!
• CIS Benchmark for Azure 2.0 and 2.1 is included.

🔇 Mutelist

• The renamed mutelist feature is available for all the providers.
• In AWS a default allowlist is included in the execution.

🌐 Outputs

• Prowler now the outputs in a common format for all the providers.
• The only JSON output now follows the OCSF Schema v1.1.0

💻 Providers

• We have unified the way of including new providers for easier development and to add new ones.

🔨 Fixer

• We have included a new argument --fix to allow you to remediate findings. You can list all the available fixers with prowler aws --list-fixers

Features

• feat(mute list): change allowlist to mute list by @sergargar in #3039
• feat(CloudProvider): introduce global provider Azure&GCP by @n4ch04 in #3069
• feat(compliance): execute all compliance by default by @sergargar in #3003
• feat(kubernetes): add Kubernetes provider by @sergargar in #3226
• feat(status): add --status flag by @sergargar in #3238
• feat(AwsProvider): include new structure for AWS provider by @n4ch04 in #3252
• feat(kubernetes): add etcd, controllermanager and rbac services by @sergargar in #3261
• feat(apiserver): new 9 Kubernetes ApiServer checks by @sergargar in #3288
• feat(apiserver): new 10 Kubernetes ApiServer checks by @sergargar in #3289
• feat(apiserver): new 10 Kubernetes ApiServer checks by @sergargar in #3290
• feat(controllermanager): add checks for Kubernetes Controller Manager by @sergargar in #3291
• feat(etcd): add checks for Kubernetes etcd by @sergargar in #3294
• feat(kubelet): add 10 checks of Kubernetes Kubelet service by @sergargar in #3302
• feat(rbac): add 9 checks of Kubernetes RBAC service by @sergargar in #3314
• feat(core): add 13 checks of Kubernetes Core service by @sergargar in #3315
• feat(kubelet): add 6 checks of Kubelet configuration files on the worker nodes by @sergargar in #3335
• feat(namespace): add --namespaces argument and solve bugs by @sergargar in #3431
• feat(mutelist): add Mute List for all providers by @sergargar in #3548
• feat(azure): locations added to Azure findings by @Hugo966 in #3596
• feat(compliance): Add CIS 1.8 framework for Kubernetes by @pedrooot in #3600
• feat(cloudtrail): add threat detection checks for AWS (enum and priv escalation) by @sergargar in #3602
• feat(fixer): add Prowler Fixer feature! by @sergargar in #3634
• feat(dashboards): add new Prowler dashboards by @pedrooot in #3575

Documentation

• docs(kubernetes): add Kubernetes documentation by @sergargar in #3482
• chore(readme): update k8s cis by @sergargar in #3640

Fixes

• fix(gcp): fix error in generating compliance by @sergargar in #3201
• fix(kubernetes): improve in-cluster execution by @sergargar in #3397
• fix(shodan): Make it available for all the providers by @jfagoagas in #3500
• fix(azure): use subscriptions in get_locations by @jfagoagas in #3541
• fix(compliance): fix csv output for framework Mitre Attack by @pedrooot in #3574
• fix(quickinventory): Adapt for the new AWS provider class by @jfagoagas in #3569
• fix(mapping): handle None attributes in data by @sergargar in #3588
• fix(securityhub): Add validation and handle errors by @jfagoagas in #3590
• fix(providers): import modules also from outside of directory by @sergargar in #3595

Chores

• chore(sts-endpoint): deprecate --sts-endpoint-region by @sergargar in #3046
• chore(manual status): change INFO to MANUAL status by @sergargar in #3254
• chore(tests): add kubernetes provider tests by @sergargar in #3265
• chore(aws): Remove old provider by @jfagoagas in #3468
• chore(kubernetes): add strong ciphers config vars by @sergargar in #3470
• chore(kubernetes): enhance checks metadata by @sergargar in #3469
• chore(azure): working version executing checks by @jfagoagas in #3472
• chore(gcp): working version executing checks by @jfagoagas in #3474
• chore(kubernetes): Working provider by @jfagoagas in #3475
• chore(aws): Simplify provider by @jfagoagas in #3481
• chore(aws): Working outputs by @jfagoagas in #3488
• chore(k8s): Working outputs by @jfagoagas in #3489
• chore(gcp): working outputs by @jfagoagas in #3490
• chore(azure): working outputs by @jfagoagas in #3491
• chore(providers): Store output options and mutelist by @jfagoagas in #3497
• chore(kubernetes): add outputs fields by @sergargar in #3499
• chore(config): Store in provider by @jfagoagas in #3498
• chore(html): deprecate output by @jfagoagas in #3501
• chore(compliance): solve compliance issues by @sergargar in #3507
• chore(csv): Common output for all the providers by @jfagoagas in #3513
• chore(json): deprecate native json by @jfagoagas i...

Prowler 3.16.0 - Back in the Village

Turn the spotlights on the people
Switch the dial and eat the worm
Take your chances, kill the engine
Drop your bombs and let it burn

Enjoy the last release of Prowler v3 🤘🏽🔥 with this Iron Maiden song!

New features to highlight in this version

💪🏼 17 New Azure checks

• Prowler is improving its Azure coverage by including 17 new checks that appears in the CIS Benchmark v2.0.0 and v2.1.0.
  See all the new available checks with prowler azure --list-checks

🔒 Azure CIS v2.0 and v2.1 coverage

• Prowler includes coverage for two new compliance frameworks for Azure CIS, v2.0.0 and v2.1.0. You can execute these new frameworks with prowler azure --compliance cis_2.1_azure

🔧 More fixes and updates for all the providers

Features

• feat(azure): New check related with diagnostics settings in subscriptions by @Hugo966 in #3539
• feat(azure): New check related with logging in Azure Key Vault by @Hugo966 in #3496
• feat(azure):App check related with http logs by @Hugo966 in #3568
• feat(entra): New 11 checks related with Microsoft Entra ID by @puchy22 in #3585
• feat(azure): New check related with trusted launch in vm by @Hugo966 in #3616
• feat(azure) New Microsoft Entra ID checks by @puchy22 in #3610
• feat(entra): Manage 403 error for getting user authentication methods by @puchy22 in #3624
• feat(azure): Check related with roles and vm access with mfa by @Hugo966 in #3638
• feat(compliance): Add new CIS 2.0 / 2.1 compliance framework for Azure by @pedrooot in #3626

Fixes

• fix(metadata): change ResourceType Type for AWS Inline Policy Check by @gabrielsoltz in #3599
• fix(sts): handle China STS regions by @sergargar in #3613
• fix(azure): fixed check vm_ensure_using_managed_disks metadata by @Hugo966 in #3617
• fix(aws): break loop after FAIL in SQS and SNS checks by @kagahd in #3618
• fix(azure): normalize tenant domain set in checks by @sergargar in #3641
• fix(cis_2.0_azure): add remaining requirement with id 1.25 by @pedrooot in #3646
• fix(azure): add DefaultValue to Azure CIS compliance by @pedrooot in #3652

Documentation

• docs: Update number of Azure checks by @jfagoagas in #3639
• docs(azure): Add new permissions necessary from Microsoft Entra ID by @puchy22 in #3648

Chores

• chore(regions_update): Changes in regions for AWS services. by @n4ch04 in #3598, #3609, #3615, #3621, #3637, #3647
• chore(version): update Prowler version by @sergargar in #3614
• chore(apigateway): Handle NotFoundException by @jfagoagas in #3623
• chore(action): Prepare containers release for v4 by @jfagoagas in #3597
• chore(entra): Moving constants from checks and services to config file by @puchy22 in #3645
• chore(azure): Fix AKS and App tests to new format by @puchy22 in #3651

Dependencies

• build(deps): bump trufflesecurity/trufflehog from 3.70.2 to 3.71.0 by @dependabot in #3603
• build(deps): bump crazy-max/ghaction-import-gpg from 4 to 6 by @dependabot in #3604
• build(deps-dev): bump mkdocs-material from 9.5.14 to 9.5.15 by @dependabot in #3606
• build(deps-dev): bump pytest-cov from 4.1.0 to 5.0.0 by @dependabot in #3607
• build(deps): bump google-api-python-client from 2.122.0 to 2.123.0 by @dependabot in #3608
• build(deps): bump tj-actions/changed-files from 43 to 44 by @dependabot in #3627
• build(deps): bump trufflesecurity/trufflehog from 3.71.0 to 3.71.2 by @dependabot in #3628
• build(deps): bump google-api-python-client from 2.123.0 to 2.124.0 by @dependabot in #3630
• build(deps-dev): bump mkdocs-material from 9.5.15 to 9.5.17 by @dependabot in #3633
• build(deps-dev): bump safety from 3.0.1 to 3.1.0 by @dependabot in #3632
• build(deps-dev): bump moto from 5.0.3 to 5.0.4 by @dependabot in #3629

Full Changelog: 3.15.3...3.16.0