
Conversation

@toniblyx
Member

@toniblyx toniblyx commented Oct 23, 2025

Summary

This PR adds complete Cloudflare provider integration to Prowler with 13 comprehensive security checks covering SSL/TLS, DNS, and firewall configurations.

Changes

New Provider

  • Cloudflare provider with full CLI integration
  • Supports API Token and API Key + Email authentication methods
  • Zone-specific and account-wide scanning capabilities
  • Session management and identity discovery
  • Mutelist support for suppressing findings
  • Complete output support (CSV, JSON-OCSF, HTML)

Security Checks (13 total)

SSL/TLS Service (8 checks)

  • ssl_mode_full_strict - Ensure SSL/TLS mode is Full (strict) for end-to-end encryption
  • ssl_tls_minimum_version - Ensure minimum TLS version is 1.2 or higher
  • ssl_tls_1_3_enabled - Ensure TLS 1.3 is enabled for enhanced security
  • ssl_hsts_enabled - Ensure HSTS with recommended max-age (6 months minimum)
  • ssl_hsts_include_subdomains - Ensure HSTS includes subdomains directive
  • ssl_always_use_https - Ensure Always Use HTTPS is enabled
  • ssl_automatic_https_rewrites_enabled - Ensure Automatic HTTPS Rewrites enabled
  • ssl_opportunistic_encryption_enabled - Ensure Opportunistic Encryption enabled

Firewall Service (4 checks)

  • firewall_waf_enabled - Ensure Web Application Firewall (WAF) is enabled
  • firewall_security_level_medium_or_higher - Ensure Security Level is Medium or higher
  • firewall_browser_integrity_check_enabled - Ensure Browser Integrity Check is enabled
  • firewall_challenge_passage_configured - Ensure Challenge Passage is configured (1 hour recommended)

DNS Service (1 check)

  • dns_dnssec_enabled - Ensure DNSSEC is enabled to prevent DNS spoofing

Core Integration

  • Added CheckReportCloudflare model to prowler/lib/check/models.py
  • Added Cloudflare provider initialization to prowler/providers/common/provider.py
  • Added CloudflareOutputOptions to prowler/__main__.py
  • Added Cloudflare output mapping to prowler/lib/outputs/finding.py
  • Added Cloudflare entity type to prowler/lib/outputs/summary_table.py

Usage

Authentication

API Token (Recommended)

prowler cloudflare --api-token YOUR_TOKEN

API Key + Email

prowler cloudflare --api-key YOUR_KEY --api-email your@email.com

Environment Variables

export CLOUDFLARE_API_TOKEN="YOUR_TOKEN"
prowler cloudflare

Scanning Options

Scan all zones

prowler cloudflare --api-token YOUR_TOKEN

Scan specific zones

prowler cloudflare --api-token YOUR_TOKEN --zone-id zone1 zone2

Run specific checks

prowler cloudflare --api-token YOUR_TOKEN -c ssl_tls_minimum_version dns_dnssec_enabled

List available checks

prowler cloudflare --list-checks

Test Results

Successfully tested with live Cloudflare account:

  • ✅ 13 checks discovered and executed
  • ✅ Scan completed in ~11 seconds
  • ✅ CSV, JSON-OCSF, and HTML outputs generated correctly
  • ✅ Summary table displays correctly
  • ✅ All findings properly formatted with resource details

Sample output:

Executing 13 checks, please wait...
Scan completed in 11.5s

Overview Results:
┌───────────────────┬────────────────────┬────────────────┐
│ 23.08% (3) Failed │ 76.92% (10) Passed │ 0.0% (0) Muted │
└───────────────────┴────────────────────┴────────────────┘

Account a00f371dfa459394510132e95d2ff752 Scan Results:
┌────────────┬───────────┬──────────┬────────────┬────────┬──────────┬───────┬─────────┐
│ Provider   │ Service   │ Status   │   Critical │   High │   Medium │   Low │   Muted │
├────────────┼───────────┼──────────┼────────────┼────────┼──────────┼───────┼─────────┤
│ cloudflare │ dns       │ PASS (1) │          0 │      0 │        0 │     0 │       0 │
├────────────┼───────────┼──────────┼────────────┼────────┼──────────┼───────┼─────────┤
│ cloudflare │ firewall  │ FAIL (2) │          0 │      1 │        0 │     1 │       0 │
├────────────┼───────────┼──────────┼────────────┼────────┼──────────┼───────┼─────────┤
│ cloudflare │ ssl       │ FAIL (1) │          0 │      1 │        0 │     0 │       0 │
└────────────┴───────────┴──────────┴────────────┴────────┴──────────┴───────┴─────────┘

Implementation Details

Files Changed

  • 67 files changed
  • 2410 insertions, 1 deletion
  • Follows Prowler's architecture patterns for providers
  • All checks include comprehensive metadata with:
    • Detailed descriptions and risk assessments
    • Remediation steps with CLI commands
    • Terraform IaC examples
    • Links to Cloudflare documentation

Architecture

  • Provider follows the same pattern as AWS, Azure, GCP, GitHub
  • Services use base CloudflareService class with API client
  • Checks inherit from Check base class
  • Proper exception handling with custom Cloudflare exceptions
  • Paginated API requests for zones and resources

Security Considerations

Based on Cloudflare's recommended security settings guide:

  • SSL/TLS checks ensure proper encryption configuration
  • HSTS checks prevent SSL stripping attacks
  • DNSSEC checks prevent DNS spoofing
  • WAF and security level checks protect against web attacks
  • Browser integrity checks filter malicious bots

Checklist

  • Code follows Prowler's architecture patterns
  • All checks have comprehensive metadata
  • Provider supports multiple authentication methods
  • CLI arguments registered and validated
  • Output options configured (CSV, JSON-OCSF, HTML)
  • Mutelist support implemented
  • Summary table integration working
  • Exception handling implemented
  • Successfully tested with live Cloudflare account
  • Pre-commit hooks passed (black, isort, autoflake)
  • README documentation included

Related Issues

Closes: (if applicable)

Additional Notes

This implementation provides comprehensive CSPM capabilities for Cloudflare, enabling organizations to:

  • Audit SSL/TLS configurations across all zones
  • Ensure DNS security with DNSSEC validation
  • Verify WAF and firewall settings
  • Generate compliance reports in multiple formats
  • Track security posture over time

Add complete Cloudflare provider integration to Prowler with comprehensive
security checks covering SSL/TLS, DNS, and firewall configurations.

Features:
- Cloudflare provider with API Token and API Key authentication
- 13 security checks across 3 services (SSL/TLS, DNS, Firewall)
- Support for zone-specific and account-wide scanning
- Full CLI integration with --api-token, --api-key, --api-email, --zone-id flags
- Mutelist support for suppressing findings
- Complete output support (CSV, JSON-OCSF, HTML)

Security Checks:
SSL/TLS (8 checks):
- ssl_mode_full_strict: Ensure SSL/TLS mode is Full (strict)
- ssl_tls_minimum_version: Ensure minimum TLS version is 1.2+
- ssl_tls_1_3_enabled: Ensure TLS 1.3 is enabled
- ssl_hsts_enabled: Ensure HSTS with recommended max-age
- ssl_hsts_include_subdomains: Ensure HSTS includes subdomains
- ssl_always_use_https: Ensure Always Use HTTPS is enabled
- ssl_automatic_https_rewrites_enabled: Ensure automatic HTTPS rewrites
- ssl_opportunistic_encryption_enabled: Ensure opportunistic encryption

Firewall (4 checks):
- firewall_waf_enabled: Ensure WAF is enabled
- firewall_security_level_medium_or_higher: Ensure security level >= medium
- firewall_browser_integrity_check_enabled: Ensure browser integrity check
- firewall_challenge_passage_configured: Ensure challenge passage configured

DNS (1 check):
- dns_dnssec_enabled: Ensure DNSSEC is enabled

Core Changes:
- Add CheckReportCloudflare model to prowler/lib/check/models.py
- Add Cloudflare provider initialization to prowler/providers/common/provider.py
- Add CloudflareOutputOptions to prowler/__main__.py
- Add Cloudflare output mapping to prowler/lib/outputs/finding.py
- Add Cloudflare entity type to prowler/lib/outputs/summary_table.py

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
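The check logic the description lists, worked through as an added offline example. This is not Prowler's code and not part of this PR: Prowler's real checks subclass its Check base class and read zone data through its CloudflareService client, whereas here a zone is just two dicts. The `settings` list mirrors the shape of Cloudflare's GET /zones/{zone_id}/settings response (items with "id" and "value") and `dnssec` mirrors the "result" of GET /zones/{zone_id}/dnssec; the setting ids, accepted values and the numeric thresholds (TLS >= 1.2, HSTS max-age >= 6 months, Challenge Passage >= 1 hour) are assumptions drawn from the check names above, and the sample zone is constructed so that its result mirrors the 3 failed / 10 passed split of the sample output.

```python
from dataclasses import dataclass

SIX_MONTHS = 15552000   # seconds: the "6 months" HSTS max-age option (assumed threshold)
ONE_HOUR = 3600         # assumed reading of "1 hour recommended" for Challenge Passage
SECURITY_LEVELS = ["off", "essentially_off", "low", "medium", "high", "under_attack"]


@dataclass
class Finding:
    check_id: str
    zone: str
    status: str            # "PASS" or "FAIL"
    status_extended: str


def _version(v):
    """'1.2' -> (1, 2): compare TLS versions numerically, not as strings."""
    return tuple(int(p) for p in str(v).split("."))


def evaluate_zone(zone_name, settings, dnssec):
    """Return one Finding per check for a single zone (assumed API shapes)."""
    s = {item["id"]: item["value"] for item in settings}
    hsts = (s.get("security_header") or {}).get("strict_transport_security") or {}
    hsts_on = bool(hsts.get("enabled"))
    max_age = int(hsts.get("max_age") or 0)
    level = s.get("security_level", "off")
    level_ok = (level in SECURITY_LEVELS
                and SECURITY_LEVELS.index(level) >= SECURITY_LEVELS.index("medium"))
    challenge_ttl = int(s.get("challenge_ttl") or 0)

    checks = [  # (check_id, passed, detail)
        ("ssl_mode_full_strict", s.get("ssl") == "strict",
         f"SSL mode is {s.get('ssl')}"),
        ("ssl_tls_minimum_version", _version(s.get("min_tls_version", "1.0")) >= (1, 2),
         f"minimum TLS version is {s.get('min_tls_version')}"),
        ("ssl_tls_1_3_enabled", s.get("tls_1_3") in ("on", "zrt"),  # "zrt" = 0-RTT variant (assumed)
         f"TLS 1.3 is {s.get('tls_1_3')}"),
        ("ssl_hsts_enabled", hsts_on and max_age >= SIX_MONTHS,
         f"HSTS enabled={hsts_on} max_age={max_age}"),
        ("ssl_hsts_include_subdomains", hsts_on and bool(hsts.get("include_subdomains")),
         f"HSTS include_subdomains={hsts.get('include_subdomains')}"),
        ("ssl_always_use_https", s.get("always_use_https") == "on",
         f"Always Use HTTPS is {s.get('always_use_https')}"),
        ("ssl_automatic_https_rewrites_enabled", s.get("automatic_https_rewrites") == "on",
         f"Automatic HTTPS Rewrites is {s.get('automatic_https_rewrites')}"),
        ("ssl_opportunistic_encryption_enabled", s.get("opportunistic_encryption") == "on",
         f"Opportunistic Encryption is {s.get('opportunistic_encryption')}"),
        ("firewall_waf_enabled", s.get("waf") == "on",
         f"WAF is {s.get('waf')}"),
        ("firewall_security_level_medium_or_higher", level_ok,
         f"Security Level is {level}"),
        ("firewall_browser_integrity_check_enabled", s.get("browser_check") == "on",
         f"Browser Integrity Check is {s.get('browser_check')}"),
        ("firewall_challenge_passage_configured", challenge_ttl >= ONE_HOUR,
         f"Challenge Passage is {challenge_ttl}s"),
        ("dns_dnssec_enabled", dnssec.get("status") == "active",
         f"DNSSEC status is {dnssec.get('status')}"),
    ]
    return [Finding(cid, zone_name, "PASS" if ok else "FAIL", detail)
            for cid, ok, detail in checks]


def summarize(findings):
    """Per-service PASS/FAIL counts, keyed by the check id prefix (ssl, firewall, dns)."""
    summary = {}
    for f in findings:
        service = f.check_id.split("_", 1)[0]
        summary.setdefault(service, {"PASS": 0, "FAIL": 0})[f.status] += 1
    return summary


# Constructed sample zone (not real data): three weak settings so that the
# result mirrors the 3 failed / 10 passed split in the PR's sample output.
SAMPLE_SETTINGS = [
    {"id": "ssl", "value": "strict"},
    {"id": "min_tls_version", "value": "1.0"},          # FAIL: below 1.2
    {"id": "tls_1_3", "value": "on"},
    {"id": "security_header", "value": {"strict_transport_security": {
        "enabled": True, "max_age": 15552000, "include_subdomains": True}}},
    {"id": "always_use_https", "value": "on"},
    {"id": "automatic_https_rewrites", "value": "on"},
    {"id": "opportunistic_encryption", "value": "on"},
    {"id": "waf", "value": "on"},
    {"id": "security_level", "value": "low"},           # FAIL: below medium
    {"id": "browser_check", "value": "on"},
    {"id": "challenge_ttl", "value": 1800},             # FAIL: 30 min, under the 1 h recommended
]
SAMPLE_DNSSEC = {"status": "active"}

if __name__ == "__main__":
    findings = evaluate_zone("example.com", SAMPLE_SETTINGS, SAMPLE_DNSSEC)
    for f in findings:
        print(f"{f.status:4} {f.check_id:42} {f.status_extended}")
    print(summarize(findings))
```

Two details are worth keeping when porting this into a real provider: TLS versions must be compared numerically (a string comparison would accept "1.10" < "1.2" style surprises), and the two HSTS checks should only pass when the header is actually enabled, since `include_subdomains: true` on a disabled header protects nothing.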
@toniblyx toniblyx requested review from a team as code owners October 23, 2025 16:09
@github-actions github-actions bot added compliance Issues/PRs related with the Compliance Frameworks metadata-review labels Oct 23, 2025
@github-actions
Contributor

github-actions bot commented Oct 23, 2025

⚠️ Changes detected in the following folders without a corresponding update to the CHANGELOG.md:

  • prowler

Please add an entry to the corresponding CHANGELOG.md file to maintain a clear history of changes.

@github-actions
Contributor

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@codecov

codecov bot commented Oct 23, 2025

Codecov Report

❌ Patch coverage is 28.57143% with 15 lines in your changes missing coverage. Please review.
✅ Project coverage is 71.40%. Comparing base (f8c8dee) to head (a534e50).
⚠️ Report is 23 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #9010      +/-   ##
==========================================
- Coverage   78.42%   71.40%   -7.02%     
==========================================
  Files         194       80     -114     
  Lines        8397     5665    -2732     
==========================================
- Hits         6585     4045    -2540     
+ Misses       1812     1620     -192     
Flag       Coverage Δ
prowler    71.40% <28.57%> (-7.02%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Components   Coverage Δ
prowler      71.40% <28.57%> (-7.02%) ⬇️
api          ∅ <ø> (∅)

@jfagoagas jfagoagas added the no-merge Please, DO NOT MERGE this PR. label Oct 27, 2025