gcp-security-scanner

GCP security configuration scanning and hardening using Security Command Center, Forseti, and ScoutSuite

Install this agent skill to your Project

npx add-skill https://github.com/a5c-ai/babysitter/tree/main/library/specializations/security-compliance/skills/gcp-security-scanner

SKILL.md

GCP Security Scanner Skill

Purpose

Automated Google Cloud Platform security configuration scanning and hardening to identify misconfigurations, compliance violations, and security risks across GCP projects and organizations.

Capabilities

Security Command Center Integration

  • Leverage GCP Security Command Center findings
  • Review vulnerability and threat findings
  • Check Security Health Analytics results
  • Monitor Event Threat Detection alerts
  • Track Container Threat Detection findings
  • Generate compliance reports

IAM Security Analysis

  • Analyze IAM policies for over-permissive access
  • Check service account key usage and rotation
  • Identify excessive permissions
  • Review organization policy constraints
  • Detect cross-project access
  • Audit IAM recommender suggestions

VPC Firewall Analysis

  • Review firewall rules for overly permissive access
  • Check for open management ports
  • Validate VPC Service Controls
  • Review Shared VPC configurations
  • Check Private Google Access settings
  • Analyze VPC flow logs configuration

Cloud Storage Security

  • Identify publicly accessible buckets
  • Check bucket IAM policies
  • Validate uniform bucket-level access
  • Review bucket encryption settings
  • Check access logging configuration
  • Verify retention policies

Cloud KMS Configuration

  • Review key ring and key configurations
  • Check key rotation policies
  • Validate IAM policies on keys
  • Review HSM key protection levels
  • Check external key manager usage
  • Audit key access patterns

Audit Logging Verification

  • Validate Cloud Audit Logs configuration
  • Check data access logging
  • Review admin activity logging
  • Verify log export configuration
  • Check Cloud Logging retention
  • Validate alert policies

Organization Policy Assessment

  • Review organization policy constraints
  • Check service restriction policies
  • Validate resource location constraints
  • Review VM external IP restrictions
  • Check service account creation policies

GCP Services Covered

| Category   | Services                                          |
|------------|---------------------------------------------------|
| Identity   | IAM, Cloud Identity, Workforce Identity           |
| Compute    | Compute Engine, GKE, Cloud Run, Functions         |
| Storage    | Cloud Storage, Persistent Disks                   |
| Database   | Cloud SQL, Spanner, BigQuery, Firestore           |
| Network    | VPC, Firewall, Cloud Armor, Cloud CDN             |
| Security   | Security Command Center, Cloud KMS, BeyondCorp    |
| Monitoring | Cloud Logging, Cloud Monitoring, Cloud Audit Logs |

Integrations

  • Security Command Center: GCP native CSPM
  • Forseti Security: Open-source GCP security toolkit
  • ScoutSuite: Multi-cloud security auditing
  • Cloud Asset Inventory: Resource visibility
  • IAM Recommender: Permission optimization

Target Processes

  • Cloud Security Architecture Review
  • Compliance Monitoring
  • GCP Project Hardening
  • Security Posture Assessment

Input Schema

```json
{
  "type": "object",
  "properties": {
    "scanType": {
      "type": "string",
      "enum": ["full", "cis", "pci", "hipaa", "iso27001", "custom"],
      "description": "Type of security scan"
    },
    "projects": {
      "type": "array",
      "items": { "type": "string" },
      "description": "GCP project IDs to scan"
    },
    "organization": {
      "type": "string",
      "description": "GCP organization ID for org-wide scanning"
    },
    "services": {
      "type": "array",
      "items": { "type": "string" },
      "description": "Specific services to scan"
    },
    "severityThreshold": {
      "type": "string",
      "enum": ["critical", "high", "medium", "low"]
    },
    "complianceFrameworks": {
      "type": "array",
      "items": {
        "type": "string",
        "enum": ["CIS", "PCI-DSS", "HIPAA", "ISO27001", "SOC2", "NIST"]
      }
    },
    "includeSCC": {
      "type": "boolean",
      "description": "Include Security Command Center findings"
    }
  },
  "required": ["scanType"]
}
```

Output Schema

```json
{
  "type": "object",
  "properties": {
    "scanId": {
      "type": "string"
    },
    "scanTimestamp": {
      "type": "string",
      "format": "date-time"
    },
    "projectsScanned": {
      "type": "array"
    },
    "organizationId": {
      "type": "string"
    },
    "summary": {
      "type": "object",
      "properties": {
        "totalChecks": { "type": "integer" },
        "passed": { "type": "integer" },
        "failed": { "type": "integer" },
        "warnings": { "type": "integer" }
      }
    },
    "findingsBySeverity": {
      "type": "object",
      "properties": {
        "critical": { "type": "integer" },
        "high": { "type": "integer" },
        "medium": { "type": "integer" },
        "low": { "type": "integer" }
      }
    },
    "findings": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "checkId": { "type": "string" },
          "severity": { "type": "string" },
          "service": { "type": "string" },
          "project": { "type": "string" },
          "resourceName": { "type": "string" },
          "description": { "type": "string" },
          "remediation": { "type": "string" },
          "complianceMapping": { "type": "array" }
        }
      }
    },
    "sccFindings": {
      "type": "array"
    },
    "organizationPolicyStatus": {
      "type": "object"
    },
    "recommendations": {
      "type": "array",
      "items": { "type": "string" }
    }
  }
}
```

Usage Example

```javascript
// Skill invocation; the context object follows the input schema above
const invocation = {
  skill: {
    name: 'gcp-security-scanner',
    context: {
      scanType: 'cis',
      projects: ['my-project-id'],
      complianceFrameworks: ['CIS', 'SOC2'],
      includeSCC: true,
      severityThreshold: 'medium'
    }
  }
};
```
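As an added example (not the skill's or the babysitter project's own code), the following JavaScript validates a skill context against the input schema and folds a list of findings into the output schema's `summary` and `findingsBySeverity` fields, applying `severityThreshold` the way the usage example above requests. Enum values and field names come from the two schemas; the sample findings, the `totalChecks` value and the passed/failed/warnings accounting are assumptions.

```javascript
// Added example: input-schema validation and output-schema aggregation.
// Enum values and field names are from the schemas; the rest is assumed.

const SEVERITIES = ['critical', 'high', 'medium', 'low']; // ordered most to least severe
const SCAN_TYPES = ['full', 'cis', 'pci', 'hipaa', 'iso27001', 'custom'];
const FRAMEWORKS = ['CIS', 'PCI-DSS', 'HIPAA', 'ISO27001', 'SOC2', 'NIST'];

const isStringArray = (v) => Array.isArray(v) && v.every((x) => typeof x === 'string');

// Return the list of schema violations in a context; an empty list means it is valid.
function validateContext(ctx) {
  const errors = [];
  if (!SCAN_TYPES.includes(ctx.scanType)) errors.push(`scanType is required and must be one of ${SCAN_TYPES.join(', ')}`);
  for (const key of ['projects', 'services']) {
    if (ctx[key] !== undefined && !isStringArray(ctx[key])) errors.push(`${key} must be an array of strings`);
  }
  if (ctx.organization !== undefined && typeof ctx.organization !== 'string') errors.push('organization must be a string');
  if (ctx.severityThreshold !== undefined && !SEVERITIES.includes(ctx.severityThreshold)) {
    errors.push(`severityThreshold must be one of ${SEVERITIES.join(', ')}`);
  }
  if (ctx.complianceFrameworks !== undefined &&
      !(isStringArray(ctx.complianceFrameworks) && ctx.complianceFrameworks.every((f) => FRAMEWORKS.includes(f)))) {
    errors.push(`complianceFrameworks entries must be one of ${FRAMEWORKS.join(', ')}`);
  }
  if (ctx.includeSCC !== undefined && typeof ctx.includeSCC !== 'boolean') errors.push('includeSCC must be a boolean');
  return errors;
}

// Keep findings at or above the threshold: "medium" keeps critical, high and medium.
function atOrAbove(findings, threshold = 'low') {
  const cutoff = SEVERITIES.indexOf(threshold);
  return findings.filter((f) => SEVERITIES.indexOf(f.severity) <= cutoff);
}

// Assemble the output-schema report. Accounting assumed here: a check with no finding
// passed, a finding at or above the threshold is a failure, one below it is a warning.
function buildReport(ctx, findings, totalChecks, now = new Date()) {
  const errors = validateContext(ctx);
  if (errors.length) throw new Error(`invalid context: ${errors.join('; ')}`);
  const kept = atOrAbove(findings, ctx.severityThreshold);
  return {
    scanId: `scan-${now.getTime()}`,
    scanTimestamp: now.toISOString(),
    projectsScanned: ctx.projects || [],
    organizationId: ctx.organization,
    summary: { totalChecks, passed: totalChecks - findings.length, failed: kept.length, warnings: findings.length - kept.length },
    findingsBySeverity: Object.fromEntries(SEVERITIES.map((s) => [s, kept.filter((f) => f.severity === s).length])),
    findings: kept,
    sccFindings: [], // would be filled from the Security Command Center API when includeSCC is true (not shown)
    organizationPolicyStatus: {},
    recommendations: [...new Set(kept.map((f) => f.remediation))],
  };
}

// Constructed findings (not real scan output), each shaped like the output schema's items.
const SAMPLE_FINDINGS = [
  { checkId: 'gcs-public-bucket', severity: 'critical', service: 'Cloud Storage', project: 'my-project-id',
    resourceName: 'public-assets', description: 'Bucket readable by allUsers', remediation: 'Remove the public binding', complianceMapping: ['CIS'] },
  { checkId: 'vpc-fw-open-mgmt-port', severity: 'high', service: 'VPC', project: 'my-project-id',
    resourceName: 'allow-ssh-anywhere', description: 'SSH open to 0.0.0.0/0', remediation: 'Restrict sourceRanges', complianceMapping: ['CIS'] },
  { checkId: 'iam-sa-key-stale', severity: 'medium', service: 'IAM', project: 'my-project-id',
    resourceName: 'ci@my-project-id.iam.gserviceaccount.com', description: 'Key older than 90 days', remediation: 'Rotate the key', complianceMapping: ['CIS', 'SOC2'] },
  { checkId: 'gcs-no-access-logs', severity: 'low', service: 'Cloud Storage', project: 'my-project-id',
    resourceName: 'legacy-logs', description: 'Access logging disabled', remediation: 'Enable access logging', complianceMapping: ['SOC2'] },
  { checkId: 'gcs-no-retention', severity: 'low', service: 'Cloud Storage', project: 'my-project-id',
    resourceName: 'legacy-logs', description: 'No retention policy', remediation: 'Set a retention policy', complianceMapping: ['SOC2'] },
];

// The same context as the usage example above.
const CONTEXT = { scanType: 'cis', projects: ['my-project-id'], complianceFrameworks: ['CIS', 'SOC2'], includeSCC: true, severityThreshold: 'medium' };

console.log(JSON.stringify(buildReport(CONTEXT, SAMPLE_FINDINGS, 20), null, 2));
```

With `severityThreshold: 'medium'` the two low findings are counted as warnings rather than failures, so the report shows 3 failed, 2 warnings and 15 passed out of 20 checks; a context with a misspelled `scanType` is rejected before any aggregation happens.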
