feat(sdk): Enhance dynamic provider loading and compliance framework

[StylusFrost]

Context

Enables external and custom providers to be discovered and integrated through Python
entry points, without modifying Prowler's core codebase.

Description

External and custom providers can now register themselves through Python entry points and
run through the same flows as built-in providers — output formatting, compliance,
mutelist, and check resolution — with no changes to Prowler's core.

• External providers, their checks, and their compliance frameworks are discovered via
  entry points and merged with the built-ins.
• A provider contract on the Provider base class lets a plug-in supply its own CLI
  parsing, output, compliance, and mutelist behavior; anything it does not implement falls
  back to sensible defaults.
• Built-in providers always take precedence on a name collision: a plug-in registered
  under a built-in's name is ignored with a warning and never executed.
• prowler --help lists installed external providers alongside the built-ins.

No behavior change for built-in providers.

Deferred follow-ups: surfacing plug-in override events; a fixer-module contract for
external providers.

Steps to review

1. Built-in providers behave exactly as before: prowler aws --list-checks,
   prowler aws --list-compliance.
2. prowler --help lists any installed external providers in the usage/epilog.
3. A plug-in registered under a built-in name (e.g. aws) is ignored with a warning and
   never executed.

Checklist

Community Checklist

• This feature/issue is listed in here or roadmap.prowler.com
• Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

• Review if the code is being covered by tests.
• Review if code is being documented following this specification https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
• Review if backport is needed.
• Review if is needed to change the Readme.md
• Ensure new entries are added to CHANGELOG.md, if applicable.

SDK/CLI

• Are there new checks included in this PR? No
  • If so, do we need to update permissions for the provider? Please review this carefully.

UI

• All issue/task requirements work as expected on the UI
• Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
• Screenshots/Video of the functionality flow (if applicable) - Table (640px > X < 1024px)
• Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
• Ensure new entries are added to CHANGELOG.md, if applicable.

API

• All issue/task requirements work as expected on the API
• Endpoint response output (if applicable)
• EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable)
• Performance test results (if applicable)
• Any other relevant evidence of the implementation (if applicable)
• Verify if API specs need to be regenerated.
• Check if version updates are required (e.g., specs, Poetry, etc.).
• Ensure new entries are added to CHANGELOG.md, if applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[github-actions]

✅ All necessary CHANGELOG.md files have been updated.

[github-actions]

✅ Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

[codecov]

Codecov Report

❌ Patch coverage is 97.71429% with 8 lines in your changes missing coverage. Please review.
✅ Project coverage is 73.96%. Comparing base (061fbaa) to head (fb22107).
⚠️ Report is 4 commits behind head on master.

❗ There is a different number of reports uploaded between BASE (061fbaa) and HEAD (fb22107). Click for more details.

HEAD has 1 upload less than BASE

Flag	BASE (061fbaa)	HEAD (fb22107)
api	1	0

Additional details and impacted files

@@             Coverage Diff             @@
##           master   #10700       +/-   ##
===========================================
- Coverage   93.96%   73.96%   -20.01%     
===========================================
  Files         243      110      -133     
  Lines       35653     8492    -27161     
===========================================
- Hits        33503     6281    -27222     
- Misses       2150     2211       +61     

Flag	Coverage Δ
api	?
prowler-py3.10-config	73.96% <97.71%> (?)
prowler-py3.10-external	21.77% <91.42%> (?)
prowler-py3.10-lib	73.65% <96.28%> (?)
prowler-py3.11-config	73.96% <97.71%> (?)
prowler-py3.11-external	21.77% <91.42%> (?)
prowler-py3.11-lib	73.65% <96.28%> (?)
prowler-py3.12-config	73.96% <97.71%> (?)
prowler-py3.12-external	21.77% <91.42%> (?)
prowler-py3.12-lib	73.65% <96.28%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
prowler	73.92% <97.71%> (∅)
api	∅ <ø> (∅)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

🔒 Container Security Scan

Image: prowler:8ab4460
Last scan: 2026-06-08 15:36:54 UTC

📊 Vulnerability Summary

Severity	Count
🔴 Critical	13
Total	13

8 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

• Review the detailed scan results
• Update affected packages to patched versions
• Consider using a different base image if updates are unavailable

---

📋 Resources:

• Download full report (see artifacts)
• View in Security tab
• Scanned with Trivy

[HugoPBrito]

Request changes — see inline comments for the specifics. One cross-cutting issue that doesn't anchor to any single line in the diff:

YAML namespace unwrap only knows about 5 providers

prowler/config/config.py:244-253 only sniffs aws, gcp, azure, kubernetes and m365. Prowler ships 16+ built-ins, so twelve are outside the list (nhn, github, googleworkspace, cloudflare, iac, llm, image, mongodbatlas, oraclecloud, openstack, alibabacloud, vercel).

A github user writing a namespaced config:

github:
  token: abc

The sniff finds none of the five keys, falls into the else at line 250, github isn't in the safeguard at line 252, and the function returns {'github': {'token': 'abc'}} whole. github_provider receives the wrapped dict instead of the inner block.

This is a latent bug in master for 12 built-ins; the PR inherits it and additionally blocks any external plug-in from using the namespaced format. One change covers both:

if provider in config_file:
    config = config_file.get(provider, {})
else:
    config = config_file if config_file else {}

[HugoPBrito]

Functionally tested this branch in an isolated venv (PR head): built-in no-regression, external provider E2E (local-template), external checks on aws, built-in-name precedence, and the PR test suite (235 passed). Two confirmed issues below, both reproduced by running prowler — the rest of the contract works as expected.

[pedrooot]

Good job! 👏🏼