Conversation

@ssherar
Collaborator

@ssherar ssherar commented Sep 3, 2025

This pull request updates the organization compliance policies to standardize the input data structure and adds two new policies for team privacy and security team presence. The main changes include refactoring existing policies to expect organization settings under a settings object, updating related test cases, and introducing new policies to check for private teams and the existence of a security team.

Refactoring for standardized input structure:

  • Updated gh_org_mfa_enabled.rego and gh_org_public_repos.rego policies to reference organization settings under input.settings, ensuring consistency in how input data is accessed.
  • Modified associated test files (gh_org_mfa_enabled_test.rego, gh_org_public_repos_test.rego) to match the new input structure, wrapping relevant fields in a settings object.
  • Updated example data files (testorg.json, testorg-unremediated.json) to include a top-level settings object, supporting the refactored policies.

New team-related compliance policies:

  • Added gh_teams_privacy_closed.rego and its test file to enforce that all teams in the organization must have privacy set to closed.
  • Introduced gh_teams_security_found.rego to require the presence of a security-focused team, identified by name or description, within the organization.
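The following Rego package is an added illustration of the three policy shapes the description above talks about (settings wrapped under input.settings, every team closed, a security team found by name or description). It is not the repository's own code: the rule names, the assumed field names input.settings.two_factor_requirement_enabled and team.privacy, and the sample input are assumptions made for this example. The security-team match is written case-insensitively and tolerates a missing or null description, which is the point the review comments below raise.

```rego
# Added example, not the project's own policy files. Field names under
# input.settings and the team.privacy field are assumptions; the PR only shows
# that settings are wrapped in a `settings` object and that teams carry
# `name` and `description`.
package example.org_compliance

import rego.v1

# --- Organization settings now live under input.settings --------------------

# Assumed field name for the org-level MFA requirement.
mfa_enabled if input.settings.two_factor_requirement_enabled == true

# --- Every team must be "closed" --------------------------------------------

# Collect every team whose privacy is not "closed". A team that lacks the
# field entirely is reported too, because object.get supplies the "" default.
teams_not_closed contains team.name if {
	some team in input.teams
	object.get(team, "privacy", "") != "closed"
}

all_teams_closed if count(teams_not_closed) == 0

# --- A security team must exist, matched by name or description -------------

# Case-insensitive substring match that never calls lower() on a non-string:
# is_string rejects JSON null (key present) and the "" default covers a
# missing key.
_mentions_security(value) if {
	is_string(value)
	contains(lower(value), "security")
}

security_team_found if {
	some team in input.teams
	_mentions_security(object.get(team, "name", ""))
}

security_team_found if {
	some team in input.teams
	_mentions_security(object.get(team, "description", ""))
}

# Aggregate verdict and violation list, suitable for `opa eval`.
violations contains "mfa_not_enforced" if not mfa_enabled

violations contains "team_not_closed" if not all_teams_closed

violations contains "no_security_team" if not security_team_found

compliant if count(violations) == 0

# --- Constructed sample input and inline tests (run with `opa test`) --------

# Constructed for this example; not the repository's example-data files.
_sample := {
	"settings": {"two_factor_requirement_enabled": true},
	"teams": [
		{"name": "Platform", "privacy": "closed", "description": null},
		{"name": "SECURITY", "privacy": "closed"}
	]
}

# "SECURITY" is found despite its case; the null description is skipped.
test_sample_is_compliant if compliant with input as _sample

# A secret team with no security mention trips both team policies.
test_secret_team_is_reported if {
	bad := object.union(_sample, {"teams": [{"name": "ops", "privacy": "secret"}]})
	teams_not_closed == {"ops"} with input as bad
	not security_team_found with input as bad
}
```

Run `opa test -v example.rego` to execute the two inline tests, or `opa eval -i org.json -d example.rego 'data.example.org_compliance.violations'` against a real export. The substring match is deliberately permissive; if the intent is a dedicated security team rather than any team mentioning security, replace contains with a normalized exact-name comparison.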

@ssherar ssherar requested a review from Copilot September 3, 2025 10:03
Copilot AI left a comment

Pull Request Overview

This pull request refactors the organization compliance policies to use a standardized input data structure and adds two new team-related compliance policies for enhanced security governance.

  • Standardizes input data structure by wrapping organization settings under a settings object
  • Adds team privacy enforcement policy requiring all teams to be private
  • Introduces security team presence validation policy

Reviewed Changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
policies/gh_org_mfa_enabled.rego Updated to reference MFA settings under input.settings
policies/gh_org_mfa_enabled_test.rego Modified test cases to match new input structure
policies/gh_org_public_repos.rego Refactored to access public repo settings under input.settings
policies/gh_org_public_repos_test.rego Updated test data to use new settings structure
policies/gh_teams_privacy_closed.rego New policy enforcing all teams must be private
policies/gh_teams_privacy_closed_test.rego Test cases for team privacy policy
policies/gh_teams_security_found.rego New policy requiring presence of security team
example-data/testorg.json Updated example data to include settings wrapper
example-data/testorg-unremediated.json Updated example data to include settings wrapper

Comment on lines 5 to 10
contains(team.name, "security")
}

_team_with_security if {
some team in input.teams
contains(team.description, "security")
Copilot AI Sep 3, 2025

The contains function performs case-sensitive matching. A team named 'Security' or 'SECURITY' would not be detected. Consider using lower(team.name) or regex matching for case-insensitive detection.

Suggested change
contains(team.name, "security")
}
_team_with_security if {
some team in input.teams
contains(team.description, "security")
contains(lower(team.name), "security")
}
_team_with_security if {
some team in input.teams
contains(lower(team.description), "security")
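Review bot: `contains` is still a substring test after `lower()`, so the name rule in this suggestion matches teams such as `insecurity-ops` or `app-security-reviews` as readily as a team actually named `security`; if the policy intends a dedicated security team, compare against a normalized exact name or use `regex.match` with word boundaries instead. The description rule here also calls `lower(team.description)` directly, so a team whose `description` is JSON `null` needs a guard (`is_string(team.description)` or a `!= null` check) in this branch as well.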

Comment on lines 8 to 10
_team_with_security if {
some team in input.teams
contains(team.description, "security")
Copilot AI Sep 3, 2025

The contains function on team description is case-sensitive and may miss valid security teams. Additionally, there's no null check for the description field, which could cause errors if a team has no description.

Suggested change
_team_with_security if {
some team in input.teams
contains(team.description, "security")
team.description != null
contains(lower(team.description), "security")
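Review bot: `team.description != null` only covers the case where the key is present with a JSON `null`; when the key is absent, `team.description` is undefined and the rule body already fails, so that case is safe without the guard, but a non-string value (a number, say) would still reach `lower()`. A single `is_string(team.description)` expression handles both null and non-string values and reads as the intended precondition.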

@ssherar ssherar merged commit a00bd8b into main Sep 3, 2025
1 check passed
@ssherar ssherar deleted the feat/extended branch September 3, 2025 10:14