
feat(sdk): add Vercel provider with 30 security checks #10189

Open
alejandrobailo wants to merge 24 commits into master from feat/vercel-sdk

Conversation

@alejandrobailo
Contributor

Chain Info

Main PR:     #10188
Position:    1 of 3
Blocked by:  (none)
Blocks:      API PR, UI PR

feat/vercel (Main PR #10188 → master)
├── ★ PR #1: feat/vercel-sdk  ← you are here
├── PR #2: feat/vercel-api
└── PR #3: feat/vercel-ui

Context

Prowler supports multiple cloud providers (AWS, Azure, GCP, Kubernetes, etc.). This PR adds Vercel as a new provider, following the same SDK architecture as existing providers like Cloudflare and MongoDB Atlas.

Description

  • Add VercelProvider with API token authentication and team-scoped scan support
  • Implement base service with paginated HTTP client, retry logic, and rate limiting
  • Add 6 services covering Vercel's security surface:
    • Authentication (2 checks): token expiry, stale token detection
    • Deployment (2 checks): preview access protection, stable production targets
    • Domain (4 checks): DNS verification, SSL certificates, wildcard exposure
    • Project (10 checks): deployment protection, env var encryption, fork protection, directory listing
    • Security (5 checks): WAF enablement, managed rulesets, rate limiting, IP blocking, custom rules
    • Team (7 checks): SSO enforcement, directory sync, member least privilege, stale access/invitations
  • Add CheckReportVercel dataclass to prowler/lib/check/models.py
  • Add Vercel finding output mapping to prowler/lib/outputs/finding.py
  • Add 5 compliance frameworks: CIS Controls v8, ISO 27001:2013, NIST 800-53 Rev5, PCI DSS 4.0, SOC 2
  • Add unit tests: provider init, mutelist, and 1 representative check per service (10 test files)
  • Use timezone-aware datetimes (tz=timezone.utc) across all timestamp parsing

Steps to Review

  1. Start with prowler/providers/vercel/vercel_provider.py — the provider entry point
  2. Review prowler/providers/vercel/lib/service/service.py — base HTTP service with pagination
  3. Review prowler/providers/vercel/models.py — data models shared across services
  4. Spot-check 1-2 services (e.g., project/project_service.py, security/security_service.py)
  5. Spot-check 1-2 checks and their .metadata.json files
  6. Review core SDK changes: prowler/lib/check/models.py (CheckReportVercel) and prowler/lib/outputs/finding.py
  7. Review compliance framework mappings in prowler/compliance/vercel/
  8. Run tests: pytest tests/providers/vercel/ -v

Checklist

  • Code follows Prowler SDK conventions (provider, services, checks pattern)
  • All checks have .metadata.json with severity, description, and remediation
  • Unit tests cover provider initialization and representative checks
  • Timezone-aware datetimes used throughout
  • No secrets or credentials in code
  • Error handling follows Prowler exception patterns (error codes 13000-13999)

- Add Vercel provider with API token authentication and team-scoped support
- Implement 6 services: authentication, deployment, domain, project, security, team
- Add 30 security checks covering token hygiene, deployment protection, WAF,
  SSL certificates, environment variables, SSO enforcement, and member governance
- Add CheckReportVercel to core SDK models and finding output mapping
- Include 5 compliance frameworks: CIS Controls v8, ISO 27001, NIST 800-53, PCI DSS 4.0, SOC 2
- Add unit tests for provider, mutelist, and representative checks per service
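
The two building blocks named in the description, a paginated client with retry and rate-limit handling and timezone-aware token checks, shown together as an added example. This is not Prowler's VercelProvider or service code: the API shape (a JSON body with a `tokens` list and a `pagination.next` cursor, millisecond epoch timestamps, a `/user/tokens` path) is a constructed assumption, the transport is an in-memory fake that answers 429 once so the retry path runs, and the PASS/FAIL thresholds (30 days to expiry, 90 days idle) are illustrative.

```python
"""Added example: paginated fetch with retry/backoff plus two tz-aware
authentication checks. Not Prowler's own code; API shape is assumed."""
import time
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional


class RateLimited(Exception):
    """Raised by the transport when the API answers HTTP 429."""
    def __init__(self, retry_after: float):
        super().__init__(f"rate limited, retry after {retry_after}s")
        self.retry_after = retry_after


class FakeVercelTransport:
    """Constructed stand-in for the HTTP layer: serves pre-built pages keyed by
    cursor and raises 429 exactly once so the retry path is exercised."""
    def __init__(self, pages: Dict[Optional[int], dict]):
        self._pages = pages
        self.calls = 0
        self._rate_limited_once = False

    def get(self, path: str, params: dict) -> dict:
        self.calls += 1
        if not self._rate_limited_once:
            self._rate_limited_once = True
            raise RateLimited(retry_after=0.01)
        return self._pages[params.get("until")]


def fetch_all(transport, path: str, item_key: str, max_retries: int = 3,
              sleep: Callable[[float], None] = time.sleep) -> List[dict]:
    """Follow `pagination.next` cursors until exhausted; retry each page on 429
    with exponential backoff (never below the server's Retry-After hint)."""
    items, cursor = [], None
    while True:
        attempt = 0
        while True:
            try:
                body = transport.get(path, {"until": cursor})
                break
            except RateLimited as exc:
                attempt += 1
                if attempt > max_retries:
                    raise
                sleep(max(exc.retry_after, 0.01 * 2 ** attempt))
        items.extend(body[item_key])
        cursor = body.get("pagination", {}).get("next")
        if cursor is None:
            return items


def _utc(ms: Optional[int]) -> Optional[datetime]:
    """Millisecond epoch -> aware UTC datetime; never a naive datetime."""
    return None if ms is None else datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def check_token_expiry(tokens: List[dict], now: datetime,
                       warn_within: timedelta = timedelta(days=30)) -> Dict[str, str]:
    """FAIL tokens that never expire, are expired, or expire within warn_within."""
    results = {}
    for t in tokens:
        exp = _utc(t.get("expiresAt"))
        if exp is None:
            results[t["name"]] = "FAIL: no expiry"
        elif exp <= now:
            results[t["name"]] = "FAIL: expired"
        elif exp - now <= warn_within:
            results[t["name"]] = "FAIL: expires soon"
        else:
            results[t["name"]] = "PASS"
    return results


def check_stale_tokens(tokens: List[dict], now: datetime,
                       max_idle: timedelta = timedelta(days=90)) -> Dict[str, str]:
    """FAIL tokens whose last use (creation time if never used) is older than max_idle."""
    results = {}
    for t in tokens:
        last = _utc(t.get("activeAt")) or _utc(t["createdAt"])
        results[t["name"]] = "FAIL: stale" if now - last > max_idle else "PASS"
    return results


# Constructed sample data: a fixed aware "now" and two pages of tokens.
NOW = datetime(2026, 3, 20, 12, 0, tzinfo=timezone.utc)
def _ms(dt: datetime) -> int:
    return int(dt.timestamp() * 1000)

PAGES = {
    None: {"tokens": [
        {"name": "ci-deploy", "createdAt": _ms(NOW - timedelta(days=400)),
         "activeAt": _ms(NOW - timedelta(days=1)), "expiresAt": _ms(NOW + timedelta(days=180))},
        {"name": "legacy-script", "createdAt": _ms(NOW - timedelta(days=300)),
         "activeAt": _ms(NOW - timedelta(days=120)), "expiresAt": None},
    ], "pagination": {"next": 2}},
    2: {"tokens": [
        {"name": "old-laptop", "createdAt": _ms(NOW - timedelta(days=200)),
         "activeAt": None, "expiresAt": _ms(NOW - timedelta(days=10))},
        {"name": "rotating-soon", "createdAt": _ms(NOW - timedelta(days=5)),
         "activeAt": _ms(NOW - timedelta(days=2)), "expiresAt": _ms(NOW + timedelta(days=7))},
    ], "pagination": {"next": None}},
}


def run_checks(transport, now: datetime = NOW) -> Dict[str, Dict[str, str]]:
    """Service step (fetch all tokens) followed by the two check steps."""
    tokens = fetch_all(transport, "/user/tokens", "tokens", sleep=lambda s: None)
    return {"expiry": check_token_expiry(tokens, now),
            "stale": check_stale_tokens(tokens, now)}


if __name__ == "__main__":
    print(run_checks(FakeVercelTransport(PAGES)))
```

Both checks compare only aware datetimes, so a naive `datetime.utcnow()` slipped in anywhere would raise a `TypeError` rather than silently shifting results by the host's offset; that is the failure mode the "timezone-aware datetimes throughout" checklist item guards against.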
@andoniaf
Member

andoniaf commented Mar 2, 2026

Awesome work Alex!

I'm still reviewing, but in the meantime, ask an agent to review the Metadata format based on these docs. It's not yet applied to all current providers, so it's probably wrong for the others.

Some examples:

  • ResourceIdTemplate must be ""
  • RelatedUrl values should move to AdditionalURLs
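
A linter/fixer that applies the two metadata rules raised above (ResourceIdTemplate must be "", RelatedUrl values move to AdditionalURLs) and checks that the severity, description and remediation fields from the PR checklist are present, as an added example that is not Prowler's own tooling. The capitalised spelling of `Severity`, `Description` and `Remediation`, the sample document, and the `example_check_placeholder` name are assumptions.

```python
"""Added example: lint and normalise check .metadata.json files for the
rules discussed in this thread. Not Prowler's own tooling."""
import json
import tempfile
from pathlib import Path

REQUIRED_KEYS = ("Severity", "Description", "Remediation")  # assumed key spelling


def lint_metadata(meta: dict) -> list:
    """Return the list of problems found in one parsed metadata document."""
    problems = []
    if meta.get("ResourceIdTemplate", None) != "":
        problems.append('ResourceIdTemplate must be ""')
    if "RelatedUrl" in meta:
        problems.append("RelatedUrl is deprecated; move its value to AdditionalURLs")
    if not isinstance(meta.get("AdditionalURLs", []), list):
        problems.append("AdditionalURLs must be a list")
    for key in REQUIRED_KEYS:
        if not meta.get(key):
            problems.append(f"{key} is missing or empty")
    return problems


def normalize_metadata(meta: dict) -> dict:
    """Return a corrected copy: blank ResourceIdTemplate and RelatedUrl folded
    into AdditionalURLs (existing order kept, duplicates and blanks dropped)."""
    fixed = dict(meta)
    fixed["ResourceIdTemplate"] = ""
    urls = list(fixed.get("AdditionalURLs") or [])
    related = fixed.pop("RelatedUrl", None)
    for url in ([related] if isinstance(related, str) else related or []):
        if url and url not in urls:
            urls.append(url)
    fixed["AdditionalURLs"] = urls
    return fixed


def fix_tree(root: Path, write: bool = False) -> dict:
    """Lint every *.metadata.json under root and, with write=True, rewrite the
    normalised form in place. Returns {path: problems} for offending files."""
    report = {}
    for path in sorted(root.rglob("*.metadata.json")):
        meta = json.loads(path.read_text())
        problems = lint_metadata(meta)
        if problems:
            report[str(path)] = problems
            if write:
                path.write_text(json.dumps(normalize_metadata(meta), indent=2) + "\n")
    return report


# Constructed sample in the pre-fix shape; CheckID is a placeholder name.
SAMPLE_BEFORE = {
    "Provider": "vercel",
    "CheckID": "example_check_placeholder",
    "Severity": "medium",
    "Description": "Example description.",
    "Remediation": {"Recommendation": {"Text": "Example remediation."}},
    "ResourceIdTemplate": "arn:placeholder",
    "RelatedUrl": "https://example.com/docs",
    "AdditionalURLs": [],
}


def demo_roundtrip() -> tuple:
    """Write SAMPLE_BEFORE into a temporary tree, fix it in place, and return
    (number of problems before, report after the rewrite, expected empty)."""
    with tempfile.TemporaryDirectory() as tmp:
        check_dir = Path(tmp) / "checks" / "example_check_placeholder"
        check_dir.mkdir(parents=True)
        (check_dir / "example_check_placeholder.metadata.json").write_text(
            json.dumps(SAMPLE_BEFORE))
        before = fix_tree(Path(tmp), write=True)
        after = fix_tree(Path(tmp))
        return sum(len(v) for v in before.values()), after


if __name__ == "__main__":
    print(demo_roundtrip())
```

Run `fix_tree(Path("prowler/providers/vercel/services"))` without `write` first to get the report, then with `write=True` once the list looks right; `normalize_metadata` never drops a URL that is already in `AdditionalURLs`, so it is safe to run twice.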

@HugoPBrito
Member

In addition, please delete all __init__.py files from the test folders, and the compliance files. We should create the full compliance files and then map the checks. The current mapping could be right, though.

@alejandrobailo
Contributor Author

Done! Set ResourceIdTemplate to "" across all 30 checks and moved RelatedUrl values into AdditionalURLs. See commit 67fb058.

@alejandrobailo
Contributor Author

Done! Test __init__.py files were already removed in 842dfc19b. Compliance files + their __init__.py now deleted in f363e74. Will recreate the full frameworks separately and map checks then.

@alejandrobailo alejandrobailo requested a review from andoniaf March 5, 2026 16:52
@danibarranqueroo danibarranqueroo changed the base branch from feat/vercel to master March 16, 2026 12:12
@alejandrobailo alejandrobailo changed the title [CHAIN] feat(sdk): add Vercel provider with 30 security checks feat(sdk): add Vercel provider with 30 security checks Mar 16, 2026
@github-actions
Contributor

github-actions bot commented Mar 17, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@github-actions
Contributor

github-actions bot commented Mar 17, 2026

✅ All necessary CHANGELOG.md files have been updated.

@github-actions github-actions bot added the output/html Issues/PRs related with the HTML output format label Mar 17, 2026
@github-actions
Contributor

github-actions bot commented Mar 17, 2026

🔒 Container Security Scan

Image: prowler:fdb8e18
Last scan: 2026-03-20 15:49:27 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 4
Total 4

4 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable

@codecov

codecov bot commented Mar 19, 2026

Codecov Report

❌ Patch coverage is 75.07962% with 313 lines in your changes missing coverage. Please review.
✅ Project coverage is 67.69%. Comparing base (2fe92cf) to head (db18e47).
⚠️ Report is 4 commits behind head on master.

❗ There is a different number of reports uploaded between BASE (2fe92cf) and HEAD (db18e47): HEAD has 1 upload less than BASE.

Flag   BASE (2fe92cf)   HEAD (db18e47)
api    1                0
Additional details and impacted files
@@             Coverage Diff             @@
##           master   #10189       +/-   ##
===========================================
- Coverage   93.37%   67.69%   -25.68%     
===========================================
  Files         219      142       -77     
  Lines       30412     8030    -22382     
===========================================
- Hits        28396     5436    -22960     
- Misses       2016     2594      +578     
Flag                     Coverage   Δ
api                      ?
prowler-py3.10-config    67.69%     <75.07%> (?)
prowler-py3.10-lib       67.51%     <75.05%> (?)
prowler-py3.10-vercel    77.37%     <77.19%> (?)
prowler-py3.11-config    67.69%     <75.07%> (?)
prowler-py3.11-lib       67.51%     <75.05%> (?)
prowler-py3.11-vercel    77.37%     <77.19%> (?)
prowler-py3.12-config    67.69%     <75.07%> (?)
prowler-py3.12-lib       67.51%     <75.05%> (?)
prowler-py3.12-vercel    77.37%     <77.19%> (?)
prowler-py3.9-config     67.69%     <75.07%> (?)
prowler-py3.9-lib        67.51%     <75.05%> (?)
prowler-py3.9-vercel     77.37%     <77.19%> (?)

Flags with carried forward coverage won't be shown.

Components   Coverage   Δ
prowler      67.69%     <75.07%> (∅)
api          ∅          <ø> (∅)

@danibarranqueroo danibarranqueroo requested a review from a team as a code owner March 20, 2026 15:40
@github-actions github-actions bot added documentation github_actions Pull requests that update GitHub Actions code labels Mar 20, 2026

Labels

documentation github_actions Pull requests that update GitHub Actions code metadata-review output/html Issues/PRs related with the HTML output format


4 participants