

feat: add secrets discovery support
docs: Updated method documentation

PiperOrigin-RevId: 636593602
Google APIs authored and Copybara-Service committed May 23, 2024
1 parent 1294813 commit 1834a96
Showing 2 changed files with 69 additions and 31 deletions.
90 changes: 59 additions & 31 deletions google/privacy/dlp/v2/dlp.proto
Expand Up @@ -1853,7 +1853,7 @@ message InspectDataSourceDetails {
// inspect job.
repeated InfoTypeStats info_type_stats = 3;

// Number of rows scanned post sampling and time filtering (Applicable for
// Number of rows scanned after sampling and time filtering (applicable for
// row based stores such as BigQuery).
int64 num_rows_processed = 5;

Expand Down Expand Up @@ -1989,6 +1989,9 @@ message InfoTypeCategory {
// The infoType is typically used in Australia.
AUSTRALIA = 3;

// The infoType is typically used in Azerbaijan.
AZERBAIJAN = 48;

// The infoType is typically used in Belgium.
BELGIUM = 4;

Expand Down Expand Up @@ -3938,7 +3941,7 @@ message Error {
repeated google.protobuf.Timestamp timestamps = 2;
}

// Contains a configuration to make api calls on a repeating basis.
// Contains a configuration to make API calls on a repeating basis.
// See
// https://cloud.google.com/sensitive-data-protection/docs/concepts-job-triggers
// to learn more.
Expand Down Expand Up @@ -4773,13 +4776,9 @@ message DataProfileAction {
// New profile (not a re-profile).
NEW_PROFILE = 1;

// Changed one of the following profile metrics:
// * Data risk score
// * Sensitivity score
// * Resource visibility
// * Encryption type
// * Predicted infoTypes
// * Other infoTypes
// One of the following profile metrics changed: Data risk score,
// Sensitivity score, Resource visibility, Encryption type, Predicted
// infoTypes, Other infoTypes
CHANGED_PROFILE = 2;

// Table data risk score or sensitivity score increased.
Expand Down Expand Up @@ -5036,6 +5035,11 @@ message DiscoveryTarget {
// Cloud SQL target for Discovery. The first target to match a table will be
// the one applied.
CloudSqlDiscoveryTarget cloud_sql_target = 2;

// Discovery target that looks for credentials and secrets stored in cloud
// resource metadata and reports them as vulnerabilities to Security Command
// Center. Only one target of this type is allowed.
SecretsDiscoveryTarget secrets_target = 3;
}
}

Expand Down Expand Up @@ -5088,6 +5092,11 @@ message DiscoveryBigQueryFilter {
// configuration. If none is specified, a default one will be added
// automatically.
AllOtherBigQueryTables other_tables = 2;

// The table to scan. Discovery configurations including this can only
// include one DiscoveryTarget (the DiscoveryTarget with this
// TableReference).
TableReference table_reference = 3;
}
}

Expand Down Expand Up @@ -5272,7 +5281,7 @@ message DatabaseResourceRegexes {
// under the google/re2 repository on GitHub.
message DatabaseResourceRegex {
// For organizations, if unset, will match all projects. Has no effect
// for Data Profile configurations created within a project.
// for configurations created within a project.
string project_id_regex = 1;

// Regex to test the instance name against. If empty, all instances match.
Expand All @@ -5294,12 +5303,19 @@ message AllOtherDatabaseResources {}
// Identifies a single database resource, like a table within a database.
message DatabaseResourceReference {
// Required. If within a project-level config, then this must match the
// config's project id.
// config's project ID.
string project_id = 1 [(google.api.field_behavior) = REQUIRED];

// Required. The instance where this resource is located. For example: Cloud
// SQL's instance id.
// SQL instance ID.
string instance = 2 [(google.api.field_behavior) = REQUIRED];

// Required. Name of a database within the instance.
string database = 3 [(google.api.field_behavior) = REQUIRED];

// Required. Name of a database resource, for example, a table within the
// database.
string database_resource = 4 [(google.api.field_behavior) = REQUIRED];
}

// Requirements that must be true before a table is profiled for the
Expand All @@ -5313,10 +5329,10 @@ message DiscoveryCloudSqlConditions {
// Include all supported database engines.
ALL_SUPPORTED_DATABASE_ENGINES = 1;

// MySql database.
// MySQL database.
MYSQL = 2;

// PostGres database.
// PostgreSQL database.
POSTGRES = 3;
}

Expand Down Expand Up @@ -5347,14 +5363,14 @@ message DiscoveryCloudSqlConditions {
// New tables are scanned as quickly as possible depending on system
// capacity.
message DiscoveryCloudSqlGenerationCadence {
// How frequency to modify the profile when the table's schema is modified.
// How frequently to modify the profile when the table's schema is modified.
message SchemaModifiedCadence {
// The type of modification that causes a profile update.
enum CloudSqlSchemaModification {
// Unused.
SQL_SCHEMA_MODIFICATION_UNSPECIFIED = 0;

// New columns has appeared.
// New columns have appeared.
NEW_COLUMNS = 1;

// Columns have been removed from the table.
Expand All @@ -5375,11 +5391,25 @@ message DiscoveryCloudSqlGenerationCadence {

// Data changes (non-schema changes) in Cloud SQL tables can't trigger
// reprofiling. If you set this field, profiles are refreshed at this
// frequency regardless of whether the underlying tables have changes.
// frequency regardless of whether the underlying tables have changed.
// Defaults to never.
DataProfileUpdateFrequency refresh_frequency = 2;
}

// Discovery target for credentials and secrets in cloud resource metadata.
//
// This target does not include any filtering or frequency controls. Cloud
// DLP will scan cloud resource metadata for secrets daily.
//
// No inspect template should be included in the discovery config for a
// security benchmarks scan. Instead, the built-in list of secrets and
// credentials infoTypes will be used (see
// https://cloud.google.com/sensitive-data-protection/docs/infotypes-reference#credentials_and_secrets).
//
// Credentials and secrets discovered will be reported as vulnerabilities to
// Security Command Center.
message SecretsDiscoveryTarget {}

// The location to begin a discovery scan. Denotes an organization ID or folder
// ID within an organization.
message DiscoveryStartingLocation {
Expand Down Expand Up @@ -6523,8 +6553,8 @@ enum ResourceVisibility {
RESOURCE_VISIBILITY_PUBLIC = 10;

// May contain public items.
// For example, if a GCS bucket has uniform bucket level access disabled, some
// objects inside it may be public.
// For example, if a Cloud Storage bucket has uniform bucket level access
// disabled, some objects inside it may be public.
RESOURCE_VISIBILITY_INCONCLUSIVE = 15;

// Visible only to specific users.
Expand Down Expand Up @@ -7049,8 +7079,7 @@ message ListConnectionsRequest {
// results. If set, all other request fields must match the original request.
string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

// Optional. * Supported fields/values
// - `state` - MISSING|AVAILABLE|ERROR
// Optional. Supported field/value: `state` - MISSING|AVAILABLE|ERROR
string filter = 4 [(google.api.field_behavior) = OPTIONAL];
}

Expand All @@ -7072,8 +7101,7 @@ message SearchConnectionsRequest {
// results. If set, all other request fields must match the original request.
string page_token = 3 [(google.api.field_behavior) = OPTIONAL];

// Optional. * Supported fields/values
// - `state` - MISSING|AVAILABLE|ERROR
// Optional. Supported field/value: - `state` - MISSING|AVAILABLE|ERROR
string filter = 4 [(google.api.field_behavior) = OPTIONAL];
}

Expand Down Expand Up @@ -7168,10 +7196,10 @@ enum ConnectionState {
// A configured connection that encountered errors during its last use. It
// will not be used again until it is set to AVAILABLE.
//
// If the resolution requires external action, then a request to set the
// status to AVAILABLE will mark this connection for use. Otherwise, any
// changes to the connection properties will automatically mark it as
// AVAILABLE.
// If the resolution requires external action, then the client must send a
// request to set the status to AVAILABLE when the connection is ready for
// use. If the resolution doesn't require external action, then any changes to
// the connection properties will automatically mark it as AVAILABLE.
ERROR = 3;
}

Expand All @@ -7189,8 +7217,8 @@ message SecretManagerCredential {
[(google.api.field_behavior) = REQUIRED];
}

// Use IAM auth to connect. This requires the Cloud SQL IAM feature to be
// enabled on the instance, which is not the default for Cloud SQL.
// Use IAM authentication to connect. This requires the Cloud SQL IAM feature
// to be enabled on the instance, which is not the default for Cloud SQL.
// See https://cloud.google.com/sql/docs/postgres/authentication and
// https://cloud.google.com/sql/docs/mysql/authentication.
message CloudSqlIamCredential {}
Expand All @@ -7200,13 +7228,13 @@ message CloudSqlProperties {
// Database engine of a Cloud SQL instance.
// New values may be added over time.
enum DatabaseEngine {
// An engine that is not currently supported by SDP.
// An engine that is not currently supported by Sensitive Data Protection.
DATABASE_ENGINE_UNKNOWN = 0;

// Cloud SQL for MySQL instance.
DATABASE_ENGINE_MYSQL = 1;

// Cloud SQL for Postgres instance.
// Cloud SQL for PostgreSQL instance.
DATABASE_ENGINE_POSTGRES = 2;
}

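Review bot: The new SecretsDiscoveryTarget comment at the end of the DiscoveryCloudSqlGenerationCadence hunk uses names the rest of this commit moves away from: it says "Cloud DLP will scan", while the CloudSqlProperties hunk in the same commit replaces "SDP" with "Sensitive Data Protection", and it calls the scan a "security benchmarks scan" although the message name, the `secrets_target` field in DiscoveryTarget and the surrounding sentences all call it secrets discovery. Suggest `// Sensitive Data Protection scans cloud resource metadata for secrets daily.` and `// No inspect template should be included in the discovery config for a` / `// secrets discovery scan.` in its place. Because the findings are forwarded to Security Command Center, the comment should also state whether a finding carries only the location of the credential or the matched value as well; the schema does not show this, and it decides who should be allowed to read those findings. The "Only one target of this type is allowed" sentence on `secrets_target` describes a server-side rule the oneof cannot express, so it is worth saying there how a config violating it is handled, if that is known.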
10 changes: 10 additions & 0 deletions google/privacy/dlp/v2/storage.proto
Expand Up @@ -859,6 +859,16 @@ message BigQueryTable {
string table_id = 3;
}

// Message defining the location of a BigQuery table with the projectId inferred
// from the parent project.
message TableReference {
// Dataset ID of the table.
string dataset_id = 1;

// Name of the table.
string table_id = 2;
}

// Message defining a field of a BigQuery table.
message BigQueryField {
// Source table of the field.
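Review bot: The TableReference comment says the project ID is "inferred from the parent project", but the only use this commit gives the message is DiscoveryBigQueryFilter.table_reference in dlp.proto, and discovery configs can also be rooted at an organization or folder (DiscoveryStartingLocation), where there is no parent project to infer from. The comment should say which project applies in that case or that the field is only meaningful in project-level configurations, for example `// The project ID is taken from the discovery config's parent project, so` / `// this reference is only usable in project-level configurations.` — to be confirmed against the service behavior before committing to it. The neighbouring BigQueryTable comment refers to fields by their proto names, so `project ID` rather than the JSON-style `projectId` would also read more consistently here.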

