
This skill analyzes GCP security posture across projects, identifying misconfigurations and hardening opportunities using SCC, Forseti, and ScoutSuite.

npx playbooks add skill a5c-ai/babysitter --skill gcp-security-scanner


SKILL.md
---
name: gcp-security-scanner
description: GCP security configuration scanning and hardening using Security Command Center, Forseti, and ScoutSuite
allowed-tools:
  - Bash
  - Read
  - Write
  - Glob
  - Grep
  - WebFetch
---

# GCP Security Scanner Skill

## Purpose

Automated Google Cloud Platform security configuration scanning and hardening to identify misconfigurations, compliance violations, and security risks across GCP projects and organizations.

## Capabilities

### Security Command Center Integration
- Leverage GCP Security Command Center findings
- Review vulnerability and threat findings
- Check Security Health Analytics results
- Monitor Event Threat Detection alerts
- Track Container Threat Detection findings
- Generate compliance reports

### IAM Security Analysis
- Analyze IAM policies for over-permissive access
- Check service account key usage and rotation
- Identify excessive permissions
- Review organization policy constraints
- Detect cross-project access
- Audit IAM recommender suggestions

### VPC Firewall Analysis
- Review firewall rules for overly permissive access
- Check for open management ports
- Validate VPC Service Controls
- Review Shared VPC configurations
- Check Private Google Access settings
- Analyze VPC flow logs configuration

### Cloud Storage Security
- Identify publicly accessible buckets
- Check bucket IAM policies
- Validate uniform bucket-level access
- Review bucket encryption settings
- Check access logging configuration
- Verify retention policies

### Cloud KMS Configuration
- Review key ring and key configurations
- Check key rotation policies
- Validate IAM policies on keys
- Review HSM key protection levels
- Check external key manager usage
- Audit key access patterns

### Audit Logging Verification
- Validate Cloud Audit Logs configuration
- Check data access logging
- Review admin activity logging
- Verify log export configuration
- Check Cloud Logging retention
- Validate alert policies

### Organization Policy Assessment
- Review organization policy constraints
- Check service restriction policies
- Validate resource location constraints
- Review VM external IP restrictions
- Check service account creation policies

## GCP Services Covered

| Category | Services |
|----------|----------|
| Identity | IAM, Cloud Identity, Workforce Identity |
| Compute | Compute Engine, GKE, Cloud Run, Functions |
| Storage | Cloud Storage, Persistent Disks |
| Database | Cloud SQL, Spanner, BigQuery, Firestore |
| Network | VPC, Firewall, Cloud Armor, Cloud CDN |
| Security | Security Command Center, Cloud KMS, BeyondCorp |
| Monitoring | Cloud Logging, Cloud Monitoring, Cloud Audit Logs |

## Integrations

- **Security Command Center**: GCP native CSPM
- **Forseti Security**: Open-source GCP security toolkit
- **ScoutSuite**: Multi-cloud security auditing
- **Cloud Asset Inventory**: Resource visibility
- **IAM Recommender**: Permission optimization

## Target Processes

- Cloud Security Architecture Review
- Compliance Monitoring
- GCP Project Hardening
- Security Posture Assessment

## Input Schema

```json
{
  "type": "object",
  "properties": {
    "scanType": {
      "type": "string",
      "enum": ["full", "cis", "pci", "hipaa", "iso27001", "custom"],
      "description": "Type of security scan"
    },
    "projects": {
      "type": "array",
      "items": { "type": "string" },
      "description": "GCP project IDs to scan"
    },
    "organization": {
      "type": "string",
      "description": "GCP organization ID for org-wide scanning"
    },
    "services": {
      "type": "array",
      "items": { "type": "string" },
      "description": "Specific services to scan"
    },
    "severityThreshold": {
      "type": "string",
      "enum": ["critical", "high", "medium", "low"]
    },
    "complianceFrameworks": {
      "type": "array",
      "items": {
        "type": "string",
        "enum": ["CIS", "PCI-DSS", "HIPAA", "ISO27001", "SOC2", "NIST"]
      }
    },
    "includeSCC": {
      "type": "boolean",
      "description": "Include Security Command Center findings"
    }
  },
  "required": ["scanType"]
}
```

## Output Schema

```json
{
  "type": "object",
  "properties": {
    "scanId": {
      "type": "string"
    },
    "scanTimestamp": {
      "type": "string",
      "format": "date-time"
    },
    "projectsScanned": {
      "type": "array"
    },
    "organizationId": {
      "type": "string"
    },
    "summary": {
      "type": "object",
      "properties": {
        "totalChecks": { "type": "integer" },
        "passed": { "type": "integer" },
        "failed": { "type": "integer" },
        "warnings": { "type": "integer" }
      }
    },
    "findingsBySeverity": {
      "type": "object",
      "properties": {
        "critical": { "type": "integer" },
        "high": { "type": "integer" },
        "medium": { "type": "integer" },
        "low": { "type": "integer" }
      }
    },
    "findings": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "checkId": { "type": "string" },
          "severity": { "type": "string" },
          "service": { "type": "string" },
          "project": { "type": "string" },
          "resourceName": { "type": "string" },
          "description": { "type": "string" },
          "remediation": { "type": "string" },
          "complianceMapping": { "type": "array" }
        }
      }
    },
    "sccFindings": {
      "type": "array"
    },
    "organizationPolicyStatus": {
      "type": "object"
    },
    "recommendations": {
      "type": "array",
      "items": { "type": "string" }
    }
  }
}
```

## Usage Example

```javascript
// Invocation object passed to the agent (the enclosing `invocation` name is illustrative);
// the context fields follow the input schema above.
const invocation = {
  skill: {
    name: 'gcp-security-scanner',
    context: {
      scanType: 'cis',
      projects: ['my-project-id'],
      complianceFrameworks: ['CIS', 'SOC2'],
      includeSCC: true,
      severityThreshold: 'medium'
    }
  }
};
```

Overview

This skill automates GCP security configuration scanning and hardening using Security Command Center, Forseti, and ScoutSuite. It identifies misconfigurations, IAM risks, network exposures, and compliance gaps across projects or organizations and returns prioritized findings with remediation guidance, packaged as compliance-aligned reports with actionable recommendations.

How this skill works

The skill collects assets via Cloud Asset Inventory and runs checks across services using ScoutSuite and Forseti, augmented by Security Command Center findings when requested. It inspects IAM policies, VPC firewall rules, Cloud Storage settings, KMS keys, audit logging, and organization policies, then aggregates results into a structured report with severity, compliance mapping, and remediation steps. Output includes a scan summary, per-project findings, SCC findings, and prioritized recommendations for hardening.
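As an added illustration of the check-then-aggregate flow described above (example code, not part of the skill or of Forseti, ScoutSuite or SCC), the block below runs two Cloud Storage checks over constructed bucket metadata, emits findings in the output-schema shape, and builds the summary and findingsBySeverity blocks while honouring severityThreshold. The bucket names, check IDs and CIS control numbers are assumptions.

```javascript
// Added example (not the skill's own code): two Cloud Storage checks that emit findings in
// the output-schema shape, plus aggregation into summary/findingsBySeverity with severityThreshold.
const SEVERITY_RANK = { critical: 0, high: 1, medium: 2, low: 3 };
const PUBLIC_PRINCIPALS = new Set(['allUsers', 'allAuthenticatedUsers']);

// Constructed sample assets (made-up names): bucket metadata as in the Cloud Storage
// JSON API, with each bucket's IAM policy attached under iamPolicy.
const SAMPLE_BUCKETS = [
  { name: 'prod-logs', project: 'my-project-id',
    iamConfiguration: { uniformBucketLevelAccess: { enabled: true } },
    iamPolicy: { bindings: [{ role: 'roles/storage.objectViewer', members: ['allUsers'] }] } },
  { name: 'internal-data', project: 'my-project-id',
    iamConfiguration: { uniformBucketLevelAccess: { enabled: false } },
    iamPolicy: { bindings: [{ role: 'roles/storage.admin', members: ['group:ops@example.com'] }] } },
];

// CIS numbers assume the CIS GCP Foundations Benchmark; verify against the version you audit with.
function checkPublicBucket(b) {
  const roles = (b.iamPolicy.bindings || [])
    .filter(x => x.members.some(m => PUBLIC_PRINCIPALS.has(m))).map(x => x.role);
  if (roles.length === 0) return [];
  return [{ checkId: 'GCS-001', severity: 'critical', service: 'Cloud Storage',
    project: b.project, resourceName: `gs://${b.name}`,
    description: `Bucket grants ${roles.join(', ')} to allUsers/allAuthenticatedUsers`,
    remediation: 'Remove the public binding and enforce constraints/storage.publicAccessPrevention',
    complianceMapping: ['CIS 5.1'] }];
}
function checkUniformAccess(b) {
  if (b.iamConfiguration?.uniformBucketLevelAccess?.enabled) return [];
  return [{ checkId: 'GCS-002', severity: 'medium', service: 'Cloud Storage',
    project: b.project, resourceName: `gs://${b.name}`,
    description: 'Uniform bucket-level access is off, so legacy object ACLs can grant access outside bucket IAM',
    remediation: `gcloud storage buckets update gs://${b.name} --uniform-bucket-level-access`,
    complianceMapping: ['CIS 5.2'] }];
}

// Run every check against every asset; summary counts all checks, findings keeps only those at or above the threshold.
function runScan(assets, { severityThreshold = 'low', checks = [checkPublicBucket, checkUniformAccess] } = {}) {
  const findings = []; let totalChecks = 0, failed = 0;
  for (const asset of assets) for (const check of checks) {
    totalChecks += 1;
    const result = check(asset);
    if (result.length > 0) failed += 1;
    findings.push(...result.filter(f => SEVERITY_RANK[f.severity] <= SEVERITY_RANK[severityThreshold]));
  }
  const findingsBySeverity = { critical: 0, high: 0, medium: 0, low: 0 };
  for (const f of findings) findingsBySeverity[f.severity] += 1;
  return { summary: { totalChecks, passed: totalChecks - failed, failed, warnings: 0 }, findingsBySeverity, findings };
}
console.log(JSON.stringify(runScan(SAMPLE_BUCKETS, { severityThreshold: 'medium' }), null, 2));
```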

When to use it

  • Periodic security posture assessments across GCP projects or an organization
  • Pre-launch hardening before production deployment
  • Compliance audits for CIS, PCI-DSS, HIPAA, ISO27001, SOC2, or custom frameworks
  • Incident response triage to surface misconfigurations and risky resources
  • Validation of remediation work after configuration changes

Best practices

  • Run full scans regularly and targeted scans after major infra changes
  • Start with high-severity findings and implement least-privilege IAM fixes first
  • Enable Security Command Center and Cloud Asset Inventory for richer context
  • Use project-scoped scans before organization-wide scans to limit blast radius
  • Map findings to compliance frameworks to prioritize remediation for audits

Example use cases

  • CIS benchmark scan across all production projects to generate a compliance report
  • Detect and remediate publicly exposed Cloud Storage buckets and missing encryption settings
  • Audit service account keys, rotation policies, and excessive IAM roles for privilege reduction
  • Validate VPC firewall rules and open management ports across Shared VPCs
  • Produce a SOC2-ready findings package with mapped remediation steps for auditors

FAQ

What inputs are required to run a scan?

At minimum, specify scanType (full, cis, pci, hipaa, iso27001, or custom). Optionally provide project IDs, an organization ID, a services list, severityThreshold, complianceFrameworks, and the includeSCC flag.

Can this include Security Command Center findings?

Yes. Set includeSCC to true to aggregate SCC findings alongside Forseti and ScoutSuite results for more comprehensive coverage.

How are findings prioritized?

Findings are categorized by severity (critical/high/medium/low) and mapped to compliance controls. The output includes a summary and recommended remediation steps to prioritize work.