01Overview
GCP CNAPP Security Scanner is a single, offline tool that mimics a modern Cloud-Native Application Protection Platform for Google Cloud, collapsing five distinct security disciplines - CSPM, CIEM, CWPP, KSPM, and IaC scanning - into one Python scanner. Instead of connecting to a live project, it reads standard JSON configuration exports produced by the gcloud CLI, gsutil, bq, and Terraform, then audits them against the CIS Google Cloud Foundation Benchmark v2.0, the CIS GKE Benchmark, and Google Cloud best practices.
The scanner ships 67 concrete checks organized into 15 audit modules spanning IAM and org policy, VPC and firewall exposure, Compute Engine, Cloud Storage, Cloud SQL, logging and monitoring, BigQuery, service-account hygiene, entitlement/least-privilege analysis, GKE hardening, serverless and container security, KMS encryption, and Terraform state misconfiguration. Each finding carries a severity, category, CIS mapping, affected resource list, and specific remediation, and the run rolls up into a self-contained interactive HTML dashboard with a weighted risk score and severity/category breakdowns.
It is built for cloud security engineers, GCP platform teams, auditors, and consultants who need a fast, air-gapped posture review without deploying an agent, paying for a SaaS CNAPP, or granting a third party live access to their environment. Because it runs purely on exported JSON, it is safe for authorized assessments in restricted or regulated environments.
What makes it notable: zero external dependencies (pure Python 3.8+ standard library), a clean data-loader that tolerates alternate export filenames, and honest CNAPP-pillar coverage - the same conceptual surface (misconfiguration, identity risk, workload hardening, Kubernetes posture, and shift-left IaC) that commercial platforms charge for, delivered as ~1,800 lines of readable, auditable code.
02Key Capabilities
Unified five-pillar CNAPP coverage
One scanner spans CSPM, CIEM, CWPP, KSPM, and IaC security so posture, identity, workload, Kubernetes, and shift-left checks run from a single command.
67 grounded security checks across 15 modules
Every check has a stable ID (IAM-001, NET-002, GKE-004, KMS-002...), severity, category, and remediation, making findings traceable and repeatable.
Fully offline, agentless analysis
Reads exported gcloud/gsutil/bq/Terraform JSON and never touches a live GCP project, making it safe for authorized reviews in restricted environments.
Zero external dependencies
Runs on pure Python 3.8+ standard library, so it installs nowhere and audits cleanly with no supply-chain surface.
CIS GCP Foundation Benchmark v2.0 mapping
Checks are keyed to CIS sections 1-7 (plus the CIS GKE Benchmark) so results align directly with recognized compliance baselines.
Interactive HTML dashboard report
Generates a self-contained report with a weighted risk score, severity and category breakdowns, and per-finding detail and remediation.
CIEM least-privilege and entitlement analysis
Flags over-privileged users, external identities, project-level allUsers/allAuthenticatedUsers bindings, and separation-of-duties conflicts.
GKE / Kubernetes hardening (KSPM)
Audits clusters for legacy ABAC, missing Network Policy, public nodes, absent Workload Identity, Binary Authorization, and Shielded Nodes.
Shift-left Terraform / IaC scanning
Inspects Terraform state and plans for 0.0.0.0/0 exposure, allUsers, cloud-platform scope, legacy ABAC, and destructive resource deletions before deploy.
Service-account and key hygiene
Detects SA keys older than 90 days, user-managed keys, dead disabled accounts, and excessive impersonation/Token Creator grants.
Selective module and severity filtering
Run any subset of modules and filter output by CRITICAL/HIGH/MEDIUM/LOW to focus a scan on a specific pillar or risk tier.
Baseline/config-aware runs
Accepts an optional JSON baseline via --config so thresholds and expected values can be tuned per environment.
03Architecture
The scanner is a linear pipeline: a DataLoader ingests exported GCP JSON, 15 auditor engines (each subclassing a common BaseAuditor) evaluate their domain and emit structured findings through a single finding() contract, and a ReportGenerator renders the aggregated findings into an interactive HTML dashboard. All auditors share the same finding schema (id, severity, category, CIS mapping, affected items, remediation), so the CLI can run any subset, filter by severity, and roll everything into one weighted risk report.
04Project Structure
gcp_scanner.pyMain CLI entry point: argument parsing, MODULE_MAP of 15 auditors, orchestration, and summary output.modules/base.pyBaseAuditor (finding schema + severity constants) and the DataLoader with FILE_MAP filename resolution.modules/cspm_core.pyCSPM auditors for IAM/Org, Network/VPC, Compute Engine, and Cloud Storage (CIS 1,3,4,5).modules/cspm_ciem.pyAuditors for Database, Logging/Monitoring, BigQuery, CIEM entitlements, and Service Accounts (CIS 2,6,7).modules/cwpp_iac.pyCWPP/KSPM and shift-left auditors: GKE, Serverless, Container, Terraform IaC, CIS summary, and KMS/Encryption.modules/report_generator.pyInteractive HTML dashboard generator with weighted risk scoring and severity/category rollups.sample_data/19 demo GCP exports with deliberate misconfigurations (IAM, firewall, VMs, buckets, SQL, GKE, functions, KMS, terraform.tfstate) plus a sample_report.html.docs/banner.svgProject banner asset referenced by the README.README.mdFull documentation: CNAPP pillar model, per-module check tables, export commands, and CIS coverage map.CONTRIBUTING.mdContribution guidance for the project.LICENSEMIT license.05Security Controls
06Technology Stack
- Language
- Python 3.8+
- Dependencies
- Zero external - pure standard library (json, csv, datetime, pathlib, html, argparse)
- Input formats
- gcloud/gsutil/bq JSON exports and Terraform state/plan JSON
- Reporting
- Self-contained interactive HTML dashboard (JSON fallback)
- Architecture
- BaseAuditor + 15 pluggable auditor engines dispatched via MODULE_MAP
- Testing
- Runnable sample_data corpus of 19 seeded-misconfiguration exports (no formal unit-test suite)
- License
- MIT
07Quick Start
$ git clone https://github.com/Krishcalin/GCP-CNAPP-Security-Scanner.git && cd GCP-CNAPP-Security-Scanner $ python gcp_scanner.py --data-dir ./sample_data --output report.html # run all 15 modules on demo data $ python gcp_scanner.py --data-dir ./exports --modules iam network compute gke # scan selected pillars $ python gcp_scanner.py --data-dir ./exports --severity HIGH # show only HIGH-and-above findings $ gcloud projects get-iam-policy PROJECT_ID --format=json > exports/iam_policy.json # example export before scanning $ python gcp_scanner.py --data-dir ./exports --modules ciem sa # CIEM/entitlement-only review
08Compliance & Frameworks
09Integrations & Outputs
Explore GCP CNAPP Scanner
Full source, documentation, and deployment guides live on GitHub.