github prowler-cloud/prowler 5.26.0
Prowler 5.26.0

✨ New features to highlight in this version

Enjoy them all now for free at https://cloud.prowler.com

🔔 Alerts

Note: Available exclusively in Prowler Cloud.

Wire findings straight into the people who need to know. By default, every organization gets a daily digest of critical findings delivered to the organization owner — auto-provisioned, no setup required, editable or removable any time.

From there, organization admins can define custom alert rules over scan results — scoped by provider, account, severity, status, or any combination — and route them to any user in the organization. A Create Alert shortcut on the Findings page turns the current filter set into an alert rule in one click, so the filters you used to triage become the alert that watches for the same condition tomorrow.

All organization users are confirmed recipients by default (no opt-in confirmation required for now), and every alert email carries a one-click unsubscribe link so nobody is stuck on a list they don't want to be on. The new Manage Alerts RBAC permission keeps configuration gated to the right people.

Read more in the alerts documentation.

🔍 Finding Detail Drawer - Built for Triage

The finding drawer is where security teams actually live during triage, so it has been rebuilt around the question every analyst opens it to answer: what's not good, where, and how do I fix it?

  • The verdict comes first. A color-coded status banner sits at the top of the drawer - pass, fail, manual, or muted - so the outcome is the first thing you see, not the last thing you scroll to.
  • Remediation gets its own tab. Step-by-step fixes no longer compete with identifiers and metadata for attention; you click one tab and you're in the "what do I do about it" view.
  • Resource context is front and center. Account and Resource share the top row with a one-click link straight to the resource page.
  • Information hierarchy matches the workflow. Internal identifiers (check_id, finding_id, finding_uid) move to the bottom of the overview - still one click away when you need them for a Jira ticket or a copy-paste, but no longer competing with the answer to "what is this?". The "Other Findings For This Resource" tab is renamed to the more direct Findings for this resource.
  • Faster carousel navigation. Stepping through findings inside the drawer no longer flashes empty banners - the status renders immediately from the row you came from while the full record loads in the background.

The net effect: less hunting, fewer clicks between "I have a finding" and "I have a plan."

🎯 Prowler ThreatScore - Compliance View Overhaul

The ThreatScore compliance views get a focused UX pass so the score is something you can act on, not just look at:

  • Canonical pillar ordering everywhere - pillars now render in a single canonical order (1. IAM → 2. Attack Surface → 3. Logging and Monitoring → 4. Encryption) across the badge, breakdown card, donut legend, and accordion. Missing pillars no longer disappear from the UI - they render with - / 0% so the full set is always visible.
  • Pillars are clickable - clicking a pillar on /compliance now jumps straight to the ThreatScore detail page with the accordion pre-expanded on the pillar you clicked, scrolled into view. No more eyeballing the accordion to find what you just clicked on.
  • Top Failed Sections always shows the full pillar set - every canonical pillar shows up on the chart, zero-filled when there are no failures, so you get a true at-a-glance pillar-by-pillar fail rate instead of a partial picture.
  • Every donut slice is hoverable - on the Requirements Status donut, the slice you hover over expands slightly so even tiny 1–2% fail or manual segments are easy to target and inspect, instead of being swallowed by the dominant pass slice.

📚 ASD Essential Eight Maturity Model - AWS

The Australian Signals Directorate's Essential Eight Maturity Model (Maturity Level One, Nov 2023) is now a first-class compliance framework for AWS. It plugs into the compliance page with the same detail view, top-failed-sections breakdown, and export support as every other framework. Thanks to @boonchuan!

Read more in our compliance documentation.

📧 Google Workspace - Gmail Attachment Safety & Spoofing Protection

Eight new Gmail checks land for Google Workspace, covering attachment safety and spoofing protection at the domain level via the Cloud Identity Policy API:

  • gmail_anomalous_attachment_protection_enabled
  • gmail_domain_spoofing_protection_enabled
  • gmail_employee_name_spoofing_protection_enabled
  • gmail_encrypted_attachment_protection_enabled
  • gmail_groups_spoofing_protection_enabled
  • gmail_inbound_domain_spoofing_protection_enabled
  • gmail_script_attachment_protection_enabled
  • gmail_unauthenticated_email_protection_enabled

Read more in our Google Workspace documentation.

Explore all Google Workspace checks at Prowler Hub.

☁️ AWS - Bedrock Hardening

Three new AWS Bedrock checks land this release to keep generative-AI surface area honest:

  • bedrock_guardrails_configured - flags Bedrock deployments that ship without Guardrails configured, the standard AWS-native abuse and content-safety layer.
  • bedrock_prompt_management_exists - verifies Prompt Management is in use so prompts are versioned and auditable rather than embedded inline in application code.
  • bedrock_prompt_encrypted_with_cmk - verifies that each Prompt is encrypted with a CMK.

Read more in our AWS provider documentation.

Explore all AWS checks at Prowler Hub.

🖥️ UI - Providers Wording, Findings Polish

A coordinated UX pass across the high-traffic surfaces:

  • Providers wording - "Cloud Providers", "Accounts", and "Account Groups" copy is gone. Everything is now consistently labeled "Providers" across the UI and docs, removing the last of the legacy naming.
  • Finding remediation links - the detail drawer now labels remediation actions by destination ("View CVE", "View in Prowler Hub", "View Advisory", "View Reference") instead of a generic "View" everywhere.
  • Compliance cards - full-width progress bar, passing-requirements caption next to the framework logo.

🔗 Remediation Links Now Point to the Source

Container image CVE findings and IaC findings now link to official sources for remediation and references - CVE.org, Prowler Hub, and GitHub Security Advisories - instead of a third-party advisory mirror. Trivy-sourced findings also link correctly into Prowler Hub, so the "View" buttons in the finding drawer go where you expect every time.

🔐 Security Updates

  • Image provider SSRF - parser-mismatch SSRF in registry auth fixed: crafted bearer-token realms and pagination links could force requests to internal addresses and leak credentials cross-origin.
  • cryptography 46.0.6 → 46.0.7 and trivy 0.69.2 → 0.70.0 across SDK, API, and MCP images for CVE-2026-39892 and CVE-2026-33186.
  • requests 2.33.1 in the MCP server image to clear advisory 90553.
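
An added example, not Prowler's code or the actual fix: one way a registry client can treat server-supplied bearer realms and pagination links so that the URL it validates is the URL it requests, and credentials stay on the registry's origin. The host names, the constructed DNS table and every function name here are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit, urlunsplit

# Constructed DNS answers so the example runs offline (hypothetical hosts).
CONSTRUCTED_DNS = {
    "registry.example.test": {"93.184.216.34"},
    "auth.example.test": {"93.184.216.34"},
    "metadata.example.test": {"169.254.169.254"},
}

def constructed_resolve(host):
    return CONSTRUCTED_DNS.get(host, set())

def system_resolve(host):
    return {ai[4][0] for ai in socket.getaddrinfo(host, None)}

def validate_url(raw, resolve=system_resolve):
    """Parse once, reject ambiguous forms, return the canonical URL to fetch."""
    if not raw.isascii() or any(ch in raw for ch in "\\ \t\r\n"):
        raise ValueError("ambiguous characters in URL")
    parts = urlsplit(raw)
    if parts.scheme != "https":
        raise ValueError("only https is allowed")
    host = parts.hostname
    if "@" in parts.netloc or not host:
        raise ValueError("userinfo or empty host")
    try:
        addrs = {str(ipaddress.ip_address(host))}  # IP literal
    except ValueError:
        addrs = resolve(host)  # name: check every address it maps to
    if not addrs or not all(ipaddress.ip_address(a).is_global for a in addrs):
        raise ValueError("host maps to a non-public address")
    # Rebuild from the parsed parts so the HTTP client receives exactly the
    # host that was checked, not the raw server-supplied string.
    netloc = f"[{host}]" if ":" in host else host
    if parts.port not in (None, 443):
        netloc += f":{parts.port}"
    return urlunsplit(("https", netloc, parts.path or "/", parts.query, ""))

def origin(url):
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or 443)

def next_page_url(registry_url, link_target, resolve=system_resolve):
    """Follow a pagination Link target only on the registry's own origin."""
    candidate = validate_url(urljoin(registry_url, link_target), resolve)
    if origin(candidate) != origin(registry_url):
        raise ValueError("pagination link leaves the registry origin")
    return candidate
```

A check at parse time does not cover DNS answers that change between validation and connection; pinning the connection to the validated address and re-running the check on every redirect closes that gap.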

🙌 External Contributors

Thank you to our community contributors for this release!

  • @boonchuan - Add ASD Essential Eight Maturity Model compliance framework for AWS in #10808
  • @DannyLyubenov - Batch AWS CodeBuild API calls to prevent throttling-induced false positives in #10639
  • @davletd - Tighten Azure Network Watcher flow log checks to require workspace-backed Traffic Analytics in #10645
  • @davletd - Update Azure Network Watcher flow log compliance text for NSG retirement in #10937
  • @ivan-necheporenko - Scan every Azure subscription even when display names collide in #10718
  • @rchotacode - Scan Oracle Cloud identity in known valid regions for non-Ashburn tenancies in #10529
  • @mohamedsolaiman - Add AWS guide for extending existing services in #10924
  • @baggers27 - Fix Azure documentation broken link for minimum TLS version in #10916

UI

🚀 Added

  • ASD Essential Eight compliance framework support (#11071)

🔄 Changed

  • Standardized "Providers" wording across UI and documentation, replacing legacy "Cloud Providers" / "Accounts" / "Account Groups" copy (#10971)
  • Finding detail drawer now labels remediation actions from finding-level recommendation URLs by destination: "View CVE", "View in Prowler Hub", "View Advisory", or "View Reference", while keeping URL-only remediation cards labeled (#10853)
  • Finding detail drawer reorganized: status-colored banner below the resource info, dedicated Remediation tab, renamed "Findings for this resource" tab, and inline View Resource link next to the resource UID (#11091)
  • ThreatScore compliance views: canonical pillar order across all charts and the accordion, clickable pillars on /compliance that anchor the detail page, Top Failed Sections always shows the full pillar set, and donut tooltip now triggers on every segment (#10975)

API

🚀 Added

  • scan-reset-ephemeral-resources post-scan task zeroes failed_findings_count for resources missing from the latest full-scope scan, keeping ephemeral resources from polluting the Resources page sort (#10929)
  • ASD Essential Eight (AWS) compliance framework support (#10982)

🔐 Security

SDK

🚀 Added

  • bedrock_guardrails_configured check for AWS provider (#10844)
  • Universal compliance with OCSF support (#10301)
  • ASD Essential Eight Maturity Model compliance framework for AWS (Maturity Level One, Nov 2023) (#10808)
  • Vercel checks now return a personalized finding status extended depending on the billing plan and are classified with billing-plan categories (#10663)
  • bedrock_prompt_management_exists check for AWS provider (#10878)
  • 8 Gmail attachment safety and spoofing protection checks for Google Workspace provider using the Cloud Identity Policy API (#10980)
  • bedrock_prompt_encrypted_with_cmk check for AWS provider (#10905)

🔄 Changed

  • Azure Network Watcher flow log checks now require workspace-backed Traffic Analytics for network_flow_log_captured_sent and align metadata with VNet-compatible flow log guidance (#10645)
  • Azure compliance entries for legacy Network Watcher flow log controls now use retirement-aware guidance and point new deployments to VNet flow logs (#10937)
  • AWS CodeBuild service now batches BatchGetProjects and BatchGetBuilds calls per region (up to 100 items per call) to reduce API call volume and prevent throttling-induced false positives in codebuild_project_not_publicly_accessible (#10639)
  • display_compliance_table dispatch switched from substring in checks to startswith to prevent false matches between similarly named frameworks (e.g. cisa vs cis) (#10301)
  • Restore the ec2-imdsv1 category for EC2 IMDS checks to keep Attack Surface and findings filters aligned (#10998)
  • Container image CVE findings and IaC findings now use official CVE, Prowler Hub, or GitHub Security Advisory URLs instead of Aqua advisory URLs in remediation and references; Trivy rule IDs map to Prowler Hub without the AVD- prefix so links resolve (#10853)

🐞 Fixed

  • AWS SDK test isolation: autouse mock_aws fixture and leak detector in conftest.py to prevent tests from hitting real AWS endpoints, with idempotent organization setup for tests calling set_mocked_aws_provider multiple times (#10605)
  • AWS boto user agent extra is now applied to every client (#10944)
  • Image provider connection check no longer fails with a misleading host='https' resolution error when the registry URL includes an http:// or https:// scheme prefix (#10950)
  • Azure subscriptions sharing the same display name are no longer collapsed into a single identity entry, so every subscription is scanned (#10718)

🔐 Security

  • Parser-mismatch SSRF in image provider registry auth where crafted bearer-token realms and pagination links could force requests to internal addresses and leak credentials cross-origin (#10945)
  • cryptography from 46.0.6 to 46.0.7 and trivy binary from 0.69.2 to 0.70.0 in the SDK image for CVE-2026-39892 and CVE-2026-33186 (#10978)
