feat(googleworkspace): add groups service checks#11186

Open
lydiavilchez wants to merge 3 commits into
masterfrom
PROWLER-1732-implement-groups-for-business-service-checks-for-google-workspace-provider

Conversation

@lydiavilchez (Contributor)

Context

Groups service checks for the Google Workspace provider. This PR implements the 3 automatable CIS controls for Groups for Business using the Cloud Identity Policy API (groups_for_business.groups_sharing setting).

Description

Implements 3 CIS Google Workspace Groups controls covering external access, group creation restrictions, and conversation visibility:

Groups (3):

  • 3.1.6.1 — Accessing groups from outside the organization: PASS if collaboration_capability is DOMAIN_USERS_ONLY or absent (secure default)
  • 3.1.6.2 — Group creation restricted to admins: PASS if create_groups_access_level is ADMIN_ONLY, owners_can_allow_external_members is false, and owners_can_allow_incoming_mail_from_public is false
  • 3.1.6.3 — Default permission to view conversations: PASS if view_topics_default_access_level is GROUP_MEMBERS

Default field values from the Policy API are handled explicitly: fields absent from the API response are treated according to their documented defaults (DOMAIN_USERS_ONLY is secure for 3.1.6.1; USERS_IN_DOMAIN and true for incoming mail are insecure for 3.1.6.2; DOMAIN_USERS is insecure for 3.1.6.3).

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? Yes / No
    • If so, do we need to update permissions for the provider? Please review this carefully.

UI

  • All issue/task requirements work as expected on the UI
  • If this PR adds or updates npm dependencies, include package-health evidence (maintenance, popularity, known vulnerabilities, license, release age) and explain why existing/native alternatives are insufficient.
  • Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
  • Screenshots/Video of the functionality flow (if applicable) - Table (640px > X < 1024px)
  • Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
  • Ensure new entries are added to CHANGELOG.md, if applicable.

API

  • All issue/task requirements work as expected on the API
  • Endpoint response output (if applicable)
  • EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable)
  • Performance test results (if applicable)
  • Any other relevant evidence of the implementation (if applicable)
  • Verify if API specs need to be regenerated.
  • Check if version updates are required (e.g., specs, uv, etc.).
  • Ensure new entries are added to CHANGELOG.md, if applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
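The evaluation logic the description lays out, written here as an added stand-alone example; it is not code from this PR or from Prowler. It assumes the groups_sharing block arrives as a dict keyed by the snake_case setting names used above, and the Finding shape (check_id, status, status_extended) is a simplified stand-in for Prowler's own report model. The absent-field defaults are the ones the description states, but they live in one explicit table rather than inside each branch's condition, so the incoming-mail default that the review thread questions is a single-entry change (the CIS_DEFAULTS variant shows it) and the tenant-with-everything-unset case can be checked against either reading.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Mapping, Tuple

# Value assumed for each setting that is absent from the Policy API response.
# These are the defaults the PR description states. Keeping them in one table
# (instead of "is None or is True" inside each branch) means a disputed default,
# such as the incoming-mail one questioned in review, is a single-entry change.
DEFAULTS: Dict[str, Any] = {
    "collaboration_capability": "DOMAIN_USERS_ONLY",        # secure
    "create_groups_access_level": "USERS_IN_DOMAIN",        # insecure
    "owners_can_allow_external_members": False,             # secure
    "owners_can_allow_incoming_mail_from_public": True,     # insecure per PR text
    "view_topics_default_access_level": "DOMAIN_USERS",     # insecure
}

# Variant with the incoming-mail default as CIS 3.1.6.2 documents it (unchecked).
CIS_DEFAULTS: Dict[str, Any] = {**DEFAULTS, "owners_can_allow_incoming_mail_from_public": False}


@dataclass
class Finding:
    check_id: str
    status: str           # "PASS" or "FAIL"
    status_extended: str


def effective(settings: Mapping[str, Any], key: str, defaults: Mapping[str, Any]) -> Tuple[Any, bool]:
    """Return (value, defaulted): the API value when present, else the documented default."""
    value = settings.get(key)
    if value is None:
        return defaults[key], True
    return value, False


def render(value: Any, defaulted: bool) -> str:
    """Human-readable value, booleans lower-cased, tagged when it came from the default table."""
    text = str(value).lower() if isinstance(value, bool) else str(value)
    return f"{text} (default)" if defaulted else text


def groups_external_access_restricted(settings: Mapping[str, Any], defaults: Mapping[str, Any] = DEFAULTS) -> Finding:
    """CIS 3.1.6.1: PASS only when collaboration_capability is DOMAIN_USERS_ONLY."""
    value, defaulted = effective(settings, "collaboration_capability", defaults)
    if value == "DOMAIN_USERS_ONLY":
        return Finding("groups_external_access_restricted", "PASS",
                       f"Groups cannot be accessed from outside the organization ({render(value, defaulted)}).")
    return Finding("groups_external_access_restricted", "FAIL",
                   f"Groups can be accessed from outside the organization ({render(value, defaulted)}).")


def groups_creation_restricted(settings: Mapping[str, Any], defaults: Mapping[str, Any] = DEFAULTS) -> Finding:
    """CIS 3.1.6.2: all three conditions must hold; every failing one is reported."""
    issues: List[str] = []
    level, defaulted = effective(settings, "create_groups_access_level", defaults)
    if level != "ADMIN_ONLY":
        issues.append(f"group creation is not restricted to admins ({render(level, defaulted)})")
    external, defaulted = effective(settings, "owners_can_allow_external_members", defaults)
    if external is True:
        issues.append(f"group owners can allow external members ({render(external, defaulted)})")
    incoming, defaulted = effective(settings, "owners_can_allow_incoming_mail_from_public", defaults)
    if incoming is True:
        issues.append(f"group owners can allow incoming email from outside the organization ({render(incoming, defaulted)})")
    if issues:
        return Finding("groups_creation_restricted", "FAIL", "; ".join(issues) + ".")
    return Finding("groups_creation_restricted", "PASS",
                   "Group creation is restricted to admins and owners cannot allow external members or external incoming email.")


def groups_view_conversations_restricted(settings: Mapping[str, Any], defaults: Mapping[str, Any] = DEFAULTS) -> Finding:
    """CIS 3.1.6.3: PASS only when view_topics_default_access_level is GROUP_MEMBERS."""
    value, defaulted = effective(settings, "view_topics_default_access_level", defaults)
    if value == "GROUP_MEMBERS":
        return Finding("groups_view_conversations_restricted", "PASS",
                       f"Only group members can view conversations by default ({render(value, defaulted)}).")
    return Finding("groups_view_conversations_restricted", "FAIL",
                   f"Conversations are viewable by default beyond group members ({render(value, defaulted)}).")


def run_groups_checks(settings: Mapping[str, Any], defaults: Mapping[str, Any] = DEFAULTS) -> List[Finding]:
    return [
        groups_external_access_restricted(settings, defaults),
        groups_creation_restricted(settings, defaults),
        groups_view_conversations_restricted(settings, defaults),
    ]


# Constructed sample inputs, not real API payloads.
EMPTY_RESPONSE: Dict[str, Any] = {}          # every field absent: the defaults decide
HARDENED: Dict[str, Any] = {
    "collaboration_capability": "DOMAIN_USERS_ONLY",
    "create_groups_access_level": "ADMIN_ONLY",
    "owners_can_allow_external_members": False,
    "owners_can_allow_incoming_mail_from_public": False,
    "view_topics_default_access_level": "GROUP_MEMBERS",
}

if __name__ == "__main__":
    for name, sample in (("empty", EMPTY_RESPONSE), ("hardened", HARDENED)):
        for finding in run_groups_checks(sample):
            print(f"{name:9} {finding.check_id:40} {finding.status:4} {finding.status_extended}")
```

With an empty response and the PR's defaults, 3.1.6.1 passes on the secure default while 3.1.6.2 and 3.1.6.3 fail, and the creation finding names both the creation level and the incoming-mail setting as "(default)". Running the same empty response against CIS_DEFAULTS drops the incoming-mail issue, which is exactly the behavioural difference the review is about; a test that pins the intended default is then one assertion on that string.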

@lydiavilchez lydiavilchez requested review from a team as code owners May 15, 2026 11:20
@github-actions github-actions Bot added labels compliance (Issues/PRs related with the Compliance Frameworks), metadata-review, provider/googleworkspace (Issues/PRs related with the Google Workspace provider) May 15, 2026
github-actions Bot commented May 15, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

github-actions Bot commented May 15, 2026

✅ All necessary CHANGELOG.md files have been updated.

@github-actions

Compliance Mapping Review

This PR adds new checks. Please verify that they have been mapped to the relevant compliance framework requirements.

New checks already mapped in this PR

  • groups_creation_restricted (googleworkspace): cis_1.3_googleworkspace, cisa_scuba_0.6_googleworkspace
  • groups_external_access_restricted (googleworkspace): cis_1.3_googleworkspace, cisa_scuba_0.6_googleworkspace
  • groups_view_conversations_restricted (googleworkspace): cis_1.3_googleworkspace, cisa_scuba_0.6_googleworkspace

Use the no-compliance-check label to skip this check.

codecov Bot commented May 15, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.58%. Comparing base (3410fc9) to head (d69e23b).
⚠️ Report is 6 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #11186      +/-   ##
==========================================
+ Coverage   93.65%   95.58%   +1.92%     
==========================================
  Files         232       60     -172     
  Lines       33968     1630   -32338     
==========================================
- Hits        31813     1558   -30255     
+ Misses       2155       72    -2083     
Flag Coverage Δ
api ?
prowler-py3.10-googleworkspace 95.58% <100.00%> (?)
prowler-py3.11-googleworkspace 95.58% <100.00%> (?)
prowler-py3.12-googleworkspace 95.58% <100.00%> (?)

Flags with carried forward coverage won't be shown.

Components Coverage Δ
prowler 95.58% <100.00%> (∅)
api ∅ <ø> (∅)

github-actions Bot commented May 15, 2026

🔒 Container Security Scan

Image: prowler:0e3b65e
Last scan: 2026-05-15 11:57:45 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 6
Total 6

5 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable

@danibarranqueroo danibarranqueroo left a comment

Good job! Please review these two little suggestions.

Comment thread prowler/providers/googleworkspace/services/groups/groups_service.py
Comment thread prowler/CHANGELOG.md Outdated
@pedrooot pedrooot left a comment

🔝

Comment on lines +53 to +58
# Default is true (insecure) — only false is compliant
if incoming_mail is None or incoming_mail is True:
    effective = "true (default)" if incoming_mail is None else "true"
    issues.append(
        f"group owners can allow incoming email from outside the organization ({effective})"
    )
Member

CIS 3.1.6.2 (in cis_1.3_googleworkspace.json, edited in this PR) documents the opposite default:

"DefaultValue": "... • Group owners can allow incoming email from outside the organization is unchecked"
It's also inconsistent within the same check: the adjacent toggle ownersCanAllowExternalMembers — listed right next to it in the same CIS DefaultValue ("unchecked") — is correctly treated as
default=False (if external_members is True: doesn't fire on None). Both are admin-console booleans on the same screen with the same documented default; treating only one as insecure-on-absence
will FAIL tenants whose config matches the CIS default and is compliant.

Suggested Fix:

  • In the check: change "if incoming_mail is None or incoming_mail is True:" to "if incoming_mail is True:", and drop the (default) rendering branch.
  • In groups_creation_restricted_test.py:152-186 (test_fail_all_defaults_none): with everything None, only the create_groups_access_level issue should be reported (USERS_IN_DOMAIN is the genuine insecure default). Update the docstring and remove the assert "incoming email" in findings[0].status_extended. Consider splitting into two cases — "all-None → FAIL only on creation level" and "creation_level=ADMIN_ONLY, others None → PASS" — to lock the corrected default in.
  • PR description: the line "USERS_IN_DOMAIN and true for incoming mail are insecure for 3.1.6.2" propagates the same wrong assumption and should be updated.
