fix(api): reaggregate resource inventory and attack surface after muting findings

[AdriiiPRodri]

Context

Follow-up to #10827, which made Overview and Finding Groups reflect newly-muted findings by extending reaggregate_all_finding_group_summaries_task. While validating that fix we saw that several other endpoints backed by their own pre-aggregated tables were still stale after muting:

• /overviews/resource-groups (resource inventory widget)
• /overviews/categories
• /overviews/attack-surfaces
• /overviews/findings-severity/timeseries (severity timeline)

Both the reaggregation dispatch and the underlying aggregators were affected.

Description

Two-part fix:

1. Dispatch: the post-mute reaggregate-all-finding-group-summaries task now also re-runs, for each latest scan per (provider, day):

   • backfill_scan_resource_group_summaries_task -> ScanGroupSummary
   • backfill_scan_category_summaries_task -> ScanCategorySummary
   • aggregate_attack_surface_task -> AttackSurfaceOverview

   Services watchlist and severity timeseries were already covered, since they read from ScanSummary and DailySeveritySummary which the pipeline was recomputing.

2. Idempotency: four aggregators used plain bulk_create (or a already backfilled short-circuit plus silent ignore_conflicts=True). The first post-mute run tripped the unique_* constraints, aborting the Celery chain and leaving the dependent aggregators unexecuted (observable as a PostgreSQL duplicate key value violates unique constraint "unique_scan_summary" during the first reaggregation attempt). They now delete the scan's existing rows before bulk_create so the write is atomic and re-runnable, and dropped combinations no longer linger in the summary table:

   • aggregate_findings (scan.py)
   • aggregate_attack_surface (scan.py)
   • backfill_scan_resource_group_summaries (backfill.py)
   • backfill_scan_category_summaries (backfill.py)

Other pre-aggregated tables (ResourceScanSummary, ComplianceOverviewSummary, ProviderComplianceScore) do not depend on Finding.muted and are intentionally left out of the reaggregation fan-out.

Steps to review

1. Run a scan that produces FAIL findings with resource groups (e.g. an AWS provider that yields S3/IAM FAILs so several resource_groups values are populated).
2. Hit /overviews/resource-groups, /overviews/categories, /overviews/attack-surfaces and /overviews/findings-severity/timeseries. Note the totals.
3. POST /mute-rules on a subset of those finding IDs.
4. Wait for the Celery overview queue to drain (docker compose logs worker | grep -E "reaggregate|scan-(summary|daily-severity|finding-group-summaries|resource-group-summaries|category-summaries|attack-surface)").
5. Hit the same overview endpoints again. Muted counts should go up, non-muted counts should go down by the same amount on every one of them.
6. Confirm no duplicate key value violates unique constraint errors appear in the worker log during step 4.

Automated:

cd api && poetry run pytest \
  src/backend/tasks/tests/test_backfill.py::TestBackfillScanCategorySummaries \
  src/backend/tasks/tests/test_backfill.py::TestBackfillScanGroupSummaries \
  src/backend/tasks/tests/test_tasks.py::TestReaggregateAllFindingGroupSummaries \
  src/backend/tasks/tests/test_scan.py::TestAggregateFindings \
  src/backend/tasks/tests/test_scan.py::TestAggregateAttackSurface \
  -x

Checklist

Community Checklist

• This feature/issue is listed in here or roadmap.prowler.com
• Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

• Are there new checks included in this PR? No
• Review if the code is being covered by tests.
• Review if code is being documented following https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
• Review if backport is needed.
• Review if is needed to change the Readme.md
• Ensure new entries are added to CHANGELOG.md, if applicable.

API

• All issue/task requirements work as expected on the API
• Endpoint response output (if applicable)
• EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable)
• Performance test results (if applicable)
• Any other relevant evidence of the implementation (if applicable)
• Verify if API specs need to be regenerated.
• Check if version updates are required.
• Ensure new entries are added to api/CHANGELOG.md

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[github-actions]

✅ All necessary CHANGELOG.md files have been updated.

[github-actions]

✅ Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

[github-actions]

🔒 Container Security Scan

Image: prowler-api:7883817
Last scan: 2026-04-27 09:02:41 UTC

📊 Vulnerability Summary

Severity	Count
🔴 Critical	5
Total	5

4 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

• Review the detailed scan results
• Update affected packages to patched versions
• Consider using a different base image if updates are unavailable

---

📋 Resources:

• Download full report (see artifacts)
• View in Security tab
• Scanned with Trivy

[codecov]

Codecov Report

❌ Patch coverage is 98.23009% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.65%. Comparing base (2304bf0) to head (1884984).
⚠️ Report is 21 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #10843      +/-   ##
==========================================
+ Coverage   93.64%   93.65%   +0.01%     
==========================================
  Files         230      230              
  Lines       32987    33058      +71     
==========================================
+ Hits        30890    30961      +71     
  Misses       2097     2097              

Flag	Coverage Δ
api	93.65% <98.23%> (+0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
prowler	∅ <ø> (∅)
api	93.65% <98.23%> (+0.01%)	⬆️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.