feat(sdk): add Vercel provider with 30 security checks

[alejandrobailo]

Chain Info

Key	Value
Main PR	#10188
Position	1 of 3
Blocked by	—
Blocks	API PR, UI PR

feat/vercel (Main PR #10188 → master)
├── ★ PR #1: feat/vercel-sdk  ← you are here
├── PR #2: feat/vercel-api
└── PR #3: feat/vercel-ui

Context

Prowler supports multiple cloud providers (AWS, Azure, GCP, Kubernetes, etc.). This PR adds Vercel as a new provider, following the same SDK architecture as existing providers like Cloudflare and MongoDB Atlas.

Description

• Add VercelProvider with API token authentication and team-scoped scan support
• Implement base service with paginated HTTP client, retry logic, and rate limiting
• Add 6 services covering Vercel's security surface:
  • Authentication (2 checks): token expiry, stale token detection
  • Deployment (2 checks): preview access protection, stable production targets
  • Domain (4 checks): DNS verification, SSL certificates, wildcard exposure
  • Project (10 checks): deployment protection, env var encryption, fork protection, directory listing
  • Security (5 checks): WAF enablement, managed rulesets, rate limiting, IP blocking, custom rules
  • Team (7 checks): SSO enforcement, directory sync, member least privilege, stale access/invitations
• Add CheckReportVercel dataclass to prowler/lib/check/models.py
• Add Vercel finding output mapping to prowler/lib/outputs/finding.py
• Add 5 compliance frameworks: CIS Controls v8, ISO 27001:2013, NIST 800-53 Rev5, PCI DSS 4.0, SOC 2
• Add unit tests: provider init, mutelist, and 1 representative check per service (10 test files)
• Use timezone-aware datetimes (tz=timezone.utc) across all timestamp parsing

Steps to Review

1. Start with prowler/providers/vercel/vercel_provider.py — the provider entry point
2. Review prowler/providers/vercel/lib/service/service.py — base HTTP service with pagination
3. Review prowler/providers/vercel/models.py — data models shared across services
4. Spot-check 1-2 services (e.g., project/project_service.py, security/security_service.py)
5. Spot-check 1-2 checks and their .metadata.json files
6. Review core SDK changes: prowler/lib/check/models.py (CheckReportVercel) and prowler/lib/outputs/finding.py
7. Review compliance framework mappings in prowler/compliance/vercel/
8. Run tests: pytest tests/providers/vercel/ -v

Checklist

• Code follows Prowler SDK conventions (provider, services, checks pattern)
• All checks have .metadata.json with severity, description, and remediation
• Unit tests cover provider initialization and representative checks
• Timezone-aware datetimes used throughout
• No secrets or credentials in code
• Error handling follows Prowler exception patterns (error codes 13000-13999)

[andoniaf]

Awesome work Alex!

I'm still reviewing but in the meantime, ask an agent to review the Metadata format based in this docs. Is not yet applied to al current providers, so prob got it wrong for others.

Some examples:

• ResourceIdTemplate must be ""
• RelatedUrl values should move to AdditionalURLs

[HugoPBrito]

In addition, please delete all __init__.py files from test folders, and compliance files. We should create the full compliance files and then map the checks. The current mapping could be right though.

[alejandrobailo]

Done! Set ResourceIdTemplate to "" across all 30 checks and moved RelatedUrl values into AdditionalURLs. See commit 67fb058.

[alejandrobailo]

Done! Test __init__.py files were already removed in 842dfc19b. Compliance files + their __init__.py now deleted in f363e74. Will recreate the full frameworks separately and map checks then.

[github-actions]

✅ Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

[github-actions]

✅ All necessary CHANGELOG.md files have been updated.

[codecov]

Codecov Report

❌ Patch coverage is 74.07102% with 314 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.22%. Comparing base (4bb1e5c) to head (2513d84).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #10189      +/-   ##
==========================================
- Coverage   72.14%   67.22%   -4.92%     
==========================================
  Files         206      142      -64     
  Lines       10510     8146    -2364     
==========================================
- Hits         7582     5476    -2106     
+ Misses       2928     2670     -258     

Flag	Coverage Δ
prowler-py3.10-config	67.22% <74.07%> (?)
prowler-py3.10-github	?
prowler-py3.10-iac	?
prowler-py3.10-lib	67.04% <74.04%> (-5.10%)	⬇️
prowler-py3.10-mongodbatlas	?
prowler-py3.10-nhn	?
prowler-py3.10-vercel	76.45% <76.22%> (?)
prowler-py3.11-config	67.22% <74.07%> (?)
prowler-py3.11-github	?
prowler-py3.11-iac	?
prowler-py3.11-lib	67.04% <74.04%> (-5.10%)	⬇️
prowler-py3.11-mongodbatlas	?
prowler-py3.11-nhn	?
prowler-py3.11-openstack	?
prowler-py3.11-vercel	76.45% <76.22%> (?)
prowler-py3.12-config	67.22% <74.07%> (?)
prowler-py3.12-github	?
prowler-py3.12-iac	?
prowler-py3.12-lib	67.04% <74.04%> (-5.10%)	⬇️
prowler-py3.12-mongodbatlas	?
prowler-py3.12-nhn	?
prowler-py3.12-vercel	76.45% <76.22%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
prowler	67.22% <74.07%> (-4.92%)	⬇️
api	∅ <ø> (∅)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Compliance Mapping Review

This PR adds new checks. Please verify that they have been mapped to the relevant compliance framework requirements.

New checks not mapped to any compliance framework in this PR

• authentication_no_stale_tokens (vercel)
• authentication_token_not_expired (vercel)
• deployment_production_uses_stable_target (vercel)
• domain_dns_properly_configured (vercel)
• domain_ssl_certificate_valid (vercel)
• domain_verified (vercel)
• project_auto_expose_system_env_disabled (vercel)
• project_deployment_protection_enabled (vercel)
• project_directory_listing_disabled (vercel)
• project_environment_no_overly_broad_target (vercel)
• project_environment_no_secrets_in_plain_type (vercel)
• project_environment_production_vars_not_in_preview (vercel)
• project_git_fork_protection_enabled (vercel)
• project_password_protection_enabled (vercel)
• project_production_deployment_protection_enabled (vercel)
• project_skew_protection_enabled (vercel)
• security_custom_rules_configured (vercel)
• security_ip_blocking_rules_configured (vercel)
• security_managed_rulesets_enabled (vercel)
• security_rate_limiting_configured (vercel)
• security_waf_enabled (vercel)
• team_directory_sync_enabled (vercel)
• team_member_role_least_privilege (vercel)
• team_no_stale_invitations (vercel)
• team_saml_sso_enabled (vercel)
• team_saml_sso_enforced (vercel)

Please review whether these checks should be added to compliance framework requirements in prowler/compliance/<provider>/. Each compliance JSON has a Checks array inside each requirement — add the check ID there if it satisfies that requirement.

Use the no-compliance-check label to skip this check.