Conversation

@toniblyx
Member

@toniblyx toniblyx commented Jan 7, 2026

Context

Prowler currently supports various integrations for sending findings, but lacks an email notification system. Many teams rely on email alerts for immediate notification of critical security findings. This PR adds a complete Amazon SNS integration that allows users to send Prowler findings as formatted email alerts via SNS topics.

Description

This PR implements a full-featured Amazon SNS integration that sends security findings as email alerts. The integration uses AWS credentials for authentication and provides comprehensive filtering capabilities similar to other integrations.

Key Features:

Amazon SNS Client:

  • AWS credential authentication (access keys, roles, session tokens)
  • SNS topic validation and connection testing
  • Email-formatted alert messages with comprehensive finding details
  • Support for remediation recommendations and code examples
  • Comprehensive error handling with custom exception classes

API Integration:

  • New integration type: "sns"
  • CRUD operations for SNS integrations
  • Async task processing for bulk operations
  • Topic ARN validation before dispatch
  • Support for filtering findings before sending

Filtering Capabilities:

  • Severity filtering: Filter by severity level (critical, high, medium, low, informational)
  • Provider filtering: Filter by cloud provider type and provider ID
  • Region filtering: Filter by AWS region
  • Resource filtering: Filter by resource name, UID, and tags
  • Finding ID filtering: Send specific findings or lists of findings

Email Alert Format:

  • Subject: [Prowler Alert] SEVERITY - CHECK_ID - RESOURCE_NAME
  • Body: Text-formatted with 80-character width including:
    • Finding details (severity, status, check ID, check title)
    • Resource information (name, type, UID, region, account, service, provider)
    • Risk description
    • Remediation recommendations with documentation URLs
    • Remediation code examples (AWS CLI, Terraform, Other)
    • Resource tags
    • Compliance framework mappings
    • Link back to finding in Prowler UI

Changes Include:

New Backend Files:

  • prowler/providers/aws/lib/sns/sns.py - Main SNS client class (~550 lines)
  • prowler/providers/aws/lib/sns/exceptions/exceptions.py - Custom exception classes
  • prowler/providers/aws/lib/sns/__init__.py - Package exports
  • prowler/providers/aws/lib/sns/exceptions/__init__.py - Exception exports

Modified Backend Files:

  • api/src/backend/api/models.py - Add SNS to Integration choices
  • api/src/backend/api/filters.py - Add IntegrationSNSFindingsFilter with comprehensive filtering
  • api/src/backend/api/utils.py - Add SNS integration initialization and connection testing
  • api/src/backend/api/v1/serializer_utils/integrations.py - Add SNS serializers
  • api/src/backend/api/v1/serializers.py - Add SNS dispatch serializer and validation
  • api/src/backend/api/v1/urls.py - Add SNS integration routing
  • api/src/backend/api/v1/views.py - Add IntegrationSNSViewSet
  • api/src/backend/tasks/tasks.py - Add sns_integration_task
  • api/src/backend/tasks/jobs/integrations.py - Add send_findings_to_sns job

API Endpoints

Create SNS Integration:

POST /api/v1/integrations
{
  "integration_type": "sns",
  "enabled": true,
  "credentials": {
    "role_arn": "arn:aws:iam::123456789012:role/prowler-sns-role",  // optional
    "aws_access_key_id": "AKIA...",  // optional
    "aws_secret_access_key": "...",  // optional
    "aws_session_token": "...",  // optional
    "session_duration": 3600,  // optional
    "external_id": "...",  // optional
    "role_session_name": "prowler-sns"  // optional
  },
  "configuration": {
    "topic_arn": "arn:aws:sns:us-east-1:123456789012:prowler-alerts"
  },
  "providers": []
}

Test Connection:

POST /api/v1/integrations/{integration_id}/connection

Send Findings to SNS:

POST /api/v1/integrations/{integration_id}/sns/dispatches?filter[severity]=critical&filter[provider_type]=aws&filter[region]=us-east-1
{
  "data": {
    "type": "integrations-sns-dispatches",
    "attributes": {}
  }
}

Steps to Review

  1. Review SNS Client (prowler/providers/aws/lib/sns/sns.py):

    • Check AWS authentication implementation
    • Review SNS topic validation
    • Verify email message formatting with proper text layout
    • Review error handling
  2. Review Backend Integration:

    • Check model changes in api/models.py
    • Review serializers and validators in api/v1/serializer_utils/integrations.py
    • Verify ViewSet implementation in api/v1/views.py
    • Check URL routing in api/v1/urls.py
  3. Review Filtering:

    • Check IntegrationSNSFindingsFilter in api/filters.py
    • Verify support for severity, provider, region, resource name, and tag filtering
  4. Review Async Tasks:

    • Check task definition in tasks/tasks.py
    • Review job logic in tasks/jobs/integrations.py
    • Verify connection testing in api/utils.py
  5. Review Security:

    • Verify AWS credential encryption with Fernet
    • Check topic ARN validation
    • Review HTTPS usage in AWS API calls

Testing Checklist

Backend:

  • Create SNS integration with valid AWS credentials
  • Test connection returns success for valid topic
  • Send single finding creates SNS message with correct format
  • Send multiple findings in batch (async processing)
  • Verify email rendering in SNS email subscriptions
  • Test with severity filters (critical, high, medium, low)
  • Test with region filters
  • Test with provider filters
  • Test with resource name and tag filters
  • Test invalid credentials fail gracefully
  • Test unauthorized topic access is rejected
  • Update integration credentials works
  • Delete integration removes configuration

Checklist

  • Are there new checks included in this PR? No
  • Review if the code is being covered by tests - Unit tests pending
  • Review if code is being documented following Python docstring standards
  • Review if backport is needed - Not applicable for new feature
  • Review if README.md needs updates - Documentation pending
  • Ensure new entries are added to CHANGELOG.md - To be added

API

  • Verify if API specs need to be regenerated - New endpoints added
  • Check if version updates are required
  • Ensure new entries are added to api/CHANGELOG.md - To be added

Implementation Summary

Backend (~950 lines added):

  • Complete SNS API client with AWS authentication
  • Integration model updates and serializers
  • ViewSet and URL routing for SNS endpoints
  • Async task processing for bulk operations
  • Connection testing and topic validation
  • Comprehensive filtering support

Total: 9 files modified, 4 files created, ~950 lines added

Next Steps

  1. Database Migration: Create Django migration for SNS integration type
  2. Tests: Add unit and integration tests for backend
  3. Documentation: Update README and add usage documentation
  4. Changelog: Add entries to relevant CHANGELOG files
  5. UI Components (future PR): Add SNS integration UI components following the pattern of Jira/GitHub integrations

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Add complete Amazon SNS integration to Prowler that allows sending security
findings as email alerts via SNS topics. The integration supports comprehensive
filtering by severity, provider, region, resource name, and resource tags.

Features:
- SNS topic-based email alerting system
- AWS credential authentication (access keys, roles, session tokens)
- Support for filtering findings before dispatch
- Async task processing with Celery
- Full CRUD operations for SNS integrations
- Connection testing and validation

SNS Client (prowler/lib):
- SNS class for publishing finding alerts to topics
- Email-formatted messages with comprehensive finding details
- Support for remediation recommendations and code examples
- Exception handling with custom error classes
- Connection testing with topic validation

Backend API (api/src):
- IntegrationSNSFindingsFilter with severity, region, provider, and resource filtering
- IntegrationSNSDispatchSerializer for dispatch validation
- IntegrationSNSViewSet with RBAC permissions
- SNS integration task (sns_integration_task)
- Job logic (send_findings_to_sns) for batch processing

Models & Serializers:
- Added SNS to Integration.IntegrationChoices
- SNSConfigSerializer with topic_arn validation
- Uses AWSCredentialSerializer for AWS authentication
- Connection testing integrated into utils

Email Alert Format:
- Subject: [Prowler Alert] SEVERITY - CHECK_ID - RESOURCE_NAME
- Body: Comprehensive text format with:
  - Finding details (severity, status, check info)
  - Resource information (name, type, UID, region, account, provider)
  - Risk description
  - Remediation recommendations with URLs
  - Remediation code (CLI, Terraform, Other)
  - Resource tags
  - Compliance framework mappings
  - Link back to Prowler UI

API Endpoints:
- POST /api/v1/integrations (create SNS integration)
- POST /api/v1/integrations/{id}/connection (test SNS topic)
- POST /api/v1/integrations/{id}/sns/dispatches (send filtered findings)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
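An added illustration of the alert format and the topic ARN check described in the PR above (example code, not the PR's own sns.py): it builds the `[Prowler Alert] SEVERITY - CHECK_ID - RESOURCE_NAME` subject and the 80-column body, enforces the SNS subject constraints (under 100 characters, no line breaks), validates the topic ARN before any publish, and hands the message to a boto3-style client. The `Finding` dataclass, the section layout and the injected client are assumptions of this example.

```python
import re
import textwrap
from dataclasses import dataclass, field

# Topic ARN shape: arn:<partition>:sns:<region>:<12-digit account>:<topic name>[.fifo]
TOPIC_ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):sns:[a-z0-9-]+:\d{12}:[A-Za-z0-9_-]{1,256}(\.fifo)?$")
SNS_SUBJECT_MAX = 100  # SNS requires subjects shorter than 100 chars with no line breaks
WIDTH = 80  # text body width named in the PR description

@dataclass
class Finding:  # constructed stand-in for a Prowler finding, not the real model
    severity: str
    check_id: str
    resource_name: str
    region: str
    risk: str
    remediation: str
    remediation_url: str = ""
    tags: dict = field(default_factory=dict)

def validate_topic_arn(arn: str) -> bool:
    # Reject anything that is not an SNS topic ARN before an API call is made.
    return TOPIC_ARN_RE.match(arn) is not None

def build_subject(f: Finding) -> str:
    # [Prowler Alert] SEVERITY - CHECK_ID - RESOURCE_NAME, trimmed to what SNS accepts.
    subject = f"[Prowler Alert] {f.severity.upper()} - {f.check_id} - {f.resource_name}"
    subject = " ".join(subject.splitlines())  # a resource name must not inject line breaks
    if len(subject) >= SNS_SUBJECT_MAX:
        subject = subject[: SNS_SUBJECT_MAX - 4] + "..."
    return subject

def section(title: str, lines: list) -> list:
    # One titled block; long tokens such as URLs are kept whole rather than split.
    out = [title.upper(), "-" * len(title)]
    for line in lines:
        out.extend(textwrap.wrap(line, WIDTH, break_long_words=False) or [""])
    return out + [""]

def build_body(f: Finding, ui_url: str) -> str:
    lines = ["=" * WIDTH, "PROWLER SECURITY FINDING", "=" * WIDTH, ""]
    lines += section("Finding", [f"Severity: {f.severity}", f"Check: {f.check_id}"])
    lines += section("Resource", [f"Name: {f.resource_name}", f"Region: {f.region}"])
    lines += section("Risk", [f.risk])
    docs = [f"Docs: {f.remediation_url}"] if f.remediation_url else []
    lines += section("Remediation", [f.remediation] + docs)
    if f.tags:
        lines += section("Tags", [f"{k}={v}" for k, v in sorted(f.tags.items())])
    lines += section("Prowler UI", [ui_url])
    return "\n".join(lines)

def publish_finding(sns_client, topic_arn: str, f: Finding, ui_url: str) -> str:
    # sns_client is a boto3 SNS client (boto3.client("sns")) or a test double with publish().
    if not validate_topic_arn(topic_arn):
        raise ValueError(f"invalid SNS topic ARN: {topic_arn!r}")
    resp = sns_client.publish(TopicArn=topic_arn, Subject=build_subject(f), Message=build_body(f, ui_url))
    return resp["MessageId"]
```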
@toniblyx toniblyx requested review from a team as code owners January 7, 2026 21:18
@github-actions github-actions bot added provider/aws Issues/PRs related with the AWS provider provider/azure Issues/PRs related with the Azure provider component/api metadata-review labels Jan 7, 2026
@github-actions
Contributor

github-actions bot commented Jan 7, 2026

⚠️ Changes detected in the following folders without a corresponding update to the CHANGELOG.md:

  • api
  • ui
  • prowler

Please add an entry to the corresponding CHANGELOG.md file to maintain a clear history of changes.

@github-actions github-actions bot added the has-conflicts The PR has conflicts that needs to be resolved. label Jan 7, 2026
@github-actions
Contributor

github-actions bot commented Jan 7, 2026

⚠️ Conflict Markers Detected

This pull request contains unresolved conflict markers in the following files:

  • CLOUDFLARE_INTEGRATION_COMPLETE.md

Please resolve these conflicts by:

  1. Locating the conflict markers: <<<<<<<, =======, and >>>>>>>
  2. Manually editing the files to resolve the conflicts
  3. Removing all conflict markers
  4. Committing and pushing the changes



def initialize_prowler_integration(integration: Integration) -> Jira:
def initialize_prowler_integration(integration: Integration):

Check notice

Code scanning / CodeQL

Explicit returns mixed with implicit (fall through) returns Note

Mixing implicit and explicit returns may indicate an error, as implicit returns always return None.

Copilot Autofix

AI 16 days ago

In general, to fix “explicit mixed with implicit returns,” ensure that every control flow path in the function ends with an explicit return statement, even if returning None or raising an error. For this function, the best fix without changing existing behavior for supported types is to make the “no matching integration type” path explicit. The two existing branches already return a client object or raise an error after updating DB state; the only problematic path is when integration.integration_type is neither JIRA nor SNS.

The minimal, behavior-preserving change is to add a final return None at the end of initialize_prowler_integration. This keeps the current observable behavior (unsupported integration types still yield None) but makes it explicit and silences the CodeQL warning about mixed returns. No new imports or helpers are required. All edits are in api/src/backend/api/utils.py within the shown function, adding one line at the end of the function body.

Suggested changeset 1
api/src/backend/api/utils.py

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/api/src/backend/api/utils.py b/api/src/backend/api/utils.py
--- a/api/src/backend/api/utils.py
+++ b/api/src/backend/api/utils.py
@@ -437,3 +437,4 @@
                 integration.connection_last_checked_at = datetime.now(tz=timezone.utc)
                 integration.save()
             raise sns_error
+    return None
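Review bot: the trailing `return None` makes the unsupported-type path explicit but keeps it silent, so a caller that falls through for an integration_type other than JIRA or SNS receives None in place of a client and fails later with a less descriptive error; raising a ValueError that names the unsupported integration_type at that point would satisfy the explicit-return check and surface the misconfiguration where it happens. The annotated signature above also drops the `-> Jira` return type without a replacement; since the function now returns either a Jira or an SNS client, an explicit union annotation keeps type checkers useful.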
EOF
@github-actions
Contributor

github-actions bot commented Jan 7, 2026

🔒 Container Security Scan

Image: prowler-api:4126ece
Last scan: 2026-01-07 21:37:56 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 11
Total 11

10 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable


@github-actions
Contributor

github-actions bot commented Jan 7, 2026

🔒 Container Security Scan

Image: prowler:4126ece
Last scan: 2026-01-07 21:36:26 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 3
Total 3

3 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable


Add complete UI implementation for Amazon SNS integration with comprehensive
management interface for sending email alerts.

Features:
- SNS integration form with topic ARN configuration
- AWS credentials support (access keys, role ARN, session tokens)
- Custom credentials toggle for tenant/integration-level auth
- CRUD operations (create, edit, delete, toggle enable/disable)
- Connection testing with real-time feedback
- Integration manager with pagination support
- Filter support (severity, provider, region, resource name/tags)

UI Components:
- sns-integration-form.tsx: Form component with AWS credentials config
- sns-integration-card.tsx: Card for main integrations page
- sns-integrations-manager.tsx: Manager with list view and actions
- sns/page.tsx: Dedicated SNS integrations management page

Updates:
- Add SNS schemas to ui/types/integrations.ts with Zod validation
- Export SNS components from ui/components/integrations/index.ts
- Add SNS card to main integrations page
- Fix IntegrationType to use const-based approach per AGENTS.md line 13
- Fix Jira email validation to use correct Zod v4 syntax (z.email)
- Use proper TypeScript types (removed any types per AGENTS.md)
- Fix session_duration to use z.coerce.number() for string-to-number conversion

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@toniblyx toniblyx requested a review from a team as a code owner January 7, 2026 21:33
>(null);
const [isDeleting, setIsDeleting] = useState<string | null>(null);
const [isTesting, setIsTesting] = useState<string | null>(null);
const [isOperationLoading, setIsOperationLoading] = useState(false);

Check notice

Code scanning / CodeQL

Unused variable, import, function or class Note

Unused variable isOperationLoading.

Copilot Autofix

AI 16 days ago

In general, to fix an unused state variable in React, either (a) remove the state hook if it truly isn’t used, or (b) start actually using it (e.g., wiring it into UI or logic). To avoid changing existing behavior, the safest fix is to remove only genuinely unused state, since it currently has no observable effect on the component.

Here, the best fix is to remove the isOperationLoading state line on line 45 entirely and leave all other state hooks intact. No other code in the shown snippet refers to isOperationLoading, so removing that line does not change runtime behavior. No new imports or methods are required.

Concretely:

  • Edit ui/components/integrations/sns/sns-integrations-manager.tsx.
  • Delete the line: const [isOperationLoading, setIsOperationLoading] = useState(false);
  • Keep all surrounding code and imports unchanged.
Suggested changeset 1
ui/components/integrations/sns/sns-integrations-manager.tsx

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/ui/components/integrations/sns/sns-integrations-manager.tsx b/ui/components/integrations/sns/sns-integrations-manager.tsx
--- a/ui/components/integrations/sns/sns-integrations-manager.tsx
+++ b/ui/components/integrations/sns/sns-integrations-manager.tsx
@@ -42,7 +42,6 @@
   >(null);
   const [isDeleting, setIsDeleting] = useState<string | null>(null);
   const [isTesting, setIsTesting] = useState<string | null>(null);
-  const [isOperationLoading, setIsOperationLoading] = useState(false);
   const [isDeleteOpen, setIsDeleteOpen] = useState(false);
   const [integrationToDelete, setIntegrationToDelete] =
     useState<IntegrationProps | null>(null);
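Review bot: deleting `isOperationLoading` also removes `setIsOperationLoading`, and the autofix only inspected the shown lines; confirm that no handler further down in sns-integrations-manager.tsx calls the setter, otherwise the TypeScript build breaks. The remaining per-id `isDeleting` and `isTesting` states already provide operation-in-flight feedback, so nothing needs to replace the removed flag.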
EOF
@codecov

codecov bot commented Jan 7, 2026

Codecov Report

❌ Patch coverage is 0% with 268 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.03%. Comparing base (df8d823) to head (43918cc).
⚠️ Report is 38 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #9733      +/-   ##
==========================================
- Coverage   92.46%   89.03%   -3.44%     
==========================================
  Files         160     1058     +898     
  Lines       22814    29412    +6598     
==========================================
+ Hits        21096    26187    +5091     
- Misses       1718     3225    +1507     
Flag Coverage Δ
api ?
prowler-py3.10-aws 89.55% <0.00%> (?)
prowler-py3.10-azure 88.99% <0.00%> (?)
prowler-py3.11-aws 89.52% <0.00%> (?)
prowler-py3.11-azure 88.96% <0.00%> (?)
prowler-py3.12-aws 89.58% <0.00%> (?)
prowler-py3.12-azure 89.01% <0.00%> (?)
prowler-py3.9-aws 89.55% <0.00%> (?)
prowler-py3.9-azure 88.98% <0.00%> (?)

Flags with carried forward coverage won't be shown.

Components Coverage Δ
prowler 89.03% <0.00%> (∅)
api ∅ <ø> (∅)

@jfagoagas
Member

I'm closing this as requested. We'll work on this once prioritised.

@jfagoagas jfagoagas closed this Jan 12, 2026