New features to highlight in this version
🔒 RBAC - Role Based Access Control
Gain granular control over user access and permissions with our new Role-Based Access Control. You can now assign roles and privileges to specific users, ensuring they only have access to what they need. You can also create cloud provider groups and assign them to roles, so that only the providers in those groups are visible to users holding the role.
🧑🔧 4 New Checks!
We have expanded our coverage with 4 new checks, enhancing your security and compliance for EC2, Step Functions and CloudFormation in AWS, and for SQL Server in Azure.
1. ec2_launch_template_imdsv2_required
2. stepfunctions_statemachine_logging_enabled
3. cloudformation_stack_cdktoolkit_bootstrap_version
4. sqlserver_recommended_minimal_tls_version
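The following is an added illustration of the condition behind the new ec2_launch_template_imdsv2_required check; it is not Prowler's own code. It assumes the check semantics implied by the name: a launch template only passes when every one of its versions either disables the instance metadata endpoint or sets HttpTokens to required (IMDSv2 enforced). The input is a constructed dictionary shaped like the EC2 DescribeLaunchTemplateVersions response, so it runs offline without AWS credentials.

```python
"""Evaluate whether EC2 launch templates enforce IMDSv2.

Added illustration of what ec2_launch_template_imdsv2_required verifies;
this is NOT Prowler's implementation. Assumption: a template passes only
when every version disables the metadata endpoint or requires tokens.
"""
from dataclasses import dataclass, field


@dataclass
class VersionResult:
    version_number: int
    http_endpoint: str
    http_tokens: str
    compliant: bool


@dataclass
class TemplateResult:
    template_id: str
    template_name: str
    status: str  # "PASS" or "FAIL", mirroring a scanner's finding status
    offending_versions: list = field(default_factory=list)


def evaluate_version(version: dict) -> VersionResult:
    """Check one launch template version for IMDSv2 enforcement."""
    data = version.get("LaunchTemplateData", {})
    opts = data.get("MetadataOptions", {})
    # Assumption: when MetadataOptions is absent, fall back to the historical
    # EC2 behaviour (endpoint enabled, tokens optional), i.e. IMDSv1 allowed.
    endpoint = opts.get("HttpEndpoint", "enabled")
    tokens = opts.get("HttpTokens", "optional")
    # IMDSv1 cannot be used if the endpoint is off or session tokens are mandatory.
    compliant = endpoint == "disabled" or tokens == "required"
    return VersionResult(version["VersionNumber"], endpoint, tokens, compliant)


def evaluate_template(template_id: str, template_name: str, versions: list) -> TemplateResult:
    """A template FAILs if any version still permits IMDSv1."""
    results = [evaluate_version(v) for v in versions]
    offending = [r.version_number for r in results if not r.compliant]
    status = "FAIL" if offending else "PASS"
    return TemplateResult(template_id, template_name, status, offending)


def evaluate_all(describe_versions_output: dict) -> dict:
    """Group DescribeLaunchTemplateVersions-shaped records by template and evaluate each."""
    by_template: dict = {}
    for v in describe_versions_output.get("LaunchTemplateVersions", []):
        key = (v["LaunchTemplateId"], v["LaunchTemplateName"])
        by_template.setdefault(key, []).append(v)
    return {tid: evaluate_template(tid, name, vs) for (tid, name), vs in by_template.items()}


# Constructed sample data (placeholder IDs, not real resources).
SAMPLE = {
    "LaunchTemplateVersions": [
        # Old version still allows IMDSv1, newer version fixed it: template must still FAIL.
        {"LaunchTemplateId": "lt-0example0001", "LaunchTemplateName": "web-tier", "VersionNumber": 1,
         "LaunchTemplateData": {"MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}}},
        {"LaunchTemplateId": "lt-0example0001", "LaunchTemplateName": "web-tier", "VersionNumber": 2,
         "LaunchTemplateData": {"MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"}}},
        # Tokens required on every version: PASS.
        {"LaunchTemplateId": "lt-0example0002", "LaunchTemplateName": "batch", "VersionNumber": 1,
         "LaunchTemplateData": {"MetadataOptions": {"HttpTokens": "required"}}},
        # No MetadataOptions at all: falls back to defaults, IMDSv1 allowed: FAIL.
        {"LaunchTemplateId": "lt-0example0003", "LaunchTemplateName": "legacy", "VersionNumber": 1,
         "LaunchTemplateData": {}},
        # Metadata endpoint disabled entirely: nothing to harden: PASS.
        {"LaunchTemplateId": "lt-0example0004", "LaunchTemplateName": "no-imds", "VersionNumber": 1,
         "LaunchTemplateData": {"MetadataOptions": {"HttpEndpoint": "disabled"}}},
    ]
}


if __name__ == "__main__":
    for result in evaluate_all(SAMPLE).values():
        detail = f" (IMDSv1 allowed in versions {result.offending_versions})" if result.offending_versions else ""
        print(f"{result.status} {result.template_name} [{result.template_id}]{detail}")
```

The per-version evaluation matters in practice: a template whose latest version requires IMDSv2 still fails if an older version that permits IMDSv1 remains launchable, so remediation means fixing or deleting every non-compliant version, not just the default one.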
🚀 30 New AWS Fixers!
We have included 30 new fixers to help you automatically remediate misconfigurations in AWS services: Lambda, SQS, ECR, Glacier, OpenSearch, S3, EC2, CloudTrail and CodeArtifact.
Run a specific fixer with:
prowler aws --check <check_id> --fixer
See all the available fixers with:
prowler aws --list-fixers
1. awslambda_function_not_publicly_accessible_fixer
2. sqs_queues_not_publicly_accessible_fixer
3. ecr_repositories_not_publicly_accessible_fixer
4. glacier_vaults_policy_public_access_fixer
5. opensearch_service_domains_not_publicly_accessible_fixer
6. s3_bucket_public_write_acl_fixer
7. s3_bucket_public_list_acl_fixer
8. s3_bucket_public_access_fixer
9. ec2_instance_port_cifs_exposed_to_internet_fixer
10. s3_bucket_policy_public_write_access_fixer
11. ec2_ami_public_fixer
12. cloudtrail_logs_s3_bucket_is_not_publicly_accessible_fixer
13. codeartifact_packages_external_public_publishing_disabled_fixer
14. ec2_instance_port_cassandra_exposed_to_internet_fixer
15. ec2_instance_port_elasticsearch_kibana_exposed_to_internet_fixer
16. ec2_instance_port_ftp_exposed_to_internet_fixer
17. ec2_instance_port_kafka_exposed_to_internet_fixer
18. ec2_instance_port_kerberos_exposed_to_internet_fixer
19. ec2_instance_port_ldap_exposed_to_internet_fixer
20. ec2_instance_port_memcached_exposed_to_internet_fixer
21. ec2_instance_port_mongodb_exposed_to_internet_fixer
22. ec2_instance_port_mysql_exposed_to_internet_fixer
23. ec2_instance_port_oracle_exposed_to_internet_fixer
24. ec2_instance_port_postgresql_exposed_to_internet_fixer
25. ec2_instance_port_rdp_exposed_to_internet_fixer
26. ec2_instance_port_redis_exposed_to_internet_fixer
27. ec2_instance_port_sqlserver_exposed_to_internet_fixer
28. ec2_instance_port_ssh_exposed_to_internet_fixer
29. ec2_instance_port_telnet_exposed_to_internet_fixer
30. ec2_securitygroup_allow_ingress_from_internet_to_high_risk_tcp_ports_fixer
📄 Added CIS 3.0 for GCP
Prowler now supports the CIS 3.0 for GCP.
🖊️ New check's category gen-ai
With the growing number of Generative AI, Machine Learning and LLM training services, we are adding a new gen-ai category so that AI-related service checks can be found and run more easily.
🐎 Several performance improvements in the API
🔧 Other issues and bug fixes solved
New Contributors
Special thanks to our amazing new contributors: @madslundholmdk @Twodragon0
- @madslundholmdk made their first contribution in #5821
- @Twodragon0 made their first contribution in #5867
UI
Features
- feat(users): user detail can be edited now properly by @paabloLC in #6135
- feat(GHA): add gha for API by @pedrooot in #6032
- feat(roles): RBAC functionality by @paabloLC in #6201
- feat(scans): add new component - alert bar by @paabloLC in #6391
- feat(update-credentials): add explanation text for the current behavior by @paabloLC in #6400
Fixes
- fix(invitations): remove wrong url by @paabloLC in #6005
- fix(BC: NextUI): fix BC from NextUI, resolve ESLint warnings and optimize hooks dependencies by @paabloLC in #6404
- fix(invitation): correct the URL used to share an invitation by @paabloLC in #6472
- styles(invitations): tweak styles for invitation details box by @paabloLC in #6475
Chores / Dependencies
- chore(rbac): tweaks role permissions by @paabloLC in #6496
- chore(deps-dev): bump eslint-plugin-import from 2.29.1 to 2.31.0 in /ui by @dependabot in #6482
- chore(deps): bump @radix-ui/react-slot from 1.1.0 to 1.1.1 in /ui by @dependabot in #6481
- chore(roles): prevent capitalization of provider groups and roles by @paabloLC in #6497
- chore(groups): Enable updating groups without roles or providers by @paabloLC in #6498
- chore(manage-groups): tweaks for provider manage groups by @paabloLC in #6468
- chore(deps): bump @radix-ui/react-toast from 1.2.1 to 1.2.4 in /ui by @dependabot in #6445
- chore(deps): bump lucide-react from 0.417.0 to 0.471.0 in /ui by @dependabot in #6456
- chore(deps): bump date-fns from 3.6.0 to 4.1.0 in /ui by @dependabot in #6444
- chore(deps-dev): bump @iconify/react from 5.0.1 to 5.2.0 in /ui by @dependabot in #6421
- chore(deps): bump nanoid from 3.3.7 to 3.3.8 in /ui by @dependabot in #6110
- chore(deps): bump cross-spawn from 7.0.3 to 7.0.6 in /ui by @dependabot in #5881
- chore(deps): bump cookie and next-auth in /ui by @dependabot in #5880
- chore(deps): bump next from 14.2.12 to 14.2.22 in /ui by @dependabot in #6356
API
Features
- feat(api-rbac): RBAC system by @AdriiiPRodri in #6114
- feat(services): Add GET /overviews/services to API by @vicferpoy in #6029
- feat(celery): Add configurable broker visibility timeout setting by @vicferpoy in #6245
- feat(compliance): generate compliance reports for GCP scans using API by @vicferpoy in #6318
Fixes
- fix(tenant): fix delete tenants behavior by @vicferpoy in #6013
- fix(deploy): temporal fix for the alpine-python segmentation fault by @AdriiiPRodri in #6109
- fix(RLS): enforce config security by @jfagoagas in #6066
- fix(db-utils): fix batch_delete function by @vicferpoy in #6283
- fix(users): fix /users/me behavior when having more than 1 users in the same tenant by @vicferpoy in #6284
- fix(migrations): fix django migration order dependency by @vicferpoy in #6302
- fix(api): change the inserted_at.lte unittest by @AdriiiPRodri in #6403
- fix(rbac): block admin role deletion by @AdriiiPRodri in #6470
Chores / Dependencies
- ref(rbac): disable some checks by @AdriiiPRodri in #6471
- chore(rls): rename tenant_transaction to rls_transaction by @jfagoagas in #6202
- ref(rbac): improve rbac implementation for views by @AdriiiPRodri in #6226
- chore(rls): Add tenant_id filters in views and improve querysets by @jfagoagas in #6211
- chore(deps-dev): bump openapi-schema-validator from 0.6.2 to 0.6.3 by @dependabot in #6454
- chore(deps-dev): bump vulture from 2.11 to 2.14 in /api by @dependabot in #6426
- chore(deps-dev): bump safety from 3.2.3 to 3.2.9 in /api by @dependabot in #6431
- chore(deps): bump jinja2 from 3.1.4 to 3.1.5 in /api by @dependabot in #6316
- chore(deps): bump django from 5.1.1 to 5.1.4 in /api by @dependabot in #6376
- ref(rbac): enable relationship creation when objects is created by @AdriiiPRodri in #6238
Docs
- docs(prowler-app): add link to https://api.prowler.com/api/v1/docs by @pedrooot in #6016
- docs(api): add commands to run API scheduler by @MrCloudSec in #6085
SDK
Features
- feat(awslambda): add new fixer awslambda_function_not_publicly_accessible_fixer by @danibarranqueroo in #5840
- feat(sqs): add new fixer sqs_queues_not_publicly_accessible_fixer by @danibarranqueroo in #5911
- feat(ecr): add new fixer ecr_repositories_not_publicly_accessible_fixer by @danibarranqueroo in #5923
- feat(glacier): add new fixer glacier_vaults_policy_public_access_fixer by @danibarranqueroo in #5950
- feat(opensearch): add new fixer opensearch_service_domains_not_publicly_accessible_fixer by @danibarranqueroo in #5926
- feat(s3): add new fixer s3_bucket_public_write_acl_fixer by @danibarranqueroo in #5855
- feat(s3): add new fixer s3_bucket_public_list_acl_fixer by @danibarranqueroo in #6166
- feat(ec2): add new check ec2_launch_template_imdsv2_required by @danibarranqueroo in #6139
- feat(s3): add new fixer s3_bucket_public_access_fixer by @danibarranqueroo in #6164
- feat(ec2): add new fixer ec2_instance_port_cifs_exposed_to_internet_fixer by @danibarranqueroo in #6159
- feat(s3): add new fixer s3_bucket_policy_public_write_access_fixer by @danibarranqueroo in #6173
- feat(ec2): add new fixer ec2_ami_public_fixer by @danibarranqueroo in #6177
- feat(cloudtrail): add new fixer cloudtrail_logs_s3_bucket_is_not_publicly_accessible_fixer by @danibarranqueroo in #6174
- feat(stepfunctions): add stepfunctions service and check stepfunctions_statemachine_logging_enabled by @AdriiiPRodri in #5466
- feat(codeartifact): add new fixer codeartifact_packages_external_public_publishing_disabled_fixer by @danibarranqueroo in #6263
- feat(aws): add new check cloudformation_stack_cdktoolkit_bootstrap_version by @MrCloudSec in #6323
- feat(azure): check for minimal TLS version for Azure SQL server by @johannes-engler-mw in #5745
- feat(gcp): add service account credentials by @pedrooot in #6165
- feat(mutelist): add description field by @pedrooot in #6221
- feat(ec2): add new fixers for internet exposed ports by @danibarranqueroo in #6223
- feat(prowler-docker): Run Prowler docker with AWS SSO by @Twodragon0 in #5867
- feat: New gen-ai category for all relevant checks. by @metahertz in #6450
- feat(ec2): include resource metadata in Check_Report by @MrCloudSec in #6440
- feat(compliance): add CIS 3.0 for gcp by @pedrooot in #6463
Fixes
- fix(codecov): create components by @jfagoagas in #6028
- fix(backup): modify list recovery points call by @danibarranqueroo in #5996
- fix(backport): Add action to detect labels by @jfagoagas in #5270
- fix(backport): remove v from branch prefix by @jfagoagas in #6081
- fix(autoscaling): autoscaling_group_launch_configuration_requires_imdsv2 fails if Launch Template is used by @danibarranqueroo in #6111
- fix(aws): set same severity for EC2 IMDSv2 checks by @MrCloudSec in #6046
- fix(gcp): make sure default project is active by @MrCloudSec in #6097
- fix(aws): set IAM identity as resource in threat detection by @MrCloudSec in #6048
- fix(aws): check AWS Owned keys in firehose_stream_encrypted_at_rest by @HugoPBrito in #6108
- fix(aws): get firewall manager managed rule groups by @HugoPBrito in #6119
- fix(compliance_tables): add correct values for findings by @pedrooot in #6122
- fix(iam): set unique resource id for each user access key by @MrCloudSec in #6128
- fix(app): add support for TLS 1.3 to Web Apps check by @puchy22 in #6004
- fix(README): show latest release by @MrCloudSec in #6145
- fix(aurora): Add default ports to the check of using non default ports by @madslundholmdk in #5821
- fix(rds): add invalid SG to status_extended by @pedrooot in #6157
- fix: dependabot syntax by @jfagoagas in #6181
- fix(aws): set unique resource IDs by @MrCloudSec in #6152
- fix(azure): custom Prowler Role for Azure assignableScopes by @puchy22 in #6149
- fix(.env): remove comment by @jfagoagas in #6230
- fix(gha): make conditional job for checking the repo by @jfagoagas in #6255
- fix(aws): solve None type errors by @MrCloudSec in #6268
- fix(aws): add missing region to Backup Recovery Point by @MrCloudSec in #6273
- fix(aws): disallow child-accounts to overwrite policy for ai_services_opt_out by @kagahd in #6229
- fix(gha): run API and UI tests in correct versions by @MrCloudSec in #6294
- fix(aws): add missing sqs service without subservice by @puchy22 in #6352
- fix(ci): move poetry deprecated command to new one by @AdriiiPRodri in #6384
- fix(pre-commit): add api needed excludes by @pedrooot in #6393
- fix(cloudformation): fix flaky tests by @danibarranqueroo in #6398
- fix(iam): handle non existing MFA devices by @MrCloudSec in #6396
- fix(codeartifact): fix flaky tests by @danibarranqueroo in #6449
- fix(vpc): add new principal wildcard verification by @puchy22 in #6461
- fix(iso27001-2013): add ReqId and ReqDescription in output by @pedrooot in #6405
- fix(backport): more than one backport tag is allowed by @jfagoagas in #6090
Chores / Dependencies
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #6041
- chore(deps): bump trufflesecurity/trufflehog from 3.84.1 to 3.85.0 by @dependabot in #6040
- chore(deps): bump slack-sdk from 3.33.4 to 3.33.5 by @dependabot in #6039
- chore(deps): bump botocore from 1.35.71 to 1.35.76 by @dependabot in #6037
- chore(deps-dev): bump pylint from 3.3.1 to 3.3.2 by @dependabot in #5993
- chore(deps-dev): bump mkdocs-material from 9.5.46 to 9.5.47 by @dependabot in #5988
- chore(deps-dev): bump pytest from 8.3.3 to 8.3.4 by @dependabot in #5992
- chore(deps-dev): bump coverage from 7.6.8 to 7.6.9 by @dependabot in #6053
- chore: delete unneeded requirements file by @jfagoagas in #6056
- chore(deps): bump boto3 from 1.35.71 to 1.35.76 by @dependabot in #6054
- chore(actions): standardize names by @jfagoagas in #6059
- chore(dependabot): Update for UI and v4 by @jfagoagas in #6062
- chore(containers): support for v4.6 branch by @jfagoagas in #6063
- chore(deps-dev): bump mkdocs-material from 9.5.47 to 9.5.48 by @dependabot in #6073
- chore(dependabot): change interval of PRs by @MrCloudSec in #6086
- chore(deps-dev): bump vulture from 2.13 to 2.14 by @dependabot in #6068
- chore(deps): bump botocore from 1.35.76 to 1.35.77 by @dependabot in #6098
- chore(deps): bump microsoft-kiota-abstractions from 1.6.2 to 1.6.6 by @dependabot in #6038
- chore(deps): bump msgraph-sdk from 1.12.0 to 1.14.0 by @dependabot in #5957
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #6136
- chore(deps): bump boto3 from 1.35.76 to 1.35.77 by @dependabot in #6131
- chore(deps): bump trufflesecurity/trufflehog from 3.85.0 to 3.86.0 by @dependabot in #6130
- chore(deps): bump botocore from 1.35.77 to 1.35.78 by @dependabot in #6132
- chore(deps): bump google-api-python-client from 2.154.0 to 2.155.0 by @dependabot in #6155
- chore(deps): bump trufflesecurity/trufflehog from 3.86.0 to 3.86.1 by @dependabot in #6156
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #6158
- chore(deps): bump boto3 from 1.35.77 to 1.35.78 by @dependabot in #6154
- refactor(gcp): use always .region for checks by @pedrooot in #6206
- refactor(mutelist): use jsonschema on mutelist by @pedrooot in #6264
- chore(deps): bump botocore from 1.35.78 to 1.35.79 by @dependabot in #6153
- chore(gha): build and push OSS UI by @jfagoagas in #6168
- chore(deps): bump boto3 from 1.35.78 to 1.35.79 by @dependabot in #6171
- chore(dependabot): Add docker by @jfagoagas in #6180
- chore(deps): bump botocore from 1.35.79 to 1.35.80 by @dependabot in #6172
- chore(labeler): add provider github by @pedrooot in #6194
- chore(deps): bump actions/setup-node from 3 to 4 by @dependabot in #5893
- chore(deps): bump boto3 from 1.35.79 to 1.35.80 by @dependabot in #6198
- chore(deps): bump botocore from 1.35.80 to 1.35.81 by @dependabot in #6199
- chore(deps-dev): bump mkdocs-material from 9.5.48 to 9.5.49 by @dependabot in #6217
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #6222
- chore(deps): bump boto3 from 1.35.80 to 1.35.81 by @dependabot in #6218
- chore(deps): bump trufflesecurity/trufflehog from 3.86.1 to 3.87.0 by @dependabot in #6234
- chore(deps): bump botocore from 1.35.81 to 1.35.83 by @dependabot in #6232
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #6237
- chore(config): set default values for empty config fields by @pedrooot in #6225
- chore: skip action on .env changes by @jfagoagas in #6257
- chore(deps): bump boto3 from 1.35.81 to 1.35.83 by @dependabot in #6253
- chore(deps): bump google-api-python-client from 2.155.0 to 2.156.0 by @dependabot in #6252
- chore(deps): bump microsoft-kiota-abstractions from 1.6.6 to 1.6.7 by @dependabot in #6233
- chore(deps): bump trufflesecurity/trufflehog from 3.87.0 to 3.87.1 by @dependabot in #6249
- chore(api): Use prowler ^5.0 by @jfagoagas in #6266
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #6262
- chore(deps): bump slack-sdk from 3.33.5 to 3.34.0 by @dependabot in #6254
- chore(deps): bump trufflesecurity/trufflehog from 3.87.1 to 3.87.2 by @dependabot in #6279
- chore(deps): bump msgraph-sdk from 1.14.0 to 1.15.0 by @dependabot in #6250
- chore(findings): remove delta new as filter by default in findings by @paabloLC in #6280
- chore(gha): solve pypi release github action by @MrCloudSec in #6278
- chore(menu): add API reference link to the sidebar by @paabloLC in #6287
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #6282
- chore(deps): bump botocore from 1.35.83 to 1.35.85 by @dependabot in #6276
- chore(deps): bump trufflesecurity/trufflehog from 3.87.2 to 3.88.0 by @dependabot in #6298
- chore(deps): bump boto3 from 1.35.83 to 1.35.85 by @dependabot in #6295
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #6299
- chore(deps): bump botocore from 1.35.85 to 1.35.87 by @dependabot in #6307
- chore(deps-dev): bump pylint from 3.3.2 to 3.3.3 by @dependabot in #6317
- chore(deps): bump boto3 from 1.35.85 to 1.35.87 by @dependabot in #6320
- chore(deps-dev): bump coverage from 7.6.9 to 7.6.10 by @dependabot in #6322
- chore(deps): bump botocore from 1.35.87 to 1.35.88 by @dependabot in #6321
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #6329
- chore(deps): bump trufflesecurity/trufflehog from 3.88.0 to 3.88.1 by @dependabot in #6372
- chore(deps): bump botocore from 1.35.88 to 1.35.93 by @dependabot in #6373
- chore(deps): bump azure-mgmt-compute from 33.0.0 to 33.1.0 by @dependabot in #6219
- chore(deps): bump boto3 from 1.35.87 to 1.35.93 by @dependabot in #6381
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #6382
- chore(deps): bump google-api-python-client from 2.156.0 to 2.157.0 by @dependabot in #6349
- chore(deps): bump microsoft-kiota-abstractions from 1.6.7 to 1.6.8 by @dependabot in #6347
- chore(deps): bump msgraph-sdk from 1.15.0 to 1.16.0 by @dependabot in #6350
- chore(deps): bump azure-mgmt-network from 28.0.0 to 28.1.0 by @dependabot in #6296
- chore(deps): bump botocore from 1.35.93 to 1.35.94 by @dependabot in #6388
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #6390
- chore(containers): Build stable for API and UI by @jfagoagas in #6395
- chore(dependabot): Review for API and UI by @jfagoagas in #6402
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #6399
- chore(deps): bump trufflesecurity/trufflehog from 3.88.1 to 3.88.2 by @dependabot in #6446
- chore(deps): bump google-api-python-client from 2.157.0 to 2.158.0 by @dependabot in #6442
- chore(deps): bump boto3 from 1.35.93 to 1.35.94 by @dependabot in #6410
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #6448
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #6458
- chore(regions_update): Changes in regions for AWS services by @prowler-bot in #6459
Docs
- docs(env): move warning about env files by @MrCloudSec in #6049
- docs: Prowler SaaS -> Cloud and add missing compliance by @jfagoagas in #6061
- docs(unitesting): Make some fixes to the documentation by @MarioRgzLpz in #6102
- docs: add note about containers arch by @jfagoagas in #6236
- fix(docs): change typo from provideruid in k8s by @pedrooot in #6239
- docs: add note about platform flag in docker by @jfagoagas in #6256
- docs: add new format CloudFormation for ResourceType in check metadata by @puchy22 in #6353
- docs(outputs): add custom outputs formats documentation by @pedrooot in #6386
- docs(integrations): add integrations docs by @pedrooot in #6269
- docs(azure): improve tutorials for Prowler App by @puchy22 in #6210
Full Changelog: 5.0.5...5.1.0