{"id":39517696,"url":"https://github.com/googlecloudplatform/gcp-hardening-toolkit","last_synced_at":"2026-04-29T00:07:02.242Z","repository":{"id":327809132,"uuid":"1110617328","full_name":"GoogleCloudPlatform/gcp-hardening-toolkit","owner":"GoogleCloudPlatform","description":"Deep GCP security hardening via automated triage and state-aware IaC. Built to power rapid, agile task-force engagements and remediate complex brownfield environments at scale.","archived":false,"fork":false,"pushed_at":"2026-04-07T13:15:42.000Z","size":278,"stargazers_count":28,"open_issues_count":2,"forks_count":7,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-07T15:33:25.957Z","etag":null,"topics":["compliance-as-code","gcp","gemini-cli-extension","google-cloud-platform","policy-as-code","security-hardening","terraform"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/GoogleCloudPlatform.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"docs/contributing.md","funding":null,"license":"LICENSE","code_of_conduct":"docs/code-of-conduct.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-05T13:15:19.000Z","updated_at":"2026-04-07T13:15:33.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/GoogleCloudPlatform/gcp-hardening-toolkit","commit_stats":null,"previous_names":["googlecloudplatform/gcp-hardening-toolkit"],"tags_count":27,"template":false,"template_full_name":null,"purl":"pkg:github/GoogleCloudPlatform/gcp-hardening-toolkit","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Fgcp-hardening-toolkit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Fgcp-hardening-toolkit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Fgcp-hardening-toolkit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Fgcp-hardening-toolkit/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/GoogleCloudPlatform","download_url":"https://codeload.github.com/GoogleCloudPlatform/gcp-hardening-toolkit/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Fgcp-hardening-toolkit/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31812977,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-14T18:05:02.291Z","status":"ssl_error","status_checked_at":"2026-04-14T18:05:01.765Z","response_time":153,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["compliance-as-code","gcp","gemini-cli-extension","google-cloud-platform","policy-as-code","security-hardening","terraform"],"created_at":"2026-01-18T06:16:11.354Z","updated_at":"2026-04-14T20:00:52.497Z","avatar_url":"https://github.com/GoogleCloudPlatform.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# GCP Hardening Toolkit (GHT)\n\n![Terraform](https://img.shields.io/badge/Terraform-%3E%3D1.3-935ADA)\n![Python](https://img.shields.io/badge/Python-3.x-3776AB)\n![Bash](https://img.shields.io/badge/Bash-Shell-4EAA25)\n![License](https://img.shields.io/badge/License-Apache%202.0-blue)\n![Release](https://img.shields.io/badge/Release-Rolling-4B5563)\n\nThe GCP Hardening Toolkit (GHT) is an automated triage and remediation engine designed to safely manage security debt in complex, active (brownfield) Google Cloud environments.\n\nWhile standard foundational toolkits provide blueprints for building from scratch, GHT is engineered for the realities of existing infrastructure. It combines state-aware Infrastructure as Code (IaC) with active triage automation, empowering security task forces to rapidly audit environments, identify vulnerabilities, and deploy incremental compliance guardrails—without disrupting active DevOps pipelines.\n\n## Repository Structure\n\nThe repository follows a **Library + Blueprints** architecture, decoupled to allow flexible composition.\n\n```text\ngcp-hardening-toolkit/\n├── agent/                      # agentic solution for automated hardening\n│   ├── custom-role-creation/   # custom IAM role definitions (least privilege)\n│   └── state-exporter/\n│       └── ...\n├── blueprints/                 # deployable solutions (stateful)\n│   ├── gcp-foundation-org-iam/\n│   └── ...\n├── modules/                    # reusable components (stateless)\n│   ├── gcp-iam-groups/\n│   └── gcp-custom-constraints/ # org policy constraints\n└── docs/                       # detailed documentation\n```\n\n### Design Principles\n\n- **Separation of Concerns**\n    - **Modules**: Encapsulate logic and resources (implementation).\n    - **Blueprints**: Handle orchestration and state (composition).\n- **Adaptability**\n    - **Reference Architectures**: Blueprints are production-ready but malleable.\n    - **Customization**: Users are encouraged to modify Blueprints to fit their specific requirements.\n- **Directness**\n    - **Minimal Wrappers**: Modules are usually thin layers over Terraform resources.\n    - **Value Add**: Abstraction is only added when it provides clear value (e.g., enforcing policy constraints).\n\n## Features (Pillars)\n\nThe toolkit is organized into five core pillars:\n\n1.  **Foundations** (`gcp-foundation`):\n    Rapidly provisions core controls (IAM engineering standards, Org Policies, SCC enablement) to facilitate security research and testing.\n\n2.  **Compliance** (`gcp-compliance`):\n    Delivers ultra-fast, frictionless compliance by deploying comprehensive security measures in a single run (e.g., HIPAA).\n\n3.  **Constraints** (`gcp-constraint`):\n    Secures the environment against lateral movement by enforcing advanced hardening constraints (e.g., blocking service account creation).\n\n4.  **Detection** (`gcp-detection`):\n    Extends native observability with custom threat detection pipelines and advanced log routing to spot anomalies instantly.\n\n5.  **Triage** (`gcp-triage`):\n    Automates investigation and decision-making for security alerts, reducing alert fatigue.\n\n## GHT vs. Cloud Foundation Toolkit (CFT)\n\nWe get this question a lot, so let's make the difference between the GCP Hardening Toolkit (GHT) and the Cloud Foundation Toolkit (CFT) CRYSTAL CLEAR.\n\nWhile GHT includes several foundational examples, these are meant to be thin and leverage CFT to deploy standard infrastructure. GHT is an open-source tool built with a completely different vision and utility in mind.\n\n### The Core Difference: Brownfield vs. Greenfield\n\n*   **CFT** is the gold standard for **greenfield** deployments. It provides excellent blueprints for building from scratch. While tools like CFT Scorecard can audit an existing environment to tell you what is broken, its primary utility is establishing a baseline.\n*   **GHT** is engineered for **brownfield** environments. It is built for scenarios where infrastructure is already deployed, messy, and has a lot of room for security improvement. GHT doesn't just evaluate; it actively remediates.\n\n### The Pain Point GHT Solves\n\nWhen teams conduct a Cloud Security Posture Review (CSPR), they get a clear picture of their security posture. But knowing the problems you have doesn't mean you know how to solve them without breaking production.\n\nUsually, security teams must manually review the environment, negotiate with stakeholders, and implement restrictive policies while trying not to disrupt DevOps. This causes tremendous operational friction.\n\n### The GHT Advantage: Triage and State-Aware Remediation\n\nGHT is the engine that handles the heavy lifting of security debt and accelerates your path to compliance.\n\n*   **Targeted Guardrails vs. Broad Enforcement:** CFT provides modules to enforce Organization Policies broadly. GHT provides the triage tools to figure out *how* to apply those guardrails in a running environment incrementally.\n*   **State-Aware IaC \u0026 Triage Automation:** Unlike standard foundations that assume a clean slate, GHT uses state-aware IaC combined with specialized triage scripts. This allows you to deploy security without destroying existing configurations.\n*   **Automated Execution:** Deploying foundations in brownfield environments is traditionally a manual, tedious process. GHT automates this by taking the current state, existing infrastructure, **and standard CFT modules** as its grounding input to bridge the gap to a hardened state.\n\nFor greenfield, GHT's use is mostly limited to creating compliance guardrails—a crucial 2nd layer of security. But for brownfield, GHT's automated triage and non-disruptive remediation are the features that define its utility.\n\n---\n\n### Summary Comparison\n\n| Feature | Cloud Foundation Toolkit (CFT) | GCP Hardening Toolkit (GHT) |\n| :--- | :--- | :--- |\n| **Primary Use Case** | **Greenfield:** Building new infrastructure from scratch. | **Brownfield:** Triaging and hardening existing environments. |\n| **Core Assets** | Static Terraform Blueprints \u0026 Modules. | State-Aware IaC, Triage Scripts \u0026 Deployable Guardrails. |\n| **Environment State** | Assumes a \"clean slate\" standard state. | Grounded in the **current state** (respects existing tech debt). |\n| **Guardrail Strategy** | Broad, top-down baseline enforcement. | Targeted, triage-based incremental enforcement. |\n| **Compliance Focus** | Policy Monitoring \u0026 Auditing (e.g., Scorecard). | Active Remediation \u0026 Debt Reduction. |\n| **DevOps Friction** | High, if forced onto existing messy infrastructure. | Low, designed to fix issues without disrupting active ops. |\n\n---\n\n### When to check out CFT\nYou should check out the [Cloud Foundation Toolkit](https://github.com/GoogleCloudPlatform/cloud-foundation-toolkit) if:\n* You are starting a brand new Google Cloud organization.\n* You need general-purpose, foundational blueprints (VPCs, Projects, Folders).\n* You want to audit your current state against baseline policies.\n\n### When to use GHT\nUse this open-source toolkit if:\n* You are conducting a CSPR and need to actively fix an existing environment.\n* You need to accelerate the path to compliance across any framework by managing security debt.\n* You want to search for low-hanging security fruits and implement incremental guardrails without breaking current operations.\n\n## Hardening Agent\n\nThe GCP Hardening Agent is a specialized security assistant designed to triage Google Cloud environments and generate hardening blueprints. It functions as an interactive CLI agent that automates the audit of existing infrastructure to identify vulnerabilities and deploy incremental compliance guardrails—all while grounding its decisions in the environment's live state.\n\n### Installation\n\nTo install the Hardening Agent as a Gemini CLI extension, run:\n\n```bash\ngemini extensions install https://github.com/GoogleCloudPlatform/gcp-hardening-toolkit\n```\n\nFor more information on the agent's architecture, setup, and core capabilities, see the [Hardening Agent README](agent/README.md).\n\n## Usage\n\n### Workflow\n\n1.  **Select a Blueprint**: Choose a solution from `blueprints/` that matches your goal.\n2.  **Customize**: Blueprints come with their own `examples` or default `variables`.\n3.  **Deploy**: Authenticate and run Terraform within the blueprint directory.\n\n```bash\ncd blueprints/gcp-foundation-org-iam\nterraform init\nterraform apply\n```\n\n### Helper Scripts\n\n- **Bash Scripts**: For one-time setup tasks (e.g., enabling SCC services, checking VPC-SC violations).\n- **Python Scripts**: Used within Cloud Functions for advanced logic (e.g., automated project creation enforcement).\n\n## Release Cycle \u0026 Versioning\n\nWe use a **Rolling Release** model (no semantic versioning). Every commit to `main` is stable.\n\n### Hash Pinning (Supply Chain Security)\n\nWe strongly recommend pinning modules to a specific commit hash for production environments. This prevents unintended updates and protects against potential supply chain compromises.\n\n```hcl\nmodule \"gcp_hardening\" {\n  source = \"github.com/GoogleCloudPlatform/gcp-hardening-toolkit//modules/gcp-org-policies?ref=\u003cCOMMIT_HASH\u003e\"\n}\n```\n\n## Contributing\n\nContributions are welcome! Please refer to our [Contributing Guide](docs/contributing.md) for details.\n\n## Feedback\n\nYour feedback helps us prioritize features and improve the toolkit. Please share your experience via our brief survey.\n\n[Take the 1-Minute Survey](https://forms.gle/LmgxXbJBoqu91dyA9)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgooglecloudplatform%2Fgcp-hardening-toolkit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgooglecloudplatform%2Fgcp-hardening-toolkit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgooglecloudplatform%2Fgcp-hardening-toolkit/lists"}