prowler-changelog
Manages changelog entries for Prowler components following keepachangelog.com format. Trigger: When creating PRs, adding changelog entries, or working with any CHANGELOG.md file in ui/, api/, mcp_server/, or prowler/.
| Field | Value |
|---|---|
| name | prowler-changelog |
| description | Manages changelog entries for Prowler components following keepachangelog.com format. Trigger: When creating PRs, adding changelog entries, or working with any CHANGELOG.md file in ui/, api/, mcp_server/, or prowler/. |
| license | Apache-2.0 |
| metadata | {"author":"prowler-cloud","version":"1.0","scope":["root","ui","api","sdk","mcp_server"],"auto_invoke":["Add changelog entry for a PR or feature","Update CHANGELOG.md in any component","Create PR that requires changelog entry","Review changelog format and conventions"]} |
| allowed-tools | Read, Edit, Write, Glob, Grep, Bash |

| Component | File | Version Prefix | Current Version |
|---|---|---|---|
| UI | ui/CHANGELOG.md | None | 1.x.x |
| API | api/CHANGELOG.md | None | 1.x.x |
| MCP Server | mcp_server/CHANGELOG.md | None | 0.x.x |
| SDK | prowler/CHANGELOG.md | None | 5.x.x |
```markdown
## [X.Y.Z] (Prowler vA.B.C) OR (Prowler UNRELEASED)
### Added
### Changed
### Deprecated
### Removed
### Fixed
### Security
```
| Section | Emoji | Usage |
|---|---|---|
| Added | ### 🚀 Added | New features, checks, endpoints |
| Changed | ### 🔄 Changed | Modifications to existing functionality |
| Deprecated | ### ⚠️ Deprecated | Features marked for removal |
| Removed | ### ❌ Removed | Deleted features |
| Fixed | ### 🐞 Fixed | Bug fixes |
| Security | ### 🔐 Security | Security patches, CVE fixes |
```markdown
### Added
- Existing entry one [(#XXXX)](https://github.com/prowler-cloud/prowler/pull/XXXX)
- Existing entry two [(#YYYY)](https://github.com/prowler-cloud/prowler/pull/YYYY)
- NEW ENTRY GOES HERE at the BOTTOM [(#ZZZZ)](https://github.com/prowler-cloud/prowler/pull/ZZZZ)
### Changed
- Existing change [(#AAAA)](https://github.com/prowler-cloud/prowler/pull/AAAA)
- NEW CHANGE ENTRY at BOTTOM [(#BBBB)](https://github.com/prowler-cloud/prowler/pull/BBBB)
```
Rules:
- Every entry links to its PR: https://github.com/prowler-cloud/prowler/pull/N. Linking to /issues/N is FORBIDDEN, even when the PR fixes an issue. The issue↔PR relationship belongs in the PR body (Fixes #N), not in the changelog. If a fix has no PR yet, do not add the entry until the PR exists.

Prowler follows semver.org:
| Change Type | Version Bump | Example |
|---|---|---|
| Bug fixes, patches | PATCH (x.y.Z) | 1.16.1 → 1.16.2 |
| New features (backwards compatible) | MINOR (x.Y.0) | 1.16.2 → 1.17.0 |
| Breaking changes, removals | MAJOR (X.0.0) | 1.17.0 → 2.0.0 |
CRITICAL: ### ❌ Removed entries MUST only appear in MAJOR version releases. Removing features is a breaking change.
NEVER modify already released versions. Once a version is released (has a Prowler version tag like v5.16.0), its changelog section is frozen.
Common issue: A PR is created during release cycle X, includes a changelog entry, but merges after release. The entry is now in the wrong section.
```markdown
## [1.16.0] (Prowler v5.16.0) ← RELEASED, DO NOT MODIFY
### Added
- Feature from merged PR [(#9999)] ← WRONG! PR merged after release
## [1.17.0] (Prowler UNRELEASED) ← Move entry HERE
```
Fix: Move the entry from the released version to the UNRELEASED section.
```markdown
## [1.17.0] (Prowler UNRELEASED) # For unreleased changes
## [1.16.0] (Prowler v5.16.0) # For released versions
--- # Horizontal rule between versions
```
Before editing any CHANGELOG.md, always inspect the active release boundary:
```bash
awk '/^## \[/{n++} n<=4 {print}' ui/CHANGELOG.md
```

- Add or change entries only in the version block marked (Prowler UNRELEASED).
- Treat every block marked (Prowler vX.Y.Z) as immutable. Do not add, move, reword, reorder, or deduplicate entries there.

Do not trust the current topmost matching section name. A released block can contain the same section heading (### 🚀 Added, ### 🔄 Changed, etc.). Always anchor edits to the Prowler UNRELEASED version block first.
Before creating or editing any changelog file (CHANGELOG.md), the agent MUST stop and get explicit user confirmation. This applies even when the changelog gate is failing, the required edit seems obvious, or the user asked to "fix the changelog".
Present the proposed changelog action before writing:
Only proceed after an explicit approval such as "confirm", "approved", "sí", or equivalent. If the user rejects or does not answer, do not edit or create the changelog. Offer alternatives such as adding no-changelog when appropriate.
```bash
# Check which files changed
git diff main...HEAD --name-only
```
| Path Pattern | Component |
|---|---|
| `ui/**` | UI |
| `api/**` | API |
| `mcp_server/**` | MCP Server |
| `prowler/**` | SDK |
| Multiple | Update ALL affected changelogs |
| Change | Section |
|---|---|
| New feature, check, endpoint | 🚀 Added |
| Behavior change, refactor | 🔄 Changed |
| Bug fix | 🐞 Fixed |
| CVE patch, security improvement | 🔐 Security |
| Feature removal | ❌ Removed |
| Deprecation notice | ⚠️ Deprecated |
CRITICAL: Add new entries at the BOTTOM of each section, NOT at the top.
CRITICAL: The link MUST point to the PR (/pull/N). Linking to /issues/N is FORBIDDEN. If the PR closes an issue, that mapping goes in the PR body via Fixes #N — never in the changelog entry.
```markdown
## [1.17.0] (Prowler UNRELEASED)
### 🐞 Fixed
- Existing fix one [(#9997)](https://github.com/prowler-cloud/prowler/pull/9997)
- Existing fix two [(#9998)](https://github.com/prowler-cloud/prowler/pull/9998)
- Button alignment in dashboard header [(#9999)](https://github.com/prowler-cloud/prowler/pull/9999) ← NEW ENTRY AT BOTTOM
### 🔐 Security
```
This maintains chronological order within each section (oldest at top, newest at bottom).
```markdown
### 🚀 Added
- Search bar when adding a provider [(#9634)](https://github.com/prowler-cloud/prowler/pull/9634)
### 🐞 Fixed
- OCI update credentials form failing silently due to missing provider UID [(#9746)](https://github.com/prowler-cloud/prowler/pull/9746)
### 🔐 Security
- Node.js from 20.x to 24.13.0 LTS, patching 8 CVEs [(#9797)](https://github.com/prowler-cloud/prowler/pull/9797)
```
```markdown
# GOOD - Technical but readable
### 🐞 Fixed
- `POST /api/v1/scans` no longer intermittently fails with `Scan matching query does not exist`; scan dispatch now publishes the `scan-perform` Celery task after the transaction commits [(#11122)](https://github.com/prowler-cloud/prowler/pull/11122)
- `entra_users_mfa_capable` no longer flags disabled guest users; Microsoft Graph is now the source of truth for `account_enabled` because EXO `Get-User` omits guest users [(#11002)](https://github.com/prowler-cloud/prowler/pull/11002)
```
```markdown
# BAD - Wrong section order (Fixed before Added)
### 🐞 Fixed
- Some bug fix [(#123)](...)
### 🚀 Added
- Some new feature [(#456)](...)

- Fixed bug. # Too vague, has period
- Added new feature for users # Missing PR link, redundant verb
- Add search bar [(#123)] # Redundant verb (section already says "Added")
- This PR adds a cool new thing (#123) # Wrong link format, conversational
- Some bug fix [(#123)](https://github.com/prowler-cloud/prowler/issues/123) # FORBIDDEN: must link to /pull/N, never /issues/N
- POST /api/v1/scanswas intermittently failing withScan matching query does not existin thescan-performworker (#11122) # Missing spaces/backticks, unreadable
- entra_users_mfa_capable no longer flags disabled guest users by requesting accountEnabled and userType from Microsoft Graph via $select and using Graph as the source of truth for account_enabled (EXO Get-User does not return guest users) (#11002) # Run-on sentence, identifiers not formatted
```
The pr-check-changelog.yml workflow enforces changelog entries:
- PRs that touch ui/, api/, mcp_server/, or prowler/ MUST update the corresponding changelog
- Add the no-changelog label to bypass (use sparingly for docs-only, CI-only changes)

```bash
# Check which changelogs need updates based on changed files
git diff main...HEAD --name-only | grep -E '^(ui|api|mcp_server|prowler)/' | cut -d/ -f1 | sort -u
# View current UNRELEASED section
head -50 ui/CHANGELOG.md
head -50 api/CHANGELOG.md
head -50 mcp_server/CHANGELOG.md
head -50 prowler/CHANGELOG.md
```
API, MCP Server, and SDK changelogs currently lack emojis. When editing these files, add emoji prefixes to section headers as you update them:
```markdown
# Before (legacy)
### Added
# After (standardized)
### 🚀 Added
```
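The entry rules on this page can be checked mechanically before an edit is proposed. The following is an added example, not part of the Prowler skill or of the pr-check-changelog.yml workflow; `lint_unreleased`, its messages and the sample changelog are constructed for illustration. It lints only the `(Prowler UNRELEASED)` block, so a released block that repeats a section heading is never inspected, and it accepts both legacy and emoji section headers.

```python
import re

# Section order as listed in the page's format template.
SECTION_ORDER = ["Added", "Changed", "Deprecated", "Removed", "Fixed", "Security"]
VERSION_RE = re.compile(r"^## \[(\d+)\.(\d+)\.(\d+)\] \(Prowler (UNRELEASED|v[\d.]+)\)")
SECTION_RE = re.compile(r"^### (?:\S+ )?(" + "|".join(SECTION_ORDER) + r")\s*$")
PR_LINK_RE = re.compile(r"\[\(#(\d+)\)\]\(https://github\.com/prowler-cloud/prowler/pull/\1\)$")


def lint_unreleased(changelog: str) -> list[str]:
    """Return rule violations found in the (Prowler UNRELEASED) block only."""
    problems, in_block, version, last_idx = [], False, None, -1
    for line in changelog.splitlines():
        if m := VERSION_RE.match(line):
            if in_block:
                break  # the next version header ends the only editable block
            in_block, version = m.group(4) == "UNRELEASED", m.group(1, 2, 3)
            continue
        if not in_block:
            continue  # released blocks are frozen, so they are not linted
        if m := SECTION_RE.match(line):
            idx = SECTION_ORDER.index(m.group(1))
            if idx < last_idx:
                problems.append(f"section out of order: {m.group(1)}")
            last_idx = max(last_idx, idx)
            if m.group(1) == "Removed" and version[1:] != ("0", "0"):
                problems.append("Removed section in a non-MAJOR version")
        elif line.startswith("- "):
            entry = line[2:].strip()
            if "/issues/" in entry:
                problems.append(f"issue link instead of PR link: {entry}")
            elif not PR_LINK_RE.search(entry):
                problems.append(f"missing or malformed PR link: {entry}")
            elif entry[: entry.rfind(" [(#")].endswith("."):
                problems.append(f"description ends with a period: {entry}")
    return problems

# Constructed sample: the released block holds an /issues/ link that must be ignored.
SAMPLE = """\
## [1.17.0] (Prowler UNRELEASED)
### 🐞 Fixed
- Some bug fix [(#123)](https://github.com/prowler-cloud/prowler/issues/123)
- Fixed bug. [(#124)](https://github.com/prowler-cloud/prowler/pull/124)
### 🚀 Added
- Search bar when adding a provider [(#125)](https://github.com/prowler-cloud/prowler/pull/125)
## [1.16.0] (Prowler v5.16.0)
### Added
- Old entry [(#99)](https://github.com/prowler-cloud/prowler/issues/99)
"""
```

Calling `lint_unreleased(SAMPLE)` reports the issue link, the trailing period and the misplaced Added section, and nothing from the 1.16.0 block.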