GCP CNAPP Scanner

Cloud Securityv1.0.0

Cloud-Native Application Protection Platform for GCP with 67+ checks across 5 CNAPP pillars and 15 audit modules

67+
checks
5
pillars
15
modules
1
loc

01Overview

GCP CNAPP Security Scanner is a single, offline tool that mimics a modern Cloud-Native Application Protection Platform for Google Cloud, collapsing five distinct security disciplines - CSPM, CIEM, CWPP, KSPM, and IaC scanning - into one Python scanner. Instead of connecting to a live project, it reads standard JSON configuration exports produced by the gcloud CLI, gsutil, bq, and Terraform, then audits them against the CIS Google Cloud Foundation Benchmark v2.0, the CIS GKE Benchmark, and Google Cloud best practices.

The scanner ships 67 concrete checks organized into 15 audit modules spanning IAM and org policy, VPC and firewall exposure, Compute Engine, Cloud Storage, Cloud SQL, logging and monitoring, BigQuery, service-account hygiene, entitlement/least-privilege analysis, GKE hardening, serverless and container security, KMS encryption, and Terraform state misconfiguration. Each finding carries a severity, category, CIS mapping, affected resource list, and specific remediation, and the run rolls up into a self-contained interactive HTML dashboard with a weighted risk score and severity/category breakdowns.

It is built for cloud security engineers, GCP platform teams, auditors, and consultants who need a fast, air-gapped posture review without deploying an agent, paying for a SaaS CNAPP, or granting a third party live access to their environment. Because it runs purely on exported JSON, it is safe for authorized assessments in restricted or regulated environments.

What makes it notable: zero external dependencies (pure Python 3.8+ standard library), a clean data-loader that tolerates alternate export filenames, and honest CNAPP-pillar coverage - the same conceptual surface (misconfiguration, identity risk, workload hardening, Kubernetes posture, and shift-left IaC) that commercial platforms charge for, delivered as ~1,800 lines of readable, auditable code.

02Key Capabilities

Unified five-pillar CNAPP coverage

One scanner spans CSPM, CIEM, CWPP, KSPM, and IaC security so posture, identity, workload, Kubernetes, and shift-left checks run from a single command.

67 grounded security checks across 15 modules

Every check has a stable ID (IAM-001, NET-002, GKE-004, KMS-002...), severity, category, and remediation, making findings traceable and repeatable.

Fully offline, agentless analysis

Reads exported gcloud/gsutil/bq/Terraform JSON and never touches a live GCP project, making it safe for authorized reviews in restricted environments.

Zero external dependencies

Runs on pure Python 3.8+ standard library, so it installs nowhere and audits cleanly with no supply-chain surface.

CIS GCP Foundation Benchmark v2.0 mapping

Checks are keyed to CIS sections 1-7 (plus the CIS GKE Benchmark) so results align directly with recognized compliance baselines.

Interactive HTML dashboard report

Generates a self-contained report with a weighted risk score, severity and category breakdowns, and per-finding detail and remediation.

CIEM least-privilege and entitlement analysis

Flags over-privileged users, external identities, project-level allUsers/allAuthenticatedUsers bindings, and separation-of-duties conflicts.

GKE / Kubernetes hardening (KSPM)

Audits clusters for legacy ABAC, missing Network Policy, public nodes, absent Workload Identity, Binary Authorization, and Shielded Nodes.

Shift-left Terraform / IaC scanning

Inspects Terraform state and plans for 0.0.0.0/0 exposure, allUsers, cloud-platform scope, legacy ABAC, and destructive resource deletions before deploy.

Service-account and key hygiene

Detects SA keys older than 90 days, user-managed keys, dead disabled accounts, and excessive impersonation/Token Creator grants.

Selective module and severity filtering

Run any subset of modules and filter output by CRITICAL/HIGH/MEDIUM/LOW to focus a scan on a specific pillar or risk tier.

Baseline/config-aware runs

Accepts an optional JSON baseline via --config so thresholds and expected values can be tuned per environment.

03Architecture

The scanner is a linear pipeline: a DataLoader ingests exported GCP JSON, 15 auditor engines (each subclassing a common BaseAuditor) evaluate their domain and emit structured findings through a single finding() contract, and a ReportGenerator renders the aggregated findings into an interactive HTML dashboard. All auditors share the same finding schema (id, severity, category, CIS mapping, affected items, remediation), so the CLI can run any subset, filter by severity, and roll everything into one weighted risk report.

1
Configuration input
Standard JSON exports from gcloud CLI, gsutil, bq, and Terraform state/plan - the offline data the scanner consumes instead of a live API connection.
2
DataLoader (modules/base.py)
Maps 31 logical datasets to expected filenames (with alternate-name fallbacks), loads them as UTF-8 JSON, and reports how many config files were found.
3
BaseAuditor contract
Common base class providing severity constants, baseline access, and a single finding() method that normalizes every result into a consistent schema.
4
15 auditor engines
Domain modules split across cspm_core.py (IAM, Network, Compute, Storage), cspm_ciem.py (Database, Logging, BigQuery, CIEM, SA), and cwpp_iac.py (GKE, Serverless, Container, IaC, CIS, KMS).
5
CLI orchestrator (gcp_scanner.py)
Argument parsing, MODULE_MAP dispatch, module/severity selection, aggregation, and console summary of CRITICAL/HIGH/MEDIUM/LOW counts.
6
ReportGenerator (modules/report_generator.py)
Computes a weighted risk score and severity/category breakdowns and emits a self-contained interactive HTML dashboard, with JSON fallback if unavailable.

04Project Structure

gcp_scanner.pyMain CLI entry point: argument parsing, MODULE_MAP of 15 auditors, orchestration, and summary output.
modules/base.pyBaseAuditor (finding schema + severity constants) and the DataLoader with FILE_MAP filename resolution.
modules/cspm_core.pyCSPM auditors for IAM/Org, Network/VPC, Compute Engine, and Cloud Storage (CIS 1,3,4,5).
modules/cspm_ciem.pyAuditors for Database, Logging/Monitoring, BigQuery, CIEM entitlements, and Service Accounts (CIS 2,6,7).
modules/cwpp_iac.pyCWPP/KSPM and shift-left auditors: GKE, Serverless, Container, Terraform IaC, CIS summary, and KMS/Encryption.
modules/report_generator.pyInteractive HTML dashboard generator with weighted risk scoring and severity/category rollups.
sample_data/19 demo GCP exports with deliberate misconfigurations (IAM, firewall, VMs, buckets, SQL, GKE, functions, KMS, terraform.tfstate) plus a sample_report.html.
docs/banner.svgProject banner asset referenced by the README.
README.mdFull documentation: CNAPP pillar model, per-module check tables, export commands, and CIS coverage map.
CONTRIBUTING.mdContribution guidance for the project.
LICENSEMIT license.

05Security Controls

IAM & Org Policy (CSPM, 8 checks)
Service accounts with Owner/Admin roles, primitive basic roles, separation-of-duties conflicts, KMS admin/crypto overlap, missing domain-restricted sharing, and absent Essential Contacts (CIS 1.x).
Network & VPC (CSPM, 8 checks)
Default/legacy VPCs, SSH (22) and RDP (3389) open to 0.0.0.0/0, allow-all firewall rules, subnets without Flow Logs or Private Google Access, and load balancers without SSL policy (CIS 3.x).
Compute Engine (CSPM, 6 checks)
Default SA with cloud-platform scope, public IP exposure, serial-port access, Shielded VM disabled, project-wide OS Login off, and disks without CMEK (CIS 4.x).
Storage, SQL & BigQuery (CSPM, 12 checks)
Public GCS buckets, non-uniform bucket-level access, missing logging/retention/CMEK; Cloud SQL public IPs, no SSL enforcement, 0.0.0.0/0 authorized networks, missing backups and security flags; BigQuery broad access and no CMEK (CIS 5.x/6.x/7.x).
Logging & Monitoring (CSPM, 6 checks)
Missing audit-log config, insufficient Data Access coverage, no export sinks, no log-based metrics for IAM/firewall/route changes, and no alerting policies (CIS 2.x).
CIEM entitlements & least privilege (2 modules, 8 checks)
Users with excessive roles, custom-role review, external @gmail identities, project-level allUsers/allAuthenticatedUsers, SA keys >90 days, user-managed keys, dead disabled SAs, and excessive impersonation grants.
GKE / Kubernetes hardening (KSPM, 8 checks)
Legacy ABAC, missing Network Policy, public (non-private) nodes, no Workload Identity, disabled Shielded Nodes, no Binary Authorization, basic-auth API server, and disabled node auto-upgrade (CIS GKE Benchmark).
Serverless & container (CWPP, 5 checks)
Publicly invocable Cloud Functions, ALLOW_ALL ingress, default App Engine SA usage, Container Analysis API disabled, and images stuck in legacy gcr.io.
IaC / Terraform (2 checks)
Scans Terraform state for 0.0.0.0/0, allUsers, cloud-platform scope, legacy ABAC, and disabled SSL, and flags destructive resource deletions in plans - shifting detection left before deploy.
KMS & encryption (3 checks)
Keys without rotation periods, keys with public (allUsers) access, and KMS admin/crypto role overlap (CIS 1.9-1.11).

06Technology Stack

Language
Python 3.8+
Dependencies
Zero external - pure standard library (json, csv, datetime, pathlib, html, argparse)
Input formats
gcloud/gsutil/bq JSON exports and Terraform state/plan JSON
Reporting
Self-contained interactive HTML dashboard (JSON fallback)
Architecture
BaseAuditor + 15 pluggable auditor engines dispatched via MODULE_MAP
Testing
Runnable sample_data corpus of 19 seeded-misconfiguration exports (no formal unit-test suite)
License
MIT

07Quick Start

$ git clone https://github.com/Krishcalin/GCP-CNAPP-Security-Scanner.git && cd GCP-CNAPP-Security-Scanner
$ python gcp_scanner.py --data-dir ./sample_data --output report.html  # run all 15 modules on demo data
$ python gcp_scanner.py --data-dir ./exports --modules iam network compute gke  # scan selected pillars
$ python gcp_scanner.py --data-dir ./exports --severity HIGH  # show only HIGH-and-above findings
$ gcloud projects get-iam-policy PROJECT_ID --format=json > exports/iam_policy.json  # example export before scanning
$ python gcp_scanner.py --data-dir ./exports --modules ciem sa  # CIEM/entitlement-only review

08Compliance & Frameworks

CIS GCP Foundation Benchmark v2.0
Primary mapping; checks keyed to CIS sections 1-7 (IAM, Logging, Networking, VMs, Storage, Cloud SQL, BigQuery).
CIS GKE Benchmark
GKE hardening checks mapped to CIS Kubernetes Engine controls (e.g., 5.1.1, 5.2.1, 5.4.1, 5.6.7, 5.8.1).
NIST SP 800-53 Rev 5
Referenced as an industry control framework the posture checks support.
NIST CSF 2.0
Referenced framework for aligning cloud posture findings to cybersecurity functions.
SOC 2 Trust Service Criteria
Referenced framework for control assurance context.
ISO/IEC 27001:2022
Referenced information-security management standard.

09Integrations & Outputs

gcloud CLI JSON exports (IAM, compute, networks, firewall, SQL, GKE, functions, KMS)gsutil / gcloud storage bucket exportsbq (BigQuery) dataset exportsTerraform state (.tfstate) and plan (terraform show -json) for IaC scanningInteractive HTML dashboard outputJSON findings export (fallback when HTML generator unavailable)

Explore GCP CNAPP Scanner

Full source, documentation, and deployment guides live on GitHub.