feat(sdk): add provider identity fields to OCSF unmapped output (#10240)

andoniaf · jfagoagas · web-flow · commit b61b6cba53e9 · 2026-03-03T16:42:08.000+01:00
Co-authored-by: Pepe Fagoaga &lt;pepe@prowler.com&gt;
diff --git a/prowler/CHANGELOG.md b/prowler/CHANGELOG.md
@@ -42,6 +42,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 - OpenStack image service with 6 security checks [(#10096)](https://github.com/prowler-cloud/prowler/pull/10096)
 - IaC `--provider-uid` flag to specify the provider UID for the IaC provider [(#10233)](https://github.com/prowler-cloud/prowler/pull/10233)
 - `provider_uid` field in OCSF `unmapped` output for provider identification [(#10231)](https://github.com/prowler-cloud/prowler/pull/10231)
+- `provider` field in OCSF `unmapped` output for provider name availability regardless of cloud object presence [(#10240)](https://github.com/prowler-cloud/prowler/pull/10240)
 
 ### 🔄 Changed
 
diff --git a/prowler/lib/outputs/ocsf/ocsf.py b/prowler/lib/outputs/ocsf/ocsf.py
@@ -179,6 +179,7 @@ def transform(self, findings: List[Finding]) -> None:
                         "compliance": finding.compliance,
                         "scan_id": str(scan_id),
                         "provider_uid": finding.provider_uid or finding.account_uid,
+                        "provider": finding.provider,
                     },
                 )
                 if finding.provider != "kubernetes":
diff --git a/tests/lib/outputs/ocsf/ocsf_test.py b/tests/lib/outputs/ocsf/ocsf_test.py
@@ -114,6 +114,7 @@ def test_transform(self):
             "notes": findings[0].metadata.Notes,
             "compliance": findings[0].compliance,
             "provider_uid": findings[0].account_uid,
+            "provider": findings[0].provider,
         }
 
         # Test with int timestamp (UNIX timestamp)
@@ -221,6 +222,7 @@ def test_batch_write_data_to_file(self):
                     "notes": "test-notes",
                     "compliance": {"test-compliance": "test-compliance"},
                     "provider_uid": "123456789012",
+                    "provider": "aws",
                 },
                 "activity_name": "Create",
                 "activity_id": 1,
@@ -357,6 +359,7 @@ def test_finding_output_cloud_pass_low_muted(self):
             "notes": finding_output.metadata.Notes,
             "compliance": finding_output.compliance,
             "provider_uid": finding_output.account_uid,
+            "provider": finding_output.provider,
         }
 
         # ResourceDetails
@@ -438,6 +441,7 @@ def test_finding_output_kubernetes(self):
             "namespace: ", ""
         )
         assert finding_ocsf.unmapped["provider_uid"] == "test-k8s-context"
+        assert finding_ocsf.unmapped["provider"] == "kubernetes"
 
     def test_finding_output_cloud_fail_low_not_muted(self):
         finding_output = generate_finding_output(

Original file line number	Diff line number	Diff line change
`@@ -179,6 +179,7 @@ def transform(self, findings: List[Finding]) -> None:`
`179`	`179`	`"compliance": finding.compliance,`
`180`	`180`	`"scan_id": str(scan_id),`
`181`	`181`	`"provider_uid": finding.provider_uid or finding.account_uid,`
	`182`	`+ "provider": finding.provider,`
`182`	`183`	`},`
`183`	`184`	`)`
`184`	`185`	`if finding.provider != "kubernetes":`