fix(api): skip scan tasks when provider was deleted (#11185)

api/CHANGELOG.md

@@ -13,6 +13,10 @@ All notable changes to the **Prowler API** are documented in this file.
 - Replace `poetry` with `uv` (`0.11.14`) as the API package manager; migrate `pyproject.toml` to `[dependency-groups]` and regenerate as `uv.lock` [(#10775)](https://github.com/prowler-cloud/prowler/pull/10775)
 - Remove orphaned `gin_resources_search_idx` declaration from `Resource.Meta.indexes` (DB index dropped in `0072_drop_unused_indexes`) [(#11001)](https://github.com/prowler-cloud/prowler/pull/11001)
 
+### 🐞 Fixed
+
+- `perform_scan_task` and `perform_scheduled_scan_task` now short-circuit with a warning and `return None` when the target provider no longer exists, instead of letting `handle_provider_deletion` raise `ProviderDeletedException`. `perform_scheduled_scan_task` also removes any orphan `PeriodicTask` it finds so beat stops re-firing scans for deleted providers. Prevents queued messages for deleted providers from being recorded as `FAILURE` and, in one-shot scan-worker deployments, from burning a fresh container per redelivery [(#11185)](https://github.com/prowler-cloud/prowler/pull/11185)
+
 ---
 
 ## [1.27.2] (Prowler UNRELEASED)

api/src/backend/tasks/tasks.py

@@ -69,7 +69,7 @@ from tasks.utils import (
 
 from api.compliance import get_compliance_frameworks
 from api.db_router import READ_REPLICA_ALIAS
-from api.db_utils import rls_transaction
+from api.db_utils import delete_related_daily_task, rls_transaction
 from api.decorators import handle_provider_deletion, set_tenant
 from api.models import Finding, Integration, Provider, Scan, ScanSummary, StateChoices
 from api.utils import initialize_prowler_provider
@@ -274,6 +274,17 @@ def perform_scan_task(
     Returns:
         dict: The result of the scan execution, typically including the status and results of the performed checks.
     """
+    with rls_transaction(tenant_id):
+        if not Provider.objects.filter(pk=provider_id).exists():
+            logger.warning(
+                "scan-perform skipped: provider %s no longer exists "
+                "(tenant=%s, scan=%s)",
+                provider_id,
+                tenant_id,
+                scan_id,
+            )
+            return None
+
     result = perform_prowler_scan(
         tenant_id=tenant_id,
         scan_id=scan_id,
@@ -310,6 +321,16 @@ def perform_scheduled_scan_task(self, tenant_id: str, provider_id: str):
     task_id = self.request.id
 
     with rls_transaction(tenant_id):
+        if not Provider.objects.filter(pk=provider_id).exists():
+            logger.warning(
+                "scheduled scan-perform skipped: provider %s no longer exists "
+                "(tenant=%s)",
+                provider_id,
+                tenant_id,
+            )
+            delete_related_daily_task(provider_id)
+            return None
+
         periodic_task_instance = PeriodicTask.objects.get(
             name=f"scan-perform-scheduled-{provider_id}"
         )

api/src/backend/tasks/tests/test_tasks.py

@@ -21,6 +21,7 @@ from tasks.tasks import (
     check_lighthouse_provider_connection_task,
     generate_outputs_task,
     perform_attack_paths_scan_task,
+    perform_scan_task,
     perform_scheduled_scan_task,
     reaggregate_all_finding_group_summaries_task,
     refresh_lighthouse_provider_models_task,
@@ -2454,6 +2455,57 @@ class TestPerformScheduledScanTask:
             == 1
         )
 
+    def test_no_op_when_provider_does_not_exist(self, tenants_fixture):
+        """Return None without raising when the provider was already deleted."""
+        tenant = tenants_fixture[0]
+        missing_provider_id = str(uuid.uuid4())
+        task_id = str(uuid.uuid4())
+        self._create_task_result(tenant.id, task_id)
+        # Orphan PeriodicTask left behind from a previous lifecycle.
+        self._create_periodic_task(missing_provider_id, tenant.id)
+        orphan_name = f"scan-perform-scheduled-{missing_provider_id}"
+        assert PeriodicTask.objects.filter(name=orphan_name).exists()
+
+        with (
+            patch("tasks.tasks.perform_prowler_scan") as mock_scan,
+            patch("tasks.tasks._perform_scan_complete_tasks") as mock_complete_tasks,
+            self._override_task_request(perform_scheduled_scan_task, id=task_id),
+        ):
+            result = perform_scheduled_scan_task.run(
+                tenant_id=str(tenant.id), provider_id=missing_provider_id
+            )
+
+        assert result is None
+        mock_scan.assert_not_called()
+        mock_complete_tasks.assert_not_called()
+        # Orphan PeriodicTask is cleaned up so beat stops re-firing it.
+        assert not PeriodicTask.objects.filter(name=orphan_name).exists()
+
+
+@pytest.mark.django_db
+class TestPerformScanTask:
+    """Unit tests for perform_scan_task."""
+
+    def test_no_op_when_provider_does_not_exist(self, tenants_fixture):
+        """Return None without raising when the provider was already deleted."""
+        tenant = tenants_fixture[0]
+        missing_provider_id = str(uuid.uuid4())
+        scan_id = str(uuid.uuid4())
+
+        with (
+            patch("tasks.tasks.perform_prowler_scan") as mock_scan,
+            patch("tasks.tasks._perform_scan_complete_tasks") as mock_complete_tasks,
+        ):
+            result = perform_scan_task.run(
+                tenant_id=str(tenant.id),
+                scan_id=scan_id,
+                provider_id=missing_provider_id,
+            )
+
+        assert result is None
+        mock_scan.assert_not_called()
+        mock_complete_tasks.assert_not_called()
+
 
 @pytest.mark.django_db
 class TestReaggregateAllFindingGroupSummaries:

docs/docs.json

@@ -353,7 +353,8 @@
             "group": "Cookbooks",
             "pages": [
               "user-guide/cookbooks/kubernetes-in-cluster",
-              "user-guide/cookbooks/cicd-pipeline"
+              "user-guide/cookbooks/cicd-pipeline",
+              "user-guide/cookbooks/powerbi-cis-benchmarks"
             ]
           }
         ]

docs/user-guide/cookbooks/powerbi-cis-benchmarks.mdx

@@ -0,0 +1,168 @@
+---
+title: "Visualize Multi-Cloud CIS Benchmarks With Power BI"
+description: "Ingest Prowler compliance CSV exports into a ready-made Microsoft Power BI template that surfaces CIS Benchmark posture across AWS, Azure, Google Cloud, and Kubernetes."
+---
+
+The Multi-Cloud CIS Benchmarks Power BI template turns Prowler compliance CSV exports into an interactive dashboard. The template ingests scan results from Prowler CLI or Prowler Cloud and renders cross-provider CIS Benchmark coverage, profile-level breakdowns, regional drill-downs, and time-series trends. Center for Internet Security (CIS) Benchmarks are industry-standard configuration baselines maintained by CIS.
+
+The template and its source files live in the Prowler repository under [`contrib/PowerBI/Multicloud CIS Benchmarks`](https://github.com/prowler-cloud/prowler/tree/master/contrib/PowerBI/Multicloud%20CIS%20Benchmarks).
+
+<img src="/images/powerbi/report-cover.png" alt="Multi-Cloud CIS Benchmarks Power BI report cover showing aggregated compliance posture across providers" width="900" />
+
+## Prerequisites
+
+The setup requires the following components:
+
+* **Microsoft Power BI Desktop:** free download from Microsoft.
+* **Prowler compliance CSV exports:** produced by Prowler CLI or downloaded from Prowler Cloud or Prowler App.
+* **Local directory:** holds the CSV exports that the template ingests at load time.
+
+## Supported CIS Benchmarks
+
+The template ships with predefined mappings for the following CIS Benchmark versions. Exports must match these versions for the dashboard to populate correctly:
+
+| Compliance Framework                           | Version  |
+| ---------------------------------------------- | -------- |
+| CIS Amazon Web Services Foundations Benchmark  | v6.0     |
+| CIS Microsoft Azure Foundations Benchmark      | v5.0     |
+| CIS Google Cloud Platform Foundation Benchmark | v4.0     |
+| CIS Kubernetes Benchmark                       | v1.12.0  |
+
+<Warning>
+Other CIS Benchmark versions are not recognized by the template. Confirm the framework version before running the scan or downloading the export.
+</Warning>
+
+## Setup
+
+### Step 1: Install Microsoft Power BI Desktop
+
+Download and install Microsoft Power BI Desktop from the official Microsoft site. The template is opened with this application.
+
+### Step 2: Generate Compliance CSV Exports
+
+Compliance CSV exports can be generated through Prowler CLI or downloaded from Prowler Cloud and Prowler App.
+
+#### Option A: Prowler CLI
+
+Run a scan with the `--compliance` flag pointing to the appropriate CIS framework, for example:
+
+```sh
+prowler aws --compliance cis_6.0_aws
+prowler azure --compliance cis_5.0_azure
+prowler gcp --compliance cis_4.0_gcp
+prowler kubernetes --compliance cis_1.12_kubernetes
+```
+
+The compliance CSV exports are written to `output/compliance/` by default.
+
+#### Option B: Prowler Cloud or Prowler App
+
+Open the Compliance section, select the desired CIS Benchmark, and download the CSV export.
+
+<img src="/images/powerbi/download-compliance-scan.png" alt="Compliance section in Prowler Cloud showing the CSV download option for a CIS Benchmark scan" width="900" />
+
+### Step 3: Create a Local Directory for the Exports
+
+Place every CSV export in a single local directory. The template parses filenames to detect the provider, so filenames must keep the provider keyword (`aws`, `azure`, `gcp`, or `kubernetes`).
+
+<Note>
+Time-series visualizations such as "Compliance Percent Over Time" require multiple scans from different dates in the same directory.
+</Note>
+
+### Step 4: Open the Power BI Template
+
+Download the template file [`Prowler Multicloud CIS Benchmarks.pbit`](https://github.com/prowler-cloud/prowler/raw/master/contrib/PowerBI/Multicloud%20CIS%20Benchmarks/Prowler%20Multicloud%20CIS%20Benchmarks.pbit) and open it. Power BI Desktop prompts for the full filepath to the directory created in step 3.
+
+### Step 5: Provide the Directory Filepath
+
+Enter the absolute filepath without quotation marks. The Windows "copy as path" feature wraps the path in quotation marks automatically; remove them before submitting.
+
+### Step 6: Save the Report as a `.pbix` File
+
+Once the filepath is submitted, the template ingests the CSV exports and renders the report. Save the populated report as a `.pbix` file for future use. Re-running the `.pbit` template generates a fresh report against an updated directory.
+
+## Validation
+
+To confirm the CSV exports were ingested correctly, open the "Configuration" tab inside the report.
+
+<img src="/images/powerbi/validation.png" alt="Configuration tab in the Power BI report displaying loaded CIS Benchmarks, the Prowler CSV folder path, and the list of ingested exports" width="900" />
+
+The "Configuration" tab exposes three tables:
+
+* **Loaded CIS Benchmarks:** lists the benchmarks and versions supported by the template. This table is defined by the template itself and is not editable. All benchmarks remain listed regardless of which provider exports were supplied.
+* **Prowler CSV Folder:** displays the absolute path provided during template load.
+* **Loaded Prowler Exports:** lists every CSV file detected in the directory. A green checkmark identifies the file used as the latest assessment for each provider and benchmark combination.
+
+## Report Sections
+
+The report is organized into three navigable pages:
+
+| Report Page | Purpose                                                                              |
+| ----------- | ------------------------------------------------------------------------------------ |
+| Overview    | Aggregates CIS Benchmark posture across AWS, Azure, Google Cloud, and Kubernetes.    |
+| Benchmark   | Focuses on a single CIS Benchmark with profile-level and regional filters.           |
+| Requirement | Drill-through page that surfaces details for a single benchmark requirement.         |
+
+### Overview Page
+
+The Overview page summarizes CIS Benchmark posture across every supported provider.
+
+<img src="/images/powerbi/overview-page.png" alt="Overview page in the Power BI report aggregating CIS Benchmark posture across AWS, Azure, Google Cloud, and Kubernetes" width="900" />
+
+The Overview page contains the following components:
+
+| Component                                | Description                                                                  |
+| ---------------------------------------- | ---------------------------------------------------------------------------- |
+| CIS Benchmark Overview                   | Table listing benchmark name, version, and overall compliance percentage.    |
+| Provider by Requirement Status           | Bar chart breaking down requirements by status and provider.                 |
+| Compliance Percent Heatmap               | Heatmap of compliance percentage by benchmark and profile level.             |
+| Profile Level by Requirement Status      | Bar chart breaking down requirements by status and profile level.            |
+| Compliance Percent Over Time by Provider | Line chart tracking overall compliance percentage over time by provider.     |
+
+### Benchmark Page
+
+The Benchmark page focuses on a single CIS Benchmark. The benchmark, profile level, and region can be selected through dropdown filters.
+
+<img src="/images/powerbi/benchmark-page.png" alt="Benchmark page in the Power BI report showing region heatmap, section breakdown, time-series trend, and the requirements table" width="900" />
+
+The Benchmark page contains the following components:
+
+| Component                                | Description                                                                                                                       |
+| ---------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- |
+| Compliance Percent Heatmap               | Heatmap of compliance percentage by region and profile level.                                                                     |
+| Benchmark Section by Requirement Status  | Bar chart of requirements grouped by benchmark section and status.                                                                |
+| Compliance Percent Over Time by Region   | Line chart tracking compliance percentage over time by region.                                                                    |
+| Benchmark Requirements                   | Table listing requirement section, requirement number, requirement title, number of resources tested, status, and failing checks. |
+
+### Requirement Page
+
+The Requirement page is a drill-through view that exposes the full context of a single requirement. To populate the page, right-click a row in the "Benchmark Requirements" table on the Benchmark page and select "Drill through" > "Requirement".
+
+<img src="/images/powerbi/requirement-page.png" alt="Requirement drill-through page in the Power BI report showing rationale, remediation, regional breakdown, and the resource-level check results" width="900" />
+
+The Requirement page contains the following components:
+
+| Component                                  | Description                                                                                  |
+| ------------------------------------------ | -------------------------------------------------------------------------------------------- |
+| Title                                      | Requirement title.                                                                           |
+| Rationale                                  | Rationale for the requirement.                                                               |
+| Remediation                                | Remediation guidance for the requirement.                                                    |
+| Region by Check Status                     | Bar chart of Prowler check results grouped by region and status.                             |
+| Resource Checks for Benchmark Requirements | Table listing resource ID, resource name, status, description, and the underlying Prowler check. |
+
+## Walkthrough Video
+
+A full walkthrough is available on YouTube:
+
+[![Multi-Cloud CIS Benchmarks Power BI walkthrough video thumbnail](/images/powerbi/walkthrough-video-thumb.png)](https://www.youtube.com/watch?v=lfKFkTqBxjU)
+
+## Related Resources
+
+<CardGroup cols={2}>
+  <Card title="Compliance Frameworks" icon="shield-check" href="/user-guide/compliance/tutorials/compliance">
+    Review the Compliance workflow across Prowler Cloud, Prowler App, and Prowler CLI.
+  </Card>
+  <Card title="Prowler Dashboard" icon="chart-line" href="/user-guide/cli/tutorials/dashboard">
+    Explore the built-in local dashboard for Prowler CSV exports.
+  </Card>
+</CardGroup>

docs/user-guide/providers/googleworkspace/authentication.mdx

@@ -18,7 +18,7 @@ Prowler requests the following read-only OAuth 2.0 scopes:
 | `https://www.googleapis.com/auth/admin.directory.domain.readonly` | Read access to domain information |
 | `https://www.googleapis.com/auth/admin.directory.customer.readonly` | Read access to customer information (Customer ID) |
 | `https://www.googleapis.com/auth/admin.directory.orgunit.readonly` | Read access to organizational unit hierarchy (identifies the root OU for policy filtering) |
-| `https://www.googleapis.com/auth/cloud-identity.policies.readonly` | Read access to domain-level application policies (required for Calendar service checks) |
+| `https://www.googleapis.com/auth/cloud-identity.policies.readonly` | Read access to domain-level application policies (required for Calendar, Gmail, Chat, and Drive service checks) |
 | `https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly` | Read access to admin roles and role assignments |
 
 <Warning>
@@ -40,7 +40,7 @@ In the [Google Cloud Console](https://console.cloud.google.com), select the targ
 | API | Required For |
 |-----|--------------|
 | **Admin SDK API** | Directory service checks (users, roles, domains) |
-| **Cloud Identity API** | Calendar service checks (domain-level sharing and invitation policies) |
+| **Cloud Identity API** | Calendar, Gmail, Chat, and Drive service checks (domain-level application policies) |
 
 For each API:
 
@@ -49,7 +49,7 @@ For each API:
 3. Click **Enable**
 
 <Note>
-Both APIs must be enabled in the same GCP project that hosts the Service Account. Calendar checks will return no findings if the Cloud Identity API is not enabled.
+Both APIs must be enabled in the same GCP project that hosts the Service Account. Calendar, Gmail, Chat, and Drive checks will return no findings if the Cloud Identity API is not enabled.
 </Note>
 
 ### Step 3: Create a Service Account
@@ -176,9 +176,9 @@ If Prowler connects but returns empty results or permission errors for specific
 - Verify all scopes are authorized in the Admin Console
 - Ensure the delegated user is an active super administrator
 
-### Calendar Checks Return No Findings
+### Policy API Checks Return No Findings
 
-If the Directory checks run successfully but the Calendar checks (e.g., `calendar_external_sharing_primary_calendar`) return no findings, the Cloud Identity Policy API is not reachable for this Service Account. Verify:
+If the Directory checks run successfully but the Calendar, Gmail, Chat, or Drive checks return no findings, the Cloud Identity Policy API is not reachable for this Service Account. Verify:
 
 - The **Cloud Identity API** is enabled in the GCP project hosting the Service Account (Step 2)
 - The scope `https://www.googleapis.com/auth/cloud-identity.policies.readonly` is included in the Domain-Wide Delegation OAuth scopes list in the Admin Console (Step 5)

docs/user-guide/tutorials/PowerBI.mdx

@@ -1,115 +0,0 @@
-# Prowler Multicloud CIS Benchmarks PowerBI Template
-![Prowler Report](https://github.com/user-attachments/assets/560f7f83-1616-4836-811a-16963223c72f)
-
-## Getting Started
-
-1. Install Microsoft PowerBI Desktop
-
-   This report requires the Microsoft PowerBI Desktop software which can be downloaded for free from Microsoft.
-2. Run compliance scans in Prowler
-
-   The report uses compliance csv outputs from Prowler. Compliance scans be run using either [Prowler CLI](https://docs.prowler.com/projects/prowler-open-source/en/latest/#prowler-cli) or [Prowler Cloud/App](https://cloud.prowler.com/sign-in)
-   1. Prowler CLI -> Run a Prowler scan using the --compliance option
-   2. Prowler Cloud/App -> Navigate to the compliance section to download csv outputs
-![Download Compliance Scan](https://github.com/user-attachments/assets/42c11a60-8ce8-4c60-a663-2371199c052b)
-
-
-   The template supports the following CIS Benchmarks only:
-
-   | Compliance Framework                           | Version |
-   | ---------------------------------------------- | ------- |
-   | CIS Amazon Web Services Foundations Benchmark  | v4.0.1  |
-   | CIS Google Cloud Platform Foundation Benchmark | v3.0.0  |
-   | CIS Microsoft Azure Foundations Benchmark      | v3.0.0  |
-   | CIS Kubernetes Benchmark                       | v1.10.0 |
-
-   Ensure you run or download the correct benchmark versions.
-3. Create a local directory to store Prowler csvoutputs
-
-   Once downloaded, place your csv outputs in a directory on your local machine. If you rename the files, they must maintain the provider in the filename.
-
-   To use time-series capabilities such as "compliance percent over time" you'll need scans from multiple dates.
-4. Download and run the PowerBI template file (.pbit)
-
-   Running the .pbit file will open PowerBI Desktop and prompt you for the full filepath to the local directory
-5. Enter the full filepath to the directory created in step 3
-
-   Provide the full filepath from the root directory.
-
-   Ensure that the filepath is not wrapped in quotation marks (""). If you use Window's "copy as path" feature, it will automatically include quotation marks.
-6. Save the report as a PowerBI file (.pbix)
-
-   Once the filepath is entered, the template will automatically ingest and populate the report. You can then save this file as a new PowerBI report. If you'd like to generate another report, simply re-run the template file (.pbit) from step 4.
-
-## Validation
-
-After setting up your dashboard, you may want to validate the Prowler csv files were ingested correctly. To do this, navigate to the "Configuration" tab.
-
-The "loaded CIS Benchmarks" table shows the supported benchmarks and versions. This is defined by the template file and not editable by the user. All benchmarks will be loaded regardless of which providers you provided csv outputs for.
-
-The "Prowler CSV Folder" shows the path to the local directory you provided.
-
-The "Loaded Prowler Exports" table shows the ingested csv files from the local directory. It will mark files that are treated as the latest assessment with a green checkmark.
-
-![Prowler Validation](https://github.com/user-attachments/assets/a543ca9b-6cbe-4ad1-b32a-d4ac2163d447)
-
-## Report Sections
-
-The PowerBI Report is broken into three main report pages
-
-| Report Page | Description                                                                         |
-| ----------- | ----------------------------------------------------------------------------------- |
-| Overview    | Provides general CIS Benchmark overview across both AWS, Azure, GCP, and Kubernetes |
-| Benchmark   | Provides overview of a single CIS Benchmark                                         |
-| Requirement | Drill-through page to view details of a single requirement                          |
-
-
-### Overview Page
-
-The overview page is a general CIS Benchmark overview across both AWS, Azure, GCP, and Kubernetes.
-
-![image](https://github.com/user-attachments/assets/94164fa9-36a4-4bb9-890d-e9a9a63a3e7d)
-
-The page has the following components:
-
-| Component                                | Description                                                              |
-| ---------------------------------------- | ------------------------------------------------------------------------ |
-| CIS Benchmark Overview                   | Table with benchmark name, Version, and overall compliance percentage    |
-| Provider by Requirement Status           | Bar chart showing benchmark requirements by status by provider           |
-| Compliance Percent Heatmap               | Heatmap showing compliance percent by benchmark and profile level        |
-| Profile level by Requirement Status      | Bar chart showing requirements by status and profile level               |
-| Compliance Percent Over Time by Provider | Line chart showing overall compliance perecentage over time by provider. |
-
-### Benchmark Page
-
-The benchmark page provides an overview of a single CIS Benchmark. You can select the benchmark from the dropdown as well as scope down to specific profile levels or regions.
-
-![image](https://github.com/user-attachments/assets/34498ee8-317b-4b81-b241-c561451d8def)
-
-The page has the following components:
-
-| Component                               | Description                                                                                                                                |
-| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ |
-| Compliance Percent Heatmap              | Heatmap showing compliance percent by region and profile level                                                                             |
-| Benchmark Section by Requirement Status | Bar chart showing benchmark requirements by bennchmark section and status                                                                  |
-| Compliance percent Over Time by Region  | Line chart showing overall compliance percentage over time by region                                                                       |
-| Benchmark Requirements                  | Table showing requirement section, requirement number, reuqirement title, number of resources tested, status, and number of failing checks |
-
-### Requirement Page
-
-The requirement page is a drill-through page to view details of a single requirement. To populate the requirement page right click on a requiement from the "Benchmark Requirements" table on the benchmark page and select "Drill through" -> "Requirement".
-
-![image](https://github.com/user-attachments/assets/5c9172d9-56fe-4514-b341-7e708863fad6)
-
-The requirement page has the following components:
-
-| Component                                  | Description                                                                       |
-| ------------------------------------------ | --------------------------------------------------------------------------------- |
-| Title                                      | Title of the requirement                                                          |
-| Rationale                                  | Rationale of the requirement                                                      |
-| Remediation                                | Remedation guidance for the requirement                                           |
-| Region by Check Status                     | Bar chart showing Prowler checks by region and status                             |
-| Resource Checks for Benchmark Requirements | Table showing Resource ID, Resource Name, Status, Description, and Prowler Checkl |
-
-## Walkthrough Video
-[![image](https://github.com/user-attachments/assets/866642c6-43ac-4aac-83d3-bb625002da0b)](https://www.youtube.com/watch?v=lfKFkTqBxjU)

prowler/CHANGELOG.md

@@ -6,6 +6,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 
 ### 🚀 Added
 
+- 6 Chat file sharing, external messaging, spaces, and apps access checks for Google Workspace provider using the Cloud Identity Policy API [(#11126)](https://github.com/prowler-cloud/prowler/pull/11126)
 - `entra_service_principal_no_secrets_for_permanent_tier0_roles` check for M365 provider [(#10788)](https://github.com/prowler-cloud/prowler/pull/10788)
 - `iam_user_access_not_stale_to_sagemaker` check for AWS provider with configurable `max_unused_sagemaker_access_days` (default 90) [(#11000)](https://github.com/prowler-cloud/prowler/pull/11000)
 - `cloudtrail_bedrock_logging_enabled` check for AWS provider [(#10858)](https://github.com/prowler-cloud/prowler/pull/10858)
@@ -31,6 +32,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 ### 🐞 Fixed
 
 - `entra_users_mfa_capable` and `entra_break_glass_account_fido2_security_key_registered` report a preventive FAIL per affected user (with the missing permission named) when the M365 service principal lacks `AuditLog.Read.All`, instead of mass false positives [(#10907)](https://github.com/prowler-cloud/prowler/pull/10907)
+- Update duplicated GCP CIS requirements IDs [(#11180)](https://github.com/prowler-cloud/prowler/pull/11180)
 
 ---
 

prowler/compliance/gcp/cis_4.0_gcp.json

@@ -914,7 +914,7 @@
       ]
     },
     {
-      "Id": "3.1",
+      "Id": "3.10",
       "Description": "Use Identity Aware Proxy (IAP) to Ensure Only Traffic From Google IP Addresses are 'Allowed'",
       "Checks": [],
       "Attributes": [
@@ -1132,7 +1132,7 @@
       ]
     },
     {
-      "Id": "4.1",
+      "Id": "4.10",
       "Description": "Ensure That App Engine Applications Enforce HTTPS Connections",
       "Checks": [],
       "Attributes": [

prowler/compliance/googleworkspace/cis_1.3_googleworkspace.json

@@ -1084,7 +1084,9 @@
     {
       "Id": "3.1.4.1.1",
       "Description": "Ensure external filesharing in Google Chat and Hangouts is disabled",
-      "Checks": [],
+      "Checks": [
+        "chat_external_file_sharing_disabled"
+      ],
       "Attributes": [
         {
           "Section": "3 Apps",
@@ -1105,7 +1107,9 @@
     {
       "Id": "3.1.4.1.2",
       "Description": "Ensure internal filesharing in Google Chat and Hangouts is disabled",
-      "Checks": [],
+      "Checks": [
+        "chat_internal_file_sharing_disabled"
+      ],
       "Attributes": [
         {
           "Section": "3 Apps",
@@ -1126,7 +1130,9 @@
     {
       "Id": "3.1.4.2.1",
       "Description": "Ensure Google Chat externally is restricted to allowed domains",
-      "Checks": [],
+      "Checks": [
+        "chat_external_messaging_restricted"
+      ],
       "Attributes": [
         {
           "Section": "3 Apps",
@@ -1147,7 +1153,9 @@
     {
       "Id": "3.1.4.3.1",
       "Description": "Ensure external spaces in Google Chat and Hangouts are restricted",
-      "Checks": [],
+      "Checks": [
+        "chat_external_spaces_restricted"
+      ],
       "Attributes": [
         {
           "Section": "3 Apps",
@@ -1168,7 +1176,9 @@
     {
       "Id": "3.1.4.4.1",
       "Description": "Ensure allow users to install Chat apps is disabled",
-      "Checks": [],
+      "Checks": [
+        "chat_apps_installation_disabled"
+      ],
       "Attributes": [
         {
           "Section": "3 Apps",
@@ -1189,7 +1199,9 @@
     {
       "Id": "3.1.4.4.2",
       "Description": "Ensure allow users to add and use incoming webhooks is disabled",
-      "Checks": [],
+      "Checks": [
+        "chat_incoming_webhooks_disabled"
+      ],
       "Attributes": [
         {
           "Section": "3 Apps",

prowler/compliance/googleworkspace/cisa_scuba_0.6_googleworkspace.json

@@ -1466,7 +1466,9 @@
     {
       "Id": "GWS.CHAT.2.1",
       "Description": "External file sharing SHALL be disabled to protect sensitive information from unauthorized or accidental sharing",
-      "Checks": [],
+      "Checks": [
+        "chat_external_file_sharing_disabled"
+      ],
       "Attributes": [
         {
           "Section": "Chat",
@@ -1492,7 +1494,9 @@
     {
       "Id": "GWS.CHAT.4.1",
       "Description": "External chat messaging SHALL be restricted to allowlisted domains only",
-      "Checks": [],
+      "Checks": [
+        "chat_external_messaging_restricted"
+      ],
       "Attributes": [
         {
           "Section": "Chat",

prowler/providers/googleworkspace/services/chat/chat_apps_installation_disabled/chat_apps_installation_disabled.metadata.json

@@ -0,0 +1,39 @@
+{
+  "Provider": "googleworkspace",
+  "CheckID": "chat_apps_installation_disabled",
+  "CheckTitle": "Chat apps installation is disabled for users",
+  "CheckType": [],
+  "ServiceName": "chat",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "collaboration",
+  "Description": "Google Chat apps connect to external services to look up information, schedule meetings, or complete tasks. Apps are accounts created by Google, users in the organization, or third parties that can access user data including **email addresses**, **conversation content**, and **organizational information**.",
+  "Risk": "Unrestricted Chat app installation allows **unvetted third-party applications** to access user data including conversation content and organizational information. An attacker could distribute a malicious Chat app to **exfiltrate confidential data** or establish **persistent access** to internal communications.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://support.google.com/a/answer/6089179",
+    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Sign in to the Google **Admin console** at https://admin.google.com\n2. Navigate to **Apps** > **Google Workspace** > **Google Chat and classic Hangouts**\n3. Click **Chat apps**\n4. Under Chat apps access settings, set **Allow users to install Chat apps** to **OFF**\n5. Click **Save**",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Disable Chat apps installation to prevent **unvetted third-party applications** from accessing organizational data through the Chat platform.",
+      "Url": "https://hub.prowler.com/check/chat_apps_installation_disabled"
+    }
+  },
+  "Categories": [
+    "trust-boundaries"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [
+    "chat_incoming_webhooks_disabled"
+  ],
+  "Notes": ""
+}

prowler/providers/googleworkspace/services/chat/chat_apps_installation_disabled/chat_apps_installation_disabled.py

@@ -0,0 +1,52 @@
+from typing import List
+
+from prowler.lib.check.models import Check, CheckReportGoogleWorkspace
+from prowler.providers.googleworkspace.services.chat.chat_client import chat_client
+
+
+class chat_apps_installation_disabled(Check):
+    """Check that users cannot install Chat apps.
+
+    This check verifies that the domain-level Chat policy prevents users
+    from installing Chat apps, reducing the risk of data exposure through
+    third-party or unvetted applications.
+    """
+
+    def execute(self) -> List[CheckReportGoogleWorkspace]:
+        findings = []
+
+        if chat_client.policies_fetched:
+            report = CheckReportGoogleWorkspace(
+                metadata=self.metadata(),
+                resource=chat_client.policies,
+                resource_id="chatPolicies",
+                resource_name="Chat Policies",
+                customer_id=chat_client.provider.identity.customer_id,
+            )
+
+            apps_enabled = chat_client.policies.enable_apps
+
+            if apps_enabled is False:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Chat apps installation is disabled "
+                    f"in domain {chat_client.provider.identity.domain}."
+                )
+            elif apps_enabled is None:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Chat apps installation uses Google's secure default "
+                    f"configuration (disabled) "
+                    f"in domain {chat_client.provider.identity.domain}."
+                )
+            else:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"Chat apps installation is enabled "
+                    f"in domain {chat_client.provider.identity.domain}. "
+                    f"Chat apps installation should be disabled to prevent unvetted apps."
+                )
+
+            findings.append(report)
+
+        return findings

prowler/providers/googleworkspace/services/chat/chat_client.py

@@ -0,0 +1,4 @@
+from prowler.providers.common.provider import Provider
+from prowler.providers.googleworkspace.services.chat.chat_service import Chat
+
+chat_client = Chat(Provider.get_global_provider())

prowler/providers/googleworkspace/services/chat/chat_external_file_sharing_disabled/chat_external_file_sharing_disabled.metadata.json

@@ -0,0 +1,40 @@
+{
+  "Provider": "googleworkspace",
+  "CheckID": "chat_external_file_sharing_disabled",
+  "CheckTitle": "External file sharing in Chat is set to no files",
+  "CheckType": [],
+  "ServiceName": "chat",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "collaboration",
+  "Description": "Google Chat **external file sharing** controls whether users can share files with people outside the organization via Chat conversations. Files often contain **confidential information**, and organizations in regulated industries need to control the flow of this information outside their boundaries.",
+  "Risk": "Enabled external file sharing allows users to send files containing **confidential information** to external parties through Chat. This creates a **data leakage** channel that bypasses DLP controls, particularly dangerous for organizations handling **regulated data** such as PII, PHI, or financial records.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://support.google.com/a/answer/9540647",
+    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Sign in to the Google **Admin console** at https://admin.google.com\n2. Navigate to **Apps** > **Google Workspace** > **Google Chat and classic Hangouts**\n3. Click **Chat File Sharing**\n4. Under Setting, set **External filesharing** to **No files**\n5. Click **Save**",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Disable **external file sharing** in Chat to prevent users from sharing files with people outside the organization through Chat conversations.",
+      "Url": "https://hub.prowler.com/check/chat_external_file_sharing_disabled"
+    }
+  },
+  "Categories": [
+    "trust-boundaries"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [
+    "chat_internal_file_sharing_disabled",
+    "drive_sharing_allowlisted_domains"
+  ],
+  "Notes": ""
+}

prowler/providers/googleworkspace/services/chat/chat_external_file_sharing_disabled/chat_external_file_sharing_disabled.py

@@ -0,0 +1,52 @@
+from typing import List
+
+from prowler.lib.check.models import Check, CheckReportGoogleWorkspace
+from prowler.providers.googleworkspace.services.chat.chat_client import chat_client
+
+
+class chat_external_file_sharing_disabled(Check):
+    """Check that external file sharing in Google Chat is disabled.
+
+    This check verifies that the domain-level Chat policy prevents users
+    from sharing files with people outside the organization via Chat,
+    protecting sensitive information from unauthorized external access.
+    """
+
+    def execute(self) -> List[CheckReportGoogleWorkspace]:
+        findings = []
+
+        if chat_client.policies_fetched:
+            report = CheckReportGoogleWorkspace(
+                metadata=self.metadata(),
+                resource=chat_client.policies,
+                resource_id="chatPolicies",
+                resource_name="Chat Policies",
+                customer_id=chat_client.provider.identity.customer_id,
+            )
+
+            external_sharing = chat_client.policies.external_file_sharing
+
+            if external_sharing == "NO_FILES":
+                report.status = "PASS"
+                report.status_extended = (
+                    f"External file sharing in Chat is disabled "
+                    f"in domain {chat_client.provider.identity.domain}."
+                )
+            else:
+                report.status = "FAIL"
+                if external_sharing is None:
+                    report.status_extended = (
+                        f"External file sharing in Chat is not explicitly configured "
+                        f"in domain {chat_client.provider.identity.domain}. "
+                        f"External file sharing should be set to No files."
+                    )
+                else:
+                    report.status_extended = (
+                        f"External file sharing in Chat is set to {external_sharing} "
+                        f"in domain {chat_client.provider.identity.domain}. "
+                        f"External file sharing should be set to No files."
+                    )
+
+            findings.append(report)
+
+        return findings

prowler/providers/googleworkspace/services/chat/chat_external_messaging_restricted/chat_external_messaging_restricted.metadata.json

@@ -0,0 +1,40 @@
+{
+  "Provider": "googleworkspace",
+  "CheckID": "chat_external_messaging_restricted",
+  "CheckTitle": "External Chat messaging is restricted to allowed domains",
+  "CheckType": [],
+  "ServiceName": "chat",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "collaboration",
+  "Description": "Google Chat **external messaging** controls whether users can send messages to people outside the organization. If external messaging is allowed, it can optionally be restricted to only **allowlisted domains** to limit the scope of external communication.",
+  "Risk": "Unrestricted external messaging allows users to communicate freely with **any external party**, increasing the risk of **data exfiltration** through conversation content and **social engineering attacks** from untrusted domains targeting internal users.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://support.google.com/a/answer/9540647",
+    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Sign in to the Google **Admin console** at https://admin.google.com\n2. Navigate to **Apps** > **Google Workspace** > **Google Chat and classic Hangouts**\n3. Click **External Chat Settings**\n4. Select **Chat externally**\n5. Set **Allow users to send messages outside the organization** to **ON**\n6. Check **Only allow this for allowlisted domains**\n7. Click **Save**",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Restrict **external Chat messaging** to **allowlisted domains** only to limit information flow to trusted parties and reduce exposure to external threats.",
+      "Url": "https://hub.prowler.com/check/chat_external_messaging_restricted"
+    }
+  },
+  "Categories": [
+    "trust-boundaries"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [
+    "chat_external_spaces_restricted",
+    "drive_sharing_allowlisted_domains"
+  ],
+  "Notes": ""
+}

prowler/providers/googleworkspace/services/chat/chat_external_messaging_restricted/chat_external_messaging_restricted.py

@@ -0,0 +1,59 @@
+from typing import List
+
+from prowler.lib.check.models import Check, CheckReportGoogleWorkspace
+from prowler.providers.googleworkspace.services.chat.chat_client import chat_client
+
+
+class chat_external_messaging_restricted(Check):
+    """Check that external Chat messaging is restricted to allowed domains.
+
+    This check verifies that external Chat messaging is either disabled
+    entirely or restricted to allowlisted domains only, preventing
+    unrestricted communication with external users.
+    """
+
+    def execute(self) -> List[CheckReportGoogleWorkspace]:
+        findings = []
+
+        if chat_client.policies_fetched:
+            report = CheckReportGoogleWorkspace(
+                metadata=self.metadata(),
+                resource=chat_client.policies,
+                resource_id="chatPolicies",
+                resource_name="Chat Policies",
+                customer_id=chat_client.provider.identity.customer_id,
+            )
+
+            allow_external = chat_client.policies.allow_external_chat
+            restriction = chat_client.policies.external_chat_restriction
+
+            if allow_external is False:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"External Chat messaging is disabled "
+                    f"in domain {chat_client.provider.identity.domain}."
+                )
+            elif allow_external is None and restriction is None:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"External Chat messaging uses Google's secure default "
+                    f"configuration (disabled) "
+                    f"in domain {chat_client.provider.identity.domain}."
+                )
+            elif restriction == "TRUSTED_DOMAINS":
+                report.status = "PASS"
+                report.status_extended = (
+                    f"External Chat messaging is restricted to allowed domains "
+                    f"in domain {chat_client.provider.identity.domain}."
+                )
+            else:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"External Chat messaging is not restricted to allowed domains "
+                    f"in domain {chat_client.provider.identity.domain}. "
+                    f"External messaging should be restricted to allowed domains only."
+                )
+
+            findings.append(report)
+
+        return findings

prowler/providers/googleworkspace/services/chat/chat_external_spaces_restricted/chat_external_spaces_restricted.metadata.json

@@ -0,0 +1,40 @@
+{
+  "Provider": "googleworkspace",
+  "CheckID": "chat_external_spaces_restricted",
+  "CheckTitle": "External spaces in Chat are restricted to allowed domains",
+  "CheckType": [],
+  "ServiceName": "chat",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "collaboration",
+  "Description": "Google Chat **external spaces** allow users to create or join collaborative spaces that include people outside the organization. If external spaces are allowed, they can optionally be restricted to only **allowlisted domains** to limit external participation.",
+  "Risk": "Unrestricted external spaces allow users to add **anyone from any domain** to persistent group conversations. This increases the risk of **confidential information exposure** in shared spaces and enables **unauthorized external access** to ongoing organizational discussions.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://support.google.com/a/answer/9540647",
+    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Sign in to the Google **Admin console** at https://admin.google.com\n2. Navigate to **Apps** > **Google Workspace** > **Google Chat and classic Hangouts**\n3. Click **External Spaces**\n4. Set **Allow users to create and join spaces with people outside their organization** to **ON**\n5. Check **Only allow users to add people from allowlisted domains**\n6. Click **Save**",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Restrict **external spaces** to **allowlisted domains** only to control which external parties can participate in organizational Chat spaces.",
+      "Url": "https://hub.prowler.com/check/chat_external_spaces_restricted"
+    }
+  },
+  "Categories": [
+    "trust-boundaries"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [
+    "chat_external_messaging_restricted",
+    "drive_sharing_allowlisted_domains"
+  ],
+  "Notes": ""
+}

prowler/providers/googleworkspace/services/chat/chat_external_spaces_restricted/chat_external_spaces_restricted.py

@@ -0,0 +1,59 @@
+from typing import List
+
+from prowler.lib.check.models import Check, CheckReportGoogleWorkspace
+from prowler.providers.googleworkspace.services.chat.chat_client import chat_client
+
+
+class chat_external_spaces_restricted(Check):
+    """Check that external spaces in Google Chat are restricted.
+
+    This check verifies that external spaces are either disabled entirely
+    or restricted to allowlisted domains only, preventing users from
+    creating or joining spaces with unrestricted external participants.
+    """
+
+    def execute(self) -> List[CheckReportGoogleWorkspace]:
+        findings = []
+
+        if chat_client.policies_fetched:
+            report = CheckReportGoogleWorkspace(
+                metadata=self.metadata(),
+                resource=chat_client.policies,
+                resource_id="chatPolicies",
+                resource_name="Chat Policies",
+                customer_id=chat_client.provider.identity.customer_id,
+            )
+
+            spaces_enabled = chat_client.policies.external_spaces_enabled
+            allowlist_mode = chat_client.policies.external_spaces_domain_allowlist_mode
+
+            if spaces_enabled is False:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"External spaces are disabled "
+                    f"in domain {chat_client.provider.identity.domain}."
+                )
+            elif allowlist_mode == "TRUSTED_DOMAINS":
+                report.status = "PASS"
+                report.status_extended = (
+                    f"External spaces are restricted to allowed domains "
+                    f"in domain {chat_client.provider.identity.domain}."
+                )
+            else:
+                report.status = "FAIL"
+                if spaces_enabled is None and allowlist_mode is None:
+                    report.status_extended = (
+                        f"External spaces restriction is not explicitly configured "
+                        f"in domain {chat_client.provider.identity.domain}. "
+                        f"External spaces should be restricted to allowed domains only."
+                    )
+                else:
+                    report.status_extended = (
+                        f"External spaces are not restricted to allowed domains "
+                        f"in domain {chat_client.provider.identity.domain}. "
+                        f"External spaces should be restricted to allowed domains only."
+                    )
+
+            findings.append(report)
+
+        return findings

prowler/providers/googleworkspace/services/chat/chat_incoming_webhooks_disabled/chat_incoming_webhooks_disabled.metadata.json

@@ -0,0 +1,39 @@
+{
+  "Provider": "googleworkspace",
+  "CheckID": "chat_incoming_webhooks_disabled",
+  "CheckTitle": "Incoming webhooks in Chat are disabled for users",
+  "CheckType": [],
+  "ServiceName": "chat",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "medium",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "collaboration",
+  "Description": "**Incoming webhooks** let external applications post asynchronous messages into Google Chat spaces without being a Chat app. When enabled, users can configure webhooks and developers can call them to send content from **external applications**.",
+  "Risk": "Exposed webhook URLs allow **unauthorized content injection** into Chat spaces. Attackers can send **fraudulent or misleading messages** that appear to come from trusted services, creating a vector for **social engineering** and **phishing** within internal communications.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://support.google.com/a/answer/6089179",
+    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Sign in to the Google **Admin console** at https://admin.google.com\n2. Navigate to **Apps** > **Google Workspace** > **Google Chat and classic Hangouts**\n3. Click **Chat apps**\n4. Under Chat apps access settings, set **Allow users to add and use incoming webhooks** to **OFF**\n5. Click **Save**",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Disable **incoming webhooks** to prevent unauthenticated external applications from **injecting content** into internal Chat spaces.",
+      "Url": "https://hub.prowler.com/check/chat_incoming_webhooks_disabled"
+    }
+  },
+  "Categories": [
+    "trust-boundaries"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [
+    "chat_apps_installation_disabled"
+  ],
+  "Notes": ""
+}

prowler/providers/googleworkspace/services/chat/chat_incoming_webhooks_disabled/chat_incoming_webhooks_disabled.py

@@ -0,0 +1,52 @@
+from typing import List
+
+from prowler.lib.check.models import Check, CheckReportGoogleWorkspace
+from prowler.providers.googleworkspace.services.chat.chat_client import chat_client
+
+
+class chat_incoming_webhooks_disabled(Check):
+    """Check that incoming webhooks are disabled in Google Chat.
+
+    This check verifies that the domain-level Chat policy prevents users
+    from adding and using incoming webhooks, reducing the risk of
+    unauthorized content being posted into Chat spaces.
+    """
+
+    def execute(self) -> List[CheckReportGoogleWorkspace]:
+        findings = []
+
+        if chat_client.policies_fetched:
+            report = CheckReportGoogleWorkspace(
+                metadata=self.metadata(),
+                resource=chat_client.policies,
+                resource_id="chatPolicies",
+                resource_name="Chat Policies",
+                customer_id=chat_client.provider.identity.customer_id,
+            )
+
+            webhooks_enabled = chat_client.policies.enable_webhooks
+
+            if webhooks_enabled is False:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Incoming webhooks are disabled "
+                    f"in domain {chat_client.provider.identity.domain}."
+                )
+            elif webhooks_enabled is None:
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Incoming webhooks use Google's secure default "
+                    f"configuration (disabled) "
+                    f"in domain {chat_client.provider.identity.domain}."
+                )
+            else:
+                report.status = "FAIL"
+                report.status_extended = (
+                    f"Incoming webhooks are enabled "
+                    f"in domain {chat_client.provider.identity.domain}. "
+                    f"Incoming webhooks should be disabled to prevent unauthorized content."
+                )
+
+            findings.append(report)
+
+        return findings

prowler/providers/googleworkspace/services/chat/chat_internal_file_sharing_disabled/chat_internal_file_sharing_disabled.metadata.json

@@ -0,0 +1,39 @@
+{
+  "Provider": "googleworkspace",
+  "CheckID": "chat_internal_file_sharing_disabled",
+  "CheckTitle": "Internal file sharing in Chat is set to no files",
+  "CheckType": [],
+  "ServiceName": "chat",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "",
+  "Severity": "low",
+  "ResourceType": "NotDefined",
+  "ResourceGroup": "collaboration",
+  "Description": "Google Chat **internal file sharing** controls whether users can share files with other people inside the organization via Chat conversations. Organizations in regulated industries may need to **control and audit** all file sharing, even between internal users.",
+  "Risk": "Unrestricted internal file sharing in Chat allows files with **sensitive information** to be distributed freely without passing through approved channels. This undermines **data governance** and **audit trail** requirements, making it harder to track data movement within the organization.",
+  "RelatedUrl": "",
+  "AdditionalURLs": [
+    "https://support.google.com/a/answer/9540647",
+    "https://cloud.google.com/identity/docs/concepts/supported-policy-api-settings"
+  ],
+  "Remediation": {
+    "Code": {
+      "CLI": "",
+      "NativeIaC": "",
+      "Other": "1. Sign in to the Google **Admin console** at https://admin.google.com\n2. Navigate to **Apps** > **Google Workspace** > **Google Chat and classic Hangouts**\n3. Click **Chat File Sharing**\n4. Under Setting, set **Internal filesharing** to **No files**\n5. Click **Save**",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Disable **internal file sharing** in Chat to enforce file distribution through **approved channels** with proper audit trails and governance controls.",
+      "Url": "https://hub.prowler.com/check/chat_internal_file_sharing_disabled"
+    }
+  },
+  "Categories": [
+    "trust-boundaries"
+  ],
+  "DependsOn": [],
+  "RelatedTo": [
+    "chat_external_file_sharing_disabled"
+  ],
+  "Notes": ""
+}

prowler/providers/googleworkspace/services/chat/chat_internal_file_sharing_disabled/chat_internal_file_sharing_disabled.py

@@ -0,0 +1,52 @@
+from typing import List
+
+from prowler.lib.check.models import Check, CheckReportGoogleWorkspace
+from prowler.providers.googleworkspace.services.chat.chat_client import chat_client
+
+
+class chat_internal_file_sharing_disabled(Check):
+    """Check that internal file sharing in Google Chat is disabled.
+
+    This check verifies that the domain-level Chat policy prevents users
+    from sharing files internally via Chat, providing maximum control over
+    file distribution within the organization.
+    """
+
+    def execute(self) -> List[CheckReportGoogleWorkspace]:
+        findings = []
+
+        if chat_client.policies_fetched:
+            report = CheckReportGoogleWorkspace(
+                metadata=self.metadata(),
+                resource=chat_client.policies,
+                resource_id="chatPolicies",
+                resource_name="Chat Policies",
+                customer_id=chat_client.provider.identity.customer_id,
+            )
+
+            internal_sharing = chat_client.policies.internal_file_sharing
+
+            if internal_sharing == "NO_FILES":
+                report.status = "PASS"
+                report.status_extended = (
+                    f"Internal file sharing in Chat is disabled "
+                    f"in domain {chat_client.provider.identity.domain}."
+                )
+            else:
+                report.status = "FAIL"
+                if internal_sharing is None:
+                    report.status_extended = (
+                        f"Internal file sharing in Chat is not explicitly configured "
+                        f"in domain {chat_client.provider.identity.domain}. "
+                        f"Internal file sharing should be set to No files."
+                    )
+                else:
+                    report.status_extended = (
+                        f"Internal file sharing in Chat is set to {internal_sharing} "
+                        f"in domain {chat_client.provider.identity.domain}. "
+                        f"Internal file sharing should be set to No files."
+                    )
+
+            findings.append(report)
+
+        return findings

prowler/providers/googleworkspace/services/chat/chat_service.py

@@ -0,0 +1,125 @@
+from typing import Optional
+
+from pydantic import BaseModel
+
+from prowler.lib.logger import logger
+from prowler.providers.googleworkspace.lib.service.service import GoogleWorkspaceService
+
+
+class Chat(GoogleWorkspaceService):
+    """Google Workspace Chat service for auditing domain-level Chat policies.
+
+    Uses the Cloud Identity Policy API v1 to read Chat file sharing, external
+    messaging, spaces, and apps access settings configured in the Admin Console.
+    """
+
+    def __init__(self, provider):
+        super().__init__(provider)
+        self.policies = ChatPolicies()
+        self.policies_fetched = False
+        self._fetch_chat_policies()
+
+    def _fetch_chat_policies(self):
+        """Fetch Chat policies from the Cloud Identity Policy API v1."""
+        logger.info("Chat - Fetching Chat policies...")
+
+        try:
+            service = self._build_service("cloudidentity", "v1")
+
+            if not service:
+                logger.error("Failed to build Cloud Identity service")
+                return
+
+            request = service.policies().list(
+                pageSize=100,
+                filter='setting.type.matches("chat.*")',
+            )
+            fetch_succeeded = True
+
+            while request is not None:
+                try:
+                    response = request.execute()
+
+                    for policy in response.get("policies", []):
+                        if not self._is_customer_level_policy(policy):
+                            continue
+
+                        setting = policy.get("setting", {})
+                        setting_type = setting.get("type", "").removeprefix("settings/")
+                        logger.debug(f"Processing setting type: {setting_type}")
+
+                        value = setting.get("value", {})
+
+                        if setting_type == "chat.chat_file_sharing":
+                            self.policies.external_file_sharing = value.get(
+                                "externalFileSharing"
+                            )
+                            self.policies.internal_file_sharing = value.get(
+                                "internalFileSharing"
+                            )
+                            logger.debug("Chat file sharing settings fetched.")
+
+                        elif setting_type == "chat.external_chat_restriction":
+                            self.policies.allow_external_chat = value.get(
+                                "allowExternalChat"
+                            )
+                            self.policies.external_chat_restriction = value.get(
+                                "externalChatRestriction"
+                            )
+                            logger.debug(
+                                "Chat external chat restriction settings fetched."
+                            )
+
+                        elif setting_type == "chat.chat_external_spaces":
+                            self.policies.external_spaces_enabled = value.get("enabled")
+                            self.policies.external_spaces_domain_allowlist_mode = (
+                                value.get("domainAllowlistMode")
+                            )
+                            logger.debug("Chat external spaces settings fetched.")
+
+                        elif setting_type == "chat.chat_apps_access":
+                            self.policies.enable_apps = value.get("enableApps")
+                            self.policies.enable_webhooks = value.get("enableWebhooks")
+                            logger.debug("Chat apps access settings fetched.")
+
+                    request = service.policies().list_next(request, response)
+
+                except Exception as error:
+                    self._handle_api_error(
+                        error,
+                        "fetching Chat policies",
+                        self.provider.identity.customer_id,
+                    )
+                    fetch_succeeded = False
+                    break
+
+            self.policies_fetched = fetch_succeeded
+            logger.info("Chat policies fetched successfully.")
+
+        except Exception as error:
+            self._handle_api_error(
+                error,
+                "fetching Chat policies",
+                self.provider.identity.customer_id,
+            )
+            self.policies_fetched = False
+
+
+class ChatPolicies(BaseModel):
+    """Model for domain-level Chat policy settings."""
+
+    # chat.chat_file_sharing
+    external_file_sharing: Optional[str] = None
+    internal_file_sharing: Optional[str] = None
+
+    # chat.external_chat_restriction
+    allow_external_chat: Optional[bool] = None
+    external_chat_restriction: Optional[str] = None
+
+    # chat.chat_external_spaces
+    external_spaces_enabled: Optional[bool] = None
+    external_spaces_domain_allowlist_mode: Optional[str] = None
+
+    # chat.chat_apps_access
+    enable_apps: Optional[bool] = None
+    enable_webhooks: Optional[bool] = None

tests/providers/googleworkspace/services/chat/chat_apps_installation_disabled/chat_apps_installation_disabled_test.py

@@ -0,0 +1,119 @@
+from unittest.mock import patch
+
+from prowler.providers.googleworkspace.services.chat.chat_service import ChatPolicies
+from tests.providers.googleworkspace.googleworkspace_fixtures import (
+    CUSTOMER_ID,
+    set_mocked_googleworkspace_provider,
+)
+
+
+class TestChatAppsInstallationDisabled:
+    def test_pass(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_apps_installation_disabled.chat_apps_installation_disabled.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_apps_installation_disabled.chat_apps_installation_disabled import (
+                chat_apps_installation_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = ChatPolicies(enable_apps=False)
+
+            check = chat_apps_installation_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "PASS"
+            assert "disabled" in findings[0].status_extended
+            assert findings[0].resource_name == "Chat Policies"
+            assert findings[0].resource_id == "chatPolicies"
+            assert findings[0].customer_id == CUSTOMER_ID
+            assert findings[0].resource == ChatPolicies(enable_apps=False).dict()
+
+    def test_fail_enabled(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_apps_installation_disabled.chat_apps_installation_disabled.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_apps_installation_disabled.chat_apps_installation_disabled import (
+                chat_apps_installation_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = ChatPolicies(enable_apps=True)
+
+            check = chat_apps_installation_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "FAIL"
+            assert "enabled" in findings[0].status_extended
+
+    def test_pass_no_policy_set(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_apps_installation_disabled.chat_apps_installation_disabled.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_apps_installation_disabled.chat_apps_installation_disabled import (
+                chat_apps_installation_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = ChatPolicies(enable_apps=None)
+
+            check = chat_apps_installation_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "PASS"
+            assert "secure default" in findings[0].status_extended
+
+    def test_no_findings_when_fetch_failed(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_apps_installation_disabled.chat_apps_installation_disabled.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_apps_installation_disabled.chat_apps_installation_disabled import (
+                chat_apps_installation_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = False
+            mock_client.policies = ChatPolicies()
+
+            check = chat_apps_installation_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 0

tests/providers/googleworkspace/services/chat/chat_external_file_sharing_disabled/chat_external_file_sharing_disabled_test.py

@@ -0,0 +1,149 @@
+from unittest.mock import patch
+
+from prowler.providers.googleworkspace.services.chat.chat_service import ChatPolicies
+from tests.providers.googleworkspace.googleworkspace_fixtures import (
+    CUSTOMER_ID,
+    set_mocked_googleworkspace_provider,
+)
+
+
+class TestChatExternalFileSharingDisabled:
+    def test_pass(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_external_file_sharing_disabled.chat_external_file_sharing_disabled.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_external_file_sharing_disabled.chat_external_file_sharing_disabled import (
+                chat_external_file_sharing_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = ChatPolicies(external_file_sharing="NO_FILES")
+
+            check = chat_external_file_sharing_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "PASS"
+            assert "disabled" in findings[0].status_extended
+            assert findings[0].resource_name == "Chat Policies"
+            assert findings[0].resource_id == "chatPolicies"
+            assert findings[0].customer_id == CUSTOMER_ID
+            assert (
+                findings[0].resource
+                == ChatPolicies(external_file_sharing="NO_FILES").dict()
+            )
+
+    def test_fail_all_files(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_external_file_sharing_disabled.chat_external_file_sharing_disabled.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_external_file_sharing_disabled.chat_external_file_sharing_disabled import (
+                chat_external_file_sharing_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = ChatPolicies(external_file_sharing="ALL_FILES")
+
+            check = chat_external_file_sharing_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "FAIL"
+            assert "ALL_FILES" in findings[0].status_extended
+
+    def test_fail_images_only(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_external_file_sharing_disabled.chat_external_file_sharing_disabled.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_external_file_sharing_disabled.chat_external_file_sharing_disabled import (
+                chat_external_file_sharing_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = ChatPolicies(external_file_sharing="IMAGES_ONLY")
+
+            check = chat_external_file_sharing_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "FAIL"
+            assert "IMAGES_ONLY" in findings[0].status_extended
+
+    def test_fail_no_policy_set(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_external_file_sharing_disabled.chat_external_file_sharing_disabled.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_external_file_sharing_disabled.chat_external_file_sharing_disabled import (
+                chat_external_file_sharing_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = ChatPolicies(external_file_sharing=None)
+
+            check = chat_external_file_sharing_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "FAIL"
+            assert "not explicitly configured" in findings[0].status_extended
+
+    def test_no_findings_when_fetch_failed(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_external_file_sharing_disabled.chat_external_file_sharing_disabled.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_external_file_sharing_disabled.chat_external_file_sharing_disabled import (
+                chat_external_file_sharing_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = False
+            mock_client.policies = ChatPolicies()
+
+            check = chat_external_file_sharing_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 0

tests/providers/googleworkspace/services/chat/chat_external_messaging_restricted/chat_external_messaging_restricted_test.py

@@ -0,0 +1,154 @@
+from unittest.mock import patch
+
+from prowler.providers.googleworkspace.services.chat.chat_service import ChatPolicies
+from tests.providers.googleworkspace.googleworkspace_fixtures import (
+    CUSTOMER_ID,
+    set_mocked_googleworkspace_provider,
+)
+
+
+class TestChatExternalMessagingRestricted:
+    def test_pass_external_chat_disabled(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_external_messaging_restricted.chat_external_messaging_restricted.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_external_messaging_restricted.chat_external_messaging_restricted import (
+                chat_external_messaging_restricted,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = ChatPolicies(allow_external_chat=False)
+
+            check = chat_external_messaging_restricted()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "PASS"
+            assert "disabled" in findings[0].status_extended
+            assert findings[0].resource_name == "Chat Policies"
+            assert findings[0].resource_id == "chatPolicies"
+            assert findings[0].customer_id == CUSTOMER_ID
+            assert (
+                findings[0].resource == ChatPolicies(allow_external_chat=False).dict()
+            )
+
+    def test_pass_trusted_domains(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_external_messaging_restricted.chat_external_messaging_restricted.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_external_messaging_restricted.chat_external_messaging_restricted import (
+                chat_external_messaging_restricted,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = ChatPolicies(
+                allow_external_chat=True,
+                external_chat_restriction="TRUSTED_DOMAINS",
+            )
+
+            check = chat_external_messaging_restricted()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "PASS"
+            assert "restricted to allowed domains" in findings[0].status_extended
+
+    def test_fail_no_restriction(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_external_messaging_restricted.chat_external_messaging_restricted.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_external_messaging_restricted.chat_external_messaging_restricted import (
+                chat_external_messaging_restricted,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = ChatPolicies(
+                allow_external_chat=True,
+                external_chat_restriction="NO_RESTRICTION",
+            )
+
+            check = chat_external_messaging_restricted()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "FAIL"
+            assert "not restricted" in findings[0].status_extended
+
+    def test_pass_no_policy_set(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_external_messaging_restricted.chat_external_messaging_restricted.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_external_messaging_restricted.chat_external_messaging_restricted import (
+                chat_external_messaging_restricted,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = ChatPolicies()
+
+            check = chat_external_messaging_restricted()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "PASS"
+            assert "secure default" in findings[0].status_extended
+
+    def test_no_findings_when_fetch_failed(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_external_messaging_restricted.chat_external_messaging_restricted.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_external_messaging_restricted.chat_external_messaging_restricted import (
+                chat_external_messaging_restricted,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = False
+            mock_client.policies = ChatPolicies()
+
+            check = chat_external_messaging_restricted()
+            findings = check.execute()
+
+            assert len(findings) == 0

tests/providers/googleworkspace/services/chat/chat_external_spaces_restricted/chat_external_spaces_restricted_test.py

@@ -0,0 +1,155 @@
+from unittest.mock import patch
+
+from prowler.providers.googleworkspace.services.chat.chat_service import ChatPolicies
+from tests.providers.googleworkspace.googleworkspace_fixtures import (
+    CUSTOMER_ID,
+    set_mocked_googleworkspace_provider,
+)
+
+
+class TestChatExternalSpacesRestricted:
+    def test_pass_spaces_disabled(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_external_spaces_restricted.chat_external_spaces_restricted.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_external_spaces_restricted.chat_external_spaces_restricted import (
+                chat_external_spaces_restricted,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = ChatPolicies(external_spaces_enabled=False)
+
+            check = chat_external_spaces_restricted()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "PASS"
+            assert "disabled" in findings[0].status_extended
+            assert findings[0].resource_name == "Chat Policies"
+            assert findings[0].resource_id == "chatPolicies"
+            assert findings[0].customer_id == CUSTOMER_ID
+            assert (
+                findings[0].resource
+                == ChatPolicies(external_spaces_enabled=False).dict()
+            )
+
+    def test_pass_trusted_domains(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_external_spaces_restricted.chat_external_spaces_restricted.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_external_spaces_restricted.chat_external_spaces_restricted import (
+                chat_external_spaces_restricted,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = ChatPolicies(
+                external_spaces_enabled=True,
+                external_spaces_domain_allowlist_mode="TRUSTED_DOMAINS",
+            )
+
+            check = chat_external_spaces_restricted()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "PASS"
+            assert "restricted to allowed domains" in findings[0].status_extended
+
+    def test_fail_all_domains(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_external_spaces_restricted.chat_external_spaces_restricted.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_external_spaces_restricted.chat_external_spaces_restricted import (
+                chat_external_spaces_restricted,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = ChatPolicies(
+                external_spaces_enabled=True,
+                external_spaces_domain_allowlist_mode="ALL_DOMAINS",
+            )
+
+            check = chat_external_spaces_restricted()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "FAIL"
+            assert "not restricted" in findings[0].status_extended
+
+    def test_fail_no_policy_set(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_external_spaces_restricted.chat_external_spaces_restricted.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_external_spaces_restricted.chat_external_spaces_restricted import (
+                chat_external_spaces_restricted,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = ChatPolicies()
+
+            check = chat_external_spaces_restricted()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "FAIL"
+            assert "not explicitly configured" in findings[0].status_extended
+
+    def test_no_findings_when_fetch_failed(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_external_spaces_restricted.chat_external_spaces_restricted.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_external_spaces_restricted.chat_external_spaces_restricted import (
+                chat_external_spaces_restricted,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = False
+            mock_client.policies = ChatPolicies()
+
+            check = chat_external_spaces_restricted()
+            findings = check.execute()
+
+            assert len(findings) == 0

tests/providers/googleworkspace/services/chat/chat_incoming_webhooks_disabled/chat_incoming_webhooks_disabled_test.py

@@ -0,0 +1,119 @@
+from unittest.mock import patch
+
+from prowler.providers.googleworkspace.services.chat.chat_service import ChatPolicies
+from tests.providers.googleworkspace.googleworkspace_fixtures import (
+    CUSTOMER_ID,
+    set_mocked_googleworkspace_provider,
+)
+
+
+class TestChatIncomingWebhooksDisabled:
+    def test_pass(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_incoming_webhooks_disabled.chat_incoming_webhooks_disabled.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_incoming_webhooks_disabled.chat_incoming_webhooks_disabled import (
+                chat_incoming_webhooks_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = ChatPolicies(enable_webhooks=False)
+
+            check = chat_incoming_webhooks_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "PASS"
+            assert "disabled" in findings[0].status_extended
+            assert findings[0].resource_name == "Chat Policies"
+            assert findings[0].resource_id == "chatPolicies"
+            assert findings[0].customer_id == CUSTOMER_ID
+            assert findings[0].resource == ChatPolicies(enable_webhooks=False).dict()
+
+    def test_fail_enabled(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_incoming_webhooks_disabled.chat_incoming_webhooks_disabled.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_incoming_webhooks_disabled.chat_incoming_webhooks_disabled import (
+                chat_incoming_webhooks_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = ChatPolicies(enable_webhooks=True)
+
+            check = chat_incoming_webhooks_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "FAIL"
+            assert "enabled" in findings[0].status_extended
+
+    def test_pass_no_policy_set(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_incoming_webhooks_disabled.chat_incoming_webhooks_disabled.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_incoming_webhooks_disabled.chat_incoming_webhooks_disabled import (
+                chat_incoming_webhooks_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = ChatPolicies(enable_webhooks=None)
+
+            check = chat_incoming_webhooks_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "PASS"
+            assert "secure default" in findings[0].status_extended
+
+    def test_no_findings_when_fetch_failed(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_incoming_webhooks_disabled.chat_incoming_webhooks_disabled.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_incoming_webhooks_disabled.chat_incoming_webhooks_disabled import (
+                chat_incoming_webhooks_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = False
+            mock_client.policies = ChatPolicies()
+
+            check = chat_incoming_webhooks_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 0

tests/providers/googleworkspace/services/chat/chat_internal_file_sharing_disabled/chat_internal_file_sharing_disabled_test.py

@@ -0,0 +1,122 @@
+from unittest.mock import patch
+
+from prowler.providers.googleworkspace.services.chat.chat_service import ChatPolicies
+from tests.providers.googleworkspace.googleworkspace_fixtures import (
+    CUSTOMER_ID,
+    set_mocked_googleworkspace_provider,
+)
+
+
+class TestChatInternalFileSharingDisabled:
+    def test_pass(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_internal_file_sharing_disabled.chat_internal_file_sharing_disabled.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_internal_file_sharing_disabled.chat_internal_file_sharing_disabled import (
+                chat_internal_file_sharing_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = ChatPolicies(internal_file_sharing="NO_FILES")
+
+            check = chat_internal_file_sharing_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "PASS"
+            assert "disabled" in findings[0].status_extended
+            assert findings[0].resource_name == "Chat Policies"
+            assert findings[0].resource_id == "chatPolicies"
+            assert findings[0].customer_id == CUSTOMER_ID
+            assert (
+                findings[0].resource
+                == ChatPolicies(internal_file_sharing="NO_FILES").dict()
+            )
+
+    def test_fail_all_files(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_internal_file_sharing_disabled.chat_internal_file_sharing_disabled.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_internal_file_sharing_disabled.chat_internal_file_sharing_disabled import (
+                chat_internal_file_sharing_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = ChatPolicies(internal_file_sharing="ALL_FILES")
+
+            check = chat_internal_file_sharing_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "FAIL"
+            assert "ALL_FILES" in findings[0].status_extended
+
+    def test_fail_no_policy_set(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_internal_file_sharing_disabled.chat_internal_file_sharing_disabled.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_internal_file_sharing_disabled.chat_internal_file_sharing_disabled import (
+                chat_internal_file_sharing_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = True
+            mock_client.policies = ChatPolicies(internal_file_sharing=None)
+
+            check = chat_internal_file_sharing_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 1
+            assert findings[0].status == "FAIL"
+            assert "not explicitly configured" in findings[0].status_extended
+
+    def test_no_findings_when_fetch_failed(self):
+        mock_provider = set_mocked_googleworkspace_provider()
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_internal_file_sharing_disabled.chat_internal_file_sharing_disabled.chat_client"
+            ) as mock_client,
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_internal_file_sharing_disabled.chat_internal_file_sharing_disabled import (
+                chat_internal_file_sharing_disabled,
+            )
+
+            mock_client.provider = mock_provider
+            mock_client.policies_fetched = False
+            mock_client.policies = ChatPolicies()
+
+            check = chat_internal_file_sharing_disabled()
+            findings = check.execute()
+
+            assert len(findings) == 0

tests/providers/googleworkspace/services/chat/chat_service_test.py

@@ -0,0 +1,440 @@
+from unittest.mock import MagicMock, patch
+
+from googleapiclient.errors import HttpError
+from httplib2 import Response as HttpResponse
+
+from tests.providers.googleworkspace.googleworkspace_fixtures import (
+    ROOT_ORG_UNIT_ID,
+    set_mocked_googleworkspace_provider,
+)
+
+
+class TestChatService:
+    def test_chat_fetch_policies_all_settings(self):
+        """Test fetching all 4 Chat policy settings from Cloud Identity API"""
+        mock_provider = set_mocked_googleworkspace_provider()
+        mock_provider.audit_config = {}
+        mock_provider.fixer_config = {}
+        mock_credentials = MagicMock()
+        mock_session = MagicMock()
+        mock_session.credentials = mock_credentials
+        mock_provider.session = mock_session
+
+        mock_service = MagicMock()
+        mock_policies_list = MagicMock()
+        mock_policies_list.execute.return_value = {
+            "policies": [
+                {
+                    "setting": {
+                        "type": "settings/chat.chat_file_sharing",
+                        "value": {
+                            "externalFileSharing": "NO_FILES",
+                            "internalFileSharing": "IMAGES_ONLY",
+                        },
+                    }
+                },
+                {
+                    "setting": {
+                        "type": "settings/chat.external_chat_restriction",
+                        "value": {
+                            "allowExternalChat": True,
+                            "externalChatRestriction": "TRUSTED_DOMAINS",
+                        },
+                    }
+                },
+                {
+                    "setting": {
+                        "type": "settings/chat.chat_external_spaces",
+                        "value": {
+                            "enabled": True,
+                            "domainAllowlistMode": "TRUSTED_DOMAINS",
+                        },
+                    }
+                },
+                {
+                    "setting": {
+                        "type": "settings/chat.chat_apps_access",
+                        "value": {
+                            "enableApps": False,
+                            "enableWebhooks": False,
+                        },
+                    }
+                },
+            ]
+        }
+        mock_service.policies().list.return_value = mock_policies_list
+        mock_service.policies().list_next.return_value = None
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_service.GoogleWorkspaceService._build_service",
+                return_value=mock_service,
+            ),
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_service import (
+                Chat,
+            )
+
+            chat = Chat(mock_provider)
+
+            assert chat.policies_fetched is True
+            assert chat.policies.external_file_sharing == "NO_FILES"
+            assert chat.policies.internal_file_sharing == "IMAGES_ONLY"
+            assert chat.policies.allow_external_chat is True
+            assert chat.policies.external_chat_restriction == "TRUSTED_DOMAINS"
+            assert chat.policies.external_spaces_enabled is True
+            assert (
+                chat.policies.external_spaces_domain_allowlist_mode == "TRUSTED_DOMAINS"
+            )
+            assert chat.policies.enable_apps is False
+            assert chat.policies.enable_webhooks is False
+
+    def test_chat_fetch_policies_empty_response(self):
+        """Test handling empty policies response"""
+        mock_provider = set_mocked_googleworkspace_provider()
+        mock_provider.audit_config = {}
+        mock_provider.fixer_config = {}
+        mock_session = MagicMock()
+        mock_session.credentials = MagicMock()
+        mock_provider.session = mock_session
+
+        mock_service = MagicMock()
+        mock_policies_list = MagicMock()
+        mock_policies_list.execute.return_value = {"policies": []}
+        mock_service.policies().list.return_value = mock_policies_list
+        mock_service.policies().list_next.return_value = None
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_service.GoogleWorkspaceService._build_service",
+                return_value=mock_service,
+            ),
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_service import (
+                Chat,
+            )
+
+            chat = Chat(mock_provider)
+
+            assert chat.policies_fetched is True
+            assert chat.policies.external_file_sharing is None
+            assert chat.policies.allow_external_chat is None
+            assert chat.policies.enable_apps is None
+            assert chat.policies.enable_webhooks is None
+
+    def test_chat_fetch_policies_api_error(self):
+        """Test handling of API errors during policy fetch"""
+        mock_provider = set_mocked_googleworkspace_provider()
+        mock_provider.audit_config = {}
+        mock_provider.fixer_config = {}
+        mock_session = MagicMock()
+        mock_session.credentials = MagicMock()
+        mock_provider.session = mock_session
+
+        mock_service = MagicMock()
+        mock_service.policies().list.side_effect = Exception("API Error")
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_service.GoogleWorkspaceService._build_service",
+                return_value=mock_service,
+            ),
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_service import (
+                Chat,
+            )
+
+            chat = Chat(mock_provider)
+
+            assert chat.policies_fetched is False
+            assert chat.policies.external_file_sharing is None
+
+    def test_chat_fetch_policies_build_service_returns_none(self):
+        """Test early return when _build_service fails to construct the client"""
+        mock_provider = set_mocked_googleworkspace_provider()
+        mock_provider.audit_config = {}
+        mock_provider.fixer_config = {}
+        mock_session = MagicMock()
+        mock_session.credentials = MagicMock()
+        mock_provider.session = mock_session
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_service.GoogleWorkspaceService._build_service",
+                return_value=None,
+            ),
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_service import (
+                Chat,
+            )
+
+            chat = Chat(mock_provider)
+
+            assert chat.policies_fetched is False
+            assert chat.policies.external_file_sharing is None
+
+    def test_chat_fetch_policies_execute_raises(self):
+        """Test inner except handler when request.execute() raises during pagination"""
+        mock_provider = set_mocked_googleworkspace_provider()
+        mock_provider.audit_config = {}
+        mock_provider.fixer_config = {}
+        mock_session = MagicMock()
+        mock_session.credentials = MagicMock()
+        mock_provider.session = mock_session
+
+        mock_service = MagicMock()
+        mock_request = MagicMock()
+        mock_request.execute.side_effect = Exception("Execute failed")
+        mock_service.policies().list.return_value = mock_request
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_service.GoogleWorkspaceService._build_service",
+                return_value=mock_service,
+            ),
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_service import (
+                Chat,
+            )
+
+            chat = Chat(mock_provider)
+
+            assert chat.policies_fetched is False
+            assert chat.policies.external_file_sharing is None
+
+    def test_chat_fetch_policies_ignores_ou_and_group_level(self):
+        """Test that OU-level and group-level policies are skipped, only customer-level used"""
+        mock_provider = set_mocked_googleworkspace_provider()
+        mock_provider.audit_config = {}
+        mock_provider.fixer_config = {}
+        mock_session = MagicMock()
+        mock_session.credentials = MagicMock()
+        mock_provider.session = mock_session
+
+        mock_service = MagicMock()
+        mock_policies_list = MagicMock()
+        mock_policies_list.execute.return_value = {
+            "policies": [
+                {
+                    # Customer-level: no policyQuery → should be used
+                    "setting": {
+                        "type": "settings/chat.chat_apps_access",
+                        "value": {"enableApps": False, "enableWebhooks": False},
+                    }
+                },
+                {
+                    # OU-level: has policyQuery.orgUnit → should be skipped
+                    "policyQuery": {"orgUnit": "orgUnits/sales_team"},
+                    "setting": {
+                        "type": "settings/chat.chat_apps_access",
+                        "value": {"enableApps": True, "enableWebhooks": True},
+                    },
+                },
+                {
+                    # Group-level: has policyQuery.group → should be skipped
+                    "policyQuery": {"group": "groups/contractors"},
+                    "setting": {
+                        "type": "settings/chat.chat_file_sharing",
+                        "value": {
+                            "externalFileSharing": "ALL_FILES",
+                            "internalFileSharing": "ALL_FILES",
+                        },
+                    },
+                },
+                {
+                    # Customer-level: no policyQuery → should be used
+                    "setting": {
+                        "type": "settings/chat.chat_file_sharing",
+                        "value": {
+                            "externalFileSharing": "NO_FILES",
+                            "internalFileSharing": "NO_FILES",
+                        },
+                    }
+                },
+            ]
+        }
+        mock_service.policies().list.return_value = mock_policies_list
+        mock_service.policies().list_next.return_value = None
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_service.GoogleWorkspaceService._build_service",
+                return_value=mock_service,
+            ),
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_service import (
+                Chat,
+            )
+
+            chat = Chat(mock_provider)
+
+            assert chat.policies_fetched is True
+            assert chat.policies.enable_apps is False
+            assert chat.policies.external_file_sharing == "NO_FILES"
+
+    def test_chat_fetch_policies_accepts_root_ou(self):
+        """Test that root-OU-scoped policies are accepted as customer-level"""
+        mock_provider = set_mocked_googleworkspace_provider()
+        mock_provider.audit_config = {}
+        mock_provider.fixer_config = {}
+        mock_session = MagicMock()
+        mock_session.credentials = MagicMock()
+        mock_provider.session = mock_session
+
+        mock_service = MagicMock()
+        mock_policies_list = MagicMock()
+        mock_policies_list.execute.return_value = {
+            "policies": [
+                {
+                    # Root OU: matches provider's root_org_unit_id → should be accepted
+                    "policyQuery": {"orgUnit": f"orgUnits/{ROOT_ORG_UNIT_ID}"},
+                    "setting": {
+                        "type": "settings/chat.chat_apps_access",
+                        "value": {"enableApps": False, "enableWebhooks": True},
+                    },
+                },
+                {
+                    # Sub-OU: different orgUnit → should be skipped
+                    "policyQuery": {"orgUnit": "orgUnits/sub_ou_sales"},
+                    "setting": {
+                        "type": "settings/chat.chat_file_sharing",
+                        "value": {
+                            "externalFileSharing": "ALL_FILES",
+                            "internalFileSharing": "ALL_FILES",
+                        },
+                    },
+                },
+            ]
+        }
+        mock_service.policies().list.return_value = mock_policies_list
+        mock_service.policies().list_next.return_value = None
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_service.GoogleWorkspaceService._build_service",
+                return_value=mock_service,
+            ),
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_service import (
+                Chat,
+            )
+
+            chat = Chat(mock_provider)
+
+            assert chat.policies_fetched is True
+            # Root OU policy accepted
+            assert chat.policies.enable_apps is False
+            assert chat.policies.enable_webhooks is True
+            # Sub-OU policy skipped
+            assert chat.policies.external_file_sharing is None
+
+    def test_chat_partial_fetch_marks_policies_fetched_false(self):
+        """Regression: if page 1 returns valid data but page 2 raises an error,
+        policies_fetched must be False even though some policy values were stored."""
+        mock_provider = set_mocked_googleworkspace_provider()
+        mock_provider.audit_config = {}
+        mock_provider.fixer_config = {}
+        mock_session = MagicMock()
+        mock_session.credentials = MagicMock()
+        mock_provider.session = mock_session
+
+        mock_service = MagicMock()
+
+        # Page 1: returns valid Chat data
+        page1_response = {
+            "policies": [
+                {
+                    "setting": {
+                        "type": "settings/chat.chat_apps_access",
+                        "value": {"enableApps": False, "enableWebhooks": False},
+                    }
+                },
+            ]
+        }
+
+        # Page 2 request raises HttpError 429
+        page1_request = MagicMock()
+        page1_request.execute.return_value = page1_response
+
+        page2_request = MagicMock()
+        page2_request.execute.side_effect = HttpError(
+            HttpResponse({"status": "429"}), b"Rate limit exceeded"
+        )
+
+        mock_service.policies().list.return_value = page1_request
+        mock_service.policies().list_next.return_value = page2_request
+
+        with (
+            patch(
+                "prowler.providers.common.provider.Provider.get_global_provider",
+                return_value=mock_provider,
+            ),
+            patch(
+                "prowler.providers.googleworkspace.services.chat.chat_service.GoogleWorkspaceService._build_service",
+                return_value=mock_service,
+            ),
+        ):
+            from prowler.providers.googleworkspace.services.chat.chat_service import (
+                Chat,
+            )
+
+            chat = Chat(mock_provider)
+
+            # Page 1 data was stored
+            assert chat.policies.enable_apps is False
+            # But policies_fetched must be False because page 2 failed
+            assert chat.policies_fetched is False
+
+    def test_chat_policies_model(self):
+        """Test ChatPolicies Pydantic model"""
+        from prowler.providers.googleworkspace.services.chat.chat_service import (
+            ChatPolicies,
+        )
+
+        policies = ChatPolicies(
+            external_file_sharing="NO_FILES",
+            internal_file_sharing="IMAGES_ONLY",
+            allow_external_chat=True,
+            external_chat_restriction="TRUSTED_DOMAINS",
+            external_spaces_enabled=True,
+            external_spaces_domain_allowlist_mode="TRUSTED_DOMAINS",
+            enable_apps=False,
+            enable_webhooks=False,
+        )
+
+        assert policies.external_file_sharing == "NO_FILES"
+        assert policies.internal_file_sharing == "IMAGES_ONLY"
+        assert policies.allow_external_chat is True
+        assert policies.external_chat_restriction == "TRUSTED_DOMAINS"
+        assert policies.external_spaces_enabled is True
+        assert policies.external_spaces_domain_allowlist_mode == "TRUSTED_DOMAINS"
+        assert policies.enable_apps is False
+        assert policies.enable_webhooks is False