
fix(api): Attack Paths AWS region fallback and stale SCHEDULED cleanup#10917

Open
josema-xyz wants to merge 3 commits into master from PROWLER-1449-api-workers-performance-cache-bulk-compliance-dict-to-remove-duplicate-parses-per-scan-report

Conversation

@josema-xyz
Contributor

Context

AWS Attack Paths scans were crashing with TypeError: 'NoneType' object is not iterable whenever the SDK couldn't enumerate enabled regions (missing ec2:DescribeRegions, transient AWS error). Separately, Attack Paths rows could sit in SCHEDULED forever when the parent Prowler scan crashed before dispatch or the broker lost the message.

Description

  • AWS region resolution falls back to identity.audited_regions, then to all regions in the partition; _excluded_regions is still subtracted.
  • Periodic cleanup now also handles stuck SCHEDULED rows: revokes the queued Celery task and marks the row FAILED. Only triggers when the parent Prowler scan is terminal or missing.
  • Celery task_id is persisted at dispatch time so cleanup can target queued messages.
  • Worker skips execution if the row is already in a terminal state, avoiding races between cleanup and in-flight messages.

Steps to review

Run tests and a local Attack Paths scan.

Checklist

API

  • All issue/task requirements work as expected on the API
  • Endpoint response output (if applicable)
  • EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable)
  • Performance test results (if applicable)
  • Any other relevant evidence of the implementation (if applicable)
  • Verify if API specs need to be regenerated.
  • Check if version updates are required (e.g., specs, Poetry, etc.).
  • Ensure new entries are added to CHANGELOG.md, if applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
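The region-resolution order the description gives (SDK-enumerated enabled regions, then identity.audited_regions, then every region in the partition, with the excluded set always subtracted) as an added, stand-alone example. This is not Prowler's code and does not reproduce its resolve_aws_regions() helper: the names resolve_regions, Identity, RegionEnumerationError and failing_enumeration, and the tiny PARTITION_REGIONS table, are assumptions constructed for the example; the real helper would take the partition list from botocore's endpoint data.

```python
"""Added example (not Prowler's code): AWS region resolution with fallbacks.

Shows why the old crash ("'NoneType' object is not iterable") cannot recur:
a failed or empty enumeration falls through to the next source instead of
being iterated directly, and the exclusion list is applied last.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Iterable, Optional

# Constructed, deliberately small partition table (assumption: real code
# would ask botocore for the full region list of each partition).
PARTITION_REGIONS = {
    "aws": ["us-east-1", "us-east-2", "us-west-2", "eu-west-1"],
    "aws-cn": ["cn-north-1", "cn-northwest-1"],
}


@dataclass
class Identity:
    """Minimal stand-in for the audited identity (assumed shape)."""

    partition: str = "aws"
    audited_regions: list[str] = field(default_factory=list)


class RegionEnumerationError(Exception):
    """Stand-in for a missing ec2:DescribeRegions permission or a transient AWS error."""


def failing_enumeration() -> Optional[list[str]]:
    """Constructed enumerator that behaves like an SDK call without permissions."""
    raise RegionEnumerationError("ec2:DescribeRegions denied")


def resolve_regions(
    identity: Identity,
    enumerate_enabled: Callable[[], Optional[list[str]]],
    excluded: Iterable[str] = (),
) -> tuple[str, list[str]]:
    """Return (source, sorted regions to scan).

    enumerate_enabled returns the account's enabled regions, or None, or raises
    RegionEnumerationError. Any of the latter two triggers the fallbacks.
    """
    try:
        enabled = enumerate_enabled()
    except RegionEnumerationError:
        enabled = None

    if enabled:
        source, regions = "enabled", list(enabled)
    elif identity.audited_regions:
        source, regions = "audited", list(identity.audited_regions)
    else:
        source, regions = "partition", list(PARTITION_REGIONS[identity.partition])

    # The exclusion list is subtracted regardless of which fallback fired,
    # so an operator's opt-out still holds when enumeration is unavailable.
    return source, sorted(set(regions) - set(excluded))


if __name__ == "__main__":
    print(resolve_regions(Identity(), lambda: ["us-east-1", "us-west-2"], {"us-west-2"}))
    print(resolve_regions(Identity(audited_regions=["eu-west-1"]), lambda: None))
    print(resolve_regions(Identity(), failing_enumeration, {"us-east-1"}))
```

The third call is the case the PR fixes: enumeration raises, no audited regions are configured, so the whole partition minus the excluded region is scanned instead of the worker dying on a None.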

Copilot AI review requested due to automatic review settings April 28, 2026 11:19
@josema-xyz josema-xyz requested a review from a team as a code owner April 28, 2026 11:19
@github-actions
Contributor

github-actions Bot commented Apr 28, 2026

✅ All necessary CHANGELOG.md files have been updated.

@github-actions
Contributor

github-actions Bot commented Apr 28, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

Contributor

Copilot AI left a comment


Pull request overview

This PR hardens Attack Paths execution by adding AWS region-resolution fallbacks and expanding periodic cleanup to handle scans stuck before execution, improving reliability when AWS region enumeration fails or Celery messages are lost.

Changes:

  • Add resolve_aws_regions() fallback logic when the SDK can’t enumerate enabled regions.
  • Persist the Celery task id on AttackPathsScan at dispatch time and add stale cleanup for SCHEDULED scans (with worker-side idempotency guard).
  • Update Attack Paths scan start flow to no longer set task id during the EXECUTING transition.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 6 comments.

  • api/src/backend/tasks/tests/test_attack_paths_scan.py: Updates unit test expectation for changed starting_attack_paths_scan() call signature.
  • api/src/backend/tasks/tasks.py: Persists the Celery task id on the Attack Paths scan row at dispatch time.
  • api/src/backend/tasks/jobs/attack_paths/scan.py: Adds terminal-state idempotency guard and adjusts scan-start call signature.
  • api/src/backend/tasks/jobs/attack_paths/db_utils.py: Introduces set_attack_paths_scan_task_id() and removes task id persistence from starting_attack_paths_scan().
  • api/src/backend/tasks/jobs/attack_paths/cleanup.py: Adds cleanup path for stale SCHEDULED scans and refactors stale cleanup helpers.
  • api/src/backend/tasks/jobs/attack_paths/aws.py: Uses new AWS region resolution helper to avoid crashes when enabled regions are unavailable.
  • api/CHANGELOG.md: Adds an UNRELEASED entry documenting the fixes.
Comments suppressed due to low confidence (1)

api/src/backend/tasks/jobs/attack_paths/scan.py:136

  • In the fallback branch where the worker creates the AttackPathsScan row, the scan never gets associated to the current Celery task (task_id/task FK). Since starting_attack_paths_scan() no longer sets the task id, this row will remain without a task reference (hurting traceability and preventing queued-task revocation for this path). Consider persisting the current task_id to the row when it’s created here (or reintroduce setting it in starting_attack_paths_scan for the no-row-found case).
        if not attack_paths_scan:
            # Safety net: the dispatcher normally pre-creates this row but fall back here for in-flight messages or direct task invocations
            logger.warning(
                f"No Attack Paths Scan found for scan {scan_id} and tenant {tenant_id}, let's create it then"
            )
            attack_paths_scan = db_utils.create_attack_paths_scan(
                tenant_id, scan_id, prowler_api_provider.id
            )

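The stuck-SCHEDULED cleanup and the worker-side guard that the description and the review above discuss, as an added example that is not Prowler's code. The row store, the broker whose revoke() is called, the parent-scan states and the state names in TERMINAL are all constructed stand-ins; dispatch_attack_paths, worker_run and cleanup_stale_scheduled are assumed names and do not reproduce set_attack_paths_scan_task_id() or starting_attack_paths_scan() from the project.

```python
"""Added example (not Prowler's code): stale SCHEDULED cleanup with task revocation.

Three pieces from the PR description, in miniature:
  1. the Celery task id is stored on the row at dispatch time;
  2. cleanup fails SCHEDULED rows only when the parent scan is terminal or
     missing, revoking the queued task so it never executes;
  3. the worker refuses to run a row that already reached a terminal state,
     which closes the race with a message that was already in flight.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional

# Assumed terminal-state names; the project's own enum is not reproduced.
TERMINAL = {"COMPLETED", "FAILED", "CANCELLED"}


@dataclass
class AttackPathsScanRow:
    scan_id: str
    state: str = "SCHEDULED"
    task_id: Optional[str] = None


class FakeBroker:
    """In-memory stand-in for the Celery app: records dispatches and revocations."""

    def __init__(self) -> None:
        self.dispatched: list[str] = []
        self.revoked: list[str] = []

    def dispatch(self, scan_id: str) -> str:
        task_id = f"task-{scan_id}"  # constructed id
        self.dispatched.append(task_id)
        return task_id

    def revoke(self, task_id: str) -> None:
        self.revoked.append(task_id)


def dispatch_attack_paths(row: AttackPathsScanRow, broker: FakeBroker) -> str:
    """Persist the task id at dispatch so cleanup can later target the queued message."""
    row.task_id = broker.dispatch(row.scan_id)
    return row.task_id


def worker_run(row: AttackPathsScanRow, execute: Callable[[], None]) -> str:
    """Worker entry point: idempotency guard first, then the real work."""
    if row.state in TERMINAL:
        return "skipped"  # cleanup already failed/finished this row
    row.state = "EXECUTING"
    execute()
    row.state = "COMPLETED"
    return "ran"


def cleanup_stale_scheduled(
    rows: list[AttackPathsScanRow],
    parent_states: dict[str, str],
    broker: FakeBroker,
) -> list[str]:
    """Fail SCHEDULED rows whose parent Prowler scan is terminal or missing.

    parent_states maps scan_id -> parent scan state; a missing key means the
    parent row no longer exists. Rows whose parent is still running are left
    untouched, as are rows that already moved past SCHEDULED.
    """
    failed: list[str] = []
    for row in rows:
        if row.state != "SCHEDULED":
            continue
        parent = parent_states.get(row.scan_id)
        if parent is not None and parent not in TERMINAL:
            continue  # parent still alive: the queued task may legitimately run later
        if row.task_id:
            broker.revoke(row.task_id)  # drop the queued message if we know it
        row.state = "FAILED"
        failed.append(row.scan_id)
    return failed


if __name__ == "__main__":
    broker = FakeBroker()
    stuck = AttackPathsScanRow("s1")
    dispatch_attack_paths(stuck, broker)
    print(cleanup_stale_scheduled([stuck], {"s1": "FAILED"}, broker), broker.revoked)
    print(worker_run(stuck, lambda: None))  # the in-flight message is ignored
```

The row the review comment flags (created by the worker itself, with no task id) is the case where cleanup cannot revoke anything: in this model it is still marked FAILED, but only the idempotency guard protects against the message executing later.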

@github-actions
Contributor

github-actions Bot commented Apr 28, 2026

🔒 Container Security Scan

Image: prowler-api:8803b9c
Last scan: 2026-04-28 12:35:19 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 5
Total 5

4 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable


@codecov

codecov Bot commented Apr 28, 2026

Codecov Report

❌ Patch coverage is 76.21622% with 44 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.63%. Comparing base (e252058) to head (b0c2c99).
⚠️ Report is 6 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #10917      +/-   ##
==========================================
+ Coverage   88.14%   93.63%   +5.48%     
==========================================
  Files         131      230      +99     
  Lines        5542    33714   +28172     
==========================================
+ Hits         4885    31567   +26682     
- Misses        657     2147    +1490     
Flag                  Coverage Δ
api                   93.63% <76.21%> (?)
prowler-py3.10-m365   ?
prowler-py3.11-m365   ?
prowler-py3.12-m365   ?

Flags with carried forward coverage won't be shown. Click here to find out more.

Components   Coverage Δ
prowler      ∅ <ø> (∅)
api          93.63% <75.80%> (∅)

@josema-xyz josema-xyz changed the title fix(api): Attack Paths AWS region fallback and stale SCHEDULED cleanup fix(api): Attack Paths AWS region fallback and stale SCHEDULED cleanup Apr 28, 2026