feat(cloudflare): Add Cloudflare provider with zones service and critical security checks
Context
This PR introduces the Cloudflare provider to Prowler, enabling security assessments for Cloudflare-managed infrastructure. This is part 1 of 4 PRs that will add complete Cloudflare support.
- This one
- https://github.com/prowler-cloud/prowler/pull/9424
- https://github.com/prowler-cloud/prowler/pull/9425
- https://github.com/prowler-cloud/prowler/pull/9426
Description
Adds the Cloudflare provider with core infrastructure and 5 critical security checks:
Core Infrastructure:
- `CloudflareProvider` with API token authentication
- Zones service for fetching zone configurations (SSL settings, DNSSEC, security headers)
- CLI integration (parser arguments, outputs, HTML reports)
- Mutelist support and configuration files
- Exception handling and service base classes
Critical Security Checks (5):
| Check | Description |
|---|---|
| `zones_ssl_strict` | Ensures SSL/TLS encryption mode is set to Full (Strict) |
| `zones_min_tls_version_secure` | Validates minimum TLS version is 1.2 or higher |
| `zones_dnssec_enabled` | Validates DNSSEC is enabled for the zone |
| `zones_https_redirect_enabled` | Ensures automatic HTTPS redirect is enabled |
| `zones_hsts_enabled` | Validates HTTP Strict Transport Security is enabled |
Steps to review
- Review the provider structure in `prowler/providers/cloudflare/`
- Verify CLI integration in `prowler/lib/cli/parser.py`
- Check the zones service implementation in `prowler/providers/cloudflare/services/zones/`
- Review each of the 5 security checks for correctness
- Test locally with a Cloudflare API token: `prowler cloudflare --api-token <token>`
Checklist
- Are there new checks included in this PR? Yes
- If so, do we need to update permissions for the provider? No - uses standard Cloudflare API token permissions
- [x] Review if the code is being covered by tests.
- [x] Review if code is being documented following this specification https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
- [ ] Review if backport is needed.
- [ ] Review if it is needed to change the Readme.md
- [ ] Ensure new entries are added to CHANGELOG.md, if applicable.
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
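The five checks from the table in the PR description, sketched as an added example that is not part of this pull request or of Prowler's code base. The setting ids and values (`ssl`, `min_tls_version`, `always_use_https`, `security_header`, DNSSEC status `active`) are assumed to follow Cloudflare's zone settings and DNSSEC API responses; `evaluate_zone` and the sample zones are hypothetical and constructed.

```python
# Added example: not Prowler's implementation. Setting ids and values below are
# assumed to follow Cloudflare's zone settings and DNSSEC API responses.

def _tls_tuple(version):
    """Parse '1.2' into (1, 2) so versions compare numerically, not as strings."""
    try:
        return tuple(int(part) for part in str(version).split("."))
    except ValueError:
        return (0,)  # an unparseable value is treated as insecure


def evaluate_zone(settings, dnssec_status):
    """Return {check_name: 'PASS' | 'FAIL'} for the five checks in the table.

    settings: dict of zone setting id -> value; a missing key fails closed.
    dnssec_status: the zone's DNSSEC status string, or None if unknown.
    """
    hsts = (settings.get("security_header") or {}).get("strict_transport_security") or {}
    results = {
        "zones_ssl_strict": settings.get("ssl") == "strict",
        "zones_min_tls_version_secure": _tls_tuple(settings.get("min_tls_version", "0")) >= (1, 2),
        "zones_dnssec_enabled": dnssec_status == "active",
        "zones_https_redirect_enabled": settings.get("always_use_https") == "on",
        "zones_hsts_enabled": hsts.get("enabled") is True,
    }
    return {name: "PASS" if ok else "FAIL" for name, ok in results.items()}


# Constructed sample data, not taken from a real zone.
WEAK_ZONE = {
    "ssl": "full",  # encrypts to the origin but does not validate its certificate
    "min_tls_version": "1.0",
    "always_use_https": "off",
    # "security_header" absent: HSTS was never configured
}
HARDENED_ZONE = {
    "ssl": "strict",
    "min_tls_version": "1.2",
    "always_use_https": "on",
    "security_header": {"strict_transport_security": {"enabled": True, "max_age": 31536000}},
}

if __name__ == "__main__":
    for label, zone, dnssec in (("weak", WEAK_ZONE, "pending"), ("hardened", HARDENED_ZONE, "active")):
        print(label, evaluate_zone(zone, dnssec))
```

A missing setting or a DNSSEC status other than `active` (for example `pending`) is reported as FAIL, so an incomplete API response never produces a passing result.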
⚠️ Changes detected in the following folders without a corresponding update to the CHANGELOG.md:
- api
- prowler
Please add an entry to the corresponding CHANGELOG.md file to maintain a clear history of changes.
✅ Conflict Markers Resolved
All conflict markers have been successfully resolved in this pull request.
🔒 Container Security Scan
Image: prowler-api:bda0fba
Last scan: 2025-12-16 11:44:00 UTC
📊 Vulnerability Summary
| Severity | Count |
|---|---|
| 🔴 Critical | 4 |
| Total | 4 |
3 package(s) affected
⚠️ Action Required
Critical severity vulnerabilities detected. These should be addressed before merging:
- Review the detailed scan results
- Update affected packages to patched versions
- Consider using a different base image if updates are unavailable
📋 Resources:
- Download full report (see artifacts)
- View in Security tab
- Scanned with Trivy
🔒 Container Security Scan
Image: prowler:bda0fba
Last scan: 2025-12-16 11:45:10 UTC
📊 Vulnerability Summary
| Severity | Count |
|---|---|
| 🔴 Critical | 3 |
| Total | 3 |
3 package(s) affected
⚠️ Action Required
Critical severity vulnerabilities detected. These should be addressed before merging:
- Review the detailed scan results
- Update affected packages to patched versions
- Consider using a different base image if updates are unavailable
📋 Resources:
- Download full report (see artifacts)
- View in Security tab
- Scanned with Trivy
Codecov Report
:x: Patch coverage is 30.88235% with 47 lines in your changes missing coverage. Please review.
:white_check_mark: Project coverage is 87.00%. Comparing base (bfce602) to head (c612637).
:warning: Report is 53 commits behind head on master.
Additional details and impacted files
@@ Coverage Diff @@
## master #9423 +/- ##
==========================================
- Coverage 92.95% 87.00% -5.95%
==========================================
Files 126 1657 +1531
Lines 3024 69571 +66547
==========================================
+ Hits 2811 60532 +57721
- Misses 213 9039 +8826
| Components | Coverage Δ | |
|---|---|---|
| prowler | 84.38% <30.88%> (-8.58%) | :arrow_down: |
| api | 92.43% <ø> (∅) | |