
feat(okta): add provider to the SDK with 1 security check#11079

Draft
danibarranqueroo wants to merge 6 commits into master from PROWLER-1501-add-okta-provider-into-the-sdk-with-1-security-check

Conversation

@danibarranqueroo
Member

Context

Adds Okta as a new Prowler provider following the established SDK pattern. This is the first PR in a planned multi-PR Okta rollout.

Phase 1 scope (this PR):

  • OAuth 2.0 (private-key JWT) authentication only
  • One service: signon
  • One check: signon_global_session_idle_timeout_15min (DISA STIG V-273186)

Deferred to follow-up PRs: additional services and checks, the stig_v1_okta compliance framework, API integration, UI integration.

Description

  • New prowler/providers/okta/ package with provider class, signon service, and the first check.
  • Authentication via OAuth 2.0 service application using private-key JWT (Client Credentials grant). Read-only by scope (okta.policies.read). Identity is synthesized from org_url + client_id; credentials are validated at provider init via a list_policies(limit=1) probe.
  • SDK dependency: okta==3.4.2 (the OpenAPI-generated v3 SDK).
  • CheckReportOkta added to prowler/lib/check/models.py.
  • Provider registered in prowler/lib/cli/parser.py usage/epilog.
  • Exception code range 14000–14999.
  • Pydantic v2 models throughout the provider.
  • Configurable check threshold via audit_config.get("okta_max_session_idle_minutes", 15).
  • 38 unit tests, 95% line coverage on the provider package.
  • CI workflow extended with an Okta pytest + Codecov upload step.
  • Tutorial added at docs/user-guide/providers/okta/getting-started-okta.mdx (service-app setup, scope grants, "Public client app admins" warning, env-var configuration, troubleshooting).

Steps to review

  1. Review prowler/providers/okta/okta_provider.py for the auth flow (validate_arguments → setup_session → setup_identity with credential probe).
  2. Review prowler/providers/okta/services/signon/signon_service.py for the SDK call shape (list_policies(type="OKTA_SIGN_ON")) and link-header pagination.
  3. Review the check at prowler/providers/okta/services/signon/signon_global_session_idle_timeout_15min/signon_global_session_idle_timeout_15min.py.
  4. Run poetry run pytest tests/providers/okta/ --cov=prowler/providers/okta — expect 38 passed, ~95% coverage.
  5. Run poetry run python prowler-cli.py okta --list-checks and --list-services — expect the bundled check and signon service.
  6. Live-tenant smoke test (cannot be done in CI): set OKTA_ORG_URL, OKTA_CLIENT_ID, OKTA_PRIVATE_KEY_FILE against a real Identity Engine org and run --check signon_global_session_idle_timeout_15min.

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? Yes / No
    • If so, do we need to update permissions for the provider? Please review this carefully.

UI

  • All issue/task requirements work as expected on the UI
  • Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
  • Screenshots/Video of the functionality flow (if applicable) - Tablet (640px < X < 1024px)
  • Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
  • Ensure new entries are added to CHANGELOG.md, if applicable.

API

  • All issue/task requirements work as expected on the API
  • Endpoint response output (if applicable)
  • EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable)
  • Performance test results (if applicable)
  • Any other relevant evidence of the implementation (if applicable)
  • Verify if API specs need to be regenerated.
  • Check if version updates are required (e.g., specs, Poetry, etc.).
  • Ensure new entries are added to CHANGELOG.md, if applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
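The review steps above ask for two things to be checked by eye: the link-header pagination in the signon service (step 2) and the idle-timeout check with its audit_config threshold (step 3 and the Description bullet). The block below is an added example of that flow, not code from this PR or from Prowler. It makes several assumptions: the policy and rule field names follow the Okta sign-on policy rule schema (actions.signon.session.maxSessionIdleMinutes); rules are embedded inside each policy purely to keep the sample self-contained (the real API serves them from a separate per-policy endpoint); and fake_fetch_page stands in for the authenticated SDK call, returning constructed pages plus the Link header a server would send.

```python
import re
from typing import Callable, Optional

# Constructed sample data standing in for two pages of the Okta policies API.
# Field names follow the Okta sign-on policy rule schema
# (actions.signon.session.maxSessionIdleMinutes) as an assumption; in the real
# API, rules are fetched per policy from a separate endpoint and are embedded
# here only to keep the example self-contained.
BASE = "https://example.okta.com/api/v1/policies?type=OKTA_SIGN_ON"
PAGE2 = BASE + "&after=pol-2"

SAMPLE_PAGES = {
    BASE: (
        [
            {"id": "pol-1", "name": "Default Policy", "status": "ACTIVE", "rules": [
                {"id": "rul-1", "name": "Default Rule", "status": "ACTIVE",
                 "actions": {"signon": {"session": {"maxSessionIdleMinutes": 120}}}}]},
            {"id": "pol-2", "name": "Contractors", "status": "ACTIVE", "rules": [
                {"id": "rul-2", "name": "Short idle", "status": "ACTIVE",
                 "actions": {"signon": {"session": {"maxSessionIdleMinutes": 15}}}},
                {"id": "rul-3", "name": "No idle limit set", "status": "ACTIVE",
                 "actions": {"signon": {"session": {}}}}]},
        ],
        f'<{BASE}>; rel="self", <{PAGE2}>; rel="next"',
    ),
    PAGE2: (
        [
            {"id": "pol-3", "name": "Legacy", "status": "INACTIVE", "rules": [
                {"id": "rul-4", "name": "Long idle", "status": "ACTIVE",
                 "actions": {"signon": {"session": {"maxSessionIdleMinutes": 480}}}}]},
        ],
        f'<{PAGE2}>; rel="self"',
    ),
}

# RFC 8288 Link header entries look like: <url>; rel="next"
_LINK_RE = re.compile(r'<([^>]+)>\s*;\s*rel="([^"]+)"')


def parse_next_link(link_header: Optional[str]) -> Optional[str]:
    """Return the rel="next" URL from a Link header, or None on the last page."""
    if not link_header:
        return None
    for url, rel in _LINK_RE.findall(link_header):
        if rel == "next":
            return url
    return None


def list_all_policies(fetch_page: Callable, first_url: str, max_pages: int = 100) -> list:
    """Follow rel="next" until exhausted. max_pages bounds a server that keeps linking."""
    items, url, pages = [], first_url, 0
    while url and pages < max_pages:
        page_items, link_header = fetch_page(url)
        items.extend(page_items)
        url = parse_next_link(link_header)
        pages += 1
    return items


def fake_fetch_page(url: str):
    """Stand-in for the authenticated SDK call: (items, Link header) for a page URL."""
    return SAMPLE_PAGES[url]


def evaluate_idle_timeout(policies: list, audit_config: Optional[dict] = None) -> list:
    """One finding per active rule of each active policy.

    PASS when maxSessionIdleMinutes is set and within the threshold; FAIL when it
    exceeds the threshold or is absent (an unset value means the tenant default
    applies, which the check cannot vouch for). The threshold is read the way the
    PR describes it: audit_config.get("okta_max_session_idle_minutes", 15).
    """
    audit_config = audit_config or {}
    max_idle = int(audit_config.get("okta_max_session_idle_minutes", 15))
    findings = []
    for policy in policies:
        if policy.get("status") != "ACTIVE":
            continue  # inactive policies do not govern live sessions
        for rule in policy.get("rules", []):
            if rule.get("status") != "ACTIVE":
                continue
            session = rule.get("actions", {}).get("signon", {}).get("session", {})
            idle = session.get("maxSessionIdleMinutes")
            if idle is None:
                status, detail = "FAIL", "does not set a global session idle timeout"
            elif idle <= max_idle:
                status, detail = "PASS", f"idle timeout {idle} min is within {max_idle} min"
            else:
                status, detail = "FAIL", f"idle timeout {idle} min exceeds {max_idle} min"
            findings.append({
                "policy_id": policy["id"],
                "rule_id": rule["id"],
                "status": status,
                "status_extended": f"Rule {rule['name']} in policy {policy['name']} {detail}.",
            })
    return findings


if __name__ == "__main__":
    for finding in evaluate_idle_timeout(list_all_policies(fake_fetch_page, BASE)):
        print(finding["status"], finding["status_extended"])
```

Two design points worth carrying into the real service: the paginator caps the number of pages so a misbehaving or looping Link header cannot hang a scan, and a rule with no idle timeout at all is reported as FAIL rather than silently skipped, since the check cannot prove the effective default meets the 15-minute requirement.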

@mintlify
Contributor

mintlify Bot commented May 8, 2026

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
prowler 🟢 Ready View Preview May 8, 2026, 7:27 AM


@github-actions github-actions Bot added documentation github_actions Pull requests that update GitHub Actions code metadata-review labels May 8, 2026
@github-actions
Contributor

github-actions Bot commented May 8, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@github-actions
Contributor

github-actions Bot commented May 8, 2026

Compliance Mapping Review

This PR adds new checks. Please verify that they have been mapped to the relevant compliance framework requirements.

New checks not mapped to any compliance framework in this PR

  • signon_global_session_idle_timeout_15min (okta)

Please review whether these checks should be added to compliance framework requirements in prowler/compliance/<provider>/. Each compliance JSON has a Checks array inside each requirement — add the check ID there if it satisfies that requirement.

Use the no-compliance-check label to skip this check.

@github-actions
Contributor

github-actions Bot commented May 8, 2026

✅ All necessary CHANGELOG.md files have been updated.

Comment on lines +7 to +11
    def is_finding_muted(
        self,
        finding: CheckReportOkta,
        org_url: str,
    ) -> bool:
@github-actions
Contributor

github-actions Bot commented May 8, 2026

🔒 Container Security Scan

Image: prowler:ac5e8fc
Last scan: 2026-05-08 12:06:36 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 4
Total 4

4 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable


@codecov

codecov Bot commented May 8, 2026

Codecov Report

❌ Patch coverage is 94.92063% with 16 lines in your changes missing coverage. Please review.
✅ Project coverage is 87.16%. Comparing base (e585ae4) to head (fd7bbae).
⚠️ Report is 11 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #11079      +/-   ##
==========================================
+ Coverage   85.16%   87.16%   +1.99%     
==========================================
  Files         961     1638     +677     
  Lines       32652    49599   +16947     
==========================================
+ Hits        27808    43231   +15423     
- Misses       4844     6368    +1524     
Flag Coverage Δ
prowler-py3.10-aws 90.02% <ø> (?)
prowler-py3.10-azure 89.39% <ø> (?)
prowler-py3.10-gcp 89.75% <ø> (?)
prowler-py3.10-github 89.05% <ø> (?)
prowler-py3.10-kubernetes 89.41% <ø> (?)
prowler-py3.10-nhn 89.05% <94.92%> (?)
prowler-py3.10-okta 89.10% <94.92%> (?)
prowler-py3.11-aws 90.02% <ø> (+<0.01%) ⬆️
prowler-py3.11-azure 89.39% <ø> (?)
prowler-py3.11-gcp 89.75% <ø> (?)
prowler-py3.11-github 89.05% <ø> (?)
prowler-py3.11-googleworkspace 87.32% <94.92%> (?)
prowler-py3.11-iac 88.65% <94.92%> (?)
prowler-py3.11-kubernetes 89.41% <ø> (?)
prowler-py3.11-lib ?
prowler-py3.11-m365 88.88% <94.92%> (?)
prowler-py3.11-mongodbatlas 88.56% <94.92%> (?)
prowler-py3.11-nhn 89.05% <94.92%> (?)
prowler-py3.11-okta 89.10% <94.92%> (?)
prowler-py3.11-openstack 87.12% <94.92%> (?)
prowler-py3.11-oraclecloud 86.87% <94.92%> (?)
prowler-py3.11-vercel 87.15% <94.92%> (?)
prowler-py3.12-aws 90.02% <ø> (?)

Flags with carried forward coverage won't be shown.

Components Coverage Δ
prowler 87.16% <94.92%> (+1.99%) ⬆️
api ∅ <ø> (∅)

@github-actions github-actions Bot added the output/html Issues/PRs related with the HTML output format label May 8, 2026

Labels

documentation github_actions Pull requests that update GitHub Actions code metadata-review output/html Issues/PRs related with the HTML output format provider/okta

2 participants