fix(api): align latest_resources scan selection with completed_at #10802

Merged: AdriiiPRodri merged 2 commits into master from fix-resources-overlap on Apr 20, 2026

@AdriiiPRodri
Contributor

Context

/finding-groups/latest/<check_id>/resources and /finding-groups/latest were disagreeing about which scan represents the "latest state" for a provider, which showed up as diverging delta/new_count values between the two endpoints on the same finding group.

Reproduced against a tenant with two overlapping completed scans for the same AWS provider:

| scan  | inserted_at      | completed_at     |
|-------|------------------|------------------|
| long  | 2026-04-15 14:42 | 2026-04-16 06:15 |
| short | 2026-04-15 18:47 | 2026-04-15 19:26 |

  • /latest/<check_id>/resources returned 4 resources with delta=new (findings from the short scan).
  • /latest for the same check_id returned new_count=1 / new_fail_count=1 (summed from the long scan's daily summary).
  • Re-running reaggregate_finding_groups_for_provider did not fix it, because that command also orders by -completed_at and therefore refreshes the long scan's summary every time.

Root cause: latest_resources picked the latest completed scan per provider by -inserted_at, while the /latest summary path reads the FindingGroupDailySummary row with the greatest inserted_at (which the upsert keys on midnight(scan.completed_at)), and the reaggregation management command orders by -completed_at, -inserted_at. Whenever two scans overlap, the two criteria resolve to different scans and the two endpoints report counts derived from different underlying data.

Description

Change FindingGroupViewSet.latest_resources (api/src/backend/api/v1/views.py) to order candidate completed scans by -completed_at, -inserted_at before distinct("provider_id"), matching the criterion already used by the /latest summary path and by reaggregate_finding_groups_for_provider. After the fix all three paths always converge on the same scan for a given provider.

Added a regression test TestFindingGroupViewSet::test_latest_resources_picks_scan_by_completed_at_when_overlap that builds the overlapping-scan shape above in the fixture, creates one finding in each scan for the same check_id, and asserts the endpoint returns the finding from the scan with the greatest completed_at (not the greatest inserted_at).

No schema, serializer, or response-shape change. Other endpoints that also pick "latest scan per provider" by -inserted_at (e.g. resources listings at views.py:2970, 3107, 3688, 3716, 5028, 5085, 5138) are left untouched in this PR and can be aligned separately.

Steps to review

  1. Check out the branch and run the regression test:
    cd api
    poetry run pytest src/backend/api/tests/test_views.py::TestFindingGroupViewSet::test_latest_resources_picks_scan_by_completed_at_when_overlap -x --tb=short
  2. To validate end-to-end against a tenant that has overlapping scans, run the reaggregation first and then hit both endpoints for the same check_id; /latest totals should match the sum of delta=new rows in /latest/<check_id>/resources:
    poetry run python src/backend/manage.py reaggregate_finding_groups_for_provider --tenant <TENANT_UUID>
    curl ".../api/v1/finding-groups/latest?filter[check_id]=<check_id>"
    curl ".../api/v1/finding-groups/latest/<check_id>/resources?filter[status]=FAIL"
  3. Inspect the one-line change in views.py and confirm the ordering is now ("provider_id", "-completed_at", "-inserted_at").

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

API (if applicable)

  • All issue/task requirements work as expected on the API
  • Endpoint response output (if applicable) — see Context table
  • EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable) — not applicable, ordering change on an already-indexed column
  • Performance test results (if applicable) — not applicable
  • Any other relevant evidence of the implementation (if applicable)
  • Verify if API specs need to be regenerated. — not needed, no schema change
  • Check if version updates are required.
  • Ensure new entries are added to api/CHANGELOG.md

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
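
The scan-selection divergence described under Context, as an added example that is not part of the PR or of Prowler's code: it emulates the per-provider "latest scan" pick under the old ordering (-inserted_at) and the new one (-completed_at, -inserted_at) and lists the providers where the two disagree. The `Scan` tuple, the helper names and the provider ids `aws-1` and `aws-2` are assumptions; only the two `aws-1` timestamps come from the table above.

```python
from datetime import datetime
from typing import NamedTuple


class Scan(NamedTuple):
    name: str
    provider_id: str
    inserted_at: datetime
    completed_at: datetime


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


# Provider "aws-1" carries the two overlapping scans from the Context table.
# Provider "aws-2" is a constructed control whose scans do not overlap.
SCANS = [
    Scan("long", "aws-1", ts("2026-04-15 14:42"), ts("2026-04-16 06:15")),
    Scan("short", "aws-1", ts("2026-04-15 18:47"), ts("2026-04-15 19:26")),
    Scan("first", "aws-2", ts("2026-04-14 09:00"), ts("2026-04-14 09:30")),
    Scan("second", "aws-2", ts("2026-04-15 09:00"), ts("2026-04-15 09:30")),
]


def latest_per_provider(scans, *fields):
    """Emulate order_by("provider_id", "-f1", ...).distinct("provider_id")."""
    def sort_key(scan):
        return tuple(getattr(scan, field) for field in fields)

    latest = {}
    for scan in scans:
        current = latest.get(scan.provider_id)
        if current is None or sort_key(scan) > sort_key(current):
            latest[scan.provider_id] = scan
    return latest


def diverging_providers(scans):
    """Providers where the old and new orderings select different scans."""
    old = latest_per_provider(scans, "inserted_at")
    new = latest_per_provider(scans, "completed_at", "inserted_at")
    return sorted(p for p in old if old[p].name != new[p].name)


if __name__ == "__main__":
    for provider in diverging_providers(SCANS):
        print(provider, "is affected by the overlap")
```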

@AdriiiPRodri AdriiiPRodri requested a review from a team as a code owner April 20, 2026 14:50
@github-actions
Contributor

github-actions Bot commented Apr 20, 2026

✅ All necessary CHANGELOG.md files have been updated.

@github-actions
Contributor

github-actions Bot commented Apr 20, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

The /finding-groups/latest/<check_id>/resources endpoint picked the
latest scan per provider by -inserted_at, while /finding-groups/latest
and the daily-summary upsert key by midnight(completed_at). When two
scans for the same provider overlap (one started earlier but completed
later than a short scan that ran in between), the two endpoints read
from different scans and reported diverging delta / new_count values.

Reorder by -completed_at, -inserted_at so all paths resolve to the
same scan. Adds a regression test covering the overlapping-scan case.
@AdriiiPRodri AdriiiPRodri force-pushed the fix-resources-overlap branch from 74aeec8 to 9c82f78 Compare April 20, 2026 14:55
@AdriiiPRodri AdriiiPRodri added the backport-to-v5.24 Backport PR to the v5.24 branch label Apr 20, 2026
@github-actions
Contributor

github-actions Bot commented Apr 20, 2026

🔒 Container Security Scan

Image: prowler-api:cce403c
Last scan: 2026-04-20 15:04:59 UTC

📊 Vulnerability Summary

| Severity    | Count |
|-------------|-------|
| 🔴 Critical | 5     |
| Total       | 5     |

4 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable

@codecov

codecov Bot commented Apr 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.47%. Comparing base (6ffe4e9) to head (2ca42a7).
⚠️ Report is 6 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master   #10802   +/-   ##
=======================================
  Coverage   93.47%   93.47%           
=======================================
  Files         228      228           
  Lines       32027    32055   +28     
=======================================
+ Hits        29936    29964   +28     
  Misses       2091     2091           
| Flag | Coverage Δ                    |
|------|-------------------------------|
| api  | 93.47% <100.00%> (+<0.01%) ⬆️ |

Flags with carried forward coverage won't be shown.

| Components | Coverage Δ                    |
|------------|-------------------------------|
| prowler    | ∅ <ø> (∅)                     |
| api        | 93.47% <100.00%> (+<0.01%) ⬆️ |
Contributor

@josema-xyz josema-xyz left a comment

👍

@AdriiiPRodri AdriiiPRodri merged commit 4346401 into master Apr 20, 2026
41 of 42 checks passed
@AdriiiPRodri AdriiiPRodri deleted the fix-resources-overlap branch April 20, 2026 15:16
@prowler-bot prowler-bot added the was-backported The PR was successfully backported to the target branch label Apr 20, 2026
@prowler-bot
Collaborator

💚 All backports created successfully

Status Branch Result
v5.24

Questions ?

Please refer to the Backport tool documentation and see the Github Action logs for details

Labels

  • backport-to-v5.24: Backport PR to the v5.24 branch
  • component/api
  • was-backported: The PR was successfully backported to the target branch
