{"id":15222173,"url":"https://github.com/googlecloudplatform/scoutsuite-gcp-scan","last_synced_at":"2025-07-05T13:34:31.658Z","repository":{"id":63817919,"uuid":"568608150","full_name":"GoogleCloudPlatform/scoutsuite-gcp-scan","owner":"GoogleCloudPlatform","description":"Terraform to run Scoutsuite security scan of projects within a Google Cloud Org. Report will be published to a GCS bucket.","archived":false,"fork":false,"pushed_at":"2024-05-04T17:39:47.000Z","size":25,"stargazers_count":15,"open_issues_count":2,"forks_count":2,"subscribers_count":14,"default_branch":"main","last_synced_at":"2024-12-18T08:41:20.911Z","etag":null,"topics":["cloud-posture-security","cloudsecurity","gcp","gcp-security","google-cloud","google-cloud-platform","scoutsuite","terraform"],"latest_commit_sha":null,"homepage":"","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/GoogleCloudPlatform.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-11-21T02:33:38.000Z","updated_at":"2024-03-19T17:41:35.000Z","dependencies_parsed_at":"2024-09-28T15:21:00.621Z","dependency_job_id":null,"html_url":"https://github.com/GoogleCloudPlatform/scoutsuite-gcp-scan","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Fscoutsuite-gcp-scan","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Fscoutsuite-gcp-scan/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Fscoutsuite-gcp-scan/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/GoogleCloudPlatform%2Fscoutsuite-gcp-scan/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/GoogleCloudPlatform","download_url":"https://codeload.github.com/GoogleCloudPlatform/scoutsuite-gcp-scan/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":237243005,"owners_count":19278060,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cloud-posture-security","cloudsecurity","gcp","gcp-security","google-cloud","google-cloud-platform","scoutsuite","terraform"],"created_at":"2024-09-28T15:10:55.738Z","updated_at":"2025-02-05T04:31:58.459Z","avatar_url":"https://github.com/GoogleCloudPlatform.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Scoutsuite Security Scan for Google Cloud\n\nThis will run a Scoutsuite security scan in your Google Cloud Organization, Folder or Project and copy the report to a GCS Bucket.\n\n## Providers\n\n| Name | Version  |\n|:----------|:----------|\n| Terraform    | \u003e= 0.14.0    |\n| Google    | ~\u003e 4.41.0    |\n\n\n## Resources\n\nThe following resources will be created:\n\n- GCS bucket to store html report\n- Service Account for Cloud Build job to run with, and the Scoutsuite scan to run under\n- IAM Role Bindings that are attached to the SA: **Viewer**, **Security Reviewer**, **Stackdriver Accounts Viewer**, **Log Writer**, **Storage Object Admin** (restricted to the GCS bucket previously created and the bucket created for Cloud Build)\n- Cloud Build Image\n\n\n## Cloud Build\n\nThe Cloud Build job will contain the following attributes:\n\n- Uses google-cloud-cli:slim and gsutil base container images from Google's public container registry\n- Scoutsuite is installed on google-cloud-cli:slim\n- Scoutsuite is run on Current Project, Organization, Folder, or all Projects that the service account has access to\n- gsutil is used to copy the report files to the bucket created previously\n\n\n## IAM Permissions\n\nThe following Roles are required for the user/SA to apply and destroy this Terraform script:\n\nWithin the host project from where the scan will be run:\n\n- Storage Admin\n- Create Service Accounts\n- Service Account User\n- Service Usage Admin\n- Cloud Build Editor\n\nThe following additional roles are required depending on the desired scan scope:\n- Project IAM Admin Administrator (Project Level Scan)\n- Folder Administrator (Folder Level Scan)\n- Organization Administrator (Org Level Scan)\n\n\n## GCP Environment setup\n\nIt is recommended that this is run from within Google Cloud using Cloud Shell, or however you currently execute Terraform scripts, so as not to need to download SA keys.\n\nClone this repository:\n\n```sh\ngit clone https://github.com/GoogleCloudPlatform/scoutsuite-gcp-scan.git\ncd scoutsuite-gcp-scan\nexport WORKING_DIR=$(pwd)\n```\n\n\n## Variable Inputs\n\n| Name | Description | Default  |\n|:----------|:----------|:----------|\n| host_project_id   | The Project ID used to create resources in (SA, GCS Bucket, Cloud Build) and run Scoutsuite from    | n/a    |\n| scan_scope    | The scope of where Scoutsuite should scan. Valid inputs are: 'organization-id [ORGANIZATION ID]'; 'folder-id [FOLDER ID]'; 'project-id [PROJECT ID]'  | n/a    |\n| region    | Preferred Region to create resources    | n/a   |\n| scoutsuite_sa    | Name of Service Account to Run Cloud Build Job and Scoutsuite scan    | scoutsuite    |\n\n\n## Terraform init, plan and apply\n\nUse Terraform to provision the Scoutsuite container and generate the report:\n\n```sh\ncd ${WORKING_DIR}\nterraform init\nterraform plan\nterraform apply\n```\n\n## Get the Scout Suite Report\n\nThe results report is put into the GCS bucket that was created. To view the report it is recommended that you download all the files from the bucket to your local machine and open the html file in your local browser.\n\n## Clean up\n\nDelete all provisioned resources by using Terraform destroy:\n\n```sh\nterraform destroy\n```\n\n-------\n\nThis is not an official Google or Google Cloud product.\n\nCopyright 2022 Google\nSPDX-License-Identifier: Apache-2.0\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgooglecloudplatform%2Fscoutsuite-gcp-scan","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgooglecloudplatform%2Fscoutsuite-gcp-scan","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgooglecloudplatform%2Fscoutsuite-gcp-scan/lists"}