
[REVIEW] gcp-review: add org/project evidence scope #41

@yunrongy424-oss

Description


Skill Being Reviewed

Skill name: gcp-review
Skill path: skills/cloud/gcp-review/

False Positive Analysis

Benign configuration that can be misclassified:

resource "google_project_iam_binding" "viewer" {
  project = var.project_id
  role    = "roles/viewer"
  members = ["group:auditors@example.com"]
}

Why this can be misleading:

The skill inspects IAM bindings and project configuration, but it does not require the reviewer to record whether evidence is organization, folder, project, or resource scoped. A binding can be appropriate in one project while being unsafe if generalized across the organization. The reviewer also needs to distinguish IAM allow policies, IAM deny policies, Principal Access Boundary policies, and organization policies before deciding whether a control truly passes or fails.

Coverage Gaps

Missed variant 1: Organization Policy inheritance and exceptions

constraint: constraints/compute.vmExternalIpAccess
listPolicy:
  deniedValues:
    - '*'

Why it should be caught:

Org Policy can be inherited through organization, folder, and project hierarchy, and exceptions can alter the effective state. The skill should record where the policy is enforced, whether it inherits from an ancestor, and whether a project/resource has an override before treating the control as pass.

Missed variant 2: Security Command Center tier and scope

Evidence source: Security Command Center finding export for one project.
Control: CIS posture assessment across all production projects.

Why it should be caught:

Security Command Center Standard, Premium, and Enterprise expose different capabilities and can be activated at different scopes. A project-level SCC export is useful evidence, but it should not be treated as organization-wide coverage without tier and activation-scope evidence.

Missed variant 3: VPC Flow Logs are per subnet and sampled

resource "google_compute_subnetwork" "prod" {
  name = "prod"
  # no log_config block
}

Why it should be caught:

The skill already mentions subnet-level flow logs, but the report should require evidence source and sampling/sink context. VPC Flow Logs are sampled and generate logs in Cloud Logging for the reporting project, so a pass should include subnet coverage rather than broad VPC-level assumptions.

Edge Cases

  • IAM deny policies and Principal Access Boundary policies can restrict access even when allow bindings appear permissive.
  • Organization policy defaults, inheritance, exceptions, and project overrides can change the effective result.
  • Security Command Center Premium and Enterprise are paid tiers; reviewers should report observed tier/scope evidence and not enable paid services.
  • Cloud Asset Inventory exports can be organization, folder, project, or asset scoped; sampled exports should not be overclaimed.
  • GCS uniform bucket-level access, public access prevention, and object ACL evidence can conflict; the report should state which evidence was reviewed.

Remediation Quality

  • Fix resolves the vulnerability
  • Fix doesn't introduce new security issues
  • Fix doesn't break functionality
  • Issues found: The skill should add evidence-source, scope-coverage, and Not Evaluable reason tracking so reports do not overstate organization/project compliance from partial IaC, sampled Cloud Asset Inventory, or project-only Security Command Center evidence.

Comparison to Other Tools

| Tool | Catches this? | Notes |
|---|---|---|
| Security Command Center | Partial | Useful posture and finding source, but tier and activation scope determine coverage. |
| Organization Policy | Partial | Can enforce controls, but inheritance and exceptions must be reviewed. |
| Cloud Asset Inventory | Partial | Shows assets/policies for the exported scope, not necessarily every project unless an organization-wide export is available. |
| Terraform review | Partial | Shows intended state, not effective live state or inherited policies. |

Overall Assessment

Strengths:

  • Clear CIS GCP v2.0.0 section structure.
  • Good existing coverage for IAM, audit logs, networking, VMs, storage, Cloud SQL, and BigQuery.
  • Useful common pitfalls around org policies, user-managed service account keys, VPC flow logs, and Cloud SQL networking.

Needs improvement:

  • Add evidence confidence levels: IaC-only, gcloud export, Cloud Asset Inventory, SCC finding, sampled, or unknown.
  • Track organization, folder, project, resource, and policy scope.
  • Add Not Evaluable reason codes for missing org/project/resource exports.
  • Add IAM deny and Principal Access Boundary policy distinctions.
  • Add SCC tier/scope and VPC Flow Logs sampling/sink caveats.

Priority recommendations:

  1. Add a scope/evidence-quality step before final reporting.
  2. Expand output fields with evidence source, scope coverage, and Not Evaluable reason.
  3. Add pitfalls for Org Policy inheritance/exceptions, IAM deny/PAB, SCC tier/scope, sampled Cloud Asset Inventory, and VPC Flow Logs sampling/sinks.

References used:

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: PayPal 1005150221@qq.com
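The review above asks the skill to (1) resolve Org Policy through the organization/folder/project hierarchy before calling a control a pass, (2) gate every result behind evidence source and scope coverage with a Not Evaluable reason, and (3) treat VPC Flow Logs per subnet with sampling recorded. The following is an added example written for this page, not code from the gcp-review skill or its repository. The `Node`, `Evidence` and subnet dictionaries are constructed shapes that only model the logic; they are not gcloud, Cloud Asset Inventory or Security Command Center export formats, and the reason codes (`NO_EVIDENCE_AT_SCOPE`, `SAMPLED_EVIDENCE_ONLY`, `CHECK_NOT_RUN`) are assumed names.

```python
"""Toy evaluator for the scope/evidence-quality step and the Org Policy
inheritance check described in the review. Constructed example; the data
shapes are assumptions, not gcloud, Cloud Asset Inventory or SCC formats."""
from dataclasses import dataclass
from typing import Optional

# ---- Org Policy: effective state through organization > folder > project ----
@dataclass
class Node:
    """One level of the resource hierarchy. policy=None means nothing is set
    here; otherwise {"inherit": bool, "denied": set[str]} (constructed shape,
    modelled on a list constraint's inheritFromParent + deniedValues)."""
    name: str
    parent: Optional["Node"] = None
    policy: Optional[dict] = None

def effective_policy(node: Node) -> dict:
    """Apply policies root-first so the closest level wins. inherit=True merges
    with the ancestor's denied set; inherit=False replaces it (an override or
    exception), which is exactly what a project-only export hides."""
    chain, cur = [], node
    while cur is not None:
        chain.append(cur)
        cur = cur.parent
    denied: set = set()
    set_at: list = []  # every level that contributed, for the evidence report
    for level in reversed(chain):
        if level.policy is None:
            continue
        if level.policy.get("inherit", False):
            denied |= set(level.policy["denied"])
        else:
            denied = set(level.policy["denied"])  # drops everything inherited
        set_at.append(level.name)
    overridden = node.policy is not None and not node.policy.get("inherit", False)
    return {"denied": denied, "set_at": set_at, "overridden_here": overridden}

# ---- Evidence scope / quality gate applied before PASS or FAIL is reported ----
SCOPE_RANK = {"organization": 0, "folder": 1, "project": 2, "resource": 3}

@dataclass
class Evidence:
    source: str            # constructed labels: "iac", "gcloud", "cai", "scc"
    scope: str             # a key of SCOPE_RANK
    scope_id: str
    sampled: bool = False  # e.g. a sampled Cloud Asset Inventory export

def covers(ev: Evidence, scope: str, scope_id: str, ancestors: tuple) -> bool:
    """Evidence covers a target if it is an export of the target itself or of
    one of its ancestors; a narrower export never covers a wider scope."""
    if ev.scope == scope and ev.scope_id == scope_id:
        return True
    return SCOPE_RANK[ev.scope] < SCOPE_RANK[scope] and ev.scope_id in ancestors

def evaluate(control_passes: Optional[bool], scope: str, scope_id: str,
             ancestors: tuple, evidence: list) -> dict:
    """Fill the evidence_source / scope_coverage / reason fields the review asks
    for, and downgrade to NOT_EVALUABLE instead of overclaiming."""
    usable = [e for e in evidence if covers(e, scope, scope_id, ancestors)]
    report = {"scope": f"{scope}:{scope_id}",
              "evidence_source": sorted({e.source for e in usable}),
              "scope_coverage": "full" if usable else "none", "reason": None}
    if not usable:
        return {**report, "result": "NOT_EVALUABLE", "reason": "NO_EVIDENCE_AT_SCOPE"}
    if all(e.sampled for e in usable):
        return {**report, "scope_coverage": "sampled",
                "result": "NOT_EVALUABLE", "reason": "SAMPLED_EVIDENCE_ONLY"}
    if all(e.source == "iac" for e in usable):
        report["scope_coverage"] = "intended-state-only"  # IaC is not live state
    if control_passes is None:
        return {**report, "result": "NOT_EVALUABLE", "reason": "CHECK_NOT_RUN"}
    return {**report, "result": "PASS" if control_passes else "FAIL"}

# ---- VPC Flow Logs: per subnet, with the sampling rate recorded ----
def flow_logs_check(subnets: list) -> tuple:
    """A subnet passes only with a log_config block; sampling rates are kept in
    the detail so a pass cannot silently imply full packet coverage."""
    missing = [s["name"] for s in subnets if not s.get("log_config")]
    sampling = {s["name"]: (s.get("log_config") or {}).get("flow_sampling")
                for s in subnets}
    return (not missing, {"missing_log_config": missing, "flow_sampling": sampling})

# Constructed sample data mirroring "Missed variant 1" and "Missed variant 3".
ORG = Node("org-1", policy={"inherit": False, "denied": {"*"}})
FOLDER = Node("folder-prod", ORG)                       # nothing set: inherits
PROJ = Node("proj-a", FOLDER, policy={"inherit": False, "denied": set()})  # exception
SUBNETS = [{"name": "prod", "log_config": None},
           {"name": "mgmt", "log_config": {"flow_sampling": 0.5}}]

def demo() -> dict:
    passes, _detail = flow_logs_check(SUBNETS)
    project_only = [Evidence("gcloud", "project", "proj-a")]
    return {"org_policy_proj_a": effective_policy(PROJ),
            "flow_logs_proj_a": evaluate(passes, "project", "proj-a",
                                         ("org-1", "folder-prod"), project_only),
            "flow_logs_org": evaluate(passes, "organization", "org-1", (), project_only)}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the constructed data, `proj-a` shows an empty effective deny list even though the organization denies `*`, because the project sets an exception, so a reviewer reading only the org-level policy would record the wrong state; and the same project-scoped `gcloud` evidence yields a FAIL for the project but NOT_EVALUABLE with `NO_EVIDENCE_AT_SCOPE` when the control is claimed organization-wide.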
