prowler-cloud
diff --git a/‎api/CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions b/‎api/CHANGELOG.md‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎api/src/backend/api/filters.py‎
Lines changed: 34 additions & 0 deletions b/‎api/src/backend/api/filters.py‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎api/src/backend/api/migrations/0057_threatscoresnapshot.py‎
Lines changed: 170 additions & 0 deletions b/‎api/src/backend/api/migrations/0057_threatscoresnapshot.py‎
Lines changed: 170 additions & 0 deletions
diff --git a/‎api/src/backend/api/models.py‎
Lines changed: 134 additions & 0 deletions b/‎api/src/backend/api/models.py‎
Lines changed: 134 additions & 0 deletions
@@ -14,6 +14,7 @@ All notable changes to the **Prowler API** are documented in this file.
 - Support muting findings based on simple rules with custom reason [(#9051)](https://github.com/prowler-cloud/prowler/pull/9051)
 - Support C5 compliance framework for the GCP provider [(#9097)](https://github.com/prowler-cloud/prowler/pull/9097)
 - Support for Amazon Bedrock and OpenAI compatible providers in Lighthouse AI [(#8957)](https://github.com/prowler-cloud/prowler/pull/8957)
+- Tenant-wide ThreatScore overview aggregation and snapshot persistence with backfill support [(#9148)](https://github.com/prowler-cloud/prowler/pull/9148)
 - Support for MongoDB Atlas provider [(#9167)](https://github.com/prowler-cloud/prowler/pull/9167)
 
 ---
 
@@ -47,6 +47,7 @@
     StatusChoices,
     Task,
     TenantAPIKey,
+    ThreatScoreSnapshot,
     User,
 )
 from api.rls import Tenant
@@ -998,3 +999,36 @@ class Meta:
             "inserted_at": ["gte", "lte"],
             "updated_at": ["gte", "lte"],
         }
+
+
+class ThreatScoreSnapshotFilter(FilterSet):
+    """
+    Filter for ThreatScore snapshots.
+    Allows filtering by scan, provider, compliance_id, and date ranges.
+    """
+
+    inserted_at = DateFilter(field_name="inserted_at", lookup_expr="date")
+    scan_id = UUIDFilter(field_name="scan__id", lookup_expr="exact")
+    scan_id__in = UUIDInFilter(field_name="scan__id", lookup_expr="in")
+    provider_id = UUIDFilter(field_name="provider__id", lookup_expr="exact")
+    provider_id__in = UUIDInFilter(field_name="provider__id", lookup_expr="in")
+    provider_type = ChoiceFilter(
+        field_name="provider__provider", choices=Provider.ProviderChoices.choices
+    )
+    provider_type__in = ChoiceInFilter(
+        field_name="provider__provider",
+        choices=Provider.ProviderChoices.choices,
+        lookup_expr="in",
+    )
+    compliance_id = CharFilter(field_name="compliance_id", lookup_expr="exact")
+    compliance_id__in = CharInFilter(field_name="compliance_id", lookup_expr="in")
+
+    class Meta:
+        model = ThreatScoreSnapshot
+        fields = {
+            "scan": ["exact", "in"],
+            "provider": ["exact", "in"],
+            "compliance_id": ["exact", "in"],
+            "inserted_at": ["date", "gte", "lte"],
+            "overall_score": ["exact", "gte", "lte"],
+        }
@@ -0,0 +1,170 @@
+# Generated by Django 5.1.13 on 2025-10-31 09:04
+
+import uuid
+
+import django.db.models.deletion
+from django.db import migrations, models
+
+import api.rls
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("api", "0056_remove_provider_unique_provider_uids_and_more"),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="ThreatScoreSnapshot",
+            fields=[
+                (
+                    "id",
+                    models.UUIDField(
+                        default=uuid.uuid4,
+                        editable=False,
+                        primary_key=True,
+                        serialize=False,
+                    ),
+                ),
+                ("inserted_at", models.DateTimeField(auto_now_add=True)),
+                (
+                    "compliance_id",
+                    models.CharField(
+                        help_text="Compliance framework ID (e.g., 'prowler_threatscore_aws')",
+                        max_length=100,
+                    ),
+                ),
+                (
+                    "overall_score",
+                    models.DecimalField(
+                        decimal_places=2,
+                        help_text="Overall ThreatScore percentage (0-100)",
+                        max_digits=5,
+                    ),
+                ),
+                (
+                    "score_delta",
+                    models.DecimalField(
+                        blank=True,
+                        decimal_places=2,
+                        help_text="Score change compared to previous snapshot (positive = improvement)",
+                        max_digits=5,
+                        null=True,
+                    ),
+                ),
+                (
+                    "section_scores",
+                    models.JSONField(
+                        blank=True,
+                        default=dict,
+                        help_text="ThreatScore breakdown by section",
+                    ),
+                ),
+                (
+                    "critical_requirements",
+                    models.JSONField(
+                        blank=True,
+                        default=list,
+                        help_text="List of critical failed requirements (risk >= 4)",
+                    ),
+                ),
+                (
+                    "total_requirements",
+                    models.IntegerField(
+                        default=0, help_text="Total number of requirements evaluated"
+                    ),
+                ),
+                (
+                    "passed_requirements",
+                    models.IntegerField(
+                        default=0, help_text="Number of requirements with PASS status"
+                    ),
+                ),
+                (
+                    "failed_requirements",
+                    models.IntegerField(
+                        default=0, help_text="Number of requirements with FAIL status"
+                    ),
+                ),
+                (
+                    "manual_requirements",
+                    models.IntegerField(
+                        default=0, help_text="Number of requirements with MANUAL status"
+                    ),
+                ),
+                (
+                    "total_findings",
+                    models.IntegerField(
+                        default=0,
+                        help_text="Total number of findings across all requirements",
+                    ),
+                ),
+                (
+                    "passed_findings",
+                    models.IntegerField(
+                        default=0, help_text="Number of findings with PASS status"
+                    ),
+                ),
+                (
+                    "failed_findings",
+                    models.IntegerField(
+                        default=0, help_text="Number of findings with FAIL status"
+                    ),
+                ),
+                (
+                    "provider",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="threatscore_snapshots",
+                        related_query_name="threatscore_snapshot",
+                        to="api.provider",
+                    ),
+                ),
+                (
+                    "scan",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="threatscore_snapshots",
+                        related_query_name="threatscore_snapshot",
+                        to="api.scan",
+                    ),
+                ),
+                (
+                    "tenant",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE, to="api.tenant"
+                    ),
+                ),
+            ],
+            options={
+                "db_table": "threatscore_snapshots",
+                "abstract": False,
+            },
+        ),
+        migrations.AddIndex(
+            model_name="threatscoresnapshot",
+            index=models.Index(
+                fields=["tenant_id", "scan_id"], name="threatscore_snap_t_scan_idx"
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="threatscoresnapshot",
+            index=models.Index(
+                fields=["tenant_id", "provider_id"], name="threatscore_snap_t_prov_idx"
+            ),
+        ),
+        migrations.AddIndex(
+            model_name="threatscoresnapshot",
+            index=models.Index(
+                fields=["tenant_id", "inserted_at"], name="threatscore_snap_t_time_idx"
+            ),
+        ),
+        migrations.AddConstraint(
+            model_name="threatscoresnapshot",
+            constraint=api.rls.RowLevelSecurityConstraint(
+                "tenant_id",
+                name="rls_on_threatscoresnapshot",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+        ),
+    ]
@@ -2239,3 +2239,137 @@ class Meta(RowLevelSecurityProtectedModel.Meta):
 
     class JSONAPIMeta:
         resource_name = "lighthouse-models"
+
+
+class ThreatScoreSnapshot(RowLevelSecurityProtectedModel):
+    """
+    Stores historical ThreatScore metrics for a given scan.
+    Snapshots are created automatically after each ThreatScore report generation.
+    """
+
+    objects = models.Manager()
+    all_objects = models.Manager()
+
+    id = models.UUIDField(primary_key=True, default=uuid4, editable=False)
+    inserted_at = models.DateTimeField(auto_now_add=True, editable=False)
+
+    scan = models.ForeignKey(
+        Scan,
+        on_delete=models.CASCADE,
+        related_name="threatscore_snapshots",
+        related_query_name="threatscore_snapshot",
+    )
+
+    provider = models.ForeignKey(
+        Provider,
+        on_delete=models.CASCADE,
+        related_name="threatscore_snapshots",
+        related_query_name="threatscore_snapshot",
+    )
+
+    compliance_id = models.CharField(
+        max_length=100,
+        blank=False,
+        null=False,
+        help_text="Compliance framework ID (e.g., 'prowler_threatscore_aws')",
+    )
+
+    # Overall ThreatScore metrics
+    overall_score = models.DecimalField(
+        max_digits=5,
+        decimal_places=2,
+        help_text="Overall ThreatScore percentage (0-100)",
+    )
+
+    # Score improvement/degradation compared to previous snapshot
+    score_delta = models.DecimalField(
+        max_digits=5,
+        decimal_places=2,
+        null=True,
+        blank=True,
+        help_text="Score change compared to previous snapshot (positive = improvement)",
+    )
+
+    # Section breakdown stored as JSON
+    # Format: {"1. IAM": 85.5, "2. Attack Surface": 92.3, ...}
+    section_scores = models.JSONField(
+        default=dict,
+        blank=True,
+        help_text="ThreatScore breakdown by section",
+    )
+
+    # Critical requirements metadata stored as JSON
+    # Format: [{"requirement_id": "...", "risk_level": 5, "weight": 150, ...}, ...]
+    critical_requirements = models.JSONField(
+        default=list,
+        blank=True,
+        help_text="List of critical failed requirements (risk >= 4)",
+    )
+
+    # Summary statistics
+    total_requirements = models.IntegerField(
+        default=0,
+        help_text="Total number of requirements evaluated",
+    )
+
+    passed_requirements = models.IntegerField(
+        default=0,
+        help_text="Number of requirements with PASS status",
+    )
+
+    failed_requirements = models.IntegerField(
+        default=0,
+        help_text="Number of requirements with FAIL status",
+    )
+
+    manual_requirements = models.IntegerField(
+        default=0,
+        help_text="Number of requirements with MANUAL status",
+    )
+
+    total_findings = models.IntegerField(
+        default=0,
+        help_text="Total number of findings across all requirements",
+    )
+
+    passed_findings = models.IntegerField(
+        default=0,
+        help_text="Number of findings with PASS status",
+    )
+
+    failed_findings = models.IntegerField(
+        default=0,
+        help_text="Number of findings with FAIL status",
+    )
+
+    def __str__(self):
+        return f"ThreatScore {self.overall_score}% for scan {self.scan_id} ({self.inserted_at})"
+
+    class Meta(RowLevelSecurityProtectedModel.Meta):
+        db_table = "threatscore_snapshots"
+
+        constraints = [
+            RowLevelSecurityConstraint(
+                field="tenant_id",
+                name="rls_on_%(class)s",
+                statements=["SELECT", "INSERT", "UPDATE", "DELETE"],
+            ),
+        ]
+
+        indexes = [
+            models.Index(
+                fields=["tenant_id", "scan_id"],
+                name="threatscore_snap_t_scan_idx",
+            ),
+            models.Index(
+                fields=["tenant_id", "provider_id"],
+                name="threatscore_snap_t_prov_idx",
+            ),
+            models.Index(
+                fields=["tenant_id", "inserted_at"],
+                name="threatscore_snap_t_time_idx",
+            ),
+        ]
+
+    class JSONAPIMeta:
+        resource_name = "threatscore-snapshots"