No project description provided
Project description
Carve Systems GCP Assessment Tooling
Installation
This tool requires Python 3.8 or newer.
Additionally, the gcloud CLI is required for authentication against Google user accounts.
Usage
Prerequisites
To use this tool against a Google Cloud environment, you must be have a user account with the Security Reviewer role granted across all relevant projects. The use of a service account with these permissions is recommended if possible; regular user accounts are subject to stricter rate-limiting by Google.
Currently, gcptool authenticates using Google Application Default Credentials. If you are using a regular user account for testing, the gcloud auth application-default login command will properly configure credentials for you. In the case of a service account, setting the GOOGLE_APPLICATION_CREDENTIALS environment variable to a path containing a service account keypair will be required.
You can verify access is working correctly using two commands within the tool; gcptool list-projects will print a list of projects you can currently access, and gcptool check <PROJECT-NAME> will verify your account has the necessary set of permissions to perform all scans.
Running Tests
Once you've verified access, the gcptool scan command can be used to perform testing. To run a basic scan, the command can be used as follows:
gcptool scan PROJECT-NAME,PROJECT-NAME-2 path/to/report/findings/folder
This will produce several outputs:
- A JSON inventory of Google Cloud Resources in
gcptool_cache.jsonin the current directory (NOTE: this file should be handled with care, as it may contain sensitive information) - CDPS-format Markdown findings ready for editing and use in a report (Note that some of these are guidance to possible points of interest for manual testing)
gcptool.loglog file with more detailed information
gcptool will use the generated cache file when possible to avoid making extraneous API requests; the --cache-only option can be used to exit with an error if any scan would required fresh data from the API. This is convenient, for example, to run new scans against already-collected data.
Other useful arguments are:
--service: only run scans for a specific GCP service. For example,--service computewill only run Compute Engine tests.--scan: only run a specific scan. One particularly useful use for this argument is--scan inventory, which will gather data or a complete cache file but will not run any analysis. (gcptool list-scansprovides a helpful list of scans and services)
Development
Development dependencies
Code formatting is handled using the pre-commit tool. Please install and configure it before making any commits!
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file gcptool-1.1.1.tar.gz.
File metadata
- Download URL: gcptool-1.1.1.tar.gz
- Upload date:
- Size: 302.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: python-httpx/0.23.1
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
2313b8f0c46a6275bd0c1d89403300fc0d5014b607b4f4bab76ecd2fb5b322a5
|
|
| MD5 |
a844932816eff224b5a96e32f48bbb1f
|
|
| BLAKE2b-256 |
a5dee825007221aacceae125b97b47f408f9615c7f7ca859ffa6ceba370a07dd
|
File details
Details for the file gcptool-1.1.1-py3-none-any.whl.
File metadata
- Download URL: gcptool-1.1.1-py3-none-any.whl
- Upload date:
- Size: 335.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: python-httpx/0.23.1
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0a934dd94d29b266f13577e3b673c6cc878e61a6b0a19cb439bdeb9541f01d5b
|
|
| MD5 |
d0260b739087bd5477faf00c7032123d
|
|
| BLAKE2b-256 |
73c13e60da9e6018f02fd0657bca1dab7a2b26fc2d368eaf346f072cb1f792f0
|
