### Install Gemini CLI Extension Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/README.md Install the GCP OWASP Top 10 Skills extension using the Gemini CLI. ```bash gemini extensions install https://github.com/hminooei/gcp-owasp-top10-skills ``` -------------------------------- ### Audit Authentication Configuration Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-auth-failures/SKILL.md Run this script to audit Identity-Aware Proxy (IAP), Identity Platform, reCAPTCHA Enterprise, and OAuth setup. It checks for IAP enablement, and the status of Identity Platform and reCAPTCHA Enterprise. ```bash bash ./scripts/audit-auth-config.sh PROJECT_ID ``` -------------------------------- ### Get IAM Policy for Remediation Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-logging-monitoring-failures/SKILL.md Retrieve the current IAM policy for a GCP project to a YAML file. This is a preparatory step before modifying audit log configurations. ```bash gcloud projects get-iam-policy PROJECT_ID > policy.yaml ``` -------------------------------- ### Set Up Security Logging and Monitoring Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/README.md Use the `gcp-logging-monitoring-failures` skill to set up logging and monitoring for security events. ```bash # Set up logging and monitoring for security events ``` -------------------------------- ### Set GCP Project Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/README.md Configure the Google Cloud SDK to use a specific project. Ensure you have the necessary IAM permissions for the skills you intend to use. ```bash gcloud config set project PROJECT_ID ``` -------------------------------- ### Create Asset Monitoring Feed Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-broken-access-control/SKILL.md This command creates a real-time asset monitoring feed for specific resource types. Replace PROJECT_ID and TOPIC_NAME with your actual values. ```bash gcloud asset feeds create access-control-feed \ --project=PROJECT_ID \ --content-type=resource \ --asset-types="compute.googleapis.com/Instance,compute.googleapis.com/Firewall,iam.googleapis.com/ServiceAccount" \ --pubsub-topic="projects/PROJECT_ID/topics/TOPIC_NAME" ``` -------------------------------- ### Enable Binary Authorization API Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-vulnerable-components/SKILL.md Enables the Binary Authorization API for the specified GCP project. Ensure the project ID is correct. ```bash gcloud services enable binaryauthorization.googleapis.com --project=PROJECT_ID ``` -------------------------------- ### Enable Identity-Aware Proxy (IAP) Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-broken-access-control/SKILL.md Use this command to enable IAP on a backend service. Ensure you have the necessary permissions. ```bash gcloud compute backend-services update BACKEND --global --iap=enabled ``` -------------------------------- ### List GCP API Keys Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-auth-failures/SKILL.md Use this gcloud command to list all API keys associated with a GCP project. Review each key's restrictions and creation date for security compliance. ```bash gcloud services api-keys list --project=PROJECT_ID ``` -------------------------------- ### Configure Binary Authorization Policy Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-integrity-failures/SKILL.md Import a Binary Authorization policy from a YAML file. This is used to switch from an ALWAYS_ALLOW policy to a REQUIRE_ATTESTATION policy. ```bash gcloud container binauthz policy import policy.yaml --project=PROJECT_ID ``` -------------------------------- ### Configure GCP Security Command Center Notifications Source: https://context7.com/hminooei/gcp-owasp-top10-skills/llms.txt Sets up Security Command Center (SCC) notification configurations to forward high-severity findings to Pub/Sub. Requires the script `./skills/gcp-logging-monitoring-failures/scripts/audit-scc-integration.sh` to be available. ```bash # Audit SCC integration bash ./skills/gcp-logging-monitoring-failures/scripts/audit-scc-integration.sh my-project-id ``` ```bash # Create Pub/Sub topic for SCC notifications gcloud pubsub topics create scc-notifications --project=my-project-id ``` ```bash # Configure SCC notification for high/critical findings gcloud scc notifications create security-alerts \ --organization=123456789012 \ --pubsub-topic=projects/my-project-id/topics/scc-notifications \ --filter='state="ACTIVE" AND (severity="HIGH" OR severity="CRITICAL")' ``` ```bash # Create alerting policy for security events gcloud monitoring policies create \ --policy-from-file=security-alert-policy.yaml \ --project=my-project-id ``` -------------------------------- ### Deploy Cloud Armor Rules Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-security-misconfiguration/SKILL.md Use this script to create or update a Cloud Armor security policy with predefined WAF rules for common attack vectors. Ensure you provide the correct PROJECT_ID and POLICY_NAME. ```bash bash ./scripts/remediate-misconfiguration.sh PROJECT_ID POLICY_NAME ``` -------------------------------- ### GCP OWASP Top 10 Skills Script Inventory Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/README.md Bash scripts for each skill accept `PROJECT_ID` as the first argument, exit with 0 (pass) or 1 (findings), produce structured output, and are idempotent. ```bash # All scripts: # - Accept PROJECT_ID as the first argument # - Exit with code 0 (pass) or 1 (findings detected) # - Produce structured, human-readable output # - Are idempotent (remediation scripts check before creating) ``` -------------------------------- ### Deploy Cloud Armor WAF Rules Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/README.md Use the `gcp-injection` skill to set up Cloud Armor WAF rules to protect against SQL injection, XSS, RCE, and PHP injection. ```bash # Set up Cloud Armor WAF rules to block SQL injection ``` -------------------------------- ### Review KMS Key Rotation Policies Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/README.md Use the `gcp-cryptographic-failures` skill to review your KMS key rotation policies. ```bash # Review my KMS key rotation policies ``` -------------------------------- ### Check Binary Authorization Enforcement Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/README.md Use the `gcp-vulnerable-components` skill to check if Binary Authorization is enforced on your GKE clusters. ```bash # Check if Binary Authorization is enforced on my GKE clusters ``` -------------------------------- ### Configure Cloud KMS Key Rotation and TLS Policies Source: https://context7.com/hminooei/gcp-owasp-top10-skills/llms.txt Sets up automatic key rotation for Cloud KMS keys at 90-day intervals and creates strict TLS policies for load balancers. Ensures cryptographic security and modern TLS configurations. ```bash # Set up KMS key rotation (90 days = 7776000 seconds) gcloud kms keys update my-encryption-key \ --keyring=my-keyring \ --location=us-central1 \ --rotation-period=7776000s \ --next-rotation-time=$(date -u +"%Y-%m-%dT%H:%M:%SZ" -d "+1 day") \ --project=my-project-id # Create strict SSL policy for TLS 1.2+ with RESTRICTED cipher profile gcloud compute ssl-policies create strict-tls-policy \ --profile=RESTRICTED \ --min-tls-version=1.2 \ --project=my-project-id # Attach SSL policy to HTTPS proxy gcloud compute target-https-proxies update my-https-proxy \ --ssl-policy=strict-tls-policy \ --project=my-project-id ``` -------------------------------- ### Enable Identity-Aware Proxy (IAP) Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-auth-failures/SKILL.md Enable IAP on a backend service to enforce centralized authentication and access control for internet-facing services. Ensure an OAuth consent screen is configured first. ```bash gcloud compute backend-services update BACKEND --global --iap=enabled --project=PROJECT_ID ``` -------------------------------- ### Enable Container Analysis APIs Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-integrity-failures/SKILL.md Enable the Container Analysis and On-Demand Scanning APIs. These are required for vulnerability scanning of container images in Artifact Registry. ```bash gcloud services enable containeranalysis.googleapis.com --project=PROJECT_ID gcloud services enable ondemandscanning.googleapis.com --project=PROJECT_ID ``` -------------------------------- ### Enable Container Analysis API Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-vulnerable-components/SKILL.md Enables the Container Analysis API for your Google Cloud project. This is a prerequisite for container image scanning. ```bash gcloud services enable containeranalysis.googleapis.com --project=PROJECT_ID ``` -------------------------------- ### Create VPC Service Perimeter Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-cryptographic-failures/SKILL.md Use this command to create a VPC Service Perimeter to protect sensitive APIs. Ensure you replace placeholders like PERIMETER_NAME, PROJECT_NUMBER, and POLICY_ID with your specific values. ```bash gcloud access-context-manager perimeters create PERIMETER_NAME \ --title="Sensitive Data Perimeter" \ --resources="projects/PROJECT_NUMBER" \ --restricted-services="cloudkms.googleapis.com,secretmanager.googleapis.com,storage.googleapis.com,bigquery.googleapis.com" \ --policy=POLICY_ID ``` -------------------------------- ### Enable Binary Authorization on GKE Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-integrity-failures/SKILL.md Use this gcloud command to enable Binary Authorization for a GKE cluster. This ensures that only verified container images can be deployed. ```bash gcloud container clusters update CLUSTER_NAME \ --enable-binauthz \ --zone=ZONE \ --project=PROJECT_ID ``` -------------------------------- ### Check IAP Configuration Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/README.md Use the `gcp-broken-access-control` skill to verify if Identity-Aware Proxy (IAP) is enabled on your backend services. ```bash # Check if Identity-Aware Proxy is enabled on my backend services ``` -------------------------------- ### Rotate Stale Service Account Keys Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-auth-failures/SKILL.md Use these gcloud commands to create a new service account key and delete an old one. Ensure keys are younger than 90 days. Prefer workload identity federation where possible. ```bash gcloud iam service-accounts keys create new-key.json \ --iam-account=SA_EMAIL --project=PROJECT_ID ``` ```bash gcloud iam service-accounts keys delete KEY_ID \ --iam-account=SA_EMAIL --project=PROJECT_ID ``` -------------------------------- ### Create Log Sink to Cloud Storage Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-logging-monitoring-failures/SKILL.md Create a log sink to export audit logs to a Cloud Storage bucket for long-term retention. This ensures logs are available beyond the default retention period. ```bash gcloud logging sinks create security-logs-sink \ storage.googleapis.com/BUCKET_NAME \ --log-filter='logName:"cloudaudit.googleapis.com"' \ --project=PROJECT_ID ``` -------------------------------- ### Enable reCAPTCHA Enterprise API Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-auth-failures/SKILL.md Enable the reCAPTCHA Enterprise API for your project using this gcloud command. This is necessary before creating site keys and integrating with authentication flows. ```bash gcloud services enable recaptchaenterprise.googleapis.com --project=PROJECT_ID ``` -------------------------------- ### Attach Security Policy to Backend Service Source: https://context7.com/hminooei/gcp-owasp-top10-skills/llms.txt Attaches a security policy to a global backend service. Ensure the security policy exists before running this command. ```bash gcloud compute backend-services update my-backend \ --security-policy=ssrf-protection \ --global \ --project=my-project-id ``` -------------------------------- ### Run Misconfiguration Audit Script Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-security-misconfiguration/SKILL.md Execute this script to audit for common security misconfigurations, including SCC findings and firewall rules. Ensure you have the necessary IAM roles and have set your GCP project. ```bash bash ./scripts/audit-misconfigurations.sh PROJECT_ID ``` -------------------------------- ### Audit Binary Authorization Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-integrity-failures/SKILL.md Execute this script to audit Binary Authorization policies and GKE cluster configurations. Verify that policies are set to REQUIRE_ATTESTATION and not ALWAYS_ALLOW. ```bash bash ./scripts/audit-binary-authorization.sh PROJECT_ID ``` -------------------------------- ### Deploy WAF Injection Protection Rules Source: https://context7.com/hminooei/gcp-owasp-top10-skills/llms.txt Creates Cloud Armor rules using preconfigured WAF expressions to block common injection attacks like SQL injection, XSS, and remote code execution at the edge. ```bash # Deploy WAF injection protection rules bash ./skills/gcp-injection/scripts/remediate-waf-injection-rules.sh my-project-id ``` -------------------------------- ### Create Log Sink to BigQuery Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-logging-monitoring-failures/SKILL.md Create a log sink to export audit logs to a BigQuery dataset for analysis. This is useful for security event correlation and investigation. ```bash gcloud logging sinks create security-logs-bq \ bigquery.googleapis.com/projects/PROJECT_ID/datasets/DATASET \ --log-filter='logName:"cloudaudit.googleapis.com"' \ --project=PROJECT_ID ``` -------------------------------- ### Check Security Command Center Findings Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/README.md Use the `gcp-broken-access-control` or `gcp-vulnerable-components` skill to check for Security Command Center findings in your project. ```bash # Are there any Security Command Center findings for my project? ``` -------------------------------- ### Harden VPC Firewall Rules Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/README.md Use the `gcp-ssrf` skill to harden your VPC firewall rules against Server-Side Request Forgery (SSRF) attacks. ```bash # Harden my VPC firewall rules against SSRF attacks ``` -------------------------------- ### Configure VPC Service Controls Perimeter Source: https://context7.com/hminooei/gcp-owasp-top10-skills/llms.txt Creates a VPC Service Controls perimeter to protect resources from data exfiltration. This command configures a perimeter named 'ssrf-perimeter' with specified restricted services. ```bash # Configure VPC Service Controls perimeter gcloud access-context-manager perimeters create ssrf-perimeter \ --title="SSRF Protection Perimeter" \ --resources="projects/123456789012" \ --restricted-services="storage.googleapis.com,bigquery.googleapis.com" \ --policy=my-access-policy ``` -------------------------------- ### Audit Binary Authorization and Container Images Source: https://context7.com/hminooei/gcp-owasp-top10-skills/llms.txt Audits Binary Authorization enforcement on GKE clusters and scans container images in Artifact Registry for known CVEs. Enables Binary Authorization and vulnerability scanning. ```bash bash ./skills/gcp-vulnerable-components/scripts/audit-binary-auth.sh my-project-id ``` ```bash bash ./skills/gcp-vulnerable-components/scripts/audit-container-images.sh my-project-id ``` ```bash gcloud container clusters update my-cluster \ --enable-binauthz \ --zone=us-central1-a \ --project=my-project-id ``` ```bash gcloud services enable containeranalysis.googleapis.com --project=my-project-id ``` ```bash gcloud artifacts repositories update my-repo \ --location=us-central1 \ --enable-vulnerability-scanning \ --project=my-project-id ``` -------------------------------- ### Attach Cloud Armor Policy to Backend Service Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-auth-failures/SKILL.md After creating a Cloud Armor security policy, use this command to attach it to a specific backend service for global traffic management. ```bash gcloud compute backend-services update BACKEND --security-policy=POLICY_NAME --global --project=PROJECT_ID ``` -------------------------------- ### Attach Cloud Armor Policy to Backend Service Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-security-misconfiguration/SKILL.md Attach the created Cloud Armor security policy to your backend service to enable WAF protection. Replace BACKEND_NAME, POLICY_NAME, and PROJECT_ID with your specific values. ```bash gcloud compute backend-services update BACKEND_NAME --security-policy=POLICY_NAME --global --project=PROJECT_ID ``` -------------------------------- ### Create Cloud Armor WAF Policy Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-vulnerable-components/SKILL.md Creates a new Cloud Armor security policy named 'vuln-component-protection' to protect against common web vulnerabilities. This policy can then be attached to backend services. ```bash gcloud compute security-policies create vuln-component-protection \ --project=PROJECT_ID \ --description="OWASP A06 Vulnerable Component Protection" ``` -------------------------------- ### Remediate Cloud Armor WAF Rules Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-broken-access-control/SKILL.md Apply WAF rules for Cross-Origin Request Filtering, HTTP Parameter Pollution, File Inclusion, and Sensitive Endpoint Restriction. ```bash bash ./scripts/remediate-cloud-armor.sh PROJECT_ID POLICY_NAME [ALLOWED_ORIGINS] ``` -------------------------------- ### Export and Import Binary Authorization Policy Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-vulnerable-components/SKILL.md Exports the current Binary Authorization policy to a YAML file, allowing for modifications before re-importing. Ensure the policy is edited to set defaultAdmissionRule.evaluationMode to REQUIRE_ATTESTATION. ```bash gcloud container binauthz policy export > /tmp/policy.yaml ``` ```bash gcloud container binauthz policy import /tmp/policy.yaml --project=PROJECT_ID ``` -------------------------------- ### Enable Binary Authorization on GKE Cluster Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-vulnerable-components/SKILL.md Enables Binary Authorization enforcement on an existing Google Kubernetes Engine (GKE) cluster. Replace CLUSTER_NAME and ZONE with your cluster's specific details. ```bash gcloud container clusters update CLUSTER_NAME --enable-binauthz --zone=ZONE --project=PROJECT_ID ``` -------------------------------- ### Audit Cloud Asset Inventory Feeds in GCP Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-broken-access-control/SKILL.md Verify the existence and configuration of Cloud Asset Inventory feeds for monitoring unauthorized resource changes and detecting shadow IT. ```bash bash ./scripts/audit-asset-inventory.sh PROJECT_ID ``` -------------------------------- ### Audit TLS Configuration with Bash Script Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-cryptographic-failures/SKILL.md This bash script audits TLS configurations for Google Cloud Load Balancing, checking for weak TLS versions, non-RESTRICTED cipher profiles, and expiring SSL certificates. Provide the project ID when running. ```bash bash ./scripts/audit-tls-config.sh PROJECT_ID ``` -------------------------------- ### Audit Sensitive Data Exposure with Bash Script Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-insecure-design/SKILL.md Execute this script to verify DLP API enablement, inspect templates, and job triggers. Absence of these suggests a gap in sensitive data protection. ```bash bash ./scripts/audit-dlp-exposure.sh PROJECT_ID ``` -------------------------------- ### Audit Cloud Build Pipeline Security Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-integrity-failures/SKILL.md Run this script to audit Cloud Build triggers and service account permissions. Ensure sensitive triggers have approval requirements enabled. ```bash bash ./scripts/audit-cloud-build.sh PROJECT_ID ``` -------------------------------- ### Deploy Injection Protection Rules Source: https://context7.com/hminooei/gcp-owasp-top10-skills/llms.txt Applies Cloud Armor security policies to block common injection attacks like SQL injection and XSS. Requires a project ID and a policy name. ```bash bash ./skills/gcp-injection/scripts/remediate-injection-rules.sh my-project-id injection-protection ``` ```bash gcloud compute backend-services update my-backend \ --security-policy=injection-protection \ --global \ --project=my-project-id ``` ```bash gcloud logging read 'resource.type="http_load_balancer" AND jsonPayload.enforcedSecurityPolicy.name="injection-protection"' \ --project=my-project-id \ --limit=25 ``` -------------------------------- ### Deploy GCP SSRF Protection Rules Source: https://context7.com/hminooei/gcp-owasp-top10-skills/llms.txt Deploys Cloud Armor rules to block Server-Side Request Forgery (SSRF) attacks. The script `./skills/gcp-ssrf/scripts/remediate-ssrf-rules.sh` must be present. ```bash # Deploy SSRF protection rules bash ./skills/gcp-ssrf/scripts/remediate-ssrf-rules.sh my-project-id ssrf-protection ``` -------------------------------- ### Audit API Validation with Bash Script Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-insecure-design/SKILL.md Run this script to check for API validation mechanisms like Apigee or Web Security Scanner. Lack of these indicates an insecure design. ```bash bash ./scripts/audit-api-validation.sh PROJECT_ID ``` -------------------------------- ### Enable Vulnerability Scanning on Artifact Registry Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-vulnerable-components/SKILL.md Activates vulnerability scanning for a specific Artifact Registry repository. This ensures that images pushed to this repository are automatically scanned for known vulnerabilities. ```bash gcloud artifacts repositories update REPO_NAME --location=LOCATION --enable-vulnerability-scanning --project=PROJECT_ID ``` -------------------------------- ### Configure Rate Limiting for Authentication Source: https://context7.com/hminooei/gcp-owasp-top10-skills/llms.txt Deploys Cloud Armor rate limiting rules to protect authentication endpoints against brute force attacks. Configures both throttle and ban mechanisms for specified paths. ```bash bash ./skills/gcp-auth-failures/scripts/remediate-rate-limiting.sh my-project-id auth-protection /login ``` ```bash gcloud compute backend-services update my-backend \ --security-policy=auth-protection \ --global \ --project=my-project-id ``` -------------------------------- ### Scan for Sensitive Data Exposure with Bash Script Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-cryptographic-failures/SKILL.md Execute this bash script to audit Google Cloud DLP configurations, checking for existing inspect templates, automated job triggers, and the overall absence of sensitive data scanning. The project ID is required. ```bash bash ./scripts/audit-dlp-scan.sh PROJECT_ID ``` -------------------------------- ### Deploy Security Misconfiguration Hardening Rules Source: https://context7.com/hminooei/gcp-owasp-top10-skills/llms.txt Deploys Cloud Armor rules to harden HTTP configurations, detect scanners, prevent request smuggling, and block file inclusion attacks. Attaches the policy to a backend service. ```bash bash ./skills/gcp-security-misconfiguration/scripts/remediate-misconfiguration.sh my-project-id hardening-policy ``` ```bash gcloud compute backend-services update my-backend \ --security-policy=hardening-policy \ --global \ --project=my-project-id ``` -------------------------------- ### Audit Monitoring and Alerting Script Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-logging-monitoring-failures/SKILL.md Run this bash script to check for configured alerting policies, notification channels, and uptime checks within your GCP project. This helps identify gaps in security event monitoring. ```bash bash ./scripts/audit-monitoring-alerts.sh PROJECT_ID ``` -------------------------------- ### Audit Cloud Armor Policies in GCP Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-broken-access-control/SKILL.md Execute this script to identify backend services lacking security policies or missing WAF rules for common web attacks. ```bash bash ./scripts/audit-cloud-armor.sh PROJECT_ID ``` -------------------------------- ### Audit Cloud Armor WAF Rules Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-injection/SKILL.md Run this script to check for existing Cloud Armor security policies and their rules, specifically looking for injection protection signatures like 'sqli-stable' and 'xss-stable'. It identifies policies missing these rules or backend services without any protection. ```bash bash ./scripts/audit-cloud-armor-waf.sh PROJECT_ID ``` -------------------------------- ### Audit Artifact Registry Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-integrity-failures/SKILL.md Run this script to audit Artifact Registry for vulnerability scanning configurations. Ensure Container Analysis API is enabled for CVE checks. ```bash bash ./scripts/audit-artifact-registry.sh PROJECT_ID ``` -------------------------------- ### Deploy Cloud Armor SSRF Rules Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-ssrf/SKILL.md Applies Cloud Armor rules to block SSRF attack patterns, including metadata endpoint access and remote file inclusion. ```bash bash ./scripts/remediate-ssrf-rules.sh PROJECT_ID POLICY_NAME ``` -------------------------------- ### Deploy Cloud Armor WAF Rules for Access Control Source: https://context7.com/hminooei/gcp-owasp-top10-skills/llms.txt Creates or updates Cloud Armor security policies with rules for CORS filtering, parameter pollution, and file inclusion blocking. Attach the policy to a backend service to protect against broken access control vectors. ```bash # Deploy Cloud Armor rules for access control protection bash ./skills/gcp-broken-access-control/scripts/remediate-cloud-armor.sh my-project-id access-control-policy # Attach policy to backend service gcloud compute backend-services update my-backend \ --security-policy=access-control-policy \ --global \ --project=my-project-id # Rules created: # Priority 1000: Cross-origin request filtering # Priority 2000: Protocol attack prevention (evaluatePreconfiguredExpr('protocolattack-stable')) # Priority 2100: Local file inclusion (evaluatePreconfiguredExpr('lfi-stable')) # Priority 2200: Remote file inclusion (evaluatePreconfiguredExpr('rfi-stable')) ``` -------------------------------- ### Enable Identity-Aware Proxy on GCP Backend Service Source: https://context7.com/hminooei/gcp-owasp-top10-skills/llms.txt Enables Identity-Aware Proxy (IAP) on a backend service for centralized authentication. Ensure the backend service exists before running. ```bash # Enable IAP on backend service gcloud compute backend-services update my-backend \ --global \ --iap=enabled \ --project=my-project-id ``` ```bash # Grant IAP access to authorized users gcloud iap web add-iam-policy-binding \ --resource-type=backend-services \ --service=my-backend \ --member="user:developer@example.com" \ --role="roles/iap.httpsResourceAccessor" \ --project=my-project-id ``` ```bash # Enable reCAPTCHA Enterprise for bot protection gcloud services enable recaptchaenterprise.googleapis.com --project=my-project-id ``` -------------------------------- ### Audit Security Command Center Integration Script Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-logging-monitoring-failures/SKILL.md This bash script verifies the enablement of the Security Command Center API, checks notification configurations, and lists active SCC sources and detectors. Proper integration is key for timely security alerts. ```bash bash ./scripts/audit-scc-integration.sh PROJECT_ID ``` -------------------------------- ### Audit Logging Configuration Script Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-logging-monitoring-failures/SKILL.md Execute this bash script to audit your GCP project's logging configuration, including audit logs, log sinks, and retention settings. Ensure you have the necessary IAM roles. ```bash bash ./scripts/audit-logging-config.sh PROJECT_ID ``` -------------------------------- ### Attach Strict SSL Policy to Target Proxy with gcloud Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-cryptographic-failures/SKILL.md Update an existing target HTTPS proxy to use a newly created strict SSL policy. Ensure the proxy name and project ID are correctly specified. ```bash gcloud compute target-https-proxies update PROXY_NAME \ --ssl-policy=strict-tls-policy \ --project=PROJECT_ID ``` -------------------------------- ### Audit KMS Keys with Bash Script Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-cryptographic-failures/SKILL.md Execute this bash script to audit Google Cloud KMS keys for rotation periods, algorithm strength, and key states. Ensure the script is run with the correct project ID. ```bash bash ./scripts/audit-kms-keys.sh PROJECT_ID ``` -------------------------------- ### Block Egress to Metadata Endpoint Source: https://context7.com/hminooei/gcp-owasp-top10-skills/llms.txt Creates a VPC firewall rule to deny all egress traffic to the GCP metadata endpoint (169.254.169.254). This is a crucial step for SSRF protection. ```bash # Block egress to metadata endpoint gcloud compute firewall-rules create deny-metadata-egress \ --direction=EGRESS \ --priority=1000 \ --action=DENY \ --rules=all \ --destination-ranges=169.254.169.254/32 \ --project=my-project-id ``` -------------------------------- ### Review SCC Findings for Design Flaws with Bash Script Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-insecure-design/SKILL.md Run this script to identify Security Command Center findings related to design flaws such as insecure CORS, mixed content, or outdated libraries. ```bash bash ./scripts/audit-scc-design-findings.sh PROJECT_ID ``` -------------------------------- ### Create DLP Job Trigger Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-cryptographic-failures/SKILL.md This command creates a DLP job trigger for automated sensitive data scanning. Configure the inspect template, schedule, and storage URL according to your needs. Replace PROJECT_ID, TEMPLATE_NAME, and BUCKET_NAME. ```bash gcloud dlp job-triggers create \ --project=PROJECT_ID \ --display-name="Scan for sensitive data" \ --inspect-template=TEMPLATE_NAME \ --trigger-schedule="86400s" \ --storage-url="gs://BUCKET_NAME" ``` -------------------------------- ### Attach Cloud Armor Policy to Backend Services Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-vulnerable-components/SKILL.md Attaches the 'vuln-component-protection' Cloud Armor security policy to a specified backend service. This directs traffic to the backend service through the WAF rules defined in the policy. ```bash gcloud compute backend-services update BACKEND --security-policy=vuln-component-protection --global --project=PROJECT_ID ``` -------------------------------- ### Audit VPC Firewall Rules for SSRF Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-ssrf/SKILL.md Executes a script to check for overly permissive egress firewall rules that could facilitate SSRF attacks. ```bash bash ./scripts/audit-vpc-firewall.sh PROJECT_ID ``` -------------------------------- ### Audit Exposed Admin Endpoints Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-security-misconfiguration/SKILL.md Run this script to check for Cloud Armor policies, URL maps, and backend services that might expose sensitive endpoints without adequate protection. This helps identify potential security risks. ```bash bash ./scripts/audit-admin-endpoints.sh PROJECT_ID ``` -------------------------------- ### Audit VPC Service Controls for SSRF Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-ssrf/SKILL.md Executes a script to audit existing VPC Service Controls perimeters and their configurations for SSRF protection. ```bash bash ./scripts/audit-vpc-service-controls.sh PROJECT_ID ``` -------------------------------- ### Create VPC Service Perimeter Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-ssrf/SKILL.md Creates a VPC Service Controls perimeter to protect managed GCP services from unauthorized access. ```gcloud gcloud access-context-manager perimeters create PERIMETER_NAME \ --title="SSRF Protection Perimeter" \ --resources="projects/PROJECT_NUMBER" \ --restricted-services="storage.googleapis.com,bigquery.googleapis.com" \ --policy=POLICY_ID ``` -------------------------------- ### Restrict General Egress to Specific Destinations Source: https://context7.com/hminooei/gcp-owasp-top10-skills/llms.txt Creates a VPC firewall rule to allow egress TCP traffic only to specific destination IP ranges (e.g., Google APIs). This rule applies to instances with the 'web-server' tag. ```bash # Restrict general egress to specific destinations gcloud compute firewall-rules create allow-specific-egress \ --direction=EGRESS \ --priority=2000 \ --action=ALLOW \ --rules=tcp:443 \ --destination-ranges=35.190.0.0/16,35.191.0.0/16 \ --target-tags=web-server \ --project=my-project-id ``` -------------------------------- ### Audit Secret Manager with Bash Script Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-cryptographic-failures/SKILL.md Run this bash script to audit secrets in Google Cloud Secret Manager for rotation configuration, overly broad IAM bindings, and active versions. Requires the project ID. ```bash bash ./scripts/audit-secrets.sh PROJECT_ID ``` -------------------------------- ### Audit SSL/TLS Policies in GCP Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-broken-access-control/SKILL.md This script checks for weak SSL/TLS configurations, including outdated TLS versions and insecure cipher suites, and ensures HTTPS proxies have attached SSL policies. ```bash bash ./scripts/audit-ssl-policies.sh PROJECT_ID ``` -------------------------------- ### Audit MFA Enforcement Status Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-auth-failures/SKILL.md Execute this script to check for Security Command Center findings related to MFA not being enforced and to identify stale service account keys older than 90 days. ```bash bash ./scripts/audit-mfa-status.sh PROJECT_ID ``` -------------------------------- ### Audit IAM Policies in GCP Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-broken-access-control/SKILL.md Run this script to check for overly permissive IAM bindings, including public access grants and primitive role assignments. ```bash bash ./scripts/audit-iam-policies.sh PROJECT_ID ``` -------------------------------- ### Audit GCP Logging Configuration Source: https://context7.com/hminooei/gcp-owasp-top10-skills/llms.txt Audits Cloud Logging configuration including audit logs, log sinks, and log-based metrics. The script `./skills/gcp-logging-monitoring-failures/scripts/audit-logging-config.sh` must be present. ```bash # Audit logging configuration bash ./skills/gcp-logging-monitoring-failures/scripts/audit-logging-config.sh my-project-id ``` ```bash # Create log sink for long-term retention gcloud logging sinks create security-logs-sink \ storage.googleapis.com/my-security-logs-bucket \ --log-filter='logName:"cloudaudit.googleapis.com"' \ --project=my-project-id ``` ```bash # Create log sink for BigQuery analysis gcloud logging sinks create security-logs-bq \ bigquery.googleapis.com/projects/my-project-id/datasets/security_logs \ --log-filter='logName:"cloudaudit.googleapis.com"' \ --project=my-project-id ``` -------------------------------- ### Add Build Approval Requirements Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-integrity-failures/SKILL.md Update a Cloud Build trigger to require manual approval before execution. This adds a gate for sensitive build processes. ```bash gcloud builds triggers update TRIGGER_NAME \ --require-approval \ --project=PROJECT_ID ``` -------------------------------- ### Create Strict TLS SSL Policy with gcloud Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-cryptographic-failures/SKILL.md Create a new SSL policy with strict TLS version and cipher profile settings using gcloud. This policy can then be attached to target HTTPS proxies. ```bash gcloud compute ssl-policies create strict-tls-policy \ --profile=RESTRICTED \ --min-tls-version=1.2 \ --project=PROJECT_ID ``` -------------------------------- ### Audit Security Misconfigurations Source: https://context7.com/hminooei/gcp-owasp-top10-skills/llms.txt Scans GCP resources for common security misconfigurations, including open firewall ports and unmonitored rules. Checks for specific Security Command Center findings. ```bash bash ./skills/gcp-security-misconfiguration/scripts/audit-misconfigurations.sh my-project-id ``` -------------------------------- ### Audit Secrets Management with Bash Script Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-insecure-design/SKILL.md Use this script to assess Secret Manager enablement, secret count, rotation policies, and IAM access. Findings may indicate hardcoded or exposed credentials. ```bash bash ./scripts/audit-secrets-management.sh PROJECT_ID ``` -------------------------------- ### Create Security Command Center Notification Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-logging-monitoring-failures/SKILL.md Configure SCC notifications to forward high-severity or critical findings to a specified Pub/Sub topic. This enables real-time alerting for security incidents. ```bash gcloud scc notifications create security-alerts \ --organization=ORG_ID \ --pubsub-topic=projects/PROJECT_ID/topics/scc-notifications \ --filter='state="ACTIVE" AND severity="HIGH" OR severity="CRITICAL"' ``` -------------------------------- ### Review Cloud Armor WAF Expressions Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-security-misconfiguration/SKILL.md Examine existing Cloud Armor rules for specific WAF expressions that prevent HTTP verb tampering and request smuggling. Missing rules on internet-facing backends require remediation. ```text - methodenforcement-stable - protocolattack-stable - scannerdetection-stable ``` -------------------------------- ### Audit IAM Policies for Broken Access Control Source: https://context7.com/hminooei/gcp-owasp-top10-skills/llms.txt Audits project-level IAM policies for overly permissive bindings, including public access and primitive roles. Use this to enforce least-privilege principles. ```bash # Audit IAM policies for public access and primitive roles bash ./skills/gcp-broken-access-control/scripts/audit-iam-policies.sh my-project-id # Example output: # === IAM Policy Audit for project: my-project-id === # --- Checking for public access bindings --- # PASS: No public access bindings found # --- Checking for primitive role assignments --- # FINDING: user:admin@example.com has primitive role roles/owner # --- Checking for over-privileged service accounts --- # FINDING: serviceAccount:compute@my-project-id.iam.gserviceaccount.com has roles/editor # === IAM Audit Complete === # STATUS: FINDINGS DETECTED - Review and remediate the issues above ``` -------------------------------- ### Remediate Rate Limiting with Cloud Armor Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-auth-failures/SKILL.md This script creates or updates a Cloud Armor security policy to implement throttle-based and ban-based rate limiting for authentication endpoints, protecting against brute force attacks. ```bash bash ./scripts/remediate-rate-limiting.sh PROJECT_ID POLICY_NAME [LOGIN_PATH] ``` -------------------------------- ### Add Cross-Site Scripting Protection Rule to Cloud Armor Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-injection/SKILL.md This code snippet defines a Cloud Armor WAF rule to block XSS attacks by evaluating the 'xss-stable' preconfigured expression. It should be applied with a priority of 1100. ```gcloud evaluatePreconfiguredExpr('xss-stable') ``` -------------------------------- ### Audit Security Command Center for Injection Findings Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-injection/SKILL.md Execute this script to identify active Security Command Center findings related to injection attacks, such as XSS, SQL injection, and reverse shells from Container Threat Detection or Web Security Scanner. ```bash bash ./scripts/audit-scc-injection.sh PROJECT_ID ``` -------------------------------- ### Add SQL Injection Protection Rule to Cloud Armor Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-injection/SKILL.md This code snippet defines a Cloud Armor WAF rule to protect against SQL injection attempts using the 'sqli-stable' preconfigured expression. It's intended to be added to a security policy with a priority of 1000. ```gcloud evaluatePreconfiguredExpr('sqli-stable') ``` -------------------------------- ### Add PHP Injection Protection Rule to Cloud Armor Source: https://github.com/hminooei/gcp-owasp-top10-skills/blob/main/skills/gcp-injection/SKILL.md This code snippet adds a Cloud Armor WAF rule to protect against PHP-specific injection attacks, utilizing the 'php-stable' preconfigured expression. It is designed to be used with a priority of 1300. ```gcloud evaluatePreconfiguredExpr('php-stable') ```