feat(sdk): discover external universal compliance frameworks via entry points

[StylusFrost]

Context

External plug-ins can register per-provider compliance via the prowler.compliance entry point, but there was no way to ship multi-provider (universal-schema) frameworks. This adds that, building on the universal compliance support already in the SDK.

Scope

• Includes: prowler.compliance.universal entry-point group, built-in precedence on name collisions, fatal flag on load_compliance_framework
• Excludes: dashboard rendering, API consumption

Autonomy

• CI is expected to pass for this PR branch
• This PR has one deliverable scope
• This PR can be rolled back without unrelated changes
• Tests cover this unit

Description

• get_bulk_compliance_frameworks_universal now scans a dedicated prowler.compliance.universal entry point group, so external plug-ins can ship universal-schema frameworks. Kept separate from the per-provider prowler.compliance group, so the legacy per-provider loader never parses a universal JSON.
• Built-ins load first and win on a framework-name collision. Multiple packages registering under the same provider name are merged, not collided.
• load_compliance_framework gains a fatal flag: an external JSON that fails the legacy schema is skipped with a warning instead of aborting the run (previously a sys.exit that the surrounding except Exception could not catch).

SDK-only change in prowler/lib/check/compliance_models.py plus tests.

Steps to review

1. A universal-schema framework registered under prowler.compliance.universal is returned by get_bulk_compliance_frameworks_universal.
2. Built-ins win on a name collision; multiple packages under the same provider name are merged.
3. A universal JSON wrongly registered under prowler.compliance is skipped with a warning and prowler aws --compliance does not crash.

Checklist

• Are there new checks included in this PR? No
• Review if the code is being covered by tests.
• Ensure new entries are added to CHANGELOG.md, if applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Summary by CodeRabbit

• New Features

  • Added support for external and multi-provider compliance frameworks that can be dynamically registered and discovered

• Improvements

  • Invalid external compliance files are now logged as warnings and skipped, rather than halting execution

[pedrooot]

Amazing work 👏🏼

The base branch was changed.

[github-actions]

✅ Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

[github-actions]

✅ All necessary CHANGELOG.md files have been updated.

[codecov]

Codecov Report

❌ Patch coverage is 74.28571% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 74.30%. Comparing base (1f7caa6) to head (cd65963).
⚠️ Report is 2 commits behind head on master.

❗ There is a different number of reports uploaded between BASE (1f7caa6) and HEAD (cd65963). Click for more details.

HEAD has 1 upload less than BASE

Flag	BASE (1f7caa6)	HEAD (cd65963)
api	1	0

Additional details and impacted files

@@             Coverage Diff             @@
##           master   #11490       +/-   ##
===========================================
- Coverage   93.97%   74.30%   -19.68%     
===========================================
  Files         241      110      -131     
  Lines       35441     8522    -26919     
===========================================
- Hits        33305     6332    -26973     
- Misses       2136     2190       +54     

Flag	Coverage Δ
api	?
prowler-py3.10-config	74.30% <74.28%> (?)
prowler-py3.10-external	21.93% <57.14%> (?)
prowler-py3.10-lib	73.99% <74.28%> (?)
prowler-py3.11-config	74.30% <74.28%> (?)
prowler-py3.11-external	21.93% <57.14%> (?)
prowler-py3.11-lib	73.99% <74.28%> (?)
prowler-py3.12-config	74.30% <74.28%> (?)
prowler-py3.12-external	21.93% <57.14%> (?)
prowler-py3.12-lib	73.99% <74.28%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
prowler	74.26% <74.28%> (∅)
api	∅ <ø> (∅)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

🔒 Container Security Scan

Image: prowler:3335083
Last scan: 2026-06-09 10:58:27 UTC

📊 Vulnerability Summary

Severity	Count
🔴 Critical	13
Total	13

8 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

• Review the detailed scan results
• Update affected packages to patched versions
• Consider using a different base image if updates are unavailable

---

📋 Resources:

• Download full report (see artifacts)
• View in Security tab
• Scanned with Trivy

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 4eee2915-d2ca-4714-b8df-07e7c6f9970d

📥 Commits

Reviewing files that changed from the base of the PR and between 7e60e8f and cd65963.

📒 Files selected for processing (5)

• prowler/CHANGELOG.md
• prowler/config/config.py
• prowler/lib/check/compliance_models.py
• tests/lib/check/universal_compliance_models_test.py
• tests/providers/external/test_dynamic_provider_loading.py

---

📝 Walkthrough

Walkthrough

This PR extends Prowler's compliance framework system to support external universal (multi-provider) frameworks via entry points. The implementation adds graceful error handling for invalid external schemas, discovers frameworks through the prowler.compliance.universal entry-point group, and includes comprehensive tests validating discovery, deduplication, and bulk-loading behavior.

Changes

Universal Compliance Frameworks

Layer / File(s)	Summary
Framework loading error tolerance foundation prowler/lib/check/compliance_models.py	load_compliance_framework() gains fatal: bool = True parameter and returns Optional[Compliance]; when fatal=False, invalid schemas log warning and return None instead of exiting. Compliance.get_bulk() calls the loader with fatal=False to tolerate external framework errors.
Universal framework discovery via entry points prowler/config/config.py, prowler/lib/check/compliance_models.py	get_available_compliance_frameworks() discovers universal frameworks from prowler.compliance.universal entry points, resolves module paths, scans for JSON files, and filters by supports_provider(). get_bulk_compliance_frameworks_universal() loads discovered JSONs with collision avoidance against built-in frameworks.
Universal bulk loading test suite tests/lib/check/universal_compliance_models_test.py	TestGetBulkUniversalEntryPoints validates bulk loading: external frameworks are discovered, built-in frameworks override external on name collision, all JSONs in a single entry-point directory are loaded, and frameworks from multiple packages merge by provider.
Integration tests for discovery and filtering tests/providers/external/test_dynamic_provider_loading.py	Tests verify get_available_compliance_frameworks includes universal frameworks for both specific and unspecified providers; Compliance.get_bulk correctly excludes non-legacy external universal-schema frameworks.
Changelog documentation prowler/CHANGELOG.md	Version 5.30.0 release notes document support for registering external multi-provider compliance frameworks via prowler.compliance.universal entry point group.

---

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 68.75% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: adding discovery of external universal compliance frameworks via entry points, which is the primary objective of this SDK-focused PR.
Description check	✅ Passed	The PR description covers all required template sections: Context explains the motivation, Description details the changes with specific scope, Steps to review provide validation guidance, and Checklist is completed with license confirmation.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch PROWLER-1444-multi-provider-compliance-entry-points

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}