feat(gcp): add 6 new GCP checks for CloudSQL, SecretManager, and Cloud Functions #10967
Open
s1ns3nz0 wants to merge 4 commits into prowler-cloud:master from
Conversation
…ud Functions
Implements 6 new GCP security checks aligned with KISA ISMS-P 2023 requirements,
along with a new SecretManager service layer and Cloud Functions service layer.
New checks:
- cloudsql_instance_high_availability_enabled (ISMS-P 2.9.2, 2.10.2, 2.12.1)
- cloudsql_instance_cmek_encryption_enabled (ISMS-P 2.6.4, 2.7.1, 2.10.2)
- secretmanager_secret_rotation_enabled (ISMS-P 2.7.1, 2.10.2)
- secretmanager_secret_not_publicly_accessible (ISMS-P 2.6.2, 2.10.2)
- cloudfunction_function_not_publicly_accessible (ISMS-P 2.6.2)
- cloudfunction_function_inside_vpc (ISMS-P 2.6.1)
Service changes:
- Add SecretManager GCP service (secrets list + IAM policy, thread-safe)
- Add Cloud Functions GCP service (v2 API, locations pagination, thread-safe IAM)
- Extend CloudSQL Instance model with high_availability and cmek_key_name fields
- Use instance.get("settings", {}) to guard against KeyError on error-state instances
Quality hardening (post Red-Team review):
- cloudfunctions: api_version="v2" for serviceConfig.vpcConnector field access
- cloudfunctions: per-location try/except so one region failure does not abort project scan
- secretmanager rotation: int(float(...)) for fractional-second Duration strings
- secretmanager rotation: explicit is not None check to handle 0-day rotation edge case
- secretmanager rotation: next_rotation_time staleness check (FAIL if overdue)
- secretmanager: Secret.location = "global" derived from resource model, not service region
- cloudfunction_function_inside_vpc: skip non-ACTIVE functions; surface ingress_settings advisory
- All threaded IAM calls use http=__get_AuthorizedHttp_client__() (httplib2 thread safety)
- All VALID_CATEGORIES values verified against prowler/lib/check/models.py frozenset
Compliance:
- Add prowler/compliance/gcp/kisa_isms_p_2023_gcp.json mapping all 6 checks
to requirements 2.1.3, 2.6.1, 2.6.2, 2.6.4, 2.7.1, 2.9.2, 2.10.2, 2.12.1
Tests:
- 22 unit tests across all new checks and services
- gcp_fixtures.py sqladmin mock updated with availabilityType and diskEncryptionConfiguration
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Set RelatedUrl to "" in all 6 check metadata files (field is deprecated)
- Set Remediation.Recommendation.Url to https://hub.prowler.com/check/<id> for all 6 checks (validator requires hub.prowler.com prefix)
- All 30 unit tests now pass
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Remove out-of-scope ingress advisory from VPC check PASS message (H1)
- Add state!=ACTIVE filter to not_publicly_accessible check for
consistency with inside_vpc check (H2)
- Add allAuthenticatedUsers test cases for both cloudfunction and
secretmanager service IAM checks (H3)
- Add inactive function skip tests for both cloudfunction checks (H4)
- Fix false PASS on datetime parse failure in rotation check by
defaulting rotation_overdue=True on error (H5, fail-safe)
- Use .replace("Z","+00:00") for robust ISO timestamp parsing (M4)
- Fix error log messages to use location_id/project_id instead of
always-global self.region (M1)
- Fix secretmanager_service error log to use project_id (M1)
- Change rotation check category from "encryption" to "secrets" (M6)
- Fix compliance Name to "KISA ISMS-P" (not "KISA ISMS") (M7)
- Fix AdditionalURL to Cloud Functions docs instead of Cloud Run (L1)
- Remove dead RelatedTo reference to non-existent check (L2)
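The rotation evaluation that the first and third commit messages describe (Duration parsing via int(float(...)), the explicit `is not None` check for a zero-length period, `.replace("Z", "+00:00")` before ISO timestamp parsing, the next_rotation_time staleness check, and the fail-safe default of treating a parse failure as overdue) is shown below as an added example. It is not Prowler's code or the code in this PR. It assumes each secret is a plain dict shaped like a Secret Manager v1 resource with `rotation.rotationPeriod` and `rotation.nextRotationTime` fields; the function names, the sample secrets and the fixed "now" are constructed for the example, and the 90-day limit is the one the PR summary states.

```python
from datetime import datetime, timezone

# The 90-day maximum is the threshold the PR summary gives for the rotation check.
MAX_ROTATION_DAYS = 90


def parse_duration_seconds(duration: str) -> int:
    """Parse a protobuf Duration string such as '7776000s' or '7776000.5s'.

    Going through float first tolerates fractional seconds; int('7776000.5')
    would raise ValueError and make the whole check error out.
    """
    if not isinstance(duration, str) or not duration.endswith("s"):
        raise ValueError(f"unexpected Duration format: {duration!r}")
    return int(float(duration[:-1]))


def parse_rfc3339(timestamp: str) -> datetime:
    """Parse an RFC 3339 timestamp into a timezone-aware datetime.

    datetime.fromisoformat rejects a trailing 'Z' before Python 3.11, so the
    UTC designator is rewritten as an explicit offset first.
    """
    return datetime.fromisoformat(timestamp.replace("Z", "+00:00"))


def evaluate_rotation(secret: dict, now: datetime) -> tuple:
    """Return ('PASS' | 'FAIL', reason) for one secret resource dict."""
    rotation = secret.get("rotation") or {}
    period = rotation.get("rotationPeriod")
    # Explicit None check: a '0s' period is still a configured rotation and is
    # judged below; a truthiness test would wrongly report it as missing.
    if period is None:
        return "FAIL", "automatic rotation is not configured"
    try:
        period_days = parse_duration_seconds(period) / 86400
    except ValueError as exc:
        return "FAIL", f"unparseable rotation period: {exc}"
    if period_days > MAX_ROTATION_DAYS:
        return "FAIL", f"rotation period {period_days:.0f} days exceeds {MAX_ROTATION_DAYS} days"
    # Staleness: a schedule whose next run is already in the past is overdue.
    # Fail-safe: a missing or unparseable nextRotationTime also counts as overdue.
    next_rotation_time = rotation.get("nextRotationTime")
    try:
        rotation_overdue = next_rotation_time is None or parse_rfc3339(next_rotation_time) < now
    except ValueError:
        rotation_overdue = True
    if rotation_overdue:
        return "FAIL", f"rotation overdue (nextRotationTime={next_rotation_time!r})"
    return "PASS", f"rotates every {period_days:.0f} days, next run not yet due"


def audit_secrets(secrets, now):
    """Evaluate a list of secret dicts; returns {secret name: (status, reason)}."""
    return {s["name"]: evaluate_rotation(s, now) for s in secrets}


# Constructed sample secrets, shaped like Secret Manager v1 resources, and a fixed clock.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_SECRETS = [
    {"name": "projects/p/secrets/db-password",
     "rotation": {"rotationPeriod": "7776000s", "nextRotationTime": "2025-07-01T00:00:00Z"}},
    {"name": "projects/p/secrets/api-key",
     "rotation": {"rotationPeriod": "15552000.5s", "nextRotationTime": "2025-12-01T00:00:00Z"}},
    {"name": "projects/p/secrets/stale-token",
     "rotation": {"rotationPeriod": "2592000s", "nextRotationTime": "2025-05-01T00:00:00Z"}},
    {"name": "projects/p/secrets/never-rotated"},
    {"name": "projects/p/secrets/bad-timestamp",
     "rotation": {"rotationPeriod": "2592000s", "nextRotationTime": "not-a-date"}},
]

if __name__ == "__main__":
    for name, (status, reason) in audit_secrets(SAMPLE_SECRETS, NOW).items():
        print(f"{status:4} {name}: {reason}")
```

The ordering matters: the period is judged before staleness so a secret with a 180-day period fails on the period even when its next rotation is in the future, and every error path returns FAIL rather than letting an exception produce no finding.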
- secretmanager_secret_not_publicly_accessible: replace 404 URL manage-access -> access-control (IAM roles for Secret Manager)
- cloudfunction_function_not_publicly_accessible: replace misleading function-identity URL -> securing/authenticating (invocation auth)
Contributor
✅ Conflict Markers Resolved: All conflict markers have been successfully resolved in this pull request.
Member
Hi @s1ns3nz0 thanks for this contribution 🙌 In order for us to be able to review the PR and merge it as fast as possible we need you to split it, creating one PR per check. Please let us know if you need help for that and the team will work with you.
Summary
- cloudfunction_function_inside_vpc — ensures Cloud Functions have a VPC connector attached
- cloudfunction_function_not_publicly_accessible — detects allUsers/allAuthenticatedUsers IAM bindings on functions
- cloudsql_instance_cmek_encryption_enabled — verifies CMEK (Customer-Managed Encryption Key) usage on Cloud SQL instances
- cloudsql_instance_high_availability_enabled — checks availabilityType=REGIONAL for HA standby replica
- secretmanager_secret_not_publicly_accessible — detects publicly accessible Secret Manager secrets
- secretmanager_secret_rotation_enabled — verifies rotation period ≤ 90 days and not overdue
Changes
- New services: cloudfunction_service.py (Cloud Functions v2 API) and secretmanager_service.py (Secret Manager v1 API)
- Extended cloudsql_service.py with availabilityType and diskEncryptionConfiguration fields
- kisa_isms_p_2023_gcp.json — maps checks to KISA ISMS-P 2023 requirements (2.1.3, 2.6.1, 2.6.2, 2.6.4, 2.7.1, 2.9.2, 2.10.2, 2.12.1)
- … allAuthenticatedUsers, fractional durations, overdue rotation, missing fields)
Test plan
Verification:
- python -m pytest tests/providers/gcp/services/cloudfunction/ -v
- python -m pytest tests/providers/gcp/services/secretmanager/ -v
- python -m pytest tests/providers/gcp/services/cloudsql/cloudsql_instance_cmek_encryption_enabled/ -v
- python -m pytest tests/providers/gcp/services/cloudsql/cloudsql_instance_high_availability_enabled/ -v
- kisa_isms_p_2023_gcp.json loads without errors in Prowler CLI
- prowler gcp --check cloudfunction_function_inside_vpc against a live GCP project
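The two Cloud Functions checks summarised above (public allUsers/allAuthenticatedUsers IAM bindings, and a missing serviceConfig.vpcConnector), together with the per-location error isolation and the non-ACTIVE skip that the commit messages mention, as an added example; this is not Prowler's code or the code in this PR. It assumes functions are dicts shaped like Cloud Functions v2 resources (`state`, `serviceConfig.vpcConnector` are real v2 fields; allUsers and allAuthenticatedUsers are GCP's public principals), that listing and IAM-policy lookups are passed in as callables, and the sample functions, policies, region names and the deliberately failing region are constructed.

```python
# GCP's two public principals: everyone, and every authenticated Google account.
PUBLIC_MEMBERS = frozenset({"allUsers", "allAuthenticatedUsers"})


def public_bindings(policy: dict) -> list:
    """Return (role, member) pairs in an IAM policy that grant access to a public principal."""
    findings = []
    for binding in policy.get("bindings") or []:
        for member in binding.get("members") or []:
            if member in PUBLIC_MEMBERS:
                findings.append((binding.get("role"), member))
    return findings


def evaluate_public_access(function: dict, policy: dict) -> tuple:
    """'SKIP' for non-ACTIVE functions, 'FAIL' if any binding is public, else 'PASS'."""
    state = function.get("state")
    if state != "ACTIVE":
        return "SKIP", f"function state is {state}"
    found = public_bindings(policy)
    if found:
        detail = ", ".join(f"{member} as {role}" for role, member in found)
        return "FAIL", f"public IAM binding: {detail}"
    return "PASS", "no public principal in IAM bindings"


def evaluate_vpc(function: dict) -> tuple:
    """'SKIP' for non-ACTIVE functions, 'FAIL' without a serviceConfig.vpcConnector, else 'PASS'."""
    state = function.get("state")
    if state != "ACTIVE":
        return "SKIP", f"function state is {state}"
    connector = (function.get("serviceConfig") or {}).get("vpcConnector")
    if not connector:
        return "FAIL", "no VPC connector attached"
    return "PASS", f"attached to {connector}"


def scan_project(locations, list_functions, get_iam_policy):
    """Run both evaluations for every function in every location.

    A failure while listing one location is recorded in `errors` and the
    remaining locations are still scanned, so one broken region does not
    abort the project scan.
    """
    results, errors = {}, {}
    for location in locations:
        try:
            for fn in list_functions(location):
                results[fn["name"]] = {
                    "public": evaluate_public_access(fn, get_iam_policy(fn["name"])),
                    "vpc": evaluate_vpc(fn),
                }
        except Exception as exc:  # deliberately broad: isolate any per-location failure
            errors[location] = str(exc)
    return results, errors


# Constructed sample data shaped like Cloud Functions v2 resources and IAM policies.
SAMPLE_FUNCTIONS = {
    "us-central1": [
        {"name": "projects/p/locations/us-central1/functions/public-hook", "state": "ACTIVE",
         "serviceConfig": {}},
        {"name": "projects/p/locations/us-central1/functions/internal-job", "state": "ACTIVE",
         "serviceConfig": {"vpcConnector": "projects/p/locations/us-central1/connectors/c1"}},
        {"name": "projects/p/locations/us-central1/functions/broken-deploy", "state": "FAILED",
         "serviceConfig": {}},
    ],
}
SAMPLE_POLICIES = {
    "projects/p/locations/us-central1/functions/public-hook": {
        "bindings": [{"role": "roles/cloudfunctions.invoker", "members": ["allUsers"]}]},
    "projects/p/locations/us-central1/functions/internal-job": {
        "bindings": [{"role": "roles/cloudfunctions.invoker",
                      "members": ["serviceAccount:caller@p.iam.gserviceaccount.com"]}]},
    "projects/p/locations/us-central1/functions/broken-deploy": {
        "bindings": [{"role": "roles/cloudfunctions.invoker", "members": ["allAuthenticatedUsers"]}]},
}


def sample_list_functions(location):
    """Stand-in for the v2 list call; one constructed region is made to fail."""
    if location == "asia-east1":
        raise RuntimeError("constructed: API unavailable in this region")
    return SAMPLE_FUNCTIONS.get(location, [])


def sample_get_iam_policy(name):
    """Stand-in for the per-function getIamPolicy call."""
    return SAMPLE_POLICIES.get(name, {"bindings": []})


if __name__ == "__main__":
    results, errors = scan_project(["us-central1", "asia-east1"],
                                   sample_list_functions, sample_get_iam_policy)
    for name, checks in results.items():
        print(name, checks)
    print("errors:", errors)
```

Skipping non-ACTIVE functions keeps the two checks consistent with each other, as the third commit describes: a FAILED deployment that still carries an allAuthenticatedUsers binding is reported as SKIP rather than FAIL, and the failing region ends up in `errors` instead of terminating the scan.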