feat(github): add check for stale review dismissal via repository rulesets

[tejas0077]

This PR adds support for GitHub Repository Rulesets in Prowler's GitHub provider checks.

GitHub introduced Repository Rulesets as the modern replacement for legacy branch protection rules. Organizations that have migrated to rulesets were getting false positives in existing Prowler checks because the checks only read legacy branch protection data.

Fix #9530
Adds a new check repository_ruleset_dismisses_stale_reviews that verifies whether stale PR approvals are dismissed when new commits are pushed — using the modern GitHub Rulesets API.

Changes:

• Added Ruleset model to repository_service.py
• Added new check: repository_ruleset_dismisses_stale_reviews
• Backward compatible: supports both modern rulesets AND legacy branch protection
• Repositories using legacy rules get MANUAL status with migration guidance

No new dependencies required.

1. Review repository_service.py — Ruleset model added at bottom of file
2. Review the new check folder:
   • repository_ruleset_dismisses_stale_reviews.py — check logic
   • repository_ruleset_dismisses_stale_reviews.metadata.json — metadata
3. Check logic:
   • PASS: Active ruleset with dismiss_stale_reviews_on_push = true
   • FAIL: Rulesets exist but none enforce stale review dismissal
   • FAIL: No branch protection or ruleset configured
   • MANUAL: Legacy branch protection only (prompts migration)
   • MANUAL: Archived repositories

[github-actions]

✅ Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

[HugoPBrito]

Thanks for the contribution. I think there are a few issues that need to be addressed before this can be merged.

1. The new GitHub check does not look compatible with the current check implementation pattern.
   In the current codebase, GitHub repository checks use CheckReportGithub, but this PR introduces CheckResult and CheckStatus. I do not see those types added anywhere in this PR, so as submitted this looks like it will not import/run correctly.

2. The check is placed under prowler/providers/github/services/repository/checks/..., which does not match Prowler’s standard check discovery layout.
   The loader expects checks under:
   prowler.providers.<provider>.services.<service>.<check_name>.<check_name> not under an extra checks/ directory. With the current path, this check is very likely not going to be auto-discovered.

3. repo.rulesets is added to the Repo model, but I do not see it being populated in repository_service.py.
   That means the new check will never evaluate real repository rulesets and will always fall back to the legacy branch protection path.

4. The ruleset evaluation logic is too broad and can produce false positives.
   The check currently passes if it finds any active ruleset with dismiss_stale_reviews_on_push = true, but it does not verify that the
   ruleset actually applies to the repository’s default branch / target branch being evaluated.

5. There are no tests for this new behavior.
   This needs coverage for:

   • ruleset parsing in the repository service
   • discovery/loading of the new check
   • PASS / FAIL / MANUAL scenarios
   • legacy branch protection fallback behavior

6. This PR also introduces changes to GCP compliance file (rbi_cyber_security_framework_gcp.json), which is unrelated to the GitHub repository ruleset check.
   These are two separate concerns and should be split into different PRs. Mixing a GitHub provider check with a GCP compliance framework makes review and validation much harder.

I would recommend splitting the compliance addition into its own PR, then reworking this GitHub check to:

• follow the standard repository check layout
• use the existing GitHub check reporting model
• populate rulesets from the GitHub API in repository_service.py
• validate applicability to the default branch
• add provider tests

[tejas0077]

Hi @HugoPBrito, thank you for the detailed review!

I'll address all the issues:

1. Switch to CheckReportGithub
2. Fix folder structure to match standard layout
3. Populate rulesets in _process_repository()
4. Add default branch validation to ruleset check
5. Split GCP compliance into separate PR
6. Add tests

Will push fixes shortly!

[tejas0077]

Hi @HugoPBrito, I've addressed all the review feedback:

1. Switched to CheckReportGithub (correct reporting model)
2. Fixed folder structure - check now lives directly under repository/ (no extra checks/ dir)
3. Added _get_repository_rulesets() method that populates rulesets via GitHub REST API
4. Added Ruleset model to repository_service.py
5. Added target="branch" filter to ensure ruleset applies to branches
6. Removed unrelated GCP compliance changes (will open separate PR)

Still working on adding tests - will push shortly.

Please re-review when you get a chance. Thanks!