A powerful command-line tool for scanning Google Cloud Platform (GCP) projects for security misconfigurations. Features an AI-powered natural language interface using Google's Gemini model, comprehensive security scoring, and beautiful terminal reports.
Install with pip:

```bash
pip install gcpsight
```

Or using uv:

```bash
uv pip install gcpsight
```

Features:

- 🔥 Firewall Scanning: Detects VPC firewall rules open to the internet (`0.0.0.0/0`)
- 🪣 Public Storage Detection: Finds publicly accessible GCS buckets
- 👥 IAM Analysis: Identifies overly permissive roles (Owner, Editor) with broad access
- 📊 BigQuery Security: Checks for publicly accessible datasets
- ⚡ Cloud Functions: Scans for insecure functions with public access or outdated runtimes
- 🛡️ Security Scoring: Risk-based scoring with detailed remediation guidance
- 🤖 AI-Powered Queries: Natural language security questions via Gemini
- 🎨 Beautiful Reports: Colorful terminal output with emojis and structured tables
Quick start:

```bash
# Run comprehensive security assessment
gcpsight security-assessment --project-id my-gcp-project

# Check specific security issues
gcpsight list-open-firewalls --project-id my-gcp-project
gcpsight check-public-buckets --project-id my-gcp-project
```

```bash
# Ask questions in plain English
gcpsight ask --project-id my-gcp-project "are there any firewalls open to the world?"
gcpsight ask --project-id my-gcp-project "show me my security score"
gcpsight ask --project-id my-gcp-project "check my cloud functions for issues"
```

Security Assessment Report:

```text
🛡️ GCP SECURITY ASSESSMENT REPORT 🛡️

📋 Overall Assessment
┌───────────────────┬────────────────────────────────┐
│ 🎯 Security Score │ 75/100 (75.0%)                 │
│ ⚠️ Risk Level     │ HIGH                           │
└───────────────────┴────────────────────────────────┘

Security Score Progress ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 75.0%

📊 Findings Summary
┌──────────────┬───────┬──────────┐
│ Risk Level   │ Count │ Visual   │
├──────────────┼───────┼──────────┤
│ 🚨 CRITICAL  │ 1     │ █        │
│ ⚠️ HIGH      │ 2     │ ██       │
└──────────────┴───────┴──────────┘

🔍 Detailed Findings

🚨 Open Firewall [CRITICAL]
┌─────────────────────────────────────────────────────────────┐
│ 🏷️ Resource: allow-ssh-from-anywhere                        │
│ 📝 Issue: Firewall rule allows unrestricted SSH access      │
│ 📊 Impact: -25 points                                       │
│ 🔧 Fix: Restrict source ranges to specific IP addresses     │
└─────────────────────────────────────────────────────────────┘
```
Project structure:

- `src/gcpsight/main.py`: The main entry point for the CLI application, built using `click`.
- `src/gcpsight/gcp_scanner.py`: Contains the core logic for interacting with GCP APIs.
- `src/gcpsight/gemini_processor.py`: Handles interaction with the Gemini API.
- `src/gcpsight/security_scorer.py`: Implements security scoring, risk assessment, and reporting functionality.
- `pyproject.toml`: Defines project metadata, dependencies, and the CLI entry point for packaging.
- `requirements.txt`: Lists project dependencies (primarily for reference).
- `README.md`: This file.
- `.env` (not included, but necessary for local development): Used for environment variables.

Prerequisites:
- Python 3.9+
- Google Cloud SDK installed and configured
- Valid GCP project with appropriate permissions
```bash
pip install gcpsight
```

```bash
# Authenticate with your GCP account
gcloud auth application-default login

# Or set service account credentials
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account.json"
```

Your authenticated user/service account needs these IAM permissions:

- `compute.firewalls.list`
- `storage.buckets.list` & `storage.buckets.getIamPolicy`
- `resourcemanager.projects.getIamPolicy`
- `bigquery.datasets.list` & `bigquery.datasets.get`
- `cloudfunctions.functions.list` & `cloudfunctions.functions.getIamPolicy`
```bash
# Set your Gemini API key as environment variable
export GEMINI_API_KEY="your-gemini-api-key-here"

# Or create a .env file in your working directory
echo "GEMINI_API_KEY=your-gemini-api-key-here" > .env
```

Security assessment:

```bash
# Comprehensive security report with scoring
gcpsight security-assessment --project-id my-project

# JSON output for automation
gcpsight security-assessment --project-id my-project --output-format json

# Table format for quick overview
gcpsight security-assessment --project-id my-project --output-format table
```

Individual checks:

```bash
# Check firewall rules
gcpsight list-open-firewalls --project-id my-project

# Check storage buckets
gcpsight check-public-buckets --project-id my-project

# Check IAM roles
gcpsight check-overly-permissive-iam-roles --project-id my-project

# Check BigQuery datasets
gcpsight check-public-bigquery-datasets --project-id my-project

# Check Cloud Functions
gcpsight check-insecure-cloud-functions --project-id my-project

# Run all individual checks
gcpsight run-all-checks --project-id my-project
```

Natural language queries:

```bash
# Ask security questions in plain English
gcpsight ask --project-id my-project "are there any firewalls open to the world?"
gcpsight ask --project-id my-project "show me public buckets"
gcpsight ask --project-id my-project "check for overly permissive IAM roles"
gcpsight ask --project-id my-project "are there any public BigQuery datasets?"
gcpsight ask --project-id my-project "check my cloud functions for issues"
gcpsight ask --project-id my-project "run all checks"
gcpsight ask --project-id my-project "give me a security assessment"
gcpsight ask --project-id my-project "what's my security score?"
```

Firewall Check:

```text
🔍 Checking open firewall rules for project my-project...

🔥 Open Firewall Rules
┌─────────────────────┬─────────┬──────────────┬─────────────────┐
│ Name                │ Network │ Source Range │ Allowed Ports   │
├─────────────────────┼─────────┼──────────────┼─────────────────┤
│ allow-ssh-anywhere  │ default │ 0.0.0.0/0    │ tcp:22          │
│ allow-http-https    │ default │ 0.0.0.0/0    │ tcp:80,tcp:443  │
└─────────────────────┴─────────┴──────────────┴─────────────────┘
```
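The open-firewall check that produces the table above, as an added example that is not gcpsight's own code: it runs over firewall rules in the JSON shape the Compute Engine API returns (the sample rules are constructed), generalizes the `0.0.0.0/0` test to any zero-length prefix so `::/0` is caught as well, and skips disabled, egress and deny rules, which expose no listener.

```python
import ipaddress


def _is_unrestricted(cidr: str) -> bool:
    """True for a source range that admits every address: 0.0.0.0/0 or ::/0."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False  # malformed range: not treated as open, but worth logging


def _format_allowed(allowed: list) -> str:
    """Render allowed entries the way the report does: tcp:22 or tcp:80,tcp:443."""
    parts = []
    for entry in allowed:
        proto = entry.get("IPProtocol", "all")
        ports = entry.get("ports") or []
        if ports:
            parts.extend(f"{proto}:{p}" for p in ports)  # single ports or ranges like 8000-8080
        else:
            parts.append(proto)  # protocol-wide rule, e.g. icmp or all
    return ",".join(parts)


def find_open_firewall_rules(rules: list) -> list:
    """Return ingress allow rules whose source range is open to everyone."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS" or "allowed" not in rule:
            continue  # disabled, egress and deny rules do not expose a listener
        open_ranges = [r for r in rule.get("sourceRanges", []) if _is_unrestricted(r)]
        if open_ranges:
            findings.append({"name": rule["name"], "network": rule["network"].rsplit("/", 1)[-1],
                             "source_range": ",".join(open_ranges),
                             "allowed_ports": _format_allowed(rule["allowed"])})
    return findings


# Constructed sample in the shape of Compute Engine firewall resources
NET = "projects/my-project/global/networks/default"
SAMPLE_RULES = [
    {"name": "allow-ssh-anywhere", "network": NET, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-http-https", "network": NET, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "allow-internal", "network": NET, "direction": "INGRESS",
     "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "old-rdp", "network": NET, "direction": "INGRESS", "disabled": True,
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
    {"name": "deny-all-v6", "network": NET, "direction": "INGRESS",
     "sourceRanges": ["::/0"], "denied": [{"IPProtocol": "all"}]},
]
```

Only the first two sample rules are reported, matching the table; the internal, disabled and deny rules are filtered out.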
Security Assessment Table Format:

```text
🛡️ Security Assessment Summary
┌───────────────────┬────────────────────────┐
│ 🎯 Security Score │ 75/100 (75.0%)         │
│ ⚠️ Risk Level     │ HIGH                   │
│ 📊 Total Findings │ 3                      │
└───────────────────┴────────────────────────┘

🔍 Detailed Security Findings
┌──────────────────────┬─────────────────────┬─────────────┬──────────────┐
│ Check Type           │ Resource            │ Risk Level  │ Score Impact │
├──────────────────────┼─────────────────────┼─────────────┼──────────────┤
│ Open Firewall        │ allow-ssh-anywhere  │ 🚨 CRITICAL │ -25          │
│ Public Bucket        │ my-public-bucket    │ ⚠️ HIGH     │ -15          │
│ Insecure Function    │ my-function         │ ⚡ MEDIUM   │ -10          │
└──────────────────────┴─────────────────────┴─────────────┴──────────────┘
```
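The public-bucket and permissive-IAM checks from the feature list, together with the per-level score impacts from the Score Impact column above, as an added example that is not gcpsight's own code. It runs over constructed IAM policies in the shape `getIamPolicy` returns; the CRITICAL/MEDIUM split for IAM findings and the 100-minus-impacts formula are this example's assumptions, not the tool's documented behaviour.

```python
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
BROAD_ROLES = {"roles/owner", "roles/editor"}
IMPACT = {"CRITICAL": 25, "HIGH": 15, "MEDIUM": 10}  # from the Score Impact column


def public_bindings(policy: dict) -> list:
    """(role, member) pairs that grant access to everyone on the internet."""
    return [(b["role"], m) for b in policy.get("bindings", [])
            for m in b.get("members", []) if m in PUBLIC_PRINCIPALS]


def check_public_buckets(bucket_policies: dict) -> list:
    """One HIGH finding per bucket whose IAM policy names a public principal."""
    findings = []
    for bucket, policy in bucket_policies.items():
        hits = public_bindings(policy)
        if hits:
            findings.append({"check": "Public Bucket", "resource": bucket, "risk": "HIGH",
                             "detail": ", ".join(f"{m} has {r}" for r, m in hits)})
    return findings


def check_permissive_iam(project: str, policy: dict) -> list:
    """Flag every Owner/Editor grant; a grant to a whole domain or to everyone is broad (assumed CRITICAL)."""
    findings = []
    for b in policy.get("bindings", []):
        if b["role"] not in BROAD_ROLES:
            continue  # e.g. roles/viewer, outside this check's scope
        for m in b.get("members", []):
            broad = m in PUBLIC_PRINCIPALS or m.startswith("domain:")
            findings.append({"check": "Permissive IAM Role", "resource": f"{project}:{m}",
                             "risk": "CRITICAL" if broad else "MEDIUM", "detail": b["role"]})
    return findings


def security_score(findings: list) -> int:
    """100 minus the summed impact of all findings, floored at zero (assumed formula)."""
    return max(0, 100 - sum(IMPACT[f["risk"]] for f in findings))


# Constructed IAM policies in the shape getIamPolicy returns
BUCKETS = {
    "my-public-bucket": {"bindings": [{"role": "roles/storage.objectViewer", "members": ["allUsers"]}]},
    "private-logs": {"bindings": [{"role": "roles/storage.objectViewer",
                                   "members": ["serviceAccount:logs@my-project.iam.gserviceaccount.com"]}]},
}
PROJECT_POLICY = {"bindings": [
    {"role": "roles/editor", "members": ["domain:example.com", "user:alice@example.com"]},
    {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},  # not flagged: viewer is not Owner/Editor
]}


def run_checks() -> tuple:
    findings = check_public_buckets(BUCKETS) + check_permissive_iam("my-project", PROJECT_POLICY)
    return findings, security_score(findings)
```

On the constructed policies this yields one HIGH bucket finding and two IAM findings (CRITICAL for the domain-wide Editor grant, MEDIUM for the single user), for a score of 50/100.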
For contributors and developers who want to work on gcpsight:

```bash
# Clone the repository
git clone https://github.com/rishabkumar7/gcpsight
cd gcpsight

# Install in development mode
pip install -e .

# Or build and install locally
python -m pip install build
python -m build
pip install dist/gcpsight-*.whl
```

Architecture:

- CLI Interface: Built with the `click` library for intuitive command-line interaction
- GCP API Integration: Uses official Google Cloud client libraries for secure API access
- Security Analysis: Comprehensive checks across compute, storage, IAM, and serverless resources
- Risk Scoring: Intelligent scoring system with weighted impact based on security severity
- AI Integration: Gemini AI translates natural language queries into specific security checks
- Rich Output: Beautiful terminal reports with colors, emojis, and structured tables
Future work:

- Add more GCP security checks.
- Improve output formatting.
- More sophisticated error handling and logging.
- Scan multiple projects or an entire GCP organization.
- Automated remediation suggestions/actions (with caution!).
Contributions are welcome! Please open an issue.
This is under the MIT License.