feat(compliance): add SecNumCloud for AWS (#10117)

2026-03-21 18:58:04 +00:00 · 2026-02-26 09:31:19 +01:00
parent d15cabee20
commit fac089ab78
11 changed files with 1615 additions and 3 deletions
--- a/dashboard/compliance/secnumcloud_3_2_aws.py
+++ b/dashboard/compliance/secnumcloud_3_2_aws.py
@@ -0,0 +1,24 @@
+import warnings
+
+from dashboard.common_methods import get_section_containers_format3
+
+warnings.filterwarnings("ignore")
+
+
+def get_table(data):
+    aux = data[
+        [
+            "REQUIREMENTS_ID",
+            "REQUIREMENTS_DESCRIPTION",
+            "REQUIREMENTS_ATTRIBUTES_SECTION",
+            "CHECKID",
+            "STATUS",
+            "REGION",
+            "ACCOUNTID",
+            "RESOURCEID",
+        ]
+    ].copy()
+
+    return get_section_containers_format3(
+        aux, "REQUIREMENTS_ATTRIBUTES_SECTION", "REQUIREMENTS_ID"
+    )
--- a/prowler/CHANGELOG.md
+++ b/prowler/CHANGELOG.md
@@ -31,6 +31,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - `entra_seamless_sso_disabled` check for m365 provider [(#10086)](https://github.com/prowler-cloud/prowler/pull/10086)
 - Registry scan mode for `image` provider: enumerate and scan all images from OCI standard, Docker Hub, and ECR [(#9985)](https://github.com/prowler-cloud/prowler/pull/9985)
 - Add file descriptor limits (`ulimits`) to Docker Compose worker services to prevent `Too many open files` errors [(#10107)](https://github.com/prowler-cloud/prowler/pull/10107)
+- SecNumCloud compliance framework for the AWS provider [(#10117)](https://github.com/prowler-cloud/prowler/pull/10117)
 - CIS 6.0 for the AWS provider [(#10127)](https://github.com/prowler-cloud/prowler/pull/10127)
 - `entra_require_mfa_for_management_api` check for m365 provider [(#10150)](https://github.com/prowler-cloud/prowler/pull/10150)
 - OpenStack provider multiple regions support [(#10135)](https://github.com/prowler-cloud/prowler/pull/10135)
--- a/prowler/compliance/aws/secnumcloud_3.2_aws.json
+++ b/prowler/compliance/aws/secnumcloud_3.2_aws.json
--- a/prowler/lib/check/compliance_models.py
+++ b/prowler/lib/check/compliance_models.py
@@ -62,6 +62,7 @@ class Generic_Compliance_Requirement_Attribute(BaseModel):
    SubGroup: Optional[str] = None
    Service: Optional[str] = None
    Type: Optional[str] = None
+    Comment: Optional[str] = None


 class CIS_Requirement_Attribute_Profile(str, Enum):
--- a/prowler/lib/outputs/compliance/generic/generic.py
+++ b/prowler/lib/outputs/compliance/generic/generic.py
@@ -53,6 +53,7 @@ class GenericCompliance(ComplianceOutput):
                            Requirements_Attributes_SubGroup=attribute.SubGroup,
                            Requirements_Attributes_Service=attribute.Service,
                            Requirements_Attributes_Type=attribute.Type,
+                            Requirements_Attributes_Comment=attribute.Comment,
                            Status=finding.status,
                            StatusExtended=finding.status_extended,
                            ResourceId=finding.resource_uid,
@@ -80,6 +81,7 @@ class GenericCompliance(ComplianceOutput):
                        Requirements_Attributes_SubGroup=attribute.SubGroup,
                        Requirements_Attributes_Service=attribute.Service,
                        Requirements_Attributes_Type=attribute.Type,
+                        Requirements_Attributes_Comment=attribute.Comment,
                        Status="MANUAL",
                        StatusExtended="Manual check",
                        ResourceId="manual_check",
--- a/prowler/lib/outputs/compliance/generic/models.py
+++ b/prowler/lib/outputs/compliance/generic/models.py
@@ -28,3 +28,4 @@ class GenericComplianceModel(BaseModel):
    ResourceName: str
    Framework: str
    Name: str
+    Requirements_Attributes_Comment: Optional[str] = None
--- a/tests/lib/outputs/compliance/generic/generic_aws_test.py
+++ b/tests/lib/outputs/compliance/generic/generic_aws_test.py
@@ -57,6 +57,7 @@ class TestAWSGenericCompliance:
            output_data.Requirements_Attributes_Type
            == NIST_800_53_REVISION_4_AWS.Requirements[0].Attributes[0].Type
        )
+        assert output_data.Requirements_Attributes_Comment is None
        assert output_data.Status == "PASS"
        assert output_data.StatusExtended == ""
        assert output_data.ResourceId == ""
@@ -99,6 +100,7 @@ class TestAWSGenericCompliance:
            output_data_manual.Requirements_Attributes_Type
            == NIST_800_53_REVISION_4_AWS.Requirements[1].Attributes[0].Type
        )
+        assert output_data_manual.Requirements_Attributes_Comment is None
        assert output_data_manual.Status == "MANUAL"
        assert output_data_manual.StatusExtended == "Manual check"
        assert output_data_manual.ResourceId == "manual_check"
@@ -124,6 +126,6 @@ class TestAWSGenericCompliance:

        mock_file.seek(0)
        content = mock_file.read()
-        expected_csv = f"PROVIDER;DESCRIPTION;ACCOUNTID;REGION;ASSESSMENTDATE;REQUIREMENTS_ID;REQUIREMENTS_DESCRIPTION;REQUIREMENTS_ATTRIBUTES_SECTION;REQUIREMENTS_ATTRIBUTES_SUBSECTION;REQUIREMENTS_ATTRIBUTES_SUBGROUP;REQUIREMENTS_ATTRIBUTES_SERVICE;REQUIREMENTS_ATTRIBUTES_TYPE;STATUS;STATUSEXTENDED;RESOURCEID;CHECKID;MUTED;RESOURCENAME;FRAMEWORK;NAME\r\naws;NIST 800-53 is a regulatory standard that defines the minimum baseline of security controls for all U.S. federal information systems except those related to national security. The controls defined in this standard are customizable and address a diverse set of security and privacy requirements.;123456789012;eu-west-1;{datetime.now()};ac_2_4;Account Management;Access Control (AC);Account Management (AC-2);;aws;;PASS;;;service_test_check_id;False;;NIST-800-53-Revision-4;National Institute of Standards and Technology (NIST) 800-53 Revision 4\r\naws;NIST 800-53 is a regulatory standard that defines the minimum baseline of security controls for all U.S. federal information systems except those related to national security. The controls defined in this standard are customizable and address a diverse set of security and privacy requirements.;;;{datetime.now()};ac_2_5;Account Management;Access Control (AC);Account Management (AC-2);;aws;;MANUAL;Manual check;manual_check;manual;False;Manual check;NIST-800-53-Revision-4;National Institute of Standards and Technology (NIST) 800-53 Revision 4\r\n"
+        expected_csv = f"PROVIDER;DESCRIPTION;ACCOUNTID;REGION;ASSESSMENTDATE;REQUIREMENTS_ID;REQUIREMENTS_DESCRIPTION;REQUIREMENTS_ATTRIBUTES_SECTION;REQUIREMENTS_ATTRIBUTES_SUBSECTION;REQUIREMENTS_ATTRIBUTES_SUBGROUP;REQUIREMENTS_ATTRIBUTES_SERVICE;REQUIREMENTS_ATTRIBUTES_TYPE;STATUS;STATUSEXTENDED;RESOURCEID;CHECKID;MUTED;RESOURCENAME;FRAMEWORK;NAME;REQUIREMENTS_ATTRIBUTES_COMMENT\r\naws;NIST 800-53 is a regulatory standard that defines the minimum baseline of security controls for all U.S. federal information systems except those related to national security. The controls defined in this standard are customizable and address a diverse set of security and privacy requirements.;123456789012;eu-west-1;{datetime.now()};ac_2_4;Account Management;Access Control (AC);Account Management (AC-2);;aws;;PASS;;;service_test_check_id;False;;NIST-800-53-Revision-4;National Institute of Standards and Technology (NIST) 800-53 Revision 4;\r\naws;NIST 800-53 is a regulatory standard that defines the minimum baseline of security controls for all U.S. federal information systems except those related to national security. The controls defined in this standard are customizable and address a diverse set of security and privacy requirements.;;;{datetime.now()};ac_2_5;Account Management;Access Control (AC);Account Management (AC-2);;aws;;MANUAL;Manual check;manual_check;manual;False;Manual check;NIST-800-53-Revision-4;National Institute of Standards and Technology (NIST) 800-53 Revision 4;\r\n"

        assert content == expected_csv
--- a/ui/CHANGELOG.md
+++ b/ui/CHANGELOG.md
@@ -10,6 +10,7 @@ All notable changes to the **Prowler UI** are documented in this file.
 - PDF report available for the CSA CCM compliance framework [(#10088)](https://github.com/prowler-cloud/prowler/pull/10088)
 - Cloudflare provider support [(#9910)](https://github.com/prowler-cloud/prowler/pull/9910)
 - CSV and PDF download buttons in compliance views [(#10093)](https://github.com/prowler-cloud/prowler/pull/10093)
+- Add SecNumCloud compliance framework [(#10117)](https://github.com/prowler-cloud/prowler/pull/10117)
 - Attack Paths tools added to Lighthouse AI workflow allowed list [(#10175)](https://github.com/prowler-cloud/prowler/pull/10175)

 ### 🔄 Changed
--- a/ui/components/compliance/compliance-accordion/compliance-accordion-title.tsx
+++ b/ui/components/compliance/compliance-accordion/compliance-accordion-title.tsx
@@ -127,9 +127,9 @@ export const ComplianceAccordionTitle = ({
          size="sm"
          placement="top"
        >
-          <div className="text-default-600 min-w-[32px] text-center text-xs font-medium">
+          <span className="text-default-600 min-w-[32px] text-center text-xs font-medium">
            {total > 0 ? total : "—"}
-          </div>
+          </span>
        </Tooltip>
      </div>
    </div>
--- a/ui/components/icons/compliance/IconCompliance.tsx
+++ b/ui/components/icons/compliance/IconCompliance.tsx
@@ -1,3 +1,4 @@
+import ANSSILogo from "./anssi.png";
 import AWSLogo from "./aws.svg";
 import C5Logo from "./c5.svg";
 import CCCLogo from "./ccc.svg";
@@ -42,6 +43,7 @@ const COMPLIANCE_LOGOS = {
  c5: C5Logo,
  ccc: CCCLogo,
  csa: CSALogo,
+  secnumcloud: ANSSILogo,
 } as const;

 export const getComplianceIcon = (complianceTitle: string) => {
--- a/ui/components/icons/compliance/anssi.png
+++ b/ui/components/icons/compliance/anssi.png