feat(compliance): add Cyber Essentials 3.3 for Azure#11588

Open
m-khan-97 wants to merge 1 commit into prowler-cloud:master from m-khan-97:feat/cyber-essentials-compliance-azure
Conversation

m-khan-97 commented Jun 15, 2026

Context

Related to #11579.

NCSC Cyber Essentials is the UK government-backed cybersecurity certification scheme. There is currently no Cyber Essentials coverage for Azure in Prowler.

I noticed PR #11586 also proposes a Cyber Essentials framework for Azure, using the legacy provider-specific schema (prowler/compliance/azure/...json, v3.1). This PR offers an alternative implementation using the universal compliance schema (the schema recommended for new frameworks per the Security Compliance Framework guide), targeting the current Cyber Essentials version (3.3, April 2026). Posting this so maintainers can compare approaches and pick whichever fits best — happy to close this if #11586 is preferred, or to adjust based on feedback.

Description

Adds prowler/compliance/cyber_essentials.json, a new universal compliance framework covering NCSC Cyber Essentials: Requirements for IT Infrastructure v3.3.

  • 28 requirements across all 5 Cyber Essentials themes: Firewalls, Secure Configuration, Security Update Management, User Access Control, and Malware Protection.
  • Each requirement includes Theme, AssessmentStatus (Automated/Manual), CloudApplicability (full/partial/non-applicable), RemediationProcedure, and References attributes.
  • Requirements that are cloud-applicable and automatable are mapped to existing Azure checks (31 unique checks referenced in total, all verified to exist).
  • Requirements that are out of cloud scope (e.g. end-user device hardening, physical network device admin passwords) are included with empty check lists and AssessmentStatus: "Manual" / CloudApplicability: "non-applicable", per the framework spec requirement that every requirement be present even when no check can automate it.
  • outputs config groups by Theme and includes a PDF chart summarizing compliance by theme.

Adds tests/lib/check/universal_compliance_models_test.py::TestCyberEssentialsFramework covering schema validity, provider support, theme coverage, unique requirement IDs, and attribute/enum consistency.

Adds a CHANGELOG.md entry under ### 🚀 Added.

Steps to review

  • uv run pytest -q tests/lib/check/universal_compliance_models_test.py -k cyber_essentials — runs the new tests.
  • uv run python prowler-cli.py azure --list-compliance — confirms cyber_essentials is discovered.
  • uv run python prowler-cli.py azure --list-compliance-requirements cyber_essentials — lists all 28 requirements with descriptions and check mappings.

Checklist

SDK/CLI

  • Are there new checks included in this PR? No — this PR only adds a compliance framework mapping to existing checks.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Summary by CodeRabbit

  • New Features

    • Added support for the NCSC Cyber Essentials 3.3 compliance framework, including Azure provider coverage across all five themes.
  • Tests

    • Added a new test suite validating framework metadata (name/version), Azure-only provider availability, exact five-theme coverage, unique requirement IDs, and that assessment/status and cloud applicability use allowed values (including manual assessment when Azure checks are absent).

@m-khan-97 m-khan-97 requested review from a team as code owners June 15, 2026 09:31
coderabbitai Bot commented Jun 15, 2026

Review Change Stack

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between 110bc03 and 34ca675.

⛔ Files ignored due to path filters (1)
  • prowler/compliance/cyber_essentials.json is excluded by !prowler/compliance/**/*.json
📒 Files selected for processing (1)
  • prowler/CHANGELOG.md

Walkthrough

Adds a TestCyberEssentialsFramework test class for cyber_essentials.json validation and a changelog entry for NCSC Cyber Essentials 3.3 with Azure coverage.

Changes

NCSC Cyber Essentials 3.3 Azure Framework

Layer: Framework validation tests and changelog entry
File(s): tests/lib/check/universal_compliance_models_test.py, prowler/CHANGELOG.md
Summary: TestCyberEssentialsFramework checks framework name and version, Azure-only provider coverage, all five Cyber Essentials themes, unique requirement IDs, and allowed AssessmentStatus/CloudApplicability values with a manual-status condition when no Azure checks exist. The changelog records the framework addition.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

  • prowler-cloud/prowler#11579: This PR adds the Cyber Essentials framework validation test coverage and changelog entry described by the related issue.

Suggested reviewers

  • danibarranqueroo
  • alejandrobailo
  • cesararroba
🚥 Pre-merge checks: ✅ 4 passed | ❌ 1 failed

❌ Failed checks (1 warning)

  • Docstring Coverage (⚠️ Warning): Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check: The title clearly and concisely matches the main change: adding Cyber Essentials 3.3 coverage for Azure.
  • Description check: The description follows the template well, with context, summary, review steps, checklist items, and license included.
  • Linked Issues check: Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Check skipped because no linked issues were found for this pull request.


@github-actions github-actions Bot added the compliance Issues/PRs related with the Compliance Frameworks label Jun 15, 2026
m-khan-97 added a commit to m-khan-97/prowler that referenced this pull request Jun 15, 2026
github-actions Bot commented Jun 15, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

coderabbitai Bot previously approved these changes Jun 15, 2026

coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tests/lib/check/universal_compliance_models_test.py`:
- Around line 938-942: The assertion validating req.attributes["CloudApplicability"] is incomplete and missing a valid enum value. Add "limited" to the set of accepted values in the assertion so it includes all four valid values from the ASDEssentialEight_Requirement_Attribute_CloudApplicability enum: "full", "partial", "limited", and "non-applicable". Alternatively, validate directly against the actual enum definition instead of hardcoding the set of values to prevent this from happening again if the enum is updated.

📥 Commits

Reviewing files that changed from the base of the PR and between 252e830 and 70f884a.

⛔ Files ignored due to path filters (1)
  • prowler/compliance/cyber_essentials.json is excluded by !prowler/compliance/**/*.json
📒 Files selected for processing (2)
  • prowler/CHANGELOG.md
  • tests/lib/check/universal_compliance_models_test.py
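One way to write the enum-driven validation that the review comment above suggests, which also exercises the consistency rules the PR description lists (unique requirement IDs, exactly five themes, Manual status whenever no Azure check exists). This is an added example, not Prowler's own code or test suite: the framework dict shape, the enum class names and the check ids are assumptions.

```python
from enum import Enum
# Stand-in enums; Prowler's real classes are named differently (assumption).
class CloudApplicability(str, Enum):
    FULL = "full"
    PARTIAL = "partial"
    LIMITED = "limited"          # the member the hardcoded assertion left out
    NON_APPLICABLE = "non-applicable"

class AssessmentStatus(str, Enum):
    AUTOMATED = "Automated"
    MANUAL = "Manual"

CE_THEMES = frozenset({"Firewalls", "Secure Configuration", "Security Update Management",
                       "User Access Control", "Malware Protection"})

def validate_framework(framework: dict) -> list[str]:
    """Return every inconsistency found; an empty list means the framework is consistent."""
    allowed_ca = {m.value for m in CloudApplicability}  # derived from the enum, not hardcoded
    allowed_as = {m.value for m in AssessmentStatus}
    problems, seen_ids, themes = [], set(), set()
    for req in framework["Requirements"]:
        rid, attrs = req["Id"], req["Attributes"]
        if rid in seen_ids:
            problems.append(f"{rid}: duplicate requirement id")
        seen_ids.add(rid)
        themes.add(attrs["Theme"])
        if attrs["CloudApplicability"] not in allowed_ca:
            problems.append(f"{rid}: unknown CloudApplicability {attrs['CloudApplicability']!r}")
        if attrs["AssessmentStatus"] not in allowed_as:
            problems.append(f"{rid}: unknown AssessmentStatus {attrs['AssessmentStatus']!r}")
        # Nothing automates a requirement with no Azure check, so it must be Manual.
        if not req["Checks"].get("azure") and attrs["AssessmentStatus"] != AssessmentStatus.MANUAL.value:
            problems.append(f"{rid}: no azure checks but not Manual")
    if themes != CE_THEMES:  # exactly the five Cyber Essentials themes, no more, no less
        problems.append(f"theme coverage mismatch: {sorted(themes ^ CE_THEMES)}")
    return problems

def _req(rid, theme, status, applicability, azure_checks):
    # One requirement in the simplified shape this example assumes (not the real schema).
    return {"Id": rid, "Attributes": {"Theme": theme, "AssessmentStatus": status,
            "CloudApplicability": applicability}, "Checks": {"azure": azure_checks}}

# Constructed sample; check ids are placeholders, not real Prowler check names.
SAMPLE = {"Framework": "Cyber Essentials", "Version": "3.3", "Provider": ["azure"], "Requirements": [
    _req("1.1", "Firewalls", "Automated", "full", ["placeholder_check_nsg"]),
    _req("2.1", "Secure Configuration", "Automated", "partial", ["placeholder_check_cfg"]),
    _req("3.1", "Security Update Management", "Automated", "limited", ["placeholder_check_upd"]),
    _req("4.1", "User Access Control", "Automated", "full", ["placeholder_check_mfa"]),
    _req("5.1", "Malware Protection", "Manual", "non-applicable", [])]}
```

Because the accepted values are read from the enum at test time, adding a member later changes nothing in the validator, which is the point the review makes about "limited".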

coderabbitai Bot previously approved these changes Jun 21, 2026
m-khan-97 force-pushed the feat/cyber-essentials-compliance-azure branch from 70f884a to 110bc03 June 21, 2026 14:43
coderabbitai Bot previously approved these changes Jun 21, 2026
pedrooot self-assigned this Jun 24, 2026
Adds a new universal compliance framework mapping all 28 sub-requirements
across the five Cyber Essentials themes (Firewalls, Secure Configuration,
Security Update Management, User Access Control, Malware Protection) to
existing Azure checks where automatable, with manual/non-applicable
attributes for requirements outside cloud scope.
m-khan-97 force-pushed the feat/cyber-essentials-compliance-azure branch from 110bc03 to 34ca675 June 25, 2026 19:46