prowler-cloud · alejandrobailo · Feb 27, 2026 · Feb 27, 2026 · Feb 27, 2026 · Mar 3, 2026
diff --git a/prowler/compliance/vercel/__init__.py b/prowler/compliance/vercel/__init__.py
diff --git a/prowler/compliance/vercel/cis_controls_v8_vercel.json b/prowler/compliance/vercel/cis_controls_v8_vercel.json
@@ -0,0 +1,141 @@
+{
+  "Framework": "CIS-Controls-v8",
+  "Name": "CIS Controls v8 - Vercel",
+  "Version": "8",
+  "Provider": "vercel",
+  "Description": "CIS Controls v8 mapping for Vercel provider checks. Maps Vercel security checks to CIS Controls for establishing a secure baseline configuration.",
+  "Requirements": [
+    {
+      "Id": "3.3",
+      "Name": "3.3 Configure Data Access Control Lists",
+      "Description": "Configure data access control lists based on a user's need to know. Apply data access control lists, also known as access permissions, to local and remote file systems, databases, and applications.",
+      "Attributes": [
+        {
+          "ItemId": "3.3",
+          "Section": "3 - Data Protection",
+          "Service": "project",
+          "Type": "automated"
+        }
+      ],
+      "Checks": [
+        "environment_sensitive_vars_encrypted",
+        "environment_no_secrets_in_plain_type",
+        "environment_production_vars_not_in_preview",
+        "environment_no_overly_broad_target"
+      ]
+    },
+    {
+      "Id": "4.1",
+      "Name": "4.1 Establish and Maintain a Secure Configuration Process",
+      "Description": "Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile, non-computing/IoT devices, and servers) and software (operating systems and applications).",
+      "Attributes": [
+        {
+          "ItemId": "4.1",
+          "Section": "4 - Secure Configuration of Enterprise Assets and Software",
+          "Service": "project",
+          "Type": "automated"
+        }
+      ],
+      "Checks": [
+        "project_auto_expose_system_env_disabled",
+        "project_directory_listing_disabled",
+        "project_skew_protection_enabled",
+        "project_git_fork_protection_enabled"
+      ]
+    },
+    {
+      "Id": "5.4",
+      "Name": "5.4 Restrict Administrator Privileges to Dedicated Administrator Accounts",
+      "Description": "Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account.",
+      "Attributes": [
+        {
+          "ItemId": "5.4",
+          "Section": "5 - Account Management",
+          "Service": "team",
+          "Type": "automated"
+        }
+      ],
+      "Checks": [
+        "team_member_role_least_privilege",
+        "team_member_no_stale_access",
+        "team_no_stale_invitations"
+      ]
+    },
+    {
+      "Id": "6.3",
+      "Name": "6.3 Require MFA for Externally-Exposed Applications",
+      "Description": "Require all externally-exposed enterprise or third-party applications to enforce MFA, where supported. Enforcing MFA through a directory service or SSO provider is a satisfactory implementation of this Safeguard.",
+      "Attributes": [
+        {
+          "ItemId": "6.3",
+          "Section": "6 - Access Control Management",
+          "Service": "team",
+          "Type": "automated"
+        }
+      ],
+      "Checks": [
+        "team_saml_sso_enabled",
+        "team_saml_sso_enforced",
+        "team_directory_sync_enabled"
+      ]
+    },
+    {
+      "Id": "6.5",
+      "Name": "6.5 Require MFA for Administrative Access",
+      "Description": "Require MFA for all administrative access accounts, where supported, on all enterprise assets, whether managed on-site or through a third-party provider.",
+      "Attributes": [
+        {
+          "ItemId": "6.5",
+          "Section": "6 - Access Control Management",
+          "Service": "project",
+          "Type": "automated"
+        }
+      ],
+      "Checks": [
+        "project_deployment_protection_enabled",
+        "project_production_deployment_protection_enabled",
+        "deployment_preview_not_publicly_accessible",
+        "project_password_protection_enabled"
+      ]
+    },
+    {
+      "Id": "13.6",
+      "Name": "13.6 Deploy a WAF",
+      "Description": "Deploy a WAF in front of all web applications and configure to block common web application attacks.",
+      "Attributes": [
+        {
+          "ItemId": "13.6",
+          "Section": "13 - Network Monitoring and Defense",
+          "Service": "security",
+          "Type": "automated"
+        }
+      ],
+      "Checks": [
+        "security_waf_enabled",
+        "security_managed_rulesets_enabled",
+        "security_rate_limiting_configured",
+        "security_ip_blocking_rules_configured",
+        "security_custom_rules_configured"
+      ]
+    },
+    {
+      "Id": "9.4",
+      "Name": "9.4 Protect Recovery Data with Strong Encryption",
+      "Description": "Ensure that recovery data is stored using strong encryption.",
+      "Attributes": [
+        {
+          "ItemId": "9.4",
+          "Section": "9 - Data Recovery",
+          "Service": "domain",
+          "Type": "automated"
+        }
+      ],
+      "Checks": [
+        "domain_ssl_certificate_valid",
+        "domain_verified",
+        "domain_dns_properly_configured",
+        "domain_no_wildcard_dns_exposure"
+      ]
+    }
+  ]
+}
diff --git a/prowler/compliance/vercel/iso27001_2013_vercel.json b/prowler/compliance/vercel/iso27001_2013_vercel.json
@@ -0,0 +1,121 @@
+{
+  "Framework": "ISO27001",
+  "Name": "ISO/IEC 27001:2013 - Vercel",
+  "Version": "2013",
+  "Provider": "vercel",
+  "Description": "ISO/IEC 27001:2013 mapping for Vercel provider checks. Vercel holds ISO 27001:2013 certification; these mappings assess the customer-side of Vercel's shared responsibility model.",
+  "Requirements": [
+    {
+      "Id": "A.9.1",
+      "Name": "A.9.1 Business Requirements of Access Control",
+      "Description": "To limit access to information and information processing facilities.",
+      "Attributes": [
+        {
+          "ItemId": "A.9.1",
+          "Section": "A.9 Access Control",
+          "Service": "team",
+          "Type": "automated"
+        }
+      ],
+      "Checks": [
+        "team_saml_sso_enabled",
+        "team_saml_sso_enforced",
+        "project_deployment_protection_enabled"
+      ]
+    },
+    {
+      "Id": "A.9.2",
+      "Name": "A.9.2 User Access Management",
+      "Description": "To ensure authorized user access and to prevent unauthorized access to systems and services.",
+      "Attributes": [
+        {
+          "ItemId": "A.9.2",
+          "Section": "A.9 Access Control",
+          "Service": "team",
+          "Type": "automated"
+        }
+      ],
+      "Checks": [
+        "team_member_role_least_privilege",
+        "team_member_no_stale_access",
+        "team_no_stale_invitations",
+        "team_directory_sync_enabled"
+      ]
+    },
+    {
+      "Id": "A.9.4",
+      "Name": "A.9.4 System and Application Access Control",
+      "Description": "To prevent unauthorized access to systems and applications.",
+      "Attributes": [
+        {
+          "ItemId": "A.9.4",
+          "Section": "A.9 Access Control",
+          "Service": "authentication",
+          "Type": "automated"
+        }
+      ],
+      "Checks": [
+        "authentication_token_not_expired",
+        "authentication_no_stale_tokens",
+        "project_password_protection_enabled"
+      ]
+    },
+    {
+      "Id": "A.10.1",
+      "Name": "A.10.1 Cryptographic Controls",
+      "Description": "To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.",
+      "Attributes": [
+        {
+          "ItemId": "A.10.1",
+          "Section": "A.10 Cryptography",
+          "Service": "project",
+          "Type": "automated"
+        }
+      ],
+      "Checks": [
+        "environment_sensitive_vars_encrypted",
+        "environment_no_secrets_in_plain_type",
+        "domain_ssl_certificate_valid"
+      ]
+    },
+    {
+      "Id": "A.13.1",
+      "Name": "A.13.1 Network Security Management",
+      "Description": "To ensure the protection of information in networks and its supporting information processing facilities.",
+      "Attributes": [
+        {
+          "ItemId": "A.13.1",
+          "Section": "A.13 Communications Security",
+          "Service": "security",
+          "Type": "automated"
+        }
+      ],
+      "Checks": [
+        "security_waf_enabled",
+        "security_managed_rulesets_enabled",
+        "security_rate_limiting_configured",
+        "security_ip_blocking_rules_configured",
+        "domain_dns_properly_configured"
+      ]
+    },
+    {
+      "Id": "A.14.2",
+      "Name": "A.14.2 Security in Development and Support Processes",
+      "Description": "To ensure that information security is designed and implemented within the development lifecycle of information systems.",
+      "Attributes": [
+        {
+          "ItemId": "A.14.2",
+          "Section": "A.14 System Acquisition, Development and Maintenance",
+          "Service": "project",
+          "Type": "automated"
+        }
+      ],
+      "Checks": [
+        "project_git_fork_protection_enabled",
+        "project_auto_expose_system_env_disabled",
+        "environment_production_vars_not_in_preview",
+        "deployment_production_uses_stable_target"
+      ]
+    }
+  ]
+}