github prowler-cloud/prowler 5.34.0
Prowler 5.34.0

6 hours ago

✨ New features to highlight in this version

Enjoy them all now for free at https://cloud.prowler.com

🏷️ New product names

The Prowler family has grown, and the names now say what each product is. Same products, clearer names:

Prowler products:

  • Prowler Cloud — the managed cloud security platform operated by the Prowler team.
  • Prowler Private Cloud (formerly Prowler Enterprise) — the self-hosted deployment of Prowler Cloud in your own environment.
  • Prowler Hub — the free public library of versioned checks, cloud service artifacts, and compliance frameworks.
  • Prowler Lighthouse AI — The Agentic Cloud Defender in Prowler Cloud and Prowler Private Cloud.
  • Prowler MCP — the MCP server that connects AI assistants and agents to Prowler, including the IDE plugins.

Open source projects:

  • Prowler CLI — the command-line scanner for all supported providers.
  • Prowler Local Server (formerly Prowler App) — the self-hosted web application and API to run scans, visualize findings, and manage providers.
  • Prowler Local Dashboard — the web dashboard for visualizing Prowler CLI scan results, distributed with the CLI.
  • Prowler SDK — the Python library behind Prowler CLI and Prowler Local Server.

See the full family in the Prowler products documentation.

🧭 Cross-Provider Compliance

Note

This feature is available exclusively in Prowler Cloud and Prowler Private Cloud with a subscription.

One framework, every cloud, a single answer. The new Cross-provider tab in Compliance takes the most recent completed scan of every compatible provider and rolls them up into a single compliance posture per framework, with a per-provider breakdown and a combined executive PDF report. Requirement status follows strict precedence (FAIL > PASS > MANUAL), so one failing provider is enough to flag a requirement across your whole estate.

Screenshot 2026-07-15 at 17 18 25

Three universal frameworks support it today:

  • CIS Controls 8.1 — AWS, Azure, Google Cloud, Microsoft 365, Kubernetes, GitHub, Google Workspace, Okta, Oracle Cloud, Alibaba Cloud, Cloudflare, MongoDB Atlas, OpenStack, and Vercel.
  • CSA CCM 4.0 — AWS, Azure, Google Cloud, Alibaba Cloud, and Oracle Cloud.
  • DORA 2022/2554 — AWS, Azure, Google Cloud, Alibaba Cloud, and Cloudflare.

Filter by provider type, account, or provider group, drill into each framework's requirements, and export the combined PDF.

Screenshot 2026-07-15 at 17 18 32

Read more in our Cross-Provider Compliance documentation.

🏢 New Provider — E2E Networks

Prowler now scans E2E Networks, with 27 checks spanning compute nodes, networking, security groups, load balancers, block and file storage, and managed databases. Thanks to @deepak7093 for their 1st provider in Prowler!

Available in the Prowler CLI:

export E2E_NETWORKS_API_KEY="your-api-key"
export E2E_NETWORKS_AUTH_TOKEN="your-auth-token"
export E2E_NETWORKS_PROJECT_ID="your-project-id"
prowler e2enetworks

Read more in our E2E Networks documentation.

Explore all E2E Networks checks at Prowler Hub.

🔐 Security

User role relationship updates in the API are now limited to the active tenant, preserving the role assignments the same user holds in other tenants.

🔍 Checks

AWS

  • ec2_ami_account_block_public_access — verifies AMI block public access is enabled at the account level in each Region, so AMIs cannot be shared publicly. Thanks to @goutham-hari!
  • datapipeline_pipeline_no_secrets_in_definition — scans Data Pipeline object fields, parameter objects, and parameter values for hardcoded secrets with Kingfisher. Thanks to @YinkaMetrics!
  • elbv2_listener_pqc_tls_enabled — verifies ELBv2 HTTPS/TLS listeners use post-quantum TLS security policies with TLS 1.2 or higher, helping reduce harvest-now-decrypt-later exposure.
  • amplify_app_no_secrets_in_environment — scans Amplify app and branch environment variables and build settings (buildSpec) for hardcoded secrets with Kingfisher. Thanks to @Deep070203!

Read more in our AWS documentation.

Explore all AWS checks at Prowler Hub.

Azure

  • app_function_ensure_http_is_redirected_to_https — verifies that Function Apps enforce HTTPS-only traffic. Thanks to @amandalal007!

Read more in our Azure documentation.

Explore all Azure checks at Prowler Hub.

Kubernetes

  • core_minimize_hostpath_volume_mounts — detects Pods that use hostPath volumes. Thanks to @0xTaoZ!
  • core_readonly_root_filesystem_enabled — verifies that every container in each Pod explicitly sets readOnlyRootFilesystem: true in its security context. Thanks to @Weedle02!

Read more in our Kubernetes documentation.

Explore all Kubernetes checks at Prowler Hub.

STACKIT

  • iaas_server_public_ip_attached — flags IaaS servers that have a public IP address directly attached to a network interface. Thanks to @johannes-engler-mw!

Read more in our STACKIT documentation.

Explore all STACKIT checks at Prowler Hub.

🙌 External Contributors

Thank you to our community contributors for this release!


UI

🚀 Added

  • Dynamically registered providers are now listed, filtered, and rendered across the UI, using a generic icon and humanized label when no bespoke assets exist, a "Custom" badge, and read-only handling for non-configurable providers (#11869)
  • Prowler Local Server branding and contextual Prowler Cloud upgrade prompts across navigation, scans, providers, compliance, findings, alerts, and Lighthouse AI (#11982)

🔄 Changed

  • UI components migrated from HeroUI to shared shadcn primitives (#11532)
  • UI integration enable flags renamed to past tense — UI_SENTRY_ENABLEUI_SENTRY_ENABLED, UI_GOOGLE_TAG_MANAGER_ENABLEUI_GOOGLE_TAG_MANAGER_ENABLED, UI_POSTHOG_ENABLEUI_POSTHOG_ENABLED; deployments that set the former names must update them (#11917)

🐞 Fixed

  • Metronome billing failing to start when PostHog was enabled, caused by a stale reference to the renamed UI_POSTHOG_ENABLED flag (#11938)
  • Lighthouse AI overview entry now starts a new remediation conversation, and returning to Overview restores app navigation mode (#11955)

API

🐞 Fixed

  • rls_transaction now falls back directly to the primary DB for connection-level mid-query read replica failures via execute_wrapper, reducing non-streaming read crashes during replica recovery (#10379)
  • RBAC permission gates now combine permissions from every role assigned to a user in the active tenant (#11979)
  • attack-paths-cleanup-stale-scans now retries worker pings and checks recent scan activity before failing scans and removing temporary databases (#11986)

🔐 Security

  • User role relationship updates are limited to the active tenant to preserve role assignments in other tenants (#11903)
  • Container image removes the unused Debian libxml2 runtime package and scopes the CVE-2026-13221 Trivy exception to unaffected Perl 5.36 packages (#11991)

SDK

🚀 Added

  • elbv2_listener_pqc_tls_enabled check for AWS provider, verifying that ELBv2 listeners use post-quantum TLS policies (#11254)
  • iaas_server_public_ip_attached check for STACKIT provider, flagging IaaS servers that have a public IP address directly attached to a network interface (#11549)
  • Changelog fragment workflow for SDK, API, UI, and MCP Server releases, including PR attribution, fragment validation, release compilation, and preserved section ordering (#11572)
  • E2E Networks provider with 27 checks across compute nodes, networking, security groups, load balancers, block/file storage, and managed databases (#11654)
  • datapipeline_pipeline_no_secrets_in_definition check for AWS provider, scanning Data Pipeline object fields, parameter objects, and parameter values for hardcoded secrets with Kingfisher (#11821)
  • amplify_app_no_secrets_in_environment check for AWS provider, scanning Amplify app and branch environment variables and build settings for hardcoded secrets (#11825)
  • ec2_ami_account_block_public_access check for AWS provider, verifying AMI block public access is enabled at the account level in each Region so AMIs cannot be shared publicly (#11828)
  • core_readonly_root_filesystem_enabled check for Kubernetes provider, verifying that every container in each Pod explicitly sets readOnlyRootFilesystem: true in its security context (#11835)
  • core_minimize_hostpath_volume_mounts check for Kubernetes provider, detecting Pods that use hostPath volumes (#11837)
  • app_function_ensure_http_is_redirected_to_https check for Azure provider, verifying that Function Apps enforce HTTPS-only traffic (#11929)

🔄 Changed

  • Missing trailing newlines to compliance, region, and fixture data files for POSIX compliance (#11765)
  • Oracle Cloud API key authentication now uses an internal bootstrap region when no explicit scan region filter is provided (#11853)
  • Redesign the local dashboard sidebar and informational pages (#11972)

Don't miss a new prowler release

NewReleases is sending notifications on new releases.