From b61b6cba53e9ea57a42cfe0a12586deb2060a126 Mon Sep 17 00:00:00 2001
From: Andoni Alonso <14891798+andoniaf@users.noreply.github.com>
Date: Tue, 3 Mar 2026 16:42:08 +0100
Subject: [PATCH] feat(sdk): add provider identity fields to OCSF unmapped output (#10240)
Co-authored-by: Pepe Fagoaga
---
 prowler/CHANGELOG.md | 1 +
 prowler/lib/outputs/ocsf/ocsf.py | 1 +
 tests/lib/outputs/ocsf/ocsf_test.py | 4 ++++
 3 files changed, 6 insertions(+)
diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
index d5d27f93cc..62e9b0ab21 100644
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -42,6 +42,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - OpenStack image service with 6 security checks [(#10096)](https://github.com/prowler-cloud/prowler/pull/10096)
 - IaC `--provider-uid` flag to specify the provider UID for the IaC provider [(#10233)](https://github.com/prowler-cloud/prowler/pull/10233)
 - `provider_uid` field in OCSF `unmapped` output for provider identification [(#10231)](https://github.com/prowler-cloud/prowler/pull/10231)
+- `provider` field in OCSF `unmapped` output for provider name availability regardless of cloud object presence [(#10240)](https://github.com/prowler-cloud/prowler/pull/10240)
 ### 🔄 Changed
diff --git a/prowler/lib/outputs/ocsf/ocsf.py b/prowler/lib/outputs/ocsf/ocsf.py
index f5681f7e89..cac6a3766c 100644
--- a/prowler/lib/outputs/ocsf/ocsf.py
+++ b/prowler/lib/outputs/ocsf/ocsf.py
@@ -179,6 +179,7 @@ class OCSF(Output):
 "compliance": finding.compliance,
 "scan_id": str(scan_id),
 "provider_uid": finding.provider_uid or finding.account_uid,
+ "provider": finding.provider,
 },
 )
 if finding.provider != "kubernetes":
diff --git a/tests/lib/outputs/ocsf/ocsf_test.py b/tests/lib/outputs/ocsf/ocsf_test.py
index 7942fca361..d465a3c0e4 100644
--- a/tests/lib/outputs/ocsf/ocsf_test.py
+++ b/tests/lib/outputs/ocsf/ocsf_test.py
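Review bot: The added `"provider": finding.provider,` entry in the `unmapped` dict of `prowler/lib/outputs/ocsf/ocsf.py` carries no comment saying why the provider name is repeated there, and the reason is only hinted at by the `if finding.provider != "kubernetes":` check that follows. A one-line comment above it would help whoever maintains ingestion rules for this output, for example `# Emitted unconditionally so the provider name is present even when no cloud object is attached (see the kubernetes check below)`. Unlike the neighbouring `provider_uid` line, which falls back to `finding.account_uid`, this entry has no fallback, so it is worth confirming that `finding.provider` is always populated; the Finding model is not visible here. The enclosing method starts and ends outside the hunk.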
@@ -114,6 +114,7 @@ class TestOCSF:
 "notes": findings[0].metadata.Notes,
 "compliance": findings[0].compliance,
 "provider_uid": findings[0].account_uid,
+ "provider": findings[0].provider,
 }
 # Test with int timestamp (UNIX timestamp)
@@ -221,6 +222,7 @@ class TestOCSF:
 "notes": "test-notes",
 "compliance": {"test-compliance": "test-compliance"},
 "provider_uid": "123456789012",
+ "provider": "aws",
 },
 "activity_name": "Create",
 "activity_id": 1,
@@ -357,6 +359,7 @@ class TestOCSF:
 "notes": finding_output.metadata.Notes,
 "compliance": finding_output.compliance,
 "provider_uid": finding_output.account_uid,
+ "provider": finding_output.provider,
 }
 # ResourceDetails
@@ -438,6 +441,7 @@ class TestOCSF:
 "namespace: ", ""
 )
 assert finding_ocsf.unmapped["provider_uid"] == "test-k8s-context"
+ assert finding_ocsf.unmapped["provider"] == "kubernetes"
 def test_finding_output_cloud_fail_low_not_muted(self):
 finding_output = generate_finding_output(
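Review bot: In the hunks at lines 114 and 359 of `tests/lib/outputs/ocsf/ocsf_test.py` the expected value is read back from the fixture (`"provider": findings[0].provider,` and `"provider": finding_output.provider,`), so those assertions still pass if the fixture's provider is empty or wrong. The hunks at 222 and 441 pin literals (`"aws"`, `"kubernetes"`), which is the stronger form for a field that downstream consumers of the OCSF output key on; consider doing the same in the other two, e.g. `"provider": "aws",` if that is what the fixture is built with (the fixture definition is outside these hunks). All four test functions start outside their hunks.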