Prowler 3.16.10 - Back in the Village

What's Changed

Chores

• chore(v3): include latest v4 changes by @sergargar in #4350
  • chore(acm): Improve near-expiration certificates check (#4207)
  • chore(network): Reduce network watchers azure check findings (#4242)
  • fix(aws): aws check and metadata fixes (#4251)
  • chore(s3): reduce false positive in s3 public check (#4281)
  • fix(rds): handle not existing endpoint (#4285)
  • fix(csv-outputs): compliance outputs not showing consistents values (#4287)
  • fix(codebuild): enhance service functions (#4319)
  • fix(aws): parallelize functions per resource (#4323)
  • fix(s3): handle empty Action in bucket policy (#4328)

Dependencies

• chore(deps): bump azure-identity from 1.16.1 to 1.17.1 by @dependabot in #4312
• chore(deps): bump azure-mgmt-cosmosdb from 9.5.0 to 9.5.1 by @dependabot in #4306
• chore(deps): bump azure-mgmt-storage from 21.2.0 to 21.2.1 by @dependabot in #4340
• chore(deps): bump azure-mgmt-web from 7.2.0 to 7.3.0 by @dependabot in #4304
• chore(deps): bump boto3 from 1.34.132 to 1.34.136 by @dependabot in #4354
• chore(deps): bump botocore from 1.34.136 to 1.34.137 by @dependabot in #4353
• chore(deps): bump docker/build-push-action from 5 to 6 by @dependabot in #4262
• chore(deps): bump google-api-python-client from 2.134.0 to 2.135.0 by @dependabot in #4338
• chore(deps): bump pydantic from 1.10.16 to 1.10.17 by @dependabot in #4307
• chore(deps): bump requests from 2.32.2 to 2.32.3 by @dependabot in #4341
• chore(deps): bump slack-sdk from 3.29.0 to 3.30.0 by @dependabot in #4309
• chore(deps): bump trufflesecurity/trufflehog from 3.78.2 to 3.79.0 by @dependabot in #4336
• chore(deps): Upgrade requests to 2.32.2 by @jfagoagas in #4314
• chore(deps-dev): bump bandit from 1.7.8 to 1.7.9 by @dependabot in #4268
• chore(deps-dev): bump coverage from 7.5.3 to 7.5.4 by @dependabot in #4302
• chore(deps-dev): bump flake8 from 7.0.0 to 7.1.0 by @dependabot in #4267
• chore(deps-dev): bump moto from 5.0.9 to 5.0.10 by @dependabot in #4346
• chore(deps-dev): bump pylint from 3.2.3 to 3.2.5 by @dependabot in #4348
• chore(deps-dev): bump pytest from 8.2.1 to 8.2.2 by @dependabot in #4216
• chore(deps-dev): bump safety from 3.2.0 to 3.2.3 by @dependabot in #4221
• chore(python): update vulnerable anyio library by @jfagoagas in #4349

Full Changelog: 3.16.9...3.16.10

Prowler 4.2.4 - 2 Minutes to Midnight

What's Changed

Fixes

• fix(compliance): check if custom check has compliance metadata by @sergargar in #4208
• fix(encoding): handle encoding issues and improve error handling in config and HTML file loading functions by @lshw54 in #4203
• fix(custom): execute custom checks by @sejimhp in #4202
• fix(dashboard): fix styles in overview page by @pedrooot in #4204
• fix(html): fix status from HTML outputs by @pedrooot in #4206

Chores

• chore(acm): Improve near-expiration certificates check by @puchy22 in #4207
• chore(regions_update): Changes in regions for AWS services. by @jfagoagas in #4205

New Contributors

• @sejimhp made their first contribution in #4202
• @lshw54 made their first contribution in #4203

Full Changelog: 4.2.3...4.2.4

Prowler 4.2.3 - 2 Minutes to Midnight

What's Changed

Fixes

• fix(elasticache): handle empty cluster subnets by @sergargar in #4192
• fix(glue): check if get dev endpoints call is supported by @sergargar in #4193
• fix(rds): handle not existing parameter values by @sergargar in #4191
• fix(s3): check if account is signed up by @sergargar in #4194
• fix(html): resolve html changing finding status by @pedrooot in #4199
• fix(html): handle muted status to html outputs by @pedrooot in #4195

Documentation

• docs(reporting): fix mapping of json-ocsf field cloud.account.type by @kagahd in #4186
• docs(index): fix docu about output modes by @kagahd in #4187

Full Changelog: 4.2.2...4.2.3

Prowler 3.16.9 - Back in the Village

What's Changed

Chores

• chore(backport): update v3 with latest changes by @sergargar in #4198
  • chore(regions_update): Changes in regions for AWS services. (#4178)
  • fix(rds): handle not existing parameter values (#4191)
  • fix(elasticache): handle empty cluster subnets (#4192)
  • fix(glue): check if get dev endpoints call is supported (#4193)
  • fix(s3): check if account is signed up (#4194)
• chore(deps): bump boto3 from 1.34.109 to 1.34.113 by @dependabot in #4173
• chore(deps): bump botocore from 1.34.113 to 1.34.118 by @dependabot in #4176
• chore(deps): bump google-api-python-client from 2.130.0 to 2.131.0 by @dependabot in #4174
• chore(deps): bump trufflesecurity/trufflehog from 3.76.3 to 3.77.0 by @dependabot in #4168
• chore(deps-dev): bump coverage from 7.5.2 to 7.5.3 by @dependabot in #4175
• chore(deps-dev): bump mkdocs-git-revision-date-localized-plugin from 1.2.5 to 1.2.6 by @dependabot in #4172
• chore(deps-dev): bump moto from 5.0.8 to 5.0.9 by @dependabot in #4171

Full Changelog: 3.16.8...3.16.9

Prowler 4.2.2 - 2 Minutes to Midnight

What's Changed

Fixes

• fix(cloudtrail): check if trails exist in service by @sergargar in #4161
• fix(cloudtrail): trail.region must be home region by @jfagoagas in #4153
• fix(defender): Add new parameter required by new API version by @puchy22 in #4147
• fix(dependencies): ignore jinja vulnerability by @pedrooot in #4154
• fix(html): add correct color for manual findings by @pedrooot in #4184
• fix(html): make Prowler logo resizable by @pedrooot in #4185
• fix(mutelist): Handle items starting by * by @jfagoagas in #4136
• fix(mutelist): return False if something fails by @jfagoagas in #4139
• fix(mutelist): Split code for AWS and the rest of providers by @jfagoagas in #4143
• fix(rds): Handle DBParameterGroupNotFound by @jfagoagas in #4148
• fix(rds): use correct API call for cluster parameters by @sergargar in #4150
• fix(trustedadvisor): handle AccessDenied exception by @sergargar in #4158

Chores

• chore(AWS): allow ingress to any port for user defined network interface types by @kagahd in #4094
• chore(cloudformation): Update related URL by @rieck-srlabs in #4134
• chore(deps): bump boto3 from 1.34.109 to 1.34.113 by @dependabot in #4165
• chore(deps): bump botocore from 1.34.113 to 1.34.118 by @dependabot in #4170
• chore(deps): bump google-api-python-client from 2.130.0 to 2.131.0 by @dependabot in #4166
• chore(deps): bump trufflesecurity/trufflehog from 3.76.3 to 3.77.0 by @dependabot in #4163
• chore(deps-dev): bump coverage from 7.5.2 to 7.5.3 by @dependabot in #4167
• chore(deps-dev): bump mkdocs-git-revision-date-localized-plugin from 1.2.5 to 1.2.6 by @dependabot in #4164
• chore(deps-dev): bump moto from 5.0.8 to 5.0.9 by @dependabot in #4169
• chore(ec2): add scan unused services logic to SG check by @sergargar in #4138
• chore(favicon): update favicon logo by @sergargar in #4151
• chore(iam): Downgrade AWS IAM check severity by @rieck-srlabs in #4149
• chore(regions_update): Changes in regions for AWS services. by @jfagoagas in #4178
• chore(version): update Prowler version by @sergargar in #4131
• chore(vpc): add scan unused services logic to VPC checks by @sergargar in #4137
• refactor(banner): remove unneeded arguments by @jfagoagas in #4155
• refactor(run_check): Simplify and add tests by @jfagoagas in #4183
• refactor(Slack): create class by @jfagoagas in #4127

Full Changelog: 4.2.1...4.2.2

Prowler 3.16.8 - Back in the Village

What's Changed

Fixes

• fix(cloudtrail): check if trails exist in service by @sergargar in #4162

Full Changelog: 3.16.7...3.16.8

Prowler 3.16.7 - Back in the Village

What's Changed

Chores

• chore(backport): include latest changes of v4 by @sergargar in #4159
  • fix(defender): Add new parameter required by new API version (#4147)
  • chore(iam): Downgrade AWS IAM check severity (#4149)
  • fix(rds): use correct API call for cluster parameters (#4150)
  • fix(dependencies): ignore jinja vulnerability (#4154)
  • fix(cloudtrail): trail.region must be home region (#4153)
  • fix(trustedadvisor): handle AccessDenied exception (#4158)

Full Changelog: 3.16.6...3.16.7

Prowler 3.16.6 - Back in the Village

What's Changed

Fixes

• fix(allowlist): Handle items starting by * by @jfagoagas in #4135
• fix(allowlist): return False if something fails by @jfagoagas in #4140

Chores

• chore(backport): put latest changes of v4 to v3 by @sergargar in #4144
  • chore(aws): Add failed_checks to track (#4018)
  • feat(rds): Add AWS RDS clusters to transport encryption check (#4028)
  • fix(gcp): handle projects API Call error (#4055)
  • fix(doc): mapping of extra748 and add extra74 (#4059)
  • chore(IAM): Improve IAM checks for Azure (#4061)
  • chore(regions_update): Changes in regions for AWS services. (#4071)
  • chore(slack): change Slack channel name env variable (#4080)
  • fix(rds): solve ParameterValue KeyError (#4085)
  • fix(opensearch): handle non existing SAMLOptions in domain (#4086)
  • fix(rds): ParameterValue MySQL and MariaDB RDS Instances (#4116)
  • chore(regions_update): Changes in regions for AWS services. (#4126)
  • chore(cloudformation): Update related URL (#4134)
  • chore(vpc): add scan unused services logic to VPC checks (#4137)
  • fix(allowlist): return False if something fails (#4140)
  • fix(outputs): fill compliance field for outputs (#4054)
  • chore(ec2): add scan unused services logic to SG check (#4138)

Dependencies

• chore(deps): bump azure-mgmt-resource from 23.0.1 to 23.1.1 by @dependabot in #3998
• chore(deps): bump microsoft-kiota-abstractions from 1.3.2 to 1.3.3 by @dependabot in #4097
• chore(deps-dev): bump coverage from 7.5.1 to 7.5.2 by @dependabot in #4099
• chore(deps-dev): bump moto from 5.0.7 to 5.0.8 by @dependabot in #4100
• chore(deps): bump boto3 from 1.34.105 to 1.34.109 by @dependabot in #4101
• chore(deps-dev): bump docker from 7.0.0 to 7.1.0 by @dependabot in #4102
• chore(deps): bump google-api-python-client from 2.129.0 to 2.130.0 by @dependabot in #4098
• chore(deps): bump botocore from 1.34.109 to 1.34.113 by @dependabot in #4103
• chore(deps): bump azure-mgmt-network from 25.3.0 to 25.4.0 by @dependabot in #4105

Full Changelog: 3.16.5...3.16.6

Prowler 4.2.1 - 2 Minutes to Midnight

What's Changed

Fixes

• fix(rds): solve TypeError and make Certificate class by @sergargar in #4122
• fix(readme): solve logo in GitHub app by @sergargar in #4128
• fix(readme): resize logo by @sergargar in #4129
• fix(eventbridge): solve import function in check by @sergargar in #4121

Chores

• chore(version): update Prowler version by @sergargar in #4120
• chore(readme): update AWS count checks by @sergargar in #4119
• chore(regions_update): Changes in regions for AWS services. by @jfagoagas in #4126

Full Changelog: 4.2.0...4.2.1

Prowler 4.2.0 - 2 Minutes to Midnight

The blind men shout,
"Let the creatures out! We'll show the unbelievers"

Here we have Prowler 4.2.0 - 2 Minutes to Midnight 🚀 bringing a new look for Prowler with this Iron Maiden song.

New features to highlight in this version

🥳 New Prowler logo
This version comes with a new look of Prowler thanks to the new logo:

💪🏼 55 New AWS checks
Prowler is improving its AWS coverage by including 55 new checks for Kafka, Lightsail, Storage Gateway, DynamoDB, Cognito, EC2, EventBridge, SNS and RDS.
Special thanks to our external contributors @madereddy, @rieck-srlabs and @Davidm4r for doing new checks 🙌
See all the new available checks with prowler aws --list-checks

📝 HTML output is back!
We have listened you and as our community is always first, we brought our HTML back 😄
Get it again with prowler <provider> -M/--output-formats html

✍️ Custom Checks Metadata
Now you can override the all the metadata fields from a check using the --custom-checks-metadata-file custom_checks_metadata.yaml flag.

See more in https://docs.prowler.cloud/en/latest/tutorials/custom-checks-metadata/

🔧 Other issues and bug fixes solved for all the cloud providers

Features

• feat(aws): Add new kafka service by @puchy22 in #4001
• feat(aws): Lightsail new service and checks by @puchy22 in #3919
• feat(aws): New Storage Gateway FileShare KMS CMK Check by @madereddy in #4082
• feat(aws): new dynamodb_table_cross_account_access check by @sergargar in #3932
• feat(cognito): Add new checks related with cognito service by @pedrooot in #3898
• feat(compliance): Update RBI compliance framework by @pedrooot in #4026
• feat(custom-checks-metadata): add new fields by @pedrooot in #3976
• feat(dashboard): add idgrupocontrol description in compliance page for ens by @pedrooot in #3910
• feat(dashboard): add more fields to dashboard overview component by @pedrooot in #4084
• feat(dashboard): Improve table overview by @pedrooot in #4015
• feat(dashboard): Multiple changes in compliance page by @pedrooot in #4051
• feat(ec2): Add 2 new checks + fixers related with EC2 service by @pedrooot in #3827
• feat(ec2): add EC2 Security group check to verify if at least one port is opened by @sergargar in #3962
• feat(ec2): New EC2 AWS check (#852) by @rieck-srlabs in #4076
• feat(ec2): add checks for EC2 instances with exposed ports to the internet by @sergargar in #4029
• feat(eventbridge): add EventBridge checks by @sergargar in #4020
• feat(json-ocsf): Add new fields for py-ocsf 0.1.0 by @pedrooot in #3853
• feat(Kafka): New Kafka AWS checks by @puchy22 in #4021
• feat(kubernetes): Handle empty --kubeconfig-file by @pedrooot in #3980
• feat(logo): add new Prowler logo! by @sergargar in #4090
• feat(output): Add HTML outputs to Prowler by @pedrooot in #4005
• feat(rds): Add AWS RDS clusters to transport encryption check by @madereddy in #4028
• feat(rds): Add RDS certificate expiration check by @madereddy in #4002
• feat(sns): sns topics no http subscriptions by @Davidm4r in #4095

Fixes

• fix(actions): Don't need expressions within if by @jfagoagas in #3733
• fix(aws_lambda): Update obsolete lambda runtimes by @pedrooot in #3735
• fix(ulimit): import library only in windows by @sergargar in #3738
• fix(download): remove dataframe index from download in dashboard by @pedrooot in #3739
• fix(json-ocsf): add check_id field in json-ocsf output by @pedrooot in #3740
• fix(json-ocsf): Add missing fields for JSON-OCSF by @pedrooot in #3745
• fix(ocsf): Include check_id as metadata.event_code by @jfagoagas in #3748
• fix(json-ocsf): Remove risk field from unmapped by @pedrooot in #3759
• fix(wafv2): Handle WAFNonexistentItemException by @pedrooot in #3761
• fix(compliance): Add muted info to compliance outputs by @pedrooot in #3751
• fix(mutelist): if all fails are muted do exit 0 by @jfagoagas in #3754
• fix(ocsf): Add compliance by @jfagoagas in #3753
• fix(rds): ParameterValue MySQL and MariaDB RDS Instances by @sansns in #4116
• fix(security-hub): MUTED -> WARNING by @jfagoagas in #3768
• fix(slack): Use global provider object by @jfagoagas in #3770
• fix(trufflehog): fix GitHub action of TruffleHog by @sergargar in #3775
• fix(table-overview): Multiple changes on dashboard table from overview by @pedrooot in #3773
• fix(utils): import libraries when needed by @sergargar in #3805
• fix(network_azure): handle capitalized protocols in security group rules by @pedrooot in #3808
• fix(execute_check): Handle ModuleNotFoundError by @jfagoagas in #3812
• fix(overview-table): change font in overview table by @pedrooot in #3815
• fix(dashboard): fix error in windows for csvreader by @pedrooot in #3806
• fix(ocsf): Add resource details to data by @jfagoagas in #3819

Chores

• chore(aws): Add failed_checks to track by @kagahd in #4018
• chore(aws): cleanup aws test cases and standardize checks by @madereddy in #4053
• chore(aws): cleanup aws test cases by @madereddy in #4049
• chore(check): global_provider is not needed here by @jfagoagas in #3828
• chore(CLI): start working on CLI by @pedrooot in #4067
• chore(compliance): change security group any port check by @sergargar in #4019
• chore(docs): remove unnecessary line by @sergargar in #3933
• chore(docs): solve some issues by @sergargar in #3868
• chore(docs): update BridgeCrew links in metadata to our local docs link by @sergargar in #3858
• chore(docs): add mapping of CSV headers with providers by @sergargar in #4118
• chore(docs): Update docs related with the Prowler Dashboard by @pedrooot in #4113
• chore(execute_checks): remove mutelist since it is within the provider by @jfagoagas in #4052
• chore(gcp): handle list projects API call errors by @sergargar in #3849
• chore(get_tagged_resources): Add return value type hint by @mlmerchant in #3860
• chore(global_provider): Move methods to class as static by @jfagoagas in #3896
• chore(IAM): Improve IAM checks for Azure by @puchy22 in #4061
• chore(issue-template): Modify issue template to add logs by @pedrooot in #3924
• chore(labeler): Add cli label by @jfagoagas in #4069
• chore(logo): resize logo in README and update favicon and architecture by @sergargar in #4092
• chore(logo-dashboard): update logo in dashboard by @pedrooot in #4088
• chore(logo-html): update html logo by @pedrooot in #4089
• chore(mitre azure): add mapping to mitre for azure provider by @n4ch04 in #3857
• chore(mitre gcp): add mitre mapping for gcp by @n4ch04 in #3899
• chore(mutelist): improve default AWS mutelist with ControlTower by @sergargar in #3904
• ch...