feat(compliance): add CIS pdf reporting #10650

Open
pedrooot wants to merge 9 commits into master from PROWLER-1318-feature-implement-pdf-reports-for-cis-compliance

@pedrooot
Member

Description

This PR includes the needed changes to add the Prowler PDF compliance reports for the CIS compliance framework.

Steps to review

Please add a detailed description of how to review this PR.

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? Yes / No
    • If so, do we need to update permissions for the provider? Please review this carefully.

UI

  • All issue/task requirements work as expected on the UI
  • Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
  • Screenshots/Video of the functionality flow (if applicable) - Table (640px > X < 1024px)
  • Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
  • Ensure new entries are added to CHANGELOG.md, if applicable.

API

  • All issue/task requirements work as expected on the API
  • Endpoint response output (if applicable)
  • EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable)
  • Performance test results (if applicable)
  • Any other relevant evidence of the implementation (if applicable)
  • Verify if API specs need to be regenerated.
  • Check if version updates are required (e.g., specs, Poetry, etc.).
  • Ensure new entries are added to CHANGELOG.md, if applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@github-actions
Contributor

github-actions bot commented Apr 10, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@github-actions
Contributor

github-actions bot commented Apr 10, 2026

✅ All necessary CHANGELOG.md files have been updated.

@github-actions
Contributor

github-actions bot commented Apr 10, 2026

🔒 Container Security Scan

Image: prowler-ui:fdbd2ba
Last scan: 2026-04-14 10:34:52 UTC

✅ No Vulnerabilities Detected

The container image passed all security checks. No known CVEs were found.

@github-actions
Contributor

github-actions bot commented Apr 10, 2026

🔒 Container Security Scan

Image: prowler-api:fdbd2ba
Last scan: 2026-04-14 10:39:01 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 5
Total 5

4 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable

@codecov

codecov bot commented Apr 10, 2026

Codecov Report

❌ Patch coverage is 95.15478% with 36 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.74%. Comparing base (0f4d8ff) to head (3108bdf).

Additional details and impacted files
@@             Coverage Diff             @@
##           master   #10650       +/-   ##
===========================================
+ Coverage    7.47%   93.74%   +86.27%     
===========================================
  Files         847      229      -618     
  Lines       24189    32663     +8474     
===========================================
+ Hits         1807    30619    +28812     
+ Misses      22382     2044    -20338     
Flag Coverage Δ
api 93.74% <95.15%> (?)
prowler-py3.10-aws ?
prowler-py3.11-aws ?
prowler-py3.12-aws ?

Flags with carried forward coverage won't be shown.

Components Coverage Δ
prowler ∅ <ø> (∅)
api 93.74% <95.15%> (∅)

Contributor

@Alan-TheGentleman Alan-TheGentleman left a comment

Two things to tighten up:

  1. The new /cis/{name}/ endpoint accepts every CIS variant, but the report job only generates the latest one. cis() validates name against get_compliance_frameworks(scan.provider.provider), so cis_1.4_aws passes validation even if only cis_5.0_aws was produced. That means users get a file-not-found 404 for a variant the endpoint just accepted. Either restrict the endpoint contract to the selected variant, or fail earlier with a clearer 'only latest CIS version is generated' response.

  2. The changelog entry is out of order. The PR adds 1.23.0 above 1.24.0, which will make the release history confusing. Put the new entry in the right chronological position before merging.

The dynamic variant selection is a good direction, and the path-safety validation on name is solid. Once the endpoint contract matches the generated artifacts, this will be much easier to reason about.
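
An added example, not code from this PR or from Prowler: one way the `/cis/{name}/` contract could be made to match the generated artifact, as the review above asks, while keeping the path-safety check on `name`. `KNOWN_FRAMEWORKS`, `latest_cis`, `resolve_cis_report`, the `<name>.pdf` file layout and the 422 status are assumptions for illustration; the framework list is constructed sample data.

```python
import re
from pathlib import Path

# Constructed sample data standing in for the provider's framework list.
KNOWN_FRAMEWORKS = {"aws": ["cis_1.4_aws", "cis_2.0_aws", "cis_5.0_aws", "ens_rd2022_aws"]}
# Strict allow-list: cis_<dotted version>_<provider>, no separators or "..".
SAFE_NAME = re.compile(r"cis_(\d+(?:\.\d+)*)_([a-z0-9]+)")


def latest_cis(provider):
    """Pick the highest CIS variant, comparing versions numerically."""
    best = None
    for fw in KNOWN_FRAMEWORKS.get(provider, []):
        m = SAFE_NAME.fullmatch(fw)
        if m and m.group(2) == provider:
            key = tuple(int(p) for p in m.group(1).split("."))
            if best is None or key > best[0]:
                best = (key, fw)
    return best[1] if best else None


def resolve_cis_report(name, provider, output_dir):
    """Return (http_status, detail) for a request to /cis/{name}/."""
    # 1. Path safety first: reject anything outside the allow-list pattern.
    if not SAFE_NAME.fullmatch(name):
        return 400, "invalid compliance name"
    # 2. The name must be a framework known for this provider.
    if name not in KNOWN_FRAMEWORKS.get(provider, []):
        return 404, "unknown CIS variant for provider"
    # 3. Contract check: only the generated (latest) variant can be served,
    #    so say so instead of falling through to a file-not-found 404.
    #    The 422 status is an assumption; the review does not name one.
    generated = latest_cis(provider)
    if name != generated:
        return 422, f"only latest CIS version is generated: {generated}"
    # 4. Defence in depth: the resolved path must stay inside output_dir.
    base = Path(output_dir).resolve()
    target = (base / f"{name}.pdf").resolve()
    if base not in target.parents:
        return 400, "invalid compliance name"
    if not target.is_file():
        return 404, "report not generated yet"
    return 200, str(target)
```
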

3 participants