github prowler-cloud/prowler 5.33.0
Prowler 5.33.0

5 hours ago

✨ New features to highlight in this version

Enjoy them all now for free at https://cloud.prowler.com

🤖 Lighthouse AI — The Agentic Cloud Defender

Note

This feature is available exclusively in Prowler Cloud and Prowler Enterprise with a subscription.

Lighthouse AI is now a full agentic assistant wired to the Prowler Cloud backend. Ask it about your findings, your compliance posture, or your riskiest resources, and watch it work: the agent discovers and runs the Prowler tools it needs to answer, with every tool call visible in the new agentic view. It reads your security data through read-only tools, so it can never touch secrets or modify your tenant.

lighthouse-ai-1

The chat experience is rebuilt around persistent sessions: conversations stream in real time, stay in your session history, can be archived, and a sidebar chat mode lets you ask questions from any page in the app without losing your place.

lighthouse-ai-2

You control the brain behind it. Configure one or more LLM providers — OpenAI, Amazon Bedrock, or any OpenAI-compatible endpoint (OpenRouter, Ollama) — with connection testing built into the setup and per-provider model selection. Prowler Cloud defaults to GPT-5.5. Add a shared business context (your security goals, compliance needs, organizational priorities) and every session uses it to give answers that fit your environment.

lighthouse-ai-3

Read more in our Lighthouse AI documentation and the multiple LLM providers guide.

📄 Compliance PDF Reports Without Credentials

Compliance PDF reports no longer require the provider's credentials to be present. Findings are now enriched from the provider metadata stored in the database, so a report still generates even after the provider secret has been deleted or its credentials have become invalid.

Read more in our compliance documentation.

⏳ Scan Queueing

Overlapping scans for the same provider now queue behind the active one instead of dispatching concurrent scan workers. Launch a manual scan while a scheduled one is running and it waits its turn. No more duplicated work or racing scans.

🔐 Security

The Kubernetes provider credentials now reject kubeconfigs using exec authentication in Prowler Cloud, at the API and in the credential form, preventing user-supplied commands from running on Cloud workers.

Read more in the Kubernetes provider authentication documentation.

🙌 External Contributors

Thank you to our community contributors for this release!

  • @kratos0718 — Azure postgresql_flexible_server_log_retention_days_greater_3 Flexible Server log retention fix (#11761)
  • @Sanjays2402KeyError: 'MANUAL' crash fix in the compliance summary table, shipped early in v5.32.1 (#11823)

UI

🚀 Added

  • Owners can delete their last organization from the profile page (#11864)

🔄 Changed

  • Organization row actions in the profile page are aligned in fixed columns and the Active indicator now sits next to the organization name (#11864)
  • Sentry, Google Tag Manager, and PostHog now load their UI_* config only when the matching enable flag (UI_SENTRY_ENABLE / UI_GOOGLE_TAG_MANAGER_ENABLE / UI_POSTHOG_ENABLE) is "true" (default off); the deprecated legacy names (NEXT_PUBLIC_*, POSTHOG_KEY/POSTHOG_HOST) still activate without the flag (#11682)

API

🚀 Added

  • Compliance PDF reports no longer require provider credentials: findings are enriched from the provider metadata stored in the database, so reports generate even after the provider secret is deleted or its credentials become invalid (#11845)

🐞 Fixed

  • Provider scans now queue behind active provider scans instead of dispatching concurrently, and resource failed-finding counters retry database conflicts with stable row locking (#11848)

SDK

🐞 Fixed

  • Azure resource group scoped scans now keep subscription entries when scoped resource listing fails, clarify helper documentation and test organization, and align the resource group documentation example with the described values (#11796)
  • Azure postgresql_flexible_server_log_retention_days_greater_3 check now queries the logfiles.retention_days configuration parameter instead of log_retention_days (which only exists on the retired Single Server), fixing false FAIL results on every Flexible Server regardless of the actual retention value (#11761)

Don't miss a new prowler release

NewReleases is sending notifications on new releases.