Skill Being Reviewed
Skill name: gcp-review
Skill path: skills/cloud/gcp-review/
False Positive Analysis
Scenario: CIS 1.4 (User-managed SA Keys).
Observation: The skill currently flags all user-managed keys as "Critical".
Why this is a false positive: In hybrid-cloud scenarios where an on-premises application (outside of GCP) needs to access a GCP resource (such as a BigQuery dataset), a user-managed service account key is often the only supported method if Workload Identity Federation isn't available for the legacy on-premises identity provider.
Recommendation: The skill should allow an exclusion for "Validated Hybrid-Cloud SA Keys" if the key has a defined rotation period and is not assigned an owner/editor role at the project level.
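One way the skill could implement that exclusion over resources discovered from Terraform, written as an added example for this review (it is not the skill's own code). The resource dicts are constructed, the project is hypothetical, and treating a `keepers` entry that references a `time_rotating` resource as the "defined rotation period" is an assumption of the example; keys that pass are downgraded to "Low" rather than suppressed outright.

```python
PRIVILEGED_PROJECT_ROLES = {"roles/owner", "roles/editor"}

# Constructed sample of parsed Terraform resources for a hypothetical project.
# Rotation evidence is a `keepers` entry referencing a time_rotating resource;
# treating that as the "defined rotation period" is an assumption of this example.
SAMPLE_RESOURCES = [
    {"type": "google_service_account_key", "name": "onprem_etl_key", "attrs": {
        "service_account_id": "onprem-etl@demo-project.iam.gserviceaccount.com",
        "keepers": {"rotation_time": "${time_rotating.sa_key.rotation_rfc3339}"}}},
    {"type": "google_service_account_key", "name": "onprem_etl_key_old", "attrs": {
        "service_account_id": "onprem-etl@demo-project.iam.gserviceaccount.com"}},
    {"type": "google_service_account_key", "name": "legacy_admin_key", "attrs": {
        "service_account_id": "legacy-admin@demo-project.iam.gserviceaccount.com",
        "keepers": {"rotation_time": "${time_rotating.sa_key.rotation_rfc3339}"}}},
    {"type": "google_project_iam_member", "name": "etl_bq", "attrs": {
        "role": "roles/bigquery.dataViewer",
        "member": "serviceAccount:onprem-etl@demo-project.iam.gserviceaccount.com"}},
    {"type": "google_project_iam_member", "name": "admin_editor", "attrs": {
        "role": "roles/editor",
        "member": "serviceAccount:legacy-admin@demo-project.iam.gserviceaccount.com"}},
]

def project_roles(resources, email):
    """Roles the SA holds through project-level google_project_iam_member resources."""
    member = f"serviceAccount:{email}"
    return {r["attrs"]["role"] for r in resources
            if r["type"] == "google_project_iam_member" and r["attrs"]["member"] == member}

def has_rotation(key_attrs):
    """True when the key's keepers tie it to a time_rotating resource (assumed evidence)."""
    keepers = key_attrs.get("keepers") or {}
    return any("time_rotating." in str(v) for v in keepers.values())

def classify_sa_keys(resources):
    """Map each google_service_account_key name to (severity, reason)."""
    findings = {}
    for r in resources:
        if r["type"] != "google_service_account_key":
            continue
        email = r["attrs"]["service_account_id"]
        privileged = project_roles(resources, email) & PRIVILEGED_PROJECT_ROLES
        if privileged:  # owner/editor at project level: never eligible for exclusion
            findings[r["name"]] = ("Critical", f"{email} holds {sorted(privileged)} at project level")
        elif not has_rotation(r["attrs"]):
            findings[r["name"]] = ("Critical", f"{email} key has no defined rotation period")
        else:
            findings[r["name"]] = ("Low", f"{email} key qualifies for the hybrid-cloud exclusion")
    return findings
```

The `keepers` check only proves the key is tied to a rotation schedule in IaC; a live audit would additionally compare the key's `validAfterTime` against the rotation window.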
Coverage Gaps
1. Artifact Registry Vulnerability Scanning (CIS 5.x):
The Storage section (Step 6) covers GCS buckets but misses Artifact Registry (the successor to Container Registry). The skill should check if "Automatic Vulnerability Scanning" is enabled for images and if "Remote Repository" policies are restricted to trusted domains.
2. Organization Policy 'Drift' (Step 1):
While the skill mentions Org Policies, it misses the "Inheritance Override" problem. A project-level admin can often override an Org Policy if it wasn't set with `enforce: true` at the root. The skill should explicitly verify that a `google_project_organization_policy` doesn't contradict the organization-level `google_organization_policy`.
3. Confidential Computing (CIS 4.12):
Section 4 (VMs) should add a check for Confidential VMs (AMD SEV/Intel TDX). For high-security workloads (Level 2 Profile), the skill should flag VMs that process sensitive data in memory without Confidential Computing enabled.
Remediation Quality
Issues found: The remediation section correctly points to Terraform, but it should also provide "gcloud CLI one-liners". Often, a security analyst needs to fix a finding instantly via the console/shell without waiting for a Terraform pipeline run.
Comparison to Other Tools
| Tool | Catches this? | Notes |
| --- | --- | --- |
| Forseti Security | Yes | The classic open-source scanner for GCP. |
| GCP Security Health Analytics | Yes | Native to Security Command Center; covers CIS v2.0.0. |
| Checkov | Yes | Excellent for scanning Terraform/IaC before it hits the cloud. |
Overall Assessment
This is a robust implementation of the CIS v2.0.0 benchmark. Its focus on IaC discovery (Terraform/Jinja) makes it highly valuable for modern DevOps. Adding the Artifact Registry checks and the Org Policy inheritance verification would make it the most comprehensive GCP audit tool in the "Security Skills" catalog.
Bounty Info