feat(sdk): Enhance dynamic provider loading and compliance framework

.github/workflows/sdk-tests.yml

@@ -516,6 +516,32 @@ jobs:
           flags: prowler-py${{ matrix.python-version }}-vercel
           files: ./vercel_coverage.xml
 
+      # External Provider (dynamic loading)
+      - name: Check if External Provider files changed
+        if: steps.check-changes.outputs.any_changed == 'true'
+        id: changed-external
+        uses: tj-actions/changed-files@22103cc46bda19c2b464ffe86db46df6922fd323 # v47.0.5
+        with:
+          files: |
+            ./prowler/providers/common/**
+            ./prowler/config/**
+            ./prowler/lib/**
+            ./tests/providers/external/**
+            ./poetry.lock
+
+      - name: Run External Provider tests
+        if: steps.changed-external.outputs.any_changed == 'true'
+        run: poetry run pytest -n auto --cov=./prowler/providers/common --cov=./prowler/config --cov=./prowler/lib --cov-report=xml:external_coverage.xml tests/providers/external
+
+      - name: Upload External Provider coverage to Codecov
+        if: steps.changed-external.outputs.any_changed == 'true'
+        uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        with:
+          flags: prowler-py${{ matrix.python-version }}-external
+          files: ./external_coverage.xml
+
       # Lib
       - name: Check if Lib files changed
         if: steps.check-changes.outputs.any_changed == 'true'

prowler/CHANGELOG.md

@@ -6,6 +6,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 
 ### 🚀 Added
 
+- Support for external/custom providers, checks, and compliance frameworks without modifying core code [(#10700)](https://github.com/prowler-cloud/prowler/pull/10700)
 - SARIF output format for the IaC provider, enabling GitHub Code Scanning integration via `--output-formats sarif` [(#10626)](https://github.com/prowler-cloud/prowler/pull/10626)
 
 ---

prowler/__main__.py

@@ -411,6 +411,9 @@ def prowler():
         output_options = VercelOutputOptions(
             args, bulk_checks_metadata, global_provider.identity
         )
+    else:
+        # Dynamic fallback: any external/custom provider
+        output_options = global_provider.get_output_options(args, bulk_checks_metadata)
 
     # Run the quick inventory for the provider if available
     if hasattr(args, "quick_inventory") and args.quick_inventory:
@@ -1295,6 +1298,30 @@ def streaming_callback(findings_batch):
                 )
                 generated_outputs["compliance"].append(generic_compliance)
                 generic_compliance.batch_write_data_to_file()
+    else:
+        # Dynamic fallback: any external/custom provider
+        try:
+            global_provider.generate_compliance_output(
+                finding_outputs,
+                bulk_compliance_frameworks,
+                input_compliance_frameworks,
+                output_options,
+                generated_outputs,
+            )
+        except NotImplementedError:
+            # Last resort: generic compliance
+            for compliance_name in input_compliance_frameworks:
+                filename = (
+                    f"{output_options.output_directory}/compliance/"
+                    f"{output_options.output_filename}_{compliance_name}.csv"
+                )
+                generic_compliance = GenericCompliance(
+                    findings=finding_outputs,
+                    compliance=bulk_compliance_frameworks[compliance_name],
+                    file_path=filename,
+                )
+                generated_outputs["compliance"].append(generic_compliance)
+                generic_compliance.batch_write_data_to_file()
 
     # AWS Security Hub Integration
     if provider == "aws":

prowler/config/config.py

@@ -1,3 +1,4 @@
+import importlib.metadata
 import os
 import pathlib
 from datetime import datetime, timezone
@@ -76,13 +77,38 @@ class Provider(str, Enum):
 actual_directory = pathlib.Path(os.path.dirname(os.path.realpath(__file__)))
 
 
+def _get_ep_compliance_dirs() -> dict:
+    """Discover compliance directories from entry points. Returns {provider: path}."""
+    dirs = {}
+    for ep in importlib.metadata.entry_points(group="prowler.compliance"):
+        try:
+            module = ep.load()
+            if hasattr(module, "__path__"):
+                dirs[ep.name] = module.__path__[0]
+            elif hasattr(module, "__file__"):
+                dirs[ep.name] = os.path.dirname(module.__file__)
+        except Exception as error:
+            logger.warning(
+                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+    return dirs
+
+
 def get_available_compliance_frameworks(provider=None):
     available_compliance_frameworks = []
-    providers = [p.value for p in Provider]
+    # Built-in compliance
+    compliance_base = f"{actual_directory}/../compliance"
     if provider:
         providers = [provider]
-    for provider in providers:
-        compliance_dir = f"{actual_directory}/../compliance/{provider}"
+    else:
+        # Scan compliance directory for all provider subdirectories
+        providers = []
+        if os.path.isdir(compliance_base):
+            for entry in os.scandir(compliance_base):
+                if entry.is_dir():
+                    providers.append(entry.name)
+    for prov in providers:
+        compliance_dir = f"{compliance_base}/{prov}"
         if not os.path.isdir(compliance_dir):
             continue
         with os.scandir(compliance_dir) as files:
@@ -91,6 +117,17 @@ def get_available_compliance_frameworks(provider=None):
                     available_compliance_frameworks.append(
                         file.name.removesuffix(".json")
                     )
+    # External compliance via entry points
+    ep_dirs = _get_ep_compliance_dirs()
+    for prov, path in ep_dirs.items():
+        if provider and prov != provider:
+            continue
+        if os.path.isdir(path):
+            for file in os.scandir(path):
+                if file.is_file() and file.name.endswith(".json"):
+                    available_compliance_frameworks.append(
+                        file.name.removesuffix(".json")
+                    )
     return available_compliance_frameworks
 
 

prowler/lib/check/check.py

@@ -362,6 +362,29 @@ def import_check(check_path: str) -> ModuleType:
     return lib
 
 
+def _resolve_check_module(
+    provider_type: str, service: str, check_name: str
+) -> ModuleType:
+    """Resolve and import a check module — tries built-in path first, then entry points."""
+    # Built-in path
+    builtin_path = f"prowler.providers.{provider_type}.services.{service}.{check_name}.{check_name}"
+    try:
+        return import_check(builtin_path)
+    except ModuleNotFoundError:
+        pass
+
+    # Entry point lookup
+    import importlib.metadata
+
+    for ep in importlib.metadata.entry_points(group=f"prowler.checks.{provider_type}"):
+        if ep.name == check_name:
+            return importlib.import_module(ep.value)
+
+    raise ModuleNotFoundError(
+        f"Check '{check_name}' not found for provider '{provider_type}'"
+    )
+
+
 def run_fixer(check_findings: list) -> int:
     """
     Run the fixer for the check if it exists and there are any FAIL findings
@@ -502,9 +525,10 @@ def execute_checks(
             service = check_name.split("_")[0]
             try:
                 try:
-                    # Import check module
-                    check_module_path = f"prowler.providers.{global_provider.type}.services.{service}.{check_name}.{check_name}"
-                    lib = import_check(check_module_path)
+                    # Import check module (built-in or entry point)
+                    lib = _resolve_check_module(
+                        global_provider.type, service, check_name
+                    )
                     # Recover functions from check
                     check_to_execute = getattr(lib, check_name)
                     check = check_to_execute()
@@ -582,9 +606,10 @@ def execute_checks(
                 )
                 try:
                     try:
-                        # Import check module
-                        check_module_path = f"prowler.providers.{global_provider.type}.services.{service}.{check_name}.{check_name}"
-                        lib = import_check(check_module_path)
+                        # Import check module (built-in or entry point)
+                        lib = _resolve_check_module(
+                            global_provider.type, service, check_name
+                        )
                         # Recover functions from check
                         check_to_execute = getattr(lib, check_name)
                         check = check_to_execute()
@@ -722,6 +747,9 @@ def execute(
                 is_finding_muted_args["tenancy_id"] = (
                     global_provider.identity.tenancy_id
                 )
+            else:
+                # External/custom provider — delegate identity args
+                is_finding_muted_args = global_provider.get_mutelist_finding_args()
             for finding in check_findings:
                 if global_provider.type == "cloudflare":
                     is_finding_muted_args["account_id"] = finding.account_id

prowler/lib/check/compliance_models.py

@@ -1,3 +1,4 @@
+import importlib.metadata
 import json
 import os
 import sys
@@ -391,26 +392,55 @@ def get_bulk(provider: str) -> dict:
         """Bulk load all compliance frameworks specification into a dict"""
         try:
             bulk_compliance_frameworks = {}
+            # Built-in compliance from prowler/compliance/{provider}/
             available_compliance_framework_modules = list_compliance_modules()
             for compliance_framework in available_compliance_framework_modules:
                 if provider in compliance_framework.name:
                     compliance_specification_dir_path = (
                         f"{compliance_framework.module_finder.path}/{provider}"
                     )
-                    # for compliance_framework in available_compliance_framework_modules:
                     for filename in os.listdir(compliance_specification_dir_path):
                         file_path = os.path.join(
                             compliance_specification_dir_path, filename
                         )
-                        # Check if it is a file and ti size is greater than 0
                         if os.path.isfile(file_path) and os.stat(file_path).st_size > 0:
-                            # Open Compliance file in JSON
-                            # cis_v1.4_aws.json --> cis_v1.4_aws
                             compliance_framework_name = filename.split(".json")[0]
-                            # Store the compliance info
                             bulk_compliance_frameworks[compliance_framework_name] = (
                                 load_compliance_framework(file_path)
                             )
+
+            # External compliance via entry points
+            for ep in importlib.metadata.entry_points(group="prowler.compliance"):
+                if ep.name == provider:
+                    try:
+                        module = ep.load()
+                        compliance_dir = (
+                            module.__path__[0]
+                            if hasattr(module, "__path__")
+                            else os.path.dirname(module.__file__)
+                        )
+                        for filename in os.listdir(compliance_dir):
+                            if filename.endswith(".json"):
+                                file_path = os.path.join(compliance_dir, filename)
+                                if (
+                                    os.path.isfile(file_path)
+                                    and os.stat(file_path).st_size > 0
+                                ):
+                                    compliance_framework_name = filename.split(".json")[
+                                        0
+                                    ]
+                                    if (
+                                        compliance_framework_name
+                                        not in bulk_compliance_frameworks
+                                    ):
+                                        bulk_compliance_frameworks[
+                                            compliance_framework_name
+                                        ] = load_compliance_framework(file_path)
+                    except Exception as error:
+                        logger.warning(
+                            f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+                        )
+
         except Exception as e:
             logger.error(f"{e.__class__.__name__}[{e.__traceback__.tb_lineno}] -- {e}")
 

prowler/lib/check/models.py

@@ -11,10 +11,11 @@
 from pydantic.v1 import BaseModel, Field, ValidationError, validator
 from pydantic.v1.error_wrappers import ErrorWrapper
 
-from prowler.config.config import EXTERNAL_TOOL_PROVIDERS, Provider
+from prowler.config.config import EXTERNAL_TOOL_PROVIDERS
 from prowler.lib.check.compliance_models import Compliance
 from prowler.lib.check.utils import recover_checks_from_provider
 from prowler.lib.logger import logger
+from prowler.providers.common.provider import Provider as ProviderABC
 
 # Valid ResourceGroup values as defined in the RFC
 VALID_RESOURCE_GROUPS = frozenset(
@@ -466,7 +467,7 @@ def list(
         # If the bulk checks metadata is not provided, get it
         if not bulk_checks_metadata:
             bulk_checks_metadata = {}
-            available_providers = [p.value for p in Provider]
+            available_providers = ProviderABC.get_available_providers()
             for provider_name in available_providers:
                 bulk_checks_metadata.update(CheckMetadata.get_bulk(provider_name))
         if provider:
@@ -491,7 +492,7 @@ def list(
             # Loaded here, as it is not always needed
             if not bulk_compliance_frameworks:
                 bulk_compliance_frameworks = {}
-                available_providers = [p.value for p in Provider]
+                available_providers = ProviderABC.get_available_providers()
                 for provider in available_providers:
                     bulk_compliance_frameworks = Compliance.get_bulk(provider=provider)
             checks_from_compliance_framework = (

prowler/lib/check/utils.py

@@ -1,10 +1,32 @@
 import importlib
+import importlib.metadata
+import os
 import sys
 from pkgutil import walk_packages
 
 from prowler.lib.logger import logger
 
 
+def _recover_ep_checks(provider: str) -> list[tuple]:
+    """Discover external checks registered via entry points for a provider.
+
+    Uses find_spec to locate the check module without importing it,
+    avoiding service client initialization at discovery time.
+    """
+    checks = []
+    for ep in importlib.metadata.entry_points(group=f"prowler.checks.{provider}"):
+        try:
+            spec = importlib.util.find_spec(ep.value)
+            if spec and spec.origin:
+                check_path = os.path.dirname(spec.origin)
+                checks.append((ep.name, check_path))
+        except Exception as error:
+            logger.warning(
+                f"{error.__class__.__name__}[{error.__traceback__.tb_lineno}]: {error}"
+            )
+    return checks
+
+
 def recover_checks_from_provider(
     provider: str, service: str = None, include_fixers: bool = False
 ) -> list[tuple]:
@@ -19,24 +41,34 @@ def recover_checks_from_provider(
             return []
 
         checks = []
-        modules = list_modules(provider, service)
-        for module_name in modules:
-            # Format: "prowler.providers.{provider}.services.{service}.{check_name}.{check_name}"
-            check_module_name = module_name.name
-            # We need to exclude common shared libraries in services
-            if (
-                check_module_name.count(".") == 6
-                and ".lib." not in check_module_name
-                and (not check_module_name.endswith("_fixer") or include_fixers)
-            ):
-                check_path = module_name.module_finder.path
-                # Check name is the last part of the check_module_name
-                check_name = check_module_name.split(".")[-1]
-                check_info = (check_name, check_path)
-                checks.append(check_info)
-    except ModuleNotFoundError:
-        logger.critical(f"Service {service} was not found for the {provider} provider.")
-        sys.exit(1)
+        # Built-in checks from prowler.providers.{provider}.services
+        try:
+            modules = list_modules(provider, service)
+            for module_name in modules:
+                # Format: "prowler.providers.{provider}.services.{service}.{check_name}.{check_name}"
+                check_module_name = module_name.name
+                # We need to exclude common shared libraries in services
+                if (
+                    check_module_name.count(".") == 6
+                    and ".lib." not in check_module_name
+                    and (not check_module_name.endswith("_fixer") or include_fixers)
+                ):
+                    check_path = module_name.module_finder.path
+                    check_name = check_module_name.split(".")[-1]
+                    check_info = (check_name, check_path)
+                    checks.append(check_info)
+        except ModuleNotFoundError:
+            if service:
+                logger.critical(
+                    f"Service {service} was not found for the {provider} provider."
+                )
+                sys.exit(1)
+            # No built-in services for this provider (e.g., external provider)
+
+        # External checks registered via entry points
+        if not service:
+            checks.extend(_recover_ep_checks(provider))
+
     except Exception as e:
         logger.critical(f"{e.__class__.__name__}[{e.__traceback__.tb_lineno}]: {e}")
         sys.exit(1)