prowler/docs/developer-guide/security-compliance-framework.md
dcanotrad e8a829b75e docs(dev-guide): improve quality redrive (#7718)
Co-authored-by: Rubén De la Torre Vico <ruben@prowler.com>
Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
Co-authored-by: Andoni Alonso <14891798+andoniaf@users.noreply.github.com>
Co-authored-by: Rubén De la Torre Vico <rubendltv22@gmail.com>
2025-06-17 09:28:22 +02:00


Creating a New Security Compliance Framework in Prowler

Introduction

To create or contribute a custom security framework for Prowler—or to integrate a public framework—you must first ensure that the Prowler checks it relies on exist. If any are missing, implement them before proceeding.

Each framework is defined in one compliance file per provider. The file must follow the structure used in prowler/compliance/<provider>/ and be named <framework>_<version>_<provider>.json. Follow the format below to create your own.

Compliance Framework

Compliance Framework Structure

Each compliance framework file consists of structured metadata that identifies the framework and maps security checks to requirements or controls. Please note that a single requirement can be linked to multiple Prowler checks:

  • Framework (string): The distinguished name of the framework (e.g., CIS).
  • Provider (string): The cloud provider the framework applies to (AWS, Azure, OCI).
  • Version (string): The framework version (e.g., 1.4 for CIS).
  • Requirements (array of objects): Defines the security requirements and their mapping to Prowler checks. Every requirement or control of the framework must be included, together with its mapping to Prowler.
  • Requirements_Id (string): A unique identifier for each requirement within the framework.
  • Requirements_Description (string): The requirement description as specified in the framework.
  • Requirements_Attributes (array of objects): Relevant metadata such as security levels, sections, and any additional data needed to report the findings. Attributes should be derived directly from the framework's own terminology so that they stay consistent with its established definitions.
  • Requirements_Checks (array): The Prowler checks needed to prove this requirement. It can be one or multiple checks. If the requirement cannot be automated, this array can be empty.

{
  "Framework": "<framework>-<provider>",
  "Version": "<version>",
  "Requirements": [
    {
      "Id": "<unique-id>",
      "Description": "Full description of the requirement",
      "Checks": [
        "Here is the prowler check or checks that will be executed"
      ],
      "Attributes": [
        {
         <Add here your custom attributes.>
        }
      ]
    },
    ...
  ]
}
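As an added example (not Prowler's own code), the following script checks a compliance file against the structure described above, derives the expected <framework>_<version>_<provider>.json filename, and builds a reverse index of which requirements each check helps prove. The sample document is constructed here; its check names are placeholders, not real Prowler check ids, and the lowercase filename convention is an assumption.

```python
# Added example, not Prowler's own code. SAMPLE is a constructed document whose
# check names are placeholders, not real Prowler check ids.
import json

SAMPLE = json.dumps({
    "Framework": "EXAMPLE-AWS",
    "Version": "1.0",
    "Requirements": [
        {"Id": "1.1", "Description": "Root account has MFA enabled",
         "Checks": ["example_check_a"], "Attributes": [{"Section": "1"}]},
        {"Id": "1.2", "Description": "Audit logging is enabled",
         "Checks": ["example_check_a", "example_check_b"],
         "Attributes": [{"Section": "1"}]},
        {"Id": "2.1", "Description": "Manual review item",
         "Checks": [], "Attributes": [{"Section": "2"}]},
    ],
})

TOP_KEYS = ("Framework", "Version", "Requirements")
REQ_KEYS = ("Id", "Description", "Checks", "Attributes")

def validate_framework(text: str) -> list:
    """Return the structural problems found; an empty list means the file is well-formed."""
    doc = json.loads(text)
    problems = [f"missing top-level key {k}" for k in TOP_KEYS if k not in doc]
    seen = set()
    for i, req in enumerate(doc.get("Requirements", [])):
        problems += [f"requirement #{i} missing {k}" for k in REQ_KEYS if k not in req]
        rid = req.get("Id")
        if rid in seen:
            problems.append(f"duplicate requirement Id {rid}")
        seen.add(rid)
        checks = req.get("Checks", [])
        # An empty list is allowed (requirement not automatable), but each entry must be a check id.
        if not isinstance(checks, list) or not all(isinstance(c, str) and c for c in checks):
            problems.append(f"requirement {rid}: Checks must be a list of check id strings")
    return problems

def expected_filename(text: str) -> str:
    """Derive <framework>_<version>_<provider>.json from the Framework and Version fields.
    Assumes Framework is written as <framework>-<provider> and filenames are lowercase."""
    doc = json.loads(text)
    framework, provider = doc["Framework"].rsplit("-", 1)
    return f"{framework}_{doc['Version']}_{provider}.json".lower()

def checks_index(text: str) -> dict:
    """Map each check id to the requirement ids that rely on it (one check may serve several)."""
    index = {}
    for req in json.loads(text)["Requirements"]:
        for check in req.get("Checks", []):
            index.setdefault(check, []).append(req["Id"])
    return index
```

Requirements with an empty Checks array are accepted, matching the rule above that non-automatable requirements may have no checks.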

Finally, for your reports to produce a proper output file, create the framework's data model in prowler/lib/outputs/models.py and the CLI table output in prowler/lib/outputs/compliance.py. If you are adding a new CSV model, you also need to add a new conditional in prowler/lib/outputs/file_descriptors.py.