
feat(api): replace _provider_id property with label-based isolation and regex injection for custom queries#10402

Open
josema-xyz wants to merge 3 commits into master from PROWLER-1195-custom-queries-with-provider-isolation-phase-2

Conversation

@josema-xyz
Contributor

Description

  • Replace the _provider_id property with _Provider_{uuid} label-based isolation across the Attack Paths module.
  • Predefined queries no longer need explicit property filters: the Internet node is reached via CAN_ACCESS path connectivity, and ProwlerFinding drops its redundant provider_uid filter.
  • Custom queries get automatic provider scoping through a new regex-based label injector (cypher_rewriter.py).
  • Post-query filtering, subgraph operations, and schema lookups all switch from property checks to label checks.
  • Two unused indexes are removed.

Steps to review

Run tests and a local scan on an AWS provider using the UI. Then run Attack Paths pre-defined queries and some custom ones.

Checklist

API

  • All issue/task requirements work as expected on the API
  • Endpoint response output (if applicable)
  • EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable)
  • Performance test results (if applicable)
  • Any other relevant evidence of the implementation (if applicable)
  • Verify if API specs need to be regenerated.
  • Check if version updates are required (e.g., specs, Poetry, etc.).
  • Ensure new entries are added to CHANGELOG.md, if applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
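To make the "regex-based label injector" of the description concrete, here is an added illustration of how such a rewriter can scope a user-supplied Cypher query; it is not code from the Prowler repository. It assumes the label is spelled `_Provider_` followed by the provider UUID with hyphens replaced by underscores, and the function names are made up for the example.

```python
import re
import uuid

# A Cypher node pattern: "(" optional variable, optional ":Label" chain,
# optional "{...}" property map, ")". The negative lookbehind rejects function
# calls such as count(n) or labels(n), whose "(" follows an identifier character.
NODE_PATTERN = re.compile(
    r"(?<![\w`])\(\s*"
    r"(?P<var>`[^`]+`|[A-Za-z_]\w*)?"
    r"(?P<labels>(?:\s*:\s*(?:`[^`]+`|[A-Za-z_]\w*))*)"
    r"(?P<props>\s*\{[^{}]*\})?"
    r"\s*\)"
)

# String literals are split out and left untouched, so "(x)" inside a
# quoted value is never mistaken for a node pattern.
STRING_LITERAL = re.compile(r"""('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*")""")


def provider_label(provider_id) -> str:
    """Return the isolation label for one provider.

    The id is parsed as a UUID first, so only a canonical UUID can reach the
    query text; hyphens become underscores so the label is a plain Cypher
    identifier (assumed naming scheme, see lead-in).
    """
    pid = uuid.UUID(str(provider_id))
    return "_Provider_" + str(pid).replace("-", "_")


def inject_provider_label(query: str, provider_id) -> str:
    """Prepend the provider label to every node pattern of a custom query."""
    label = provider_label(provider_id)

    def rewrite(match: re.Match) -> str:
        var = match.group("var") or ""
        labels = match.group("labels") or ""
        props = match.group("props") or ""
        if label in labels:  # already scoped, e.g. rewritten twice
            return match.group(0)
        return f"({var}:{label}{labels}{props})"

    parts = STRING_LITERAL.split(query)
    # re.split with a capturing group alternates code (even index) and
    # string literal (odd index) parts; only the code parts are rewritten.
    return "".join(
        part if i % 2 else NODE_PATTERN.sub(rewrite, part)
        for i, part in enumerate(parts)
    )
```

Because the rewriter is a regex and not a Cypher parser, it is a scoping layer on top of the per-provider labels, not a substitute for them; any pattern syntax it does not recognise simply stays unlabelled and should be caught by tests like the ones the PR adds.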

@josema-xyz josema-xyz requested a review from a team as a code owner March 19, 2026 17:45
Copilot AI review requested due to automatic review settings March 19, 2026 17:45
@github-actions
Contributor

github-actions bot commented Mar 19, 2026

✅ All necessary CHANGELOG.md files have been updated.

@github-actions
Contributor

github-actions bot commented Mar 19, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@josema-xyz josema-xyz added the no-merge Please, DO NOT MERGE this PR. label Mar 19, 2026
Contributor

Copilot AI left a comment


Pull request overview

This PR refactors Attack Paths provider isolation from the _provider_id property to dynamic provider labels (_Provider_{uuid}), and adds a Cypher rewriter to automatically scope custom user-supplied queries by injecting the provider label into node patterns.

Changes:

  • Replace _provider_id property-based isolation with _Provider_{uuid} label-based isolation across sync, schema lookups, and API graph serialization.
  • Update predefined Attack Paths queries/templates and remove now-redundant provider filters/indexes.
  • Add a regex-based Cypher rewriter with unit tests to inject provider scoping into custom Cypher queries.

Reviewed changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated 6 comments.

File / Description
api/src/backend/tasks/jobs/attack_paths/sync.py Stops writing _provider_id to synced nodes/relationships; relies on dynamic labels + _provider_element_id.
api/src/backend/tasks/jobs/attack_paths/queries.py Removes provider property usage from sync templates and findings cleanup; adjusts findings templates.
api/src/backend/tasks/jobs/attack_paths/indexes.py Removes indexes tied to removed provider properties (incl. findings provider_uid).
api/src/backend/tasks/jobs/attack_paths/config.py Removes _provider_id isolation property constant; keeps _provider_element_id and label helpers.
api/src/backend/api/tests/test_cypher_rewriter.py Adds unit tests for provider-label injection behavior in custom queries.
api/src/backend/api/tests/test_attack_paths.py Updates tests to reflect label-based filtering and custom query rewriting.
api/src/backend/api/attack_paths/views_helpers.py Uses label-based filtering for serialization; injects provider label into custom queries; schema query now label-scoped.
api/src/backend/api/attack_paths/queries/schema.py Builds Cartography schema query scoped via provider label.
api/src/backend/api/attack_paths/queries/aws.py Removes redundant provider filters from predefined AWS queries.
api/src/backend/api/attack_paths/database.py Updates provider subgraph operations to match by provider label instead of property.
api/src/backend/api/attack_paths/cypher_rewriter.py Introduces regex-based Cypher rewriting to inject provider labels into node patterns.
api/CHANGELOG.md Documents the provider-isolation refactor and custom-query rewriting change.


@github-actions
Contributor

github-actions bot commented Mar 19, 2026

🔒 Container Security Scan

Image: prowler-api:13703c4
Last scan: 2026-03-19 18:34:08 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 5
Total 5

4 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable


@codecov

codecov bot commented Mar 19, 2026

Codecov Report

❌ Patch coverage is 99.60317% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 93.42%. Comparing base (ad6368a) to head (43ea881).

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #10402      +/-   ##
==========================================
+ Coverage   93.37%   93.42%   +0.04%     
==========================================
  Files         219      221       +2     
  Lines       30426    30655     +229     
==========================================
+ Hits        28409    28638     +229     
  Misses       2017     2017              
Flag Coverage Δ
api 93.42% <99.60%> (+0.04%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
prowler ∅ <ø> (∅)
api 93.42% <99.60%> (+0.04%) ⬆️


Labels

component/api no-merge Please, DO NOT MERGE this PR.
