[Prowler App] Report Download Failed

[victor-babin-fti]

Steps to Reproduce

Hi,

Whenever I click "download" to generate and download a report in Prowler App, I get the below error:

A few other issues have been raised, recommending to change the .env and .yml file path; however, even after changing the paths to my current user and then re-deploying the containers, I get the same error, even though the folder gets created. Note that the folder gets created as root and after changing the permissions such that it is writeable, readable and executable to all users, I still get the same issue - so the issue does not seem to be at all access related.

.

.

Regarding the above screenshots, note that I have tried both:

• "/home/admin/prowler_api_output:/home/admin/prowler_api_output"; and
• "/home/admin/prowler_api_output:/tmp/prowler_api_output"

Below is the output of the following steps regarding debugging:

.

I get: "Failure writing output to destination"

If anyone could help fixing this issue, it would be awesome. Is there a way to locate/extract the output manually otherwise in the meantime?

Expected behavior

To download the zip output

Actual Result with Screenshots or Logs

.

How did you install Prowler?

Docker (docker pull toniblyx/prowler)

Environment Resource

EC2 instance (t2.2xlarge) - 8vCPU and 32GB
Debian GNU/Linux 12

OS used

Debian GNU/Linux 12

Prowler version

Latest

Pip version

N/A

Context

No response

[HugoPBrito]

Hi @victor-babin-fti,

The fix in the issue you mentioned should work. If it’s not working for you, it could be due to either an issue with docker pull or the token not being set correctly.

The token is inside the attributes":{"access" part of the response of the first command. Please try again carefully (I tested it and worked for me and other users as you could see).

If you set the token correctly and it still doesn't work, try deploying with docker compose and give it another go, as docker pull is not completely supported.

[victor-babin-fti]

Hi @HugoPBrito,

Thanks a lot for your response. Below is the output I now managed to get:

{
	"links": {
		"first": "http://localhost:8080/api/v1/tasks?filter%5Bname%5D=scan-report&page%5Bnumber%5D=1",
		"last": "http://localhost:8080/api/v1/tasks?filter%5Bname%5D=scan-report&page%5Bnumber%5D=1",
		"next": null,
		"prev": null
	},
	"data": [
		{
			"type": "tasks",
			"id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",
			"attributes": {
				"inserted_at": "2025-04-23T01:11:41Z",
				"completed_at": "2025-04-23T01:11:43Z",
				"name": "scan-report",
				"state": "failed",
				"result": {
					"exc_type": "AWSSessionTokenExpiredError",
					"exc_message": [
						"[1016] The provided AWS Session Token is expired - An error occurred (ExpiredToken) when calling the GetCallerIdentity operation: The security token included in the request is expired"
					],
					"exc_module": "prowler.providers.aws.exceptions.exceptions"
				},
				"task_args": {
					"scan_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",
					"provider_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
				},
				"metadata": {}
			}
		},
...
		{
			"type": "tasks",
			"id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",
			"attributes": {
				"inserted_at": "2025-04-23T01:11:21Z",
				"completed_at": "2025-04-23T01:11:22Z",
				"name": "scan-report",
				"state": "failed",
				"result": {
					"exc_type": "PermissionError",
					"exc_message": [
						13,
						"Permission denied"
					],
					"exc_module": "builtins"
				},
				"task_args": {
					"scan_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",
					"provider_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx"
				},
				"metadata": {}
			}
		}
	],
	"meta": {
		"pagination": {
			"page": 1,
			"pages": 1,
			"count": 8
		},
		"version": "v1"
	}
}

Note that after doing a Test Connection on all cloud providers/accounts, all connections are up with up to date credentials.

[HugoPBrito]

Hi @victor-babin-fti,

It looks like your session token might have expired, which could explain part of the issue. Also, there might be a permissions problem. Just to clarify a couple of things:

• When running in ECS, you should be able to write to /tmp, so if you're targeting another directory (like /home/admin), make sure it’s writable.
• Ensure that the directory you’re trying to write to has 777 permissions.
• If you're running Prowler as a non-root user and trying to write to a root-owned directory (like /home/admin), that could also be causing issues.

We recommend trying to change the output path to a writable directory or double-checking the permissions and user context under which you're executing Prowler.

Let us know if that helps or if you keep running into problems.

[HugoPBrito]

Hi @victor-babin-fti,

Did you manage to solve the error? Please let us know if there's anything else you need, we’ll be happy to help.

[TobyAnscombe]

HI All - coming from the CLI version as the app will allow me to pass responsibility over to others ;-)

Same issue as others have seen. Setup with docker-compose, minimal changes to the .env file:

PROWLER_UI_VERSION="stable"
AUTH_URL=http://10.10.10.183:3000
API_BASE_URL=http://prowler-api:8080/api/v1
NEXT_PUBLIC_API_DOCS_URL=http://prowler-api:8080/api/v1/docs

# The path to the directory where scan output should be stored
DJANGO_TMP_OUTPUT_DIRECTORY="/home/htb-admin/prowler/prowler_api_output"

both places in the docker-compose updated:

    volumes:
      - "/home/htb-admin/prowler/prowler_api_output:/tmp/prowler_api_output"

have consciously added chmod 777 to the directory ;-)

API calls:
http://10.10.10.183:8080/api/v1/tokens - gives me a token
http://10.10.10.183:8080/api/v1/scans - gives me a list of scans
http://10.10.10.183:8080/api/v1/scans/0196f7a0-8db6-7dab-81ab-aced5acec597 - gives me details for a scan
http://10.10.10.183:8080/api/v1/scans/0196f7a0-8db6-7dab-81ab-aced5acec597/report - gives me

{
	"errors": {
		"detail": "The scan has no reports."
	}
}

any thoughts?

[pedrooot]

Hey! @TobyAnscombe could you try to run a new scan, and after it finishes get the report? If you have old scans (from previous versions) we can't generate a report with them

[TobyAnscombe]

Unfortunately no dice..

Can grab some logs if that would help?

[peter-fosseus-silicon]

Hi, I had the same issue, I think the advice is a bit confusing, this is how I fixed mine.
In the .env the value for:

# The path to the directory where scan output should be stored
DJANGO_TMP_OUTPUT_DIRECTORY="/tmp/prowler_api_output"

Needs to be left as /tmp/prowler_api_output as this is a folder inside the container and does not have a permissions issue.
If you change it to a directory that doesn't exist the output will fail.

Only change docker-compose.yml

services:
  api:
    ...
    volumes:
      - "/opt/prowler/api_output:/tmp/prowler_api_output"
...
worker:
    volumes:
      - "/opt/prowler/api_output:/tmp/prowler_api_output"
...

I have the docker-compose.yml file in /opt/prowler, and created a /opt/prowler/api_output folder with permissions:

drwxrwxrwx 3 ubuntu ubuntu 4096 Jun 4 13:25 api_output

Easiest way to test the setup is to:
$ docker ps
find the CONTAINER ID of the prowler-worker-1 pod (5c7d69d7cbcb) and exec into it

$ docker exec -it 5c7d69d7cbcb bash
$ touch /tmp/prowler_api_output/test.txt (this will simulate a report write)
$ exit (out of the container)
$ ls -al /opt/prowler/api_output 

You should see:
-rw-r--r-- 1 ubuntu ubuntu 0 Jun 4 14:27 test.txt

Run a scan, after a few minutes, the report should be downloadable and you will see it in the folder.
drwxr-xr-x 2 ubuntu ubuntu 4096 Jun 4 13:26 0be92bdd-281f-4af0-a7fc-ef040b434669

If you are in AWS on an EC2, give the IAM role attached to the instance S3 access and in .env change the following:

# The AWS region where your S3 bucket is located (e.g., "us-east-1")
DJANGO_OUTPUT_S3_AWS_DEFAULT_REGION="us-east-1"

# The name of the S3 bucket where scan output should be stored
DJANGO_OUTPUT_S3_AWS_OUTPUT_BUCKET="prowler-s3-bucket":

And the report should be in the S3 bucket ready for download.

[TobyAnscombe]

Good shout @peter-fosseus-silicon - hadn't thought to exec in and try to create a file..

but sad-face still..

permissions are fine:

root@Prowler:~# ls -lah /tmp/prowler_api_output/
total 8.0K
drwxrwxrwx  2 root root 4.0K Jun  5 07:30 .
drwxrwxrwt 13 root root 4.0K Jun  5 07:41 ..
-rw-r--r--  1 1000 1000    0 Jun  5 07:30 test.txt

but still no joy ;-(

In the api container I just get the following logs:

2025-06-05 07:38:51 [django.request] WARNING: (log) [module=log path=/home/prowler/.cache/pypoetry/virtualenvs/prowler-api-NnJNioq7-py3.12/lib/python3.12/site-packages/django/utils/log.py line=248 function=log_response process=46 thread=129849673259904 transaction-id=432b0dc3ed674c4e876e659d61ee2440] Not Found: /api/v1/scans/01973f02-0fe2-757a-a203-16ea5b1ffca1/report 404
2025-06-05 07:38:51 [django.request] WARNING: (log) [module=log path=/home/prowler/.cache/pypoetry/virtualenvs/prowler-api-NnJNioq7-py3.12/lib/python3.12/site-packages/django/utils/log.py line=248 function=log_response process=46 thread=129849673259904 transaction-id=432b0dc3ed674c4e876e659d61ee2440] Not Found: /api/v1/scans/01973f02-0fe2-757a-a203-16ea5b1ffca1/report 404

Using Insomnia I can get a token, log in, see the scan and even see the details but there is no report

		{
			"type": "scans",
			"id": "01973f02-0fe2-757a-a203-16ea5b1ffca1",
			"attributes": {
				"name": null,
				"trigger": "manual",
				"state": "completed",
				"unique_resource_count": 224,
				"progress": 100,
				"duration": 230,
				"inserted_at": "2025-06-05T07:33:09.219019Z",
				"started_at": "2025-06-05T07:33:09.287233Z",
				"completed_at": "2025-06-05T07:36:59.876058Z",
				"scheduled_at": null,
				"next_scan_at": null
			}

http://{{ _['base_url:'] }}:8080/api/v1/scans/01973f02-0fe2-757a-a203-16ea5b1ffca1/report

{
	"errors": {
		"detail": "The scan has no reports, or the report generation task has not started yet."
	}
}

I'll take another look later but the day-job is calling...