prowler-test-api

Critical Rules

• ALWAYS use response.json()["data"] not response.data
• ALWAYS use content_type = "application/vnd.api+json" for PATCH/PUT requests
• ALWAYS use format="vnd.api+json" for POST requests
• ALWAYS test cross-tenant isolation - RLS returns 404, NOT 403
• NEVER skip RLS isolation tests when adding new endpoints
• NEVER use realistic-looking API keys in tests (TruffleHog will flag them)
• ALWAYS mock BOTH .delay() AND Task.objects.get for async task tests

1. Fixture Dependency Chain

create_test_user (session) ─► tenants_fixture (function) ─► authenticated_client
                                     │
                                     └─► providers_fixture ─► scans_fixture ─► findings_fixture