feat(compliance): add NCSC Cyber Essentials framework for Azure #11586

Open
AlexanderSanin wants to merge 1 commit into prowler-cloud:master from AlexanderSanin:feat/ncsc-cyber-essentials-azure-v2

@AlexanderSanin AlexanderSanin commented Jun 15, 2026

Contributor

Summary

Adds the NCSC Cyber Essentials compliance framework for the Azure provider, resolving #11579.

Cyber Essentials is the UK government-backed baseline cybersecurity certification scheme, widely required for UK public sector contracts and beneficial for any UK-based Azure user. This implementation follows the official Cyber Essentials Requirements for IT Infrastructure v3.1 and maps all five control themes to existing Prowler Azure checks.

File added: prowler/compliance/azure/cyber_essentials_azure.json

Coverage: 22 requirements × 5 themes × 74 unique Azure checks

| Theme | Requirements | Example checks |
|---|---|---|
| A.1 Firewalls | A.1.1–A.1.5 | network_rdp_internet_access_restricted, network_ssh_internet_access_restricted, network_bastion_host_exists |
| A.2 Secure Configuration | A.2.1–A.2.6 | entra_security_defaults_enabled, storage_ensure_minimum_tls_version_12, app_ftp_deployment_disabled |
| A.3 Security Update Management | A.3.1–A.3.3 | defender_ensure_system_updates_are_applied, defender_auto_provisioning_vulnerabilty_assessments_machines_on |
| A.4 User Access Control | A.4.1–A.4.5 | entra_privileged_user_has_mfa, iam_role_user_access_admin_restricted, entra_conditional_access_policy_require_mfa_for_admin_portals |
| A.5 Malware Protection | A.5.1–A.5.3 | defender_assessments_vm_endpoint_protection_installed, defender_ensure_wdatp_is_enabled, defender_ensure_defender_for_containers_is_on |

Requirements that are device/endpoint-level controls with no Azure control-plane equivalent (e.g. A.2.2 remove unnecessary software, A.3.1/A.3.2 licensed-software inventory for on-prem) are included with the closest available Defender for Cloud checks.

No new checks, service changes, or additional API permissions are required — this PR only adds the framework JSON.

Test plan

  • Validated JSON parses correctly and matches the compliance framework schema
  • Verified all 74 referenced check names exist under prowler/providers/azure/services/
  • Confirmed framework follows the same attribute structure as existing Azure frameworks (HIPAA, NIS2, RBI, etc.)
  • Run prowler azure --compliance cyber_essentials_azure against a test Azure subscription to confirm framework loads and produces results

Summary by CodeRabbit

  • New Features
    • Added NCSC Cyber Essentials v3.1 compliance framework for Azure, covering all 5 control themes with 22 requirements mapped to 74 existing security checks.
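
One way to script the test plan's "all referenced check names exist" step, as an added example that is not part of this PR or of Prowler's code. It assumes the framework JSON has a top-level `Requirements` list whose entries carry `Id` and `Checks`, and that each check lives at `<services>/<service>/<check>/<check>.metadata.json`; the helper names and the sample data are constructed.

```python
import json
import tempfile
from pathlib import Path

def available_checks(services_dir: Path) -> set:
    # Assumed layout: <services_dir>/<service>/<check>/<check>.metadata.json
    return {p.parent.name for p in services_dir.glob("*/*/*.metadata.json")}

def audit_framework(framework: dict, known: set) -> dict:
    """Report unknown check names, empty requirements and duplicate Ids."""
    missing, empty, duplicates, seen, unique = {}, [], [], set(), set()
    for req in framework["Requirements"]:
        rid, checks = req["Id"], req.get("Checks", [])
        if rid in seen:
            duplicates.append(rid)
        seen.add(rid)
        unique.update(checks)
        if not checks:
            empty.append(rid)  # requirement would never produce a finding
        unknown = sorted(set(checks) - known)
        if unknown:
            missing[rid] = unknown  # typo or renamed check: silently unmapped
    return {"requirements": len(seen), "unique_checks": len(unique),
            "missing": missing, "empty": empty, "duplicate_ids": duplicates}

def demo() -> dict:
    # Constructed sample: the requirement-to-check mapping is illustrative only.
    framework_json = json.dumps({"Requirements": [
        {"Id": "A.1.1", "Checks": ["network_rdp_internet_access_restricted",
                                   "network_ssh_internet_access_restricted"]},
        {"Id": "A.2.1", "Checks": ["entra_security_defaults_enabled"]},
        {"Id": "A.3.1", "Checks": []},
        # Constructed typo of defender_ensure_wdatp_is_enabled:
        {"Id": "A.5.2", "Checks": ["defender_ensure_wdatp_enabled"]},
    ]})
    on_disk = {"network": ["network_rdp_internet_access_restricted",
                           "network_ssh_internet_access_restricted"],
               "entra": ["entra_security_defaults_enabled"],
               "defender": ["defender_ensure_wdatp_is_enabled"]}
    with tempfile.TemporaryDirectory() as tmp:
        for service, checks in on_disk.items():
            for check in checks:
                check_dir = Path(tmp, service, check)
                check_dir.mkdir(parents=True)
                (check_dir / f"{check}.metadata.json").write_text("{}")
        return audit_framework(json.loads(framework_json), available_checks(Path(tmp)))

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run against the real file, `requirements` and `unique_checks` should match the 22 and 74 stated in the description, and `missing`, `empty` and `duplicate_ids` should all be empty.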

@AlexanderSanin AlexanderSanin requested a review from a team as a code owner June 15, 2026 09:12

coderabbitai Bot commented Jun 15, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: de31e461-1ef6-4e8a-bfa3-984bbf94dbd8

📥 Commits

Reviewing files that changed from the base of the PR and between f83eae6 and 37bcf61.

⛔ Files ignored due to path filters (1)
  • prowler/compliance/azure/cyber_essentials_azure.json is excluded by !prowler/compliance/**/*.json
📒 Files selected for processing (1)
  • prowler/CHANGELOG.md

📝 Walkthrough

A single changelog entry is added to the unreleased 5.27.0 section of CHANGELOG.md, documenting the new NCSC Cyber Essentials v3.1 compliance framework for the Azure provider, covering 5 control themes with 22 requirements mapped to 74 existing Azure checks.

Changes

NCSC Cyber Essentials v3.1 Changelog Entry

| Layer / File(s) | Summary |
|---|---|
| Changelog entry: prowler/CHANGELOG.md | Adds a bullet in the 5.27.0 unreleased Added section for the NCSC Cyber Essentials v3.1 Azure compliance framework, referencing 5 control themes, 22 requirements, and 74 checks. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~1 minute

Suggested reviewers

  • danibarranqueroo
🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and specifically describes the main change: adding the NCSC Cyber Essentials compliance framework for the Azure provider. |
| Description check | ✅ Passed | The description is comprehensive, covering context, implementation details, coverage mapping, and test validation. Most template sections are addressed though some checklist items are incomplete. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

coderabbitai Bot previously approved these changes Jun 15, 2026
@github-actions github-actions Bot added the compliance Issues/PRs related with the Compliance Frameworks label Jun 15, 2026
@AlexanderSanin

Contributor Author

Hey @danibarranqueroo @jfagoagas @HugoPBrito. Could you, please, have a look at this?

github-actions Bot commented Jun 15, 2026

Contributor

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@github-actions github-actions Bot added the community Opened by the Community label Jun 15, 2026
@AlexanderSanin AlexanderSanin force-pushed the feat/ncsc-cyber-essentials-azure-v2 branch from c4782db to c459deb Compare June 15, 2026 09:13

codecov Bot commented Jun 15, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.36%. Comparing base (37aa290) to head (37bcf61).
⚠️ Report is 177 commits behind head on master.

❗ There is a different number of reports uploaded between BASE (37aa290) and HEAD (37bcf61).

HEAD has 1 upload less than BASE

| Flag | BASE (37aa290) | HEAD (37bcf61) |
|---|---|---|
| api | 1 | 0 |

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #11586      +/-   ##
==========================================
- Coverage   93.96%   87.36%   -6.61%     
==========================================
  Files         236      225      -11     
  Lines       34777     5967   -28810     
==========================================
- Hits        32678     5213   -27465     
+ Misses       2099      754    -1345     

| Flag | Coverage Δ |
|---|---|
| api | ? |
| prowler-py3.10-azure | 87.36% <ø> (?) |
| prowler-py3.11-azure | 87.36% <ø> (?) |
| prowler-py3.12-azure | 87.33% <ø> (?) |
| prowler-py3.13-azure | 87.36% <ø> (?) |

Flags with carried forward coverage won't be shown.

| Components | Coverage Δ |
|---|---|
| prowler | 87.36% <ø> (∅) |
| api | ∅ <ø> (∅) |

@AlexanderSanin

Contributor Author

CI status update after fix:

Our change is only prowler/compliance/azure/cyber_essentials_azure.json and prowler/CHANGELOG.md.

Adds the UK NCSC Cyber Essentials compliance framework
(cyber_essentials_azure.json) covering all five official themes:

- A.1 Firewalls (A.1.1–A.1.5): boundary firewall restrictions,
  network watcher, bastion host, blocking unauthenticated inbound
  access via storage/network controls
- A.2 Secure Configuration (A.2.1–A.2.6): removing unnecessary
  accounts/services, enforcing SSH key auth, TLS, secure transfer,
  private endpoints
- A.3 Security Update Management (A.3.1–A.3.3): Defender for Cloud
  coverage, vulnerability assessment automation, system update checks
- A.4 User Access Control (A.4.1–A.4.5): RBAC enforcement, least
  privilege, admin account separation, MFA via Conditional Access
- A.5 Malware Protection (A.5.1–A.5.3): endpoint protection,
  Defender for Containers, threat alerting

22 requirements mapping 74 unique existing Azure checks; no new
checks or service changes are required.

Closes prowler-cloud#11579

Signed-off-by: Oleksandr Sanin <alexaaander.sanin@gmail.com>
@AlexanderSanin AlexanderSanin force-pushed the feat/ncsc-cyber-essentials-azure-v2 branch from f83eae6 to 37bcf61 Compare June 15, 2026 09:52