feat(googleworkspace): add Gmail consequence-based checks for attachment safety and spoofing#10980

Merged
danibarranqueroo merged 3 commits into master from
PROWLER-1452-implement-gmail-consequence-based-checks-for-google-workspace-provider-pr-2
May 7, 2026

Conversation

@lydiavilchez (Contributor)

Context

Second batch of Gmail checks for the Google Workspace provider. PR 1 implemented the service infrastructure and 9 boolean-based checks. This PR adds the remaining 8 automatable checks that evaluate paired boolean + consequence fields from the Policy API.

Description

Implements 8 CIS Google Workspace Gmail controls covering attachment safety and spoofing/authentication protections:

Attachment Safety (3):

  • 3.1.3.4.1.1 — Protection against encrypted attachments from untrusted senders: PASS if enabled AND consequence is not NO_ACTION
  • 3.1.3.4.1.2 — Protection against attachments with scripts from untrusted senders: PASS if enabled AND consequence is not NO_ACTION
  • 3.1.3.4.1.3 — Protection against anomalous attachment types: PASS if enabled AND consequence is not NO_ACTION

Spoofing and Authentication (5):

  • 3.1.3.4.3.1 — Protection against domain spoofing based on similar domain names: PASS if enabled AND consequence is not NO_ACTION
  • 3.1.3.4.3.2 — Protection against spoofing of employee names: PASS if enabled AND consequence is not NO_ACTION
  • 3.1.3.4.3.3 — Protection against inbound emails spoofing your domain: PASS if enabled AND consequence is not NO_ACTION
  • 3.1.3.4.3.4 — Protection against any unauthenticated emails: PASS if enabled AND consequence is not NO_ACTION
  • 3.1.3.4.3.5 — Groups protected from inbound emails spoofing your domain: PASS if enabled AND consequence is not NO_ACTION

Checklist

Community Checklist
  • This feature/issue is listed in here or roadmap.prowler.com
  • Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

SDK/CLI

  • Are there new checks included in this PR? Yes / No
    • If so, do we need to update permissions for the provider? Please review this carefully.

UI

  • All issue/task requirements work as expected on the UI
  • Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
  • Screenshots/Video of the functionality flow (if applicable) - Tablet (640px < X < 1024px)
  • Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
  • Ensure new entries are added to CHANGELOG.md, if applicable.

API

  • All issue/task requirements work as expected on the API
  • Endpoint response output (if applicable)
  • EXPLAIN ANALYZE output for new/modified queries or indexes (if applicable)
  • Performance test results (if applicable)
  • Any other relevant evidence of the implementation (if applicable)
  • Verify if API specs need to be regenerated.
  • Check if version updates are required (e.g., specs, Poetry, etc.).
  • Ensure new entries are added to CHANGELOG.md, if applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
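The PASS/FAIL rule the description gives for the eight paired checks (PASS only if the boolean is enabled AND the consequence is not NO_ACTION), as an added example that is not Prowler's own check code. The Policy API field names and the sample setting value are constructed for the example; it also reports a field missing from the payload explicitly, which is the None case the reviewer asks to confirm against the documented defaults.

```python
from typing import Any, Dict, Mapping, Optional, Tuple

NO_ACTION = "NO_ACTION"  # consequence value that leaves flagged mail untouched

# Hypothetical (enabled, consequence, title) triples; the real Policy API field
# names are not in the PR, so these names are constructed for the example.
PROTECTIONS = {
    "gmail_encrypted_attachment_protection_enabled": (
        "detectEncryptedAttachments", "detectEncryptedAttachmentsConsequence",
        "Protection against encrypted attachments from untrusted senders"),
    "gmail_script_attachment_protection_enabled": (
        "detectScriptAttachments", "detectScriptAttachmentsConsequence",
        "Protection against attachments with scripts from untrusted senders"),
    "gmail_domain_spoofing_protection_enabled": (
        "detectDomainNameSpoofing", "detectDomainNameSpoofingConsequence",
        "Protection against domain spoofing based on similar domain names"),
}

def evaluate_protection(setting: Mapping[str, Any], enabled_field: str,
                        consequence_field: str, title: str) -> Tuple[str, str]:
    """Return (status, reason): PASS only if the boolean is True AND the
    consequence is present and not NO_ACTION. A field absent from the payload
    (None) is reported explicitly instead of being read as enabled."""
    enabled: Optional[bool] = setting.get(enabled_field)
    consequence: Optional[str] = setting.get(consequence_field)
    if enabled is None:
        return "FAIL", f"{title} is not configured ({enabled_field} missing)."
    if not enabled:
        return "FAIL", f"{title} is disabled."
    if consequence is None:
        return "FAIL", f"{title} is enabled but {consequence_field} is missing."
    if consequence == NO_ACTION:
        return "FAIL", f"{title} is enabled but its consequence is NO_ACTION."
    return "PASS", f"{title} is enabled with consequence {consequence}."

def run_checks(setting: Mapping[str, Any]) -> Dict[str, Tuple[str, str]]:
    """Evaluate every paired check over one Policy API setting value."""
    return {name: evaluate_protection(setting, *fields)
            for name, fields in PROTECTIONS.items()}

# Constructed sample value: one sound pair, one pair whose consequence is
# NO_ACTION, and the domain-spoofing pair omitted to exercise the None case.
SAMPLE_SETTING = {
    "detectEncryptedAttachments": True,
    "detectEncryptedAttachmentsConsequence": "QUARANTINE",
    "detectScriptAttachments": True,
    "detectScriptAttachmentsConsequence": "NO_ACTION",
}
```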

@lydiavilchez lydiavilchez requested review from a team as code owners May 4, 2026 15:05
@github-actions github-actions Bot added compliance Issues/PRs related with the Compliance Frameworks metadata-review provider/googleworkspace Issues/PRs related with the Google Workspace provider labels May 4, 2026

github-actions Bot commented May 4, 2026

Compliance Mapping Review

This PR adds new checks. Please verify that they have been mapped to the relevant compliance framework requirements.

New checks already mapped in this PR

  • gmail_anomalous_attachment_protection_enabled (googleworkspace): cis_1.3_googleworkspace, cisa_scuba_0.6_googleworkspace
  • gmail_domain_spoofing_protection_enabled (googleworkspace): cis_1.3_googleworkspace, cisa_scuba_0.6_googleworkspace
  • gmail_employee_name_spoofing_protection_enabled (googleworkspace): cis_1.3_googleworkspace, cisa_scuba_0.6_googleworkspace
  • gmail_encrypted_attachment_protection_enabled (googleworkspace): cis_1.3_googleworkspace, cisa_scuba_0.6_googleworkspace
  • gmail_groups_spoofing_protection_enabled (googleworkspace): cis_1.3_googleworkspace, cisa_scuba_0.6_googleworkspace
  • gmail_inbound_domain_spoofing_protection_enabled (googleworkspace): cis_1.3_googleworkspace, cisa_scuba_0.6_googleworkspace
  • gmail_script_attachment_protection_enabled (googleworkspace): cis_1.3_googleworkspace, cisa_scuba_0.6_googleworkspace
  • gmail_unauthenticated_email_protection_enabled (googleworkspace): cis_1.3_googleworkspace, cisa_scuba_0.6_googleworkspace

Use the no-compliance-check label to skip this check.


github-actions Bot commented May 4, 2026

✅ All necessary CHANGELOG.md files have been updated.


github-actions Bot commented May 4, 2026

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.


codecov Bot commented May 4, 2026

Codecov Report

❌ Patch coverage is 96.74419% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 94.52%. Comparing base (921f49a) to head (3825313).
⚠️ Report is 26 commits behind head on master.

Additional details and impacted files
@@             Coverage Diff             @@
##           master   #10980       +/-   ##
===========================================
+ Coverage    7.71%   94.52%   +86.80%     
===========================================
  Files         850       47      -803     
  Lines       24669     1315    -23354     
===========================================
- Hits         1904     1243      -661     
+ Misses      22765       72    -22693     
Flag                            Coverage Δ
prowler-py3.10-aws              ?
prowler-py3.10-googleworkspace  94.52% <96.74%> (?)
prowler-py3.11-aws              ?
prowler-py3.11-googleworkspace  94.52% <96.74%> (?)
prowler-py3.12-aws              ?
prowler-py3.12-googleworkspace  94.52% <96.74%> (?)

Flags with carried forward coverage won't be shown.

Component   Coverage Δ
prowler     94.52% <96.74%> (+86.80%) ⬆️
api         ∅ <ø> (∅)

@lydiavilchez lydiavilchez force-pushed the PROWLER-1452-implement-gmail-consequence-based-checks-for-google-workspace-provider-pr-2 branch from 3f82558 to c03950a Compare May 4, 2026 15:12

github-actions Bot commented May 4, 2026

🔒 Container Security Scan

Image: prowler:9918686
Last scan: 2026-05-07 10:38:47 UTC

📊 Vulnerability Summary

Severity   Count
Critical   4
Total      4

4 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable

@danibarranqueroo (Member) left a comment

Really good job! 🚀 Just one additional thing:

Could you double-check the None cases in these checks against Google’s documented Policy API defaults? I think it’d be good to confirm that every missing field is being interpreted the right way. You can use this page as reference https://docs.cloud.google.com/identity/docs/concepts/policy-api-concepts?hl=es#default_field_values

Comment thread on prowler/compliance/googleworkspace/cis_1.3_googleworkspace.json

@danibarranqueroo (Member) left a comment

Thanks for this, really good job! 🚀

@pedrooot (Member) left a comment

Thanks for this! 🥇

@danibarranqueroo danibarranqueroo merged commit 962ebac into master May 7, 2026
27 checks passed
@danibarranqueroo danibarranqueroo deleted the PROWLER-1452-implement-gmail-consequence-based-checks-for-google-workspace-provider-pr-2 branch May 7, 2026 14:50