Merge branch 'master' into fix/ui-compliance-card-layout

Author: HugoPBrito

.github/workflows/labeler.yml

@@ -62,7 +62,7 @@ jobs:
             "Alan-TheGentleman"
             "alejandrobailo"
             "amitsharm"
-            "andoniaf"
+            # "andoniaf"
             "cesararroba"
             "danibarranqueroo"
             "HugoPBrito"

.github/workflows/sdk-tests.yml

@@ -209,11 +209,11 @@ jobs:
           echo "AWS service_paths='${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}'"
 
           if [ "${STEPS_AWS_SERVICES_OUTPUTS_RUN_ALL}" = "true" ]; then
-            poetry run pytest -p no:randomly -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws
+            poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml tests/providers/aws
           elif [ -z "${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}" ]; then
             echo "No AWS service paths detected; skipping AWS tests."
           else
-            poetry run pytest -p no:randomly -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml ${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}
+            poetry run pytest -n auto --cov=./prowler/providers/aws --cov-report=xml:aws_coverage.xml ${STEPS_AWS_SERVICES_OUTPUTS_SERVICE_PATHS}
           fi
         env:
           STEPS_AWS_SERVICES_OUTPUTS_RUN_ALL: ${{ steps.aws-services.outputs.run_all }}

.pre-commit-config.yaml

@@ -1,17 +1,34 @@
+# Priority tiers (lower = runs first, same priority = concurrent):
+#   P0  — fast file fixers
+#   P10 — validators and guards
+#   P20 — auto-formatters
+#   P30 — linters
+#   P40 — security scanners
+#   P50 — dependency validation
+
+default_install_hook_types: [pre-commit, pre-push]
+
 repos:
   ## GENERAL (prek built-in — no external repo needed)
   - repo: builtin
     hooks:
       - id: check-merge-conflict
+        priority: 10
       - id: check-yaml
         args: ["--allow-multiple-documents"]
         exclude: (prowler/config/llm_config.yaml|contrib/)
+        priority: 10
       - id: check-json
+        priority: 10
       - id: end-of-file-fixer
+        priority: 0
       - id: trailing-whitespace
+        priority: 0
       - id: no-commit-to-branch
+        priority: 10
       - id: pretty-format-json
         args: ["--autofix", --no-sort-keys, --no-ensure-ascii]
+        priority: 10
 
   ## TOML
   - repo: https://github.com/macisamuele/language-formatters-pre-commit-hooks
@@ -20,20 +37,23 @@ repos:
       - id: pretty-format-toml
         args: [--autofix]
         files: pyproject.toml
+        priority: 20
 
   ## GITHUB ACTIONS
   - repo: https://github.com/zizmorcore/zizmor-pre-commit
     rev: v1.24.1
     hooks:
       - id: zizmor
         files: ^\.github/
+        priority: 30
 
   ## BASH
   - repo: https://github.com/koalaman/shellcheck-precommit
     rev: v0.11.0
     hooks:
       - id: shellcheck
         exclude: contrib
+        priority: 30
 
   ## PYTHON — SDK (prowler/, tests/, dashboard/, util/, scripts/)
   - repo: https://github.com/myint/autoflake
@@ -48,6 +68,7 @@ repos:
             "--remove-all-unused-imports",
             "--remove-unused-variable",
           ]
+        priority: 20
 
   - repo: https://github.com/pycqa/isort
     rev: 8.0.1
@@ -56,13 +77,15 @@ repos:
         name: "SDK - isort"
         files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
         args: ["--profile", "black"]
+        priority: 20
 
   - repo: https://github.com/psf/black
     rev: 26.3.1
     hooks:
       - id: black
         name: "SDK - black"
         files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
+        priority: 20
 
   - repo: https://github.com/pycqa/flake8
     rev: 7.3.0
@@ -71,6 +94,7 @@ repos:
         name: "SDK - flake8"
         files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
         args: ["--ignore=E266,W503,E203,E501,W605"]
+        priority: 30
 
   ## PYTHON — API + MCP Server (ruff)
   - repo: https://github.com/astral-sh/ruff-pre-commit
@@ -80,9 +104,11 @@ repos:
         name: "API + MCP - ruff check"
         files: { glob: ["{api,mcp_server}/**/*.py"] }
         args: ["--fix"]
+        priority: 30
       - id: ruff-format
         name: "API + MCP - ruff format"
         files: { glob: ["{api,mcp_server}/**/*.py"] }
+        priority: 20
 
   ## PYTHON — Poetry
   - repo: https://github.com/python-poetry/poetry
@@ -93,31 +119,36 @@ repos:
         args: ["--directory=./api"]
         files: { glob: ["api/{pyproject.toml,poetry.lock}"] }
         pass_filenames: false
+        priority: 50
 
       - id: poetry-lock
         name: API - poetry-lock
         args: ["--directory=./api"]
         files: { glob: ["api/{pyproject.toml,poetry.lock}"] }
         pass_filenames: false
+        priority: 50
 
       - id: poetry-check
         name: SDK - poetry-check
         args: ["--directory=./"]
         files: { glob: ["{pyproject.toml,poetry.lock}"] }
         pass_filenames: false
+        priority: 50
 
       - id: poetry-lock
         name: SDK - poetry-lock
         args: ["--directory=./"]
         files: { glob: ["{pyproject.toml,poetry.lock}"] }
         pass_filenames: false
+        priority: 50
 
   ## CONTAINERS
   - repo: https://github.com/hadolint/hadolint
     rev: v2.14.0
     hooks:
       - id: hadolint
         args: ["--ignore=DL3013"]
+        priority: 30
 
   ## LOCAL HOOKS
   - repo: local
@@ -128,6 +159,7 @@ repos:
         language: system
         types: [python]
         files: { glob: ["{prowler,tests,dashboard,util,scripts}/**/*.py"] }
+        priority: 30
 
       - id: trufflehog
         name: TruffleHog
@@ -138,6 +170,7 @@ repos:
         language: system
         pass_filenames: false
         stages: ["pre-commit", "pre-push"]
+        priority: 40
 
       - id: bandit
         name: bandit
@@ -148,6 +181,7 @@ repos:
         files: '.*\.py'
         exclude:
           { glob: ["{contrib,skills}/**", "**/.venv/**", "**/*_test.py"] }
+        priority: 40
 
       - id: safety
         name: safety
@@ -166,6 +200,7 @@ repos:
                 ".safety-policy.yml",
               ],
           }
+        priority: 40
 
       - id: vulture
         name: vulture
@@ -174,3 +209,4 @@ repos:
         language: system
         types: [python]
         files: '.*\.py'
+        priority: 40

README.md

@@ -104,22 +104,22 @@ Every AWS provider scan will enqueue an Attack Paths ingestion job automatically
 
 | Provider | Checks | Services | [Compliance Frameworks](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/compliance/) | [Categories](https://docs.prowler.com/projects/prowler-open-source/en/latest/tutorials/misc/#categories) | Support | Interface |
 |---|---|---|---|---|---|---|
-| AWS | 572 | 83 | 41 | 17 | Official | UI, API, CLI |
-| Azure | 165 | 20 | 18 | 13 | Official | UI, API, CLI |
-| GCP | 100 | 13 | 15 | 11 | Official | UI, API, CLI |
-| Kubernetes | 83 | 7 | 7 | 9 | Official | UI, API, CLI |
-| GitHub | 21 | 2 | 1 | 2 | Official | UI, API, CLI |
-| M365 | 89 | 9 | 4 | 5 | Official | UI, API, CLI |
-| OCI | 48 | 13 | 3 | 10 | Official | UI, API, CLI |
-| Alibaba Cloud | 61 | 9 | 3 | 9 | Official | UI, API, CLI |
-| Cloudflare | 29 | 2 | 0 | 5 | Official | UI, API, CLI |
+| AWS | 595 | 84 | 43 | 17 | Official | UI, API, CLI |
+| Azure | 167 | 22 | 19 | 16 | Official | UI, API, CLI |
+| GCP | 102 | 18 | 17 | 12 | Official | UI, API, CLI |
+| Kubernetes | 83 | 7 | 7 | 11 | Official | UI, API, CLI |
+| GitHub | 24 | 3 | 1 | 5 | Official | UI, API, CLI |
+| M365 | 101 | 10 | 4 | 10 | Official | UI, API, CLI |
+| OCI | 51 | 14 | 4 | 10 | Official | UI, API, CLI |
+| Alibaba Cloud | 61 | 9 | 4 | 9 | Official | UI, API, CLI |
+| Cloudflare | 29 | 3 | 0 | 5 | Official | UI, API, CLI |
 | IaC | [See `trivy` docs.](https://trivy.dev/latest/docs/coverage/iac/) | N/A | N/A | N/A | Official | UI, API, CLI |
 | MongoDB Atlas | 10 | 3 | 0 | 8 | Official | UI, API, CLI |
 | LLM | [See `promptfoo` docs.](https://www.promptfoo.dev/docs/red-team/plugins/) | N/A | N/A | N/A | Official | CLI |
 | Image | N/A | N/A | N/A | N/A | Official | CLI, API |
-| Google Workspace | 1 | 1 | 0 | 1 | Official | CLI |
-| OpenStack | 27 | 4 | 0 | 8 | Official | UI, API, CLI |
-| Vercel | 30 | 6 | 0 | 5 | Official | CLI |
+| Google Workspace | 25 | 4 | 2 | 4 | Official | CLI |
+| OpenStack | 34 | 5 | 0 | 9 | Official | UI, API, CLI |
+| Vercel | 26 | 6 | 0 | 5 | Official | CLI |
 | NHN | 6 | 2 | 1 | 0 | Unofficial | CLI |
 
 > [!Note]

api/CHANGELOG.md

@@ -2,6 +2,14 @@
 
 All notable changes to the **Prowler API** are documented in this file.
 
+## [1.27.0] (Prowler UNRELEASED)
+
+### 🚀 Added
+
+- New `scan-reset-ephemeral-resources` post-scan task zeroes `failed_findings_count` for resources missing from the latest full-scope scan, keeping ephemeral resources from polluting the Resources page sort [(#10929)](https://github.com/prowler-cloud/prowler/pull/10929)
+
+---
+
 ## [1.26.1] (Prowler v5.25.1)
 
 ### 🐞 Fixed

api/src/backend/api/models.py

@@ -595,10 +595,40 @@ class Scan(RowLevelSecurityProtectedModel):
     objects = ActiveProviderManager()
     all_objects = models.Manager()
 
+    _SCOPING_SCANNER_ARG_KEYS_CACHE: tuple[str, ...] | None = None
+
+    @classmethod
+    def get_scoping_scanner_arg_keys(cls) -> tuple[str, ...]:
+        """Return the scanner_args keys that mark a scan as scoped.
+
+        Derived from ``prowler.lib.scan.scan.Scan.__init__`` so the API stays
+        in sync with whatever the SDK actually accepts as filters. Cached at
+        class level — the signature is stable for the process lifetime.
+        """
+        if cls._SCOPING_SCANNER_ARG_KEYS_CACHE is None:
+            import inspect
+
+            from prowler.lib.scan.scan import Scan as ProwlerScan
+
+            params = inspect.signature(ProwlerScan.__init__).parameters
+            cls._SCOPING_SCANNER_ARG_KEYS_CACHE = tuple(
+                name for name in params if name not in ("self", "provider")
+            )
+        return cls._SCOPING_SCANNER_ARG_KEYS_CACHE
+
     class TriggerChoices(models.TextChoices):
         SCHEDULED = "scheduled", _("Scheduled")
         MANUAL = "manual", _("Manual")
 
+    # Trigger values for scans that ran the SDK end-to-end. Imported scans (or
+    # any future trigger) are intentionally NOT in this set — they may carry
+    # only a partial slice of resources, so post-scan logic that depends on a
+    # full-scope sweep (e.g. resetting ephemeral resource findings) must skip
+    # them by default.
+    LIVE_SCAN_TRIGGERS = frozenset(
+        (TriggerChoices.SCHEDULED.value, TriggerChoices.MANUAL.value)
+    )
+
     id = models.UUIDField(primary_key=True, default=uuid7, editable=False)
     name = models.CharField(
         blank=True, null=True, max_length=100, validators=[MinLengthValidator(3)]
@@ -681,6 +711,24 @@ class Meta(RowLevelSecurityProtectedModel.Meta):
     class JSONAPIMeta:
         resource_name = "scans"
 
+    def is_full_scope(self) -> bool:
+        """Return True if this scan ran with no scoping filters at all.
+
+        Used to gate post-scan operations (such as resetting the
+        failed_findings_count of resources missing from the scan) that are only
+        safe when the scan covered every check, service, and category. Imported
+        scans are NOT full-scope by definition — they may carry only a partial
+        slice of resources, so they're rejected via ``trigger`` even before the
+        scanner_args check.
+        """
+        if self.trigger not in self.LIVE_SCAN_TRIGGERS:
+            return False
+        scanner_args = self.scanner_args or {}
+        for key in self.get_scoping_scanner_arg_keys():
+            if scanner_args.get(key):
+                return False
+        return True
+
 
 class AttackPathsScan(RowLevelSecurityProtectedModel):
     objects = ActiveProviderManager()