
feat(compliance): add Cyber Essentials 3.3 for Azure#11588

Open
m-khan-97 wants to merge 2 commits into prowler-cloud:master from m-khan-97:feat/cyber-essentials-compliance-azure

Conversation


@m-khan-97 m-khan-97 commented Jun 15, 2026


Context

Related to #11579.

NCSC Cyber Essentials is the UK government-backed cybersecurity certification scheme. There is currently no Cyber Essentials coverage for Azure in Prowler.

I noticed PR #11586 also proposes a Cyber Essentials framework for Azure, using the legacy provider-specific schema (prowler/compliance/azure/...json, v3.1). This PR offers an alternative implementation using the universal compliance schema (the schema recommended for new frameworks per the Security Compliance Framework guide), targeting the current Cyber Essentials version (3.3, April 2026). Posting this so maintainers can compare approaches and pick whichever fits best — happy to close this if #11586 is preferred, or to adjust based on feedback.

Description

Adds prowler/compliance/cyber_essentials.json, a new universal compliance framework covering NCSC Cyber Essentials: Requirements for IT Infrastructure v3.3.

  • 28 requirements across all 5 Cyber Essentials themes: Firewalls, Secure Configuration, Security Update Management, User Access Control, and Malware Protection.
  • Each requirement includes Theme, AssessmentStatus (Automated/Manual), CloudApplicability (full/partial/non-applicable), RemediationProcedure, and References attributes.
  • Requirements that are cloud-applicable and automatable are mapped to existing Azure checks (31 unique checks referenced in total, all verified to exist).
  • Requirements that are out of cloud scope (e.g. end-user device hardening, physical network device admin passwords) are included with empty check lists and AssessmentStatus: "Manual" / CloudApplicability: "non-applicable", per the framework spec requirement that every requirement be present even when no check can automate it.
  • outputs config groups by Theme and includes a PDF chart summarizing compliance by theme.

Adds tests/lib/check/universal_compliance_models_test.py::TestCyberEssentialsFramework covering schema validity, provider support, theme coverage, unique requirement IDs, and attribute/enum consistency.

Adds a CHANGELOG.md entry under ### 🚀 Added.

Steps to review

  • uv run pytest -q tests/lib/check/universal_compliance_models_test.py -k cyber_essentials — runs the new tests.
  • uv run python prowler-cli.py azure --list-compliance — confirms cyber_essentials is discovered.
  • uv run python prowler-cli.py azure --list-compliance-requirements cyber_essentials — lists all 28 requirements with descriptions and check mappings.

Checklist

SDK/CLI

  • Are there new checks included in this PR? No — this PR only adds a compliance framework mapping to existing checks.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Summary by CodeRabbit

  • New Features

    • Added NCSC Cyber Essentials 3.3 compliance framework support for Azure provider.
  • Tests

    • Added validation tests for the new compliance framework, including framework metadata, provider support, and requirement attributes verification.

Adds a new universal compliance framework mapping all 28 sub-requirements
across the five Cyber Essentials themes (Firewalls, Secure Configuration,
Security Update Management, User Access Control, Malware Protection) to
existing Azure checks where automatable, with manual/non-applicable
attributes for requirements outside cloud scope.
@m-khan-97 m-khan-97 requested review from a team as code owners June 15, 2026 09:31

coderabbitai Bot commented Jun 15, 2026


Review Change Stack

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 9465b82 and 252e830.

⛔ Files ignored due to path filters (1)
  • prowler/compliance/cyber_essentials.json is excluded by !prowler/compliance/**/*.json
📒 Files selected for processing (2)
  • prowler/CHANGELOG.md
  • tests/lib/check/universal_compliance_models_test.py

📝 Walkthrough

Adds a TestCyberEssentialsFramework test class to the universal compliance models test suite, validating cyber_essentials.json for framework metadata, Azure-only provider support, five-theme requirement coverage, unique requirement IDs, and enum conformance. A corresponding changelog entry is added for the NCSC Cyber Essentials 3.3 Azure framework.

Changes

NCSC Cyber Essentials 3.3 Azure Framework

  • Framework validation tests and changelog entry (tests/lib/check/universal_compliance_models_test.py, prowler/CHANGELOG.md): TestCyberEssentialsFramework asserts correct framework name/version, azure-only provider, all five Cyber Essentials theme values present across requirements, uniqueness of requirement IDs, and valid AssessmentStatus/CloudApplicability enum values, with AssessmentStatus == "Manual" enforced when a requirement has no azure checks. Changelog records the framework addition.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • prowler-cloud/prowler#11490: Both PRs extend the universal compliance-model loader test path in tests/lib/check/universal_compliance_models_test.py, with this PR adding Cyber Essentials assertions and the referenced PR adding universal entry-point discovery/loading behavior.

Suggested reviewers

  • pedrooot
  • alejandrobailo
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title directly and clearly summarizes the main change: adding Cyber Essentials 3.3 compliance framework for Azure, which matches the primary objective of this PR.
  • Description check: ✅ Passed. The PR description covers context, detailed implementation notes, testing steps, and a completed checklist; it addresses all critical sections per the template.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

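As an added example (not code from this PR or from Prowler), a checker for the requirement-level invariants that the PR description and the walkthrough attribute to the new tests: unique requirement IDs, all five themes present, valid AssessmentStatus / CloudApplicability values, azure-only provider, and Manual status whenever a requirement maps to no Azure check. The dict layout (Id, Attributes, Checks.azure), the requirement IDs and the check names are assumptions, not Prowler's actual universal schema.

```python
THEMES = {"Firewalls", "Secure Configuration", "Security Update Management",
          "User Access Control", "Malware Protection"}
ASSESSMENT_STATUS = {"Automated", "Manual"}
CLOUD_APPLICABILITY = {"full", "partial", "non-applicable"}

def requirement(rid: str, theme: str, status: str, applic: str, checks: list) -> dict:
    """Build one requirement in the assumed layout (Id / Attributes / Checks.azure)."""
    return {"Id": rid, "Checks": {"azure": checks}, "Attributes": {
        "Theme": theme, "AssessmentStatus": status, "CloudApplicability": applic}}

# Constructed sample covering all five themes; check names are placeholders.
GOOD_FRAMEWORK = {
    "Framework": "Cyber Essentials", "Version": "3.3", "Provider": ["azure"],
    "Requirements": [
        requirement("CE-FW-1", "Firewalls", "Automated", "full", ["placeholder_check_1"]),
        requirement("CE-SC-1", "Secure Configuration", "Automated", "partial", ["placeholder_check_2"]),
        requirement("CE-SU-1", "Security Update Management", "Automated", "full", ["placeholder_check_3"]),
        requirement("CE-UA-1", "User Access Control", "Automated", "full", ["placeholder_check_4"]),
        # Out of cloud scope: no check, so it must be Manual / non-applicable.
        requirement("CE-MP-1", "Malware Protection", "Manual", "non-applicable", []),
    ],
}
# Same sample plus a requirement that breaks two rules: duplicate ID, Automated with no check.
BAD_FRAMEWORK = {**GOOD_FRAMEWORK, "Requirements": [
    *GOOD_FRAMEWORK["Requirements"],
    requirement("CE-FW-1", "Firewalls", "Automated", "full", []),
]}

def validate_framework(fw: dict) -> list:
    """Return every invariant violation found; an empty list means the framework passes."""
    errors = []
    if fw.get("Provider") != ["azure"]:
        errors.append("Provider must be exactly ['azure']")
    seen_ids, seen_themes = set(), set()
    for req in fw.get("Requirements", []):
        rid, attrs = req["Id"], req["Attributes"]
        if rid in seen_ids:
            errors.append(f"{rid}: duplicate requirement id")
        seen_ids.add(rid)
        seen_themes.add(attrs["Theme"])
        for key, allowed in (("Theme", THEMES), ("AssessmentStatus", ASSESSMENT_STATUS),
                             ("CloudApplicability", CLOUD_APPLICABILITY)):
            if attrs[key] not in allowed:
                errors.append(f"{rid}: invalid {key} {attrs[key]!r}")
        # A requirement with no azure check cannot be automated; it must be Manual.
        if not req["Checks"].get("azure") and attrs["AssessmentStatus"] != "Manual":
            errors.append(f"{rid}: no azure checks but AssessmentStatus is not Manual")
    for theme in sorted(THEMES - seen_themes):
        errors.append(f"Theme {theme!r} has no requirements")
    return errors
```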

@github-actions github-actions Bot added the compliance Issues/PRs related with the Compliance Frameworks label Jun 15, 2026

github-actions Bot (Contributor) commented

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.
