
feat(compliance): add NCSC Cyber Essentials framework for Azure #11586

Open

AlexanderSanin wants to merge 1 commit into prowler-cloud:master from AlexanderSanin:feat/ncsc-cyber-essentials-azure-v2

Conversation

@AlexanderSanin AlexanderSanin (Contributor) commented Jun 15, 2026

Summary

Adds the NCSC Cyber Essentials compliance framework for the Azure provider, resolving #11579.

Cyber Essentials is the UK government-backed baseline cybersecurity certification scheme, widely required for UK public sector contracts and beneficial for any UK-based Azure user. This implementation follows the official Cyber Essentials Requirements for IT Infrastructure v3.1 and maps all five control themes to existing Prowler Azure checks.

File added: prowler/compliance/azure/cyber_essentials_azure.json

Coverage: 22 requirements × 5 themes × 74 unique Azure checks

| Theme | Requirements | Example checks |
| --- | --- | --- |
| A.1 Firewalls | A.1.1–A.1.5 | network_rdp_internet_access_restricted, network_ssh_internet_access_restricted, network_bastion_host_exists |
| A.2 Secure Configuration | A.2.1–A.2.6 | entra_security_defaults_enabled, storage_ensure_minimum_tls_version_12, app_ftp_deployment_disabled |
| A.3 Security Update Management | A.3.1–A.3.3 | defender_ensure_system_updates_are_applied, defender_auto_provisioning_vulnerabilty_assessments_machines_on |
| A.4 User Access Control | A.4.1–A.4.5 | entra_privileged_user_has_mfa, iam_role_user_access_admin_restricted, entra_conditional_access_policy_require_mfa_for_admin_portals |
| A.5 Malware Protection | A.5.1–A.5.3 | defender_assessments_vm_endpoint_protection_installed, defender_ensure_wdatp_is_enabled, defender_ensure_defender_for_containers_is_on |

Requirements that are device/endpoint-level controls with no Azure control-plane equivalent (e.g. A.2.2 remove unnecessary software, A.3.1/A.3.2 licensed-software inventory for on-prem) are included with the closest available Defender for Cloud checks.

No new checks, service changes, or additional API permissions are required — this PR only adds the framework JSON.

Test plan

  • Validated JSON parses correctly and matches the compliance framework schema
  • Verified all 74 referenced check names exist under prowler/providers/azure/services/
  • Confirmed framework follows the same attribute structure as existing Azure frameworks (HIPAA, NIS2, RBI, etc.)
  • Run prowler azure --compliance cyber_essentials_azure against a test Azure subscription to confirm framework loads and produces results

Summary by CodeRabbit

  • New Features
    • Added NCSC Cyber Essentials v3.1 compliance framework for Azure, covering all 5 control themes with 22 requirements mapped to 74 existing security checks.

@AlexanderSanin AlexanderSanin requested a review from a team as a code owner June 15, 2026 09:12
coderabbitai Bot commented Jun 15, 2026

No actionable comments were generated in the recent review. 🎉

Reviewing files that changed from the base of the PR and between 37bcf61 and 6839838.

Files ignored due to path filters (1)
  • prowler/compliance/azure/cyber_essentials_azure.json is excluded by !prowler/compliance/**/*.json

Files selected for processing (1)
  • prowler/CHANGELOG.md

Walkthrough

A single changelog entry is added to the unreleased 5.27.0 section of CHANGELOG.md, documenting the new NCSC Cyber Essentials v3.1 compliance framework for the Azure provider, covering 5 control themes with 22 requirements mapped to 74 existing Azure checks.

Changes: NCSC Cyber Essentials v3.1 Changelog Entry

| Layer / File(s) | Summary |
| --- | --- |
| Changelog entry (prowler/CHANGELOG.md) | Adds a bullet in the 5.27.0 unreleased Added section for the NCSC Cyber Essentials v3.1 Azure compliance framework, referencing 5 control themes, 22 requirements, and 74 checks. |

Estimated code review effort: 1 (Trivial), ~1 minute

Suggested reviewers

  • danibarranqueroo
Pre-merge checks: 5 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | Passed | The title clearly and concisely describes the main change: adding the NCSC Cyber Essentials compliance framework for Azure, which aligns directly with the changeset. |
| Description check | Passed | The PR description includes Context (issue reference and motivation), Description (summary with detailed coverage table), and Steps to review (test plan with validation checkboxes); all major template sections are addressed. |
| Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | Passed | Check skipped because no linked issues were found for this pull request. |

coderabbitai Bot previously approved these changes Jun 15, 2026
@github-actions github-actions Bot added the compliance Issues/PRs related with the Compliance Frameworks label Jun 15, 2026
@AlexanderSanin AlexanderSanin (Contributor, Author) commented

Hey @danibarranqueroo @jfagoagas @HugoPBrito. Could you please have a look at this?

github-actions Bot (Contributor) commented Jun 15, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@github-actions github-actions Bot added the community Opened by the Community label Jun 15, 2026
@AlexanderSanin AlexanderSanin force-pushed the feat/ncsc-cyber-essentials-azure-v2 branch from c4782db to c459deb Compare June 15, 2026 09:13
codecov Bot commented Jun 15, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.44%. Comparing base (37aa290) to head (6839838).
⚠️ Report is 206 commits behind head on master.

There is a different number of reports uploaded between BASE (37aa290) and HEAD (6839838): HEAD has 1 upload less than BASE.

| Flag | BASE (37aa290) | HEAD (6839838) |
| --- | --- | --- |
| api | 1 | 0 |
Additional details and impacted files
@@            Coverage Diff             @@
##           master   #11586      +/-   ##
==========================================
- Coverage   93.96%   87.44%   -6.53%     
==========================================
  Files         236      227       -9     
  Lines       34777     6004   -28773     
==========================================
- Hits        32678     5250   -27428     
+ Misses       2099      754    -1345     
| Flag | Coverage Δ |
| --- | --- |
| api | ? |
| prowler-py3.10-azure | 87.44% <ø> (?) |
| prowler-py3.11-azure | 87.44% <ø> (?) |
| prowler-py3.12-azure | 87.40% <ø> (?) |
| prowler-py3.13-azure | 87.44% <ø> (?) |

Flags with carried forward coverage won't be shown.

| Components | Coverage Δ |
| --- | --- |
| prowler | 87.44% <ø> (∅) |
| api | ∅ <ø> (∅) |

@AlexanderSanin AlexanderSanin (Contributor, Author) commented

CI status update after fix:

Our change is only prowler/compliance/azure/cyber_essentials_azure.json and prowler/CHANGELOG.md.

@AlexanderSanin AlexanderSanin force-pushed the feat/ncsc-cyber-essentials-azure-v2 branch from f83eae6 to 37bcf61 Compare June 15, 2026 09:52
coderabbitai Bot previously approved these changes Jun 15, 2026

@HugoPBrito HugoPBrito (Member) left a comment

Thanks for the contribution. The framework structure is mostly fine, but the compliance definition should follow Prowler's compliance structure: include the full official framework, map only the checks that directly match each requirement, and leave the rest unassigned with Checks: [].

Please do not reduce the framework to only the requirements that Prowler can currently check, and also do not map indirectly related checks just to increase automated coverage. Requirements without a direct Prowler check should stay in the JSON with an empty Checks array.

Reference: Prowler compliance framework documentation.

"Service": "network"
}
],
"Checks": [


This should likely be Checks: [].

Network Watcher and flow logs provide visibility, but they do not directly prove default-deny firewall behavior. Keep the requirement in the compliance file, but leave it unassigned unless there is a direct check for this control.

"Service": "entra"
}
],
"Checks": [


This should likely be Checks: [].

These checks do not verify removal or disabling of unnecessary user accounts. Keep the requirement, but only map checks that directly validate account lifecycle cleanup.

"Service": "entra"
}
],
"Checks": [


This should likely be Checks: [].

entra_security_defaults_enabled does not verify account auto-lock after inactivity. Keep the requirement in the framework, but leave it unassigned unless a direct inactivity-lock check exists.

"Service": "defender"
}
],
"Checks": [


This should likely be Checks: [].

Defender plan enablement does not prove that all software is supported or licensed. Keep the official requirement, but do not map indirect checks to it.

"Service": "defender"
}
],
"Checks": [


This should likely be Checks: [].

The mapped checks do not prove that high or critical updates are applied within 14 days of release. Keep the requirement, but leave it unassigned unless a check directly validates that timeframe.

"Service": "iam"
}
],
"Checks": [


This should likely be Checks: [].

RBAC checks do not verify named approval, one account per identified individual, or account removal when no longer required. Keep the requirement, but only map direct lifecycle or approval checks.

"Service": "entra"
}
],
"Checks": [


This should likely be Checks: [].

These checks do not prove that administrators use separate admin and standard user accounts. Keep the requirement, but leave it unassigned unless there is a direct check for account separation.
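The test plan above says the referenced check names were verified to exist under prowler/providers/azure/services/, and the review asks that requirements without a direct check be kept with an empty Checks array rather than padded with indirect ones. The script below is an added example of how a contributor could automate both checks before opening such a PR; it is not part of this PR or of Prowler's own tooling. It assumes the framework shape visible in this review (a "Requirements" list whose entries carry "Id", "Attributes" with a "Service", and a "Checks" list) and, for discover_checks(), that each check is a directory named after itself under prowler/providers/<provider>/services/<service>/ (an assumption about the repository layout). The framework excerpt and the set of known checks are constructed for the example; only a few check names are taken from the PR description.

```python
"""Pre-PR validation for a Prowler-style compliance framework JSON.

Added example, not Prowler's own tooling. Assumed framework shape: a
"Requirements" list of {"Id", "Description", "Attributes": [{"Service"}],
"Checks": [...]} entries. discover_checks() assumes (repository layout
assumption) that each check is a directory named after itself under
prowler/providers/<provider>/services/<service>/.
"""
import json
import os
from collections import Counter

# Constructed excerpt in the shape of cyber_essentials_azure.json (not the real file).
SAMPLE_FRAMEWORK = """
{
  "Framework": "NCSC-Cyber-Essentials",
  "Version": "3.1",
  "Provider": "Azure",
  "Requirements": [
    {
      "Id": "A.1.1",
      "Description": "Boundary firewalls restrict inbound access to services",
      "Attributes": [{"Section": "A.1 Firewalls", "Service": "network"}],
      "Checks": ["network_rdp_internet_access_restricted",
                 "network_ssh_internet_access_restricted"]
    },
    {
      "Id": "A.1.2",
      "Description": "Firewall rules default to deny (no direct check, so left unmapped)",
      "Attributes": [{"Section": "A.1 Firewalls", "Service": "network"}],
      "Checks": []
    },
    {
      "Id": "A.5.2",
      "Description": "Malware protection on in-scope devices",
      "Attributes": [{"Section": "A.5 Malware Protection", "Service": "defender"}],
      "Checks": ["defender_ensure_wdatp_is_enabled",
                 "defender_ensure_wdatp_is_enabled",
                 "defender_check_that_does_not_exist"]
    }
  ]
}
"""

# Constructed stand-in for the check names discovered on disk.
KNOWN_CHECKS = {
    "network_rdp_internet_access_restricted",
    "network_ssh_internet_access_restricted",
    "defender_ensure_wdatp_is_enabled",
}


def discover_checks(services_dir):
    """Collect check names from services_dir/<service>/<check>/ directories.

    Assumes each check directory is prefixed with its service name, e.g.
    network/network_rdp_internet_access_restricted (layout assumption).
    """
    found = set()
    for service in sorted(os.listdir(services_dir)):
        service_path = os.path.join(services_dir, service)
        if not os.path.isdir(service_path):
            continue
        for entry in os.listdir(service_path):
            if entry.startswith(service + "_") and os.path.isdir(os.path.join(service_path, entry)):
                found.add(entry)
    return found


def validate_framework(text, known_checks):
    """Parse the framework document and report mapping problems.

    Returns a dict with "missing" (requirement id -> names not in known_checks),
    "duplicates" (requirement id -> names listed more than once), "unmapped"
    (ids whose Checks list is empty, which the review asks to keep as-is rather
    than fill with indirect checks) and "unique_checks" (distinct names referenced).
    """
    doc = json.loads(text)
    for key in ("Framework", "Version", "Provider", "Requirements"):
        if key not in doc:
            raise ValueError(f"framework is missing top-level key {key!r}")

    report = {"missing": {}, "duplicates": {}, "unmapped": [], "unique_checks": 0}
    referenced = set()
    for req in doc["Requirements"]:
        rid = req["Id"]
        checks = req.get("Checks", [])
        if not checks:
            report["unmapped"].append(rid)
        dupes = sorted(name for name, count in Counter(checks).items() if count > 1)
        if dupes:
            report["duplicates"][rid] = dupes
        missing = sorted(set(checks) - known_checks)
        if missing:
            report["missing"][rid] = missing
        referenced.update(checks)
    report["unique_checks"] = len(referenced)
    return report


if __name__ == "__main__":
    for key, value in validate_framework(SAMPLE_FRAMEWORK, KNOWN_CHECKS).items():
        print(f"{key}: {value}")
```

Run against a real checkout, `validate_framework(open(path).read(), discover_checks("prowler/providers/azure/services"))` turns the "verified all 74 referenced check names exist" step into something repeatable, and the "unmapped" list doubles as the set of requirements a reviewer will expect to see with Checks: [] rather than with loosely related checks.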

Adds the UK NCSC Cyber Essentials compliance framework
(cyber_essentials_azure.json) covering all five official themes:

- A.1 Firewalls (A.1.1–A.1.5): boundary firewall restrictions,
  network watcher, bastion host, blocking unauthenticated inbound
  access via storage/network controls
- A.2 Secure Configuration (A.2.1–A.2.6): removing unnecessary
  accounts/services, enforcing SSH key auth, TLS, secure transfer,
  private endpoints
- A.3 Security Update Management (A.3.1–A.3.3): Defender for Cloud
  coverage, vulnerability assessment automation, system update checks
- A.4 User Access Control (A.4.1–A.4.5): RBAC enforcement, least
  privilege, admin account separation, MFA via Conditional Access
- A.5 Malware Protection (A.5.1–A.5.3): endpoint protection,
  Defender for Containers, threat alerting

22 requirements mapping 74 unique existing Azure checks; no new
checks or service changes are required.

Closes prowler-cloud#11579

Signed-off-by: Oleksandr Sanin <alexaaander.sanin@gmail.com>
@AlexanderSanin AlexanderSanin (Contributor, Author) commented

Addressed all 7 inline review comments from @HugoPBrito — thank you for the careful review.

Cleared Checks: [] for requirements where the mapped checks were indirect rather than direct validators:

  • A.1.2 — network_watcher_enabled / flow logs provide visibility but don't prove default-deny behaviour
  • A.2.1 — Entra policy restriction checks don't validate account lifecycle cleanup
  • A.2.4 — entra_security_defaults_enabled doesn't verify inactivity auto-lock
  • A.3.1 — Defender plan enablement doesn't prove software is supported/licensed
  • A.3.3 — defender_ensure_system_updates_are_applied doesn't prove the 14-day patch window
  • A.4.1 — RBAC checks don't verify named approval or per-individual account assignment
  • A.4.2 — These checks don't prove admin/standard account separation

Updated in commit 6839838.
