A CLI tool for GCP Security Analysis powered by Gemini.
gcpsight - GCP Security Scanner with Gemini-Powered Queries
A powerful command-line tool for scanning Google Cloud Platform (GCP) projects for security misconfigurations. Features an AI-powered natural language interface using Google's Gemini model, comprehensive security scoring, and beautiful terminal reports.
Quick Install
pip install gcpsight
Or using uv
uv pip install gcpsight
Features
- Firewall Scanning: Detects VPC firewall rules open to the internet (0.0.0.0/0)
- Public Storage Detection: Finds publicly accessible GCS buckets
- IAM Analysis: Identifies overly permissive roles (Owner, Editor) with broad access
- BigQuery Security: Checks for publicly accessible datasets
- Cloud Functions: Scans for insecure functions with public access or outdated runtimes
- Security Scoring: Risk-based scoring with detailed remediation guidance
- AI-Powered Queries: Natural language security questions via Gemini
- Beautiful Reports: Colorful terminal output with emojis and structured tables
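As an added example (not gcpsight's own code), the following Python implements the first two checks in this list over constructed API responses. The firewall rules are shaped like Compute Engine firewall resources (name, direction, sourceRanges, allowed/denied, disabled) and the bucket policies like Storage getIamPolicy responses (bindings of role and members). It goes slightly beyond the 0.0.0.0/0 case named above by also treating the IPv6 any-address range ::/0 as internet exposure, and it skips deny rules and disabled rules, which cannot open anything. The sample data and the names INTERNET_RANGES, PUBLIC_MEMBERS, open_firewall_rules and public_buckets are this example's own.

```python
"""Added example, not gcpsight's code: detection logic for internet-open
firewall rules and publicly readable buckets, run over constructed data."""
from dataclasses import dataclass

# Source ranges that mean "the whole internet" (IPv4 and IPv6 forms).
INTERNET_RANGES = {"0.0.0.0/0", "::/0"}
# Principals that make a bucket readable by anyone / any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


@dataclass
class Finding:
    check: str      # which check produced it
    resource: str   # rule or bucket name
    detail: str     # what was exposed


def open_firewall_rules(rules):
    """Flag enabled INGRESS allow-rules whose source ranges include the internet."""
    findings = []
    for rule in rules:
        if rule.get("disabled"):
            continue                                  # disabled rules expose nothing
        if rule.get("direction", "INGRESS") != "INGRESS":
            continue                                  # egress rules are out of scope here
        if "allowed" not in rule:
            continue                                  # deny rules never open a port
        exposed = INTERNET_RANGES & set(rule.get("sourceRanges", []))
        if not exposed:
            continue
        ports = []
        for allowed in rule["allowed"]:
            proto = allowed["IPProtocol"]
            if allowed.get("ports"):
                ports.extend(f"{proto}:{p}" for p in allowed["ports"])
            else:
                ports.append(f"{proto}:all")         # no port list means every port
        findings.append(Finding("open_firewall", rule["name"],
                                f"{','.join(sorted(exposed))} -> {','.join(ports)}"))
    return findings


def public_buckets(bucket_policies):
    """bucket_policies maps bucket name -> IAM policy; flag bindings to public principals."""
    findings = []
    for bucket, policy in bucket_policies.items():
        for binding in policy.get("bindings", []):
            public = PUBLIC_MEMBERS & set(binding.get("members", []))
            if public:
                findings.append(Finding("public_bucket", bucket,
                                        f"{binding['role']} granted to {','.join(sorted(public))}"))
    return findings


# Constructed sample data in the shape of the GCP API responses (not real projects).
SAMPLE_RULES = [
    {"name": "allow-ssh-anywhere", "network": "default", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
    {"name": "allow-http-https", "network": "default", "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
    {"name": "allow-internal", "network": "default", "direction": "INGRESS",
     "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "all"}]},
    {"name": "deny-all-v6", "network": "default", "direction": "INGRESS",
     "sourceRanges": ["::/0"], "denied": [{"IPProtocol": "all"}]},
    {"name": "old-open-rule", "disabled": True, "direction": "INGRESS",
     "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]},
]
SAMPLE_POLICIES = {
    "my-public-bucket": {"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.admin", "members": ["user:admin@example.com"]}]},
    "private-logs": {"bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["serviceAccount:sa@example.iam.gserviceaccount.com"]}]},
}

if __name__ == "__main__":
    for f in open_firewall_rules(SAMPLE_RULES) + public_buckets(SAMPLE_POLICIES):
        print(f"[{f.check}] {f.resource}: {f.detail}")
```

Only allow-ssh-anywhere and allow-http-https are reported: the internal rule has a private source range, the ::/0 rule is a deny, and the RDP rule is disabled.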
Quick Start Examples
Basic Security Scan
# Run comprehensive security assessment
gcpsight security-assessment --project-id my-gcp-project
# Check specific security issues
gcpsight list-open-firewalls --project-id my-gcp-project
gcpsight check-public-buckets --project-id my-gcp-project
AI-Powered Natural Language Queries
# Ask questions in plain English
gcpsight ask --project-id my-gcp-project "are there any firewalls open to the world?"
gcpsight ask --project-id my-gcp-project "show me my security score"
gcpsight ask --project-id my-gcp-project "check my cloud functions for issues"
Sample Output
Security Assessment Report:
GCP SECURITY ASSESSMENT REPORT
Overall Assessment
Security Score: 75/100 (75.0%)
Risk Level: HIGH
Security Score Progress: 75.0% (progress bar)
Findings Summary
| Risk Level | Count | Visual |
|---|---|---|
| CRITICAL | 1 | █ |
| HIGH | 2 | ██ |
Detailed Findings
Open Firewall [CRITICAL]
Resource: allow-ssh-from-anywhere
Issue: Firewall rule allows unrestricted SSH access
Impact: -25 points
Fix: Restrict source ranges to specific IP addresses
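As an added example (not gcpsight's own security_scorer), here is a weighted scorer that produces the kind of report shown above: a score out of 100, a risk level, per-severity counts and a remediation hint per finding. The README does not state gcpsight's formula, so the scheme here is an assumption: each finding subtracts a fixed impact per severity (the -25 for a CRITICAL open firewall is taken from the sample report, the other weights are illustrative), the score is floored at zero, and the risk bands are chosen so that 75 lands in HIGH as in the sample. The names IMPACT, RISK_BANDS, REMEDIATION and assess are this example's own.

```python
"""Added example, not gcpsight's code: an assumed risk-scoring scheme that
turns a list of findings into a score, a risk level and a JSON report."""
import json
from collections import Counter
from dataclasses import asdict, dataclass

# Assumed score impact per severity (CRITICAL matches the sample report).
IMPACT = {"CRITICAL": 25, "HIGH": 15, "MEDIUM": 10, "LOW": 5}
# Assumed risk bands: (minimum score, level), checked from best to worst.
RISK_BANDS = [(90, "LOW"), (80, "MEDIUM"), (60, "HIGH"), (0, "CRITICAL")]
# Remediation hints per check type (first one quoted from the sample report).
REMEDIATION = {
    "open_firewall": "Restrict source ranges to specific IP addresses",
    "public_bucket": "Remove allUsers/allAuthenticatedUsers bindings from the bucket policy",
    "insecure_function": "Remove public invoker bindings and move to a supported runtime",
}


@dataclass
class Finding:
    check: str      # e.g. "open_firewall"
    resource: str   # affected resource name
    severity: str   # key of IMPACT
    issue: str      # human-readable description


def risk_level(score):
    """Map a 0-100 score onto a risk band."""
    for floor, level in RISK_BANDS:
        if score >= floor:
            return level
    return "CRITICAL"


def assess(findings):
    """Score a list of findings; returns a plain dict so it can be rendered or dumped."""
    penalty = sum(IMPACT[f.severity] for f in findings)
    score = max(0, 100 - penalty)                    # never below zero
    counts = Counter(f.severity for f in findings)
    detailed = [
        dict(asdict(f), impact=-IMPACT[f.severity],
             fix=REMEDIATION.get(f.check, "Review the resource configuration"))
        for f in findings
    ]
    detailed.sort(key=lambda d: d["impact"])         # worst impact first
    return {"score": score, "risk_level": risk_level(score),
            "counts": dict(counts), "findings": detailed}


def to_json(findings):
    """The --output-format json style view of the same assessment."""
    return json.dumps(assess(findings), indent=2)


# Constructed sample: the single CRITICAL finding from the report above.
SAMPLE_FINDINGS = [
    Finding("open_firewall", "allow-ssh-from-anywhere", "CRITICAL",
            "Firewall rule allows unrestricted SSH access"),
]

if __name__ == "__main__":
    report = assess(SAMPLE_FINDINGS)
    print(f"Security Score: {report['score']}/100  Risk Level: {report['risk_level']}")
    for f in report["findings"]:
        print(f"  {f['check']} [{f['severity']}] {f['resource']}: {f['impact']} -> {f['fix']}")
```

With the one sample finding this yields 75/100 and HIGH; an empty list scores 100/LOW, and enough findings drive the score to the zero floor rather than negative.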
Project Structure
- src/gcpsight/main.py: The main entry point for the CLI application, built using click.
- src/gcpsight/gcp_scanner.py: Contains the core logic for interacting with GCP APIs.
- src/gcpsight/gemini_processor.py: Handles interaction with the Gemini API.
- src/gcpsight/security_scorer.py: Implements security scoring, risk assessment, and reporting functionality.
- pyproject.toml: Defines project metadata, dependencies, and the CLI entry point for packaging.
- requirements.txt: Lists project dependencies (primarily for reference).
- README.md: This file.
- .env (not included, but necessary for local development): Used for environment variables.
Setup & Configuration
Prerequisites
- Python 3.9+
- Google Cloud SDK installed and configured
- Valid GCP project with appropriate permissions
1. Install gcpsight
pip install gcpsight
2. GCP Authentication
# Authenticate with your GCP account
gcloud auth application-default login
# Or set service account credentials
export GOOGLE_APPLICATION_CREDENTIALS="/path/to/service-account.json"
3. Required GCP Permissions
Your authenticated user/service account needs these IAM permissions:
- compute.firewalls.list
- storage.buckets.list & storage.buckets.getIamPolicy
- resourcemanager.projects.getIamPolicy
- bigquery.datasets.list & bigquery.datasets.get
- cloudfunctions.functions.list & cloudfunctions.functions.getIamPolicy
4. Gemini API Key (for AI features)
# Set your Gemini API key as environment variable
export GEMINI_API_KEY="your-gemini-api-key-here"
# Or create a .env file in your working directory
echo "GEMINI_API_KEY=your-gemini-api-key-here" > .env
All Available Commands
Security Assessment (Recommended)
# Comprehensive security report with scoring
gcpsight security-assessment --project-id my-project
# JSON output for automation
gcpsight security-assessment --project-id my-project --output-format json
# Table format for quick overview
gcpsight security-assessment --project-id my-project --output-format table
Individual Security Checks
# Check firewall rules
gcpsight list-open-firewalls --project-id my-project
# Check storage buckets
gcpsight check-public-buckets --project-id my-project
# Check IAM roles
gcpsight check-overly-permissive-iam-roles --project-id my-project
# Check BigQuery datasets
gcpsight check-public-bigquery-datasets --project-id my-project
# Check Cloud Functions
gcpsight check-insecure-cloud-functions --project-id my-project
# Run all individual checks
gcpsight run-all-checks --project-id my-project
AI-Powered Natural Language Queries
# Ask security questions in plain English
gcpsight ask --project-id my-project "are there any firewalls open to the world?"
gcpsight ask --project-id my-project "show me public buckets"
gcpsight ask --project-id my-project "check for overly permissive IAM roles"
gcpsight ask --project-id my-project "are there any public BigQuery datasets?"
gcpsight ask --project-id my-project "check my cloud functions for issues"
gcpsight ask --project-id my-project "run all checks"
gcpsight ask --project-id my-project "give me a security assessment"
gcpsight ask --project-id my-project "what's my security score?"
Example Command Outputs
Firewall Check:
Checking open firewall rules for project my-project...
Open Firewall Rules
| Name | Network | Source Range | Allowed Ports |
|---|---|---|---|
| allow-ssh-anywhere | default | 0.0.0.0/0 | tcp:22 |
| allow-http-https | default | 0.0.0.0/0 | tcp:80,tcp:443 |
Security Assessment Table Format:
Security Assessment Summary
Security Score: 75/100 (75.0%)
Risk Level: HIGH
Total Findings: 3
Detailed Security Findings
| Check Type | Resource | Risk Level | Score Impact |
|---|---|---|---|
| Open Firewall | allow-ssh-anywhere | CRITICAL | -25 |
| Public Bucket | my-public-bucket | HIGH | -15 |
| Insecure Function | my-function | MEDIUM | -10 |
Development Installation
For contributors and developers who want to work on gcpsight:
# Clone the repository
git clone https://github.com/rishabkumar7/gcpsight
cd gcpsight
# Install in development mode
pip install -e .
# Or build and install locally
python -m pip install build
python -m build
pip install dist/gcpsight-*.whl
How it Works
- CLI Interface: Built with the click library for intuitive command-line interaction
- GCP API Integration: Uses official Google Cloud client libraries for secure API access
- Security Analysis: Comprehensive checks across compute, storage, IAM, and serverless resources
- Risk Scoring: Intelligent scoring system with weighted impact based on security severity
- AI Integration: Gemini AI translates natural language queries into specific security checks
- Rich Output: Beautiful terminal reports with colors, emojis, and structured tables
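As an added example (not gcpsight's gemini_processor), the following Python shows one safe way to do the "natural language query to specific check" step: the model is asked to pick from a fixed menu of check names, and its reply is only ever used as a key into an allowlist of handlers, so nothing the model says can be executed directly. The ask_model callable is an assumption standing in for a Gemini API call so the example runs offline (fake_gemini is a keyword stand-in, not the real model), and the check names in CHECKS are modelled on the CLI commands listed above but are this example's own.

```python
"""Added example, not gcpsight's code: route a plain-English question to an
allowlisted security check, validating the model's reply before dispatch."""
import re
from typing import Callable, Dict, Optional

# Allowlist: the only check names the routing layer will ever dispatch.
# (Example's own names, modelled on the gcpsight commands.)
CHECKS = {
    "list_open_firewalls": "VPC firewall rules open to the internet",
    "check_public_buckets": "publicly accessible GCS buckets",
    "check_overly_permissive_iam_roles": "Owner/Editor roles granted broadly",
    "check_public_bigquery_datasets": "publicly accessible BigQuery datasets",
    "check_insecure_cloud_functions": "Cloud Functions with public access or outdated runtimes",
    "run_all_checks": "all individual checks",
    "security_assessment": "full assessment with security score",
}


def build_prompt(query: str) -> str:
    """Constrain the model to a menu of names and a single-token reply."""
    menu = "\n".join(f"- {name}: {desc}" for name, desc in CHECKS.items())
    return (
        "Map the user's question to exactly one check name from this list.\n"
        f"{menu}\n"
        "Reply with only the check name, or UNKNOWN if none fits.\n"
        f"Question: {query}"
    )


def parse_check_name(reply: str) -> Optional[str]:
    """Accept the first allowlisted token in the reply, else None.
    Any other text in the reply is ignored, so the model cannot steer
    execution to anything outside CHECKS."""
    for token in re.findall(r"[a-z_]+", reply.lower()):
        if token in CHECKS:
            return token
    return None


def route_query(query: str, ask_model: Callable[[str], str]) -> Optional[str]:
    return parse_check_name(ask_model(build_prompt(query)))


def run_query(query: str, ask_model: Callable[[str], str],
              handlers: Dict[str, Callable[[], object]]) -> dict:
    """Dispatch only through the handlers table, keyed by a validated name."""
    name = route_query(query, ask_model)
    if name is None:
        return {"check": None, "result": "Could not map the question to a known check."}
    return {"check": name, "result": handlers[name]()}


# Stand-in for the Gemini call (assumption): keyword match on the question line.
_KEYWORDS = [
    ("firewall", "list_open_firewalls"), ("bucket", "check_public_buckets"),
    ("iam", "check_overly_permissive_iam_roles"),
    ("bigquery", "check_public_bigquery_datasets"),
    ("function", "check_insecure_cloud_functions"),
    ("all checks", "run_all_checks"), ("score", "security_assessment"),
    ("assessment", "security_assessment"),
]


def fake_gemini(prompt: str) -> str:
    question = prompt.rsplit("Question:", 1)[1].lower()
    for word, name in _KEYWORDS:
        if word in question:
            return name
    return "UNKNOWN"


if __name__ == "__main__":
    # Demo handlers that just report which check ran.
    demo = {name: (lambda n=name: f"ran {n}") for name in CHECKS}
    for q in ["are there any firewalls open to the world?", "what's my security score?",
              "what is the weather like?"]:
        print(q, "->", run_query(q, fake_gemini, demo))
```

The important property is in parse_check_name and run_query: a reply such as "check_public_buckets (and then wipe them)" dispatches only check_public_buckets, and a reply naming anything not in CHECKS dispatches nothing.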
Future Enhancements
- Add more GCP security checks.
- Improve output formatting.
- More sophisticated error handling and logging.
- Scan multiple projects or an entire GCP organization.
- Automated remediation suggestions/actions (with caution!).
Contributing
Contributions are welcome! Please open an issue.
License
This is under the MIT License.
File details
Details for the file gcpsight-0.1.0.tar.gz.
File metadata
- Download URL: gcpsight-0.1.0.tar.gz
- Upload date:
- Size: 20.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.12.5
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 77abd8c8b0459a2bf2126b81e40a515a60098fa6e0af1f7722e4c067a48c58a1 |
| MD5 | 40055b184015885b7c42c4a2af693d72 |
| BLAKE2b-256 | 0c51270218849ad70c0a6e99a10c7d661cde607346270fd950c51b7b8c625f42 |
File details
Details for the file gcpsight-0.1.0-py3-none-any.whl.
File metadata
- Download URL: gcpsight-0.1.0-py3-none-any.whl
- Upload date:
- Size: 18.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.12.5
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 651a146e9f0f6839b44b858d2a707449a6f99310f4c65119ec9500f06576aa31 |
| MD5 | be59ceef2f95802d93305861cb3e88fd |
| BLAKE2b-256 | 0cc146a8877ba4c2a4baf4b6ee526948248d306858afd31a18e77ddd624e3bc1 |