OAuth (Service Account) · 60 seconds

GCP cloud security in 60 seconds

Authorize via Google OAuth. Scope to specific projects. Read-only by default. No JSON key files stored.

Free forever. No credit card required.

Why vul.ninja for GCP?

Google OAuth-native

Sign in with your existing Google Cloud account. No JSON key files to download, rotate, or secure. OAuth handles everything.

Project-level scope

Choose exactly which GCP projects vul.ninja can scan. Exclude development or experimental projects easily, and update your selection at any time.

GCP-aware findings

Every finding includes GCP resource names, IAM binding details, and remediation steps tailored to GCP best practices and CIS benchmarks.

How to connect GCP in 60 seconds

1. Click "Connect GCP" in vul.ninja

From your vul.ninja dashboard, choose Google Cloud as your provider. You'll be redirected to the Google OAuth consent screen.

2. Sign in with your Google Cloud account

Authenticate via your existing Google account with access to GCP. Review and approve the permission scopes vul.ninja requests.

3. Choose your projects

Select which GCP projects you want vul.ninja to scan. You can include or exclude projects and update this selection at any time.

4. Done — your first scan starts automatically

Within minutes you'll have findings across your selected projects, prioritized by severity and risk to your production workloads.

What permissions does vul.ninja need?

Least-privilege by design. Read-only by default. Write actions require your explicit per-action approval.

By default (read-only)

  • roles/viewer on selected projects (built-in GCP IAM role, audited by Google)
  • Cloud Resource Manager: read project and organization metadata
  • IAM: read roles, service accounts, and policy bindings
  • Cloud Storage: list buckets, read bucket IAM policies and ACLs
  • Compute Engine: describe instances, firewall rules, and network configurations
  • GKE: describe cluster configurations and node pools
  • Cloud SQL: describe instances, backups, and SSL settings
  • Cloud KMS: list keys and read key rotation configuration

If you enable remediation (opt-in)

  • Cloud Storage: update bucket IAM policies to remove allUsers/allAuthenticatedUsers access
  • Compute Engine: update firewall rules to remove overly permissive ingress rules
  • Cloud SQL: enable SSL enforcement and automated backups
  • IAM: remove overly permissive roles from service accounts

Write permissions are scoped per-action and require your approval before anything runs.
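The permission list above is a least-privilege contract, and the practical check on the customer side is whether the connected principal actually holds only roles/viewer (plus any remediation roles you opted into) on each selected project. The following is an added example, not vul.ninja's or Google's code: it audits a project IAM policy in the JSON shape `gcloud projects get-iam-policy PROJECT --format=json` returns and flags any role outside an allow-list. The sample policy and the scanner principal e-mail are constructed placeholders; the real identity to check is whatever your dashboard shows for the connection.

```python
import json

# Constructed sample in the shape `gcloud projects get-iam-policy PROJECT --format=json`
# returns. The scanner principal below is a PLACEHOLDER; the identity vul.ninja actually
# connects with is not stated on the page and should be taken from your own dashboard.
SCANNER_PRINCIPAL = "user:scanner-placeholder@example.com"

SAMPLE_POLICY_JSON = json.dumps({
    "version": 1,
    "etag": "BwXplaceholder=",
    "bindings": [
        {"role": "roles/viewer",
         "members": [SCANNER_PRINCIPAL, "user:alice@example.com"]},
        # Drift: a write-capable role nobody intended the read-only scanner to hold.
        {"role": "roles/storage.admin", "members": [SCANNER_PRINCIPAL]},
        {"role": "roles/owner", "members": ["user:bob@example.com"]},
    ],
})

# The role the page says a read-only connection maps to.
READ_ONLY_BASELINE = frozenset({"roles/viewer"})


def roles_for_member(policy: dict, member: str) -> list:
    """Every role bound to `member` in a project IAM policy, sorted."""
    return sorted(
        b["role"] for b in policy.get("bindings", [])
        if member in b.get("members", [])
    )


def excess_roles(policy: dict, member: str, allowed=READ_ONLY_BASELINE) -> list:
    """Roles bound to `member` that fall outside the allow-list."""
    return sorted(set(roles_for_member(policy, member)) - set(allowed))


def audit_project(policy_json: str, project_id: str, member: str,
                  allowed=READ_ONLY_BASELINE) -> dict:
    """Compare one project's policy against the permissions the scanner is expected to hold."""
    policy = json.loads(policy_json)
    excess = excess_roles(policy, member, allowed)
    return {
        "project": project_id,
        "roles": roles_for_member(policy, member),
        "excess": excess,
        "ok": not excess,
    }


if __name__ == "__main__":
    # Run against the constructed sample; in practice feed each selected project's
    # exported policy through audit_project() with your allow-list.
    print(json.dumps(audit_project(SAMPLE_POLICY_JSON, "demo-project", SCANNER_PRINCIPAL), indent=2))
```

If you have enabled remediation, extend `allowed` with the specific roles you approved for it; anything beyond that set is drift worth investigating, regardless of which app holds it.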

vul.ninja uses OAuth 2.0 with PKCE. Tokens are short-lived and refreshed via OAuth refresh tokens — we never request, download, or store JSON service account key files. You can revoke vul.ninja's access at any time by visiting myaccount.google.com/permissions, finding vul.ninja in the list of connected apps, and clicking Remove Access.
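What PKCE adds to the authorization-code flow described above is a proof that the party redeeming the code is the one that started the flow. The following is an added example, not vul.ninja's or Google's code: it implements the RFC 7636 S256 method and simulates both the client and a toy authorization server in-process, so nothing here contacts Google. It shows a legitimate redemption succeeding and a redemption by a party that holds the code but not the verifier failing, which is the property the flow relies on.

```python
import base64
import hashlib
import secrets

# Added example of the PKCE (RFC 7636) S256 method. Both the "client" and the
# "authorization server" are simulated here; the class and function names are
# illustrative and are not the names used by vul.ninja or Google.


def b64url_nopad(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier; 32 random bytes encode to 43 chars, the RFC minimum length."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


class ToyAuthorizationServer:
    """Stores the challenge next to each issued code and checks it on redemption."""

    def __init__(self):
        self._pending = {}  # authorization code -> (challenge, method)

    def authorize(self, challenge: str, method: str) -> str:
        """Authorization request: remember the challenge, hand back a one-time code."""
        code = secrets.token_urlsafe(16)
        self._pending[code] = (challenge, method)
        return code

    def token(self, code: str, verifier: str) -> bool:
        """Token request: succeed only if the verifier hashes to the stored challenge."""
        entry = self._pending.pop(code, None)  # codes are single-use
        if entry is None:
            return False
        challenge, method = entry
        if method != "S256":
            return False  # reject the weaker "plain" method outright
        return secrets.compare_digest(code_challenge_s256(verifier), challenge)


def run_flow(server: ToyAuthorizationServer, verifier: str, presented_verifier: str) -> bool:
    """Client side: send the challenge, receive a code, redeem it with `presented_verifier`."""
    code = server.authorize(code_challenge_s256(verifier), "S256")
    return server.token(code, presented_verifier)


def demo() -> dict:
    """Legitimate client vs. a party that obtained the code but never had the verifier."""
    server = ToyAuthorizationServer()
    verifier = make_code_verifier()
    return {
        "legitimate_client": run_flow(server, verifier, verifier),
        "code_without_verifier": run_flow(server, verifier, make_code_verifier()),
    }


if __name__ == "__main__":
    print(demo())
```

The verifier never leaves the client until the token request, and the server stores only its hash, so a leaked authorization code is not enough to obtain tokens on its own; the short-lived tokens and refresh tokens the page mentions are then managed by the provider without any long-lived key file being handed to the client.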

How is this different from Google Security Command Center?

We believe in honest comparisons. Here's where the native tool wins, and where vul.ninja wins.

Where Google Security Command Center wins

  • Native to GCP with no setup beyond enabling the service in your project
  • Free Standard tier with comprehensive findings for common GCP misconfigurations
  • Deep integration with Google threat intelligence and Event Threat Detection
  • Google-managed and covered under your existing Google Cloud support

Where vul.ninja wins

  • Multi-cloud: scan AWS and Azure alongside GCP — Security Command Center is Google-only
  • AI agents that explain findings in plain language and trace attack paths end-to-end
  • Faster, friendlier setup for teams without dedicated GCP security expertise
  • Simpler, predictable pricing — no per-finding or tiered per-project billing
  • Human-in-the-loop remediation pipeline with approval gates before any change runs

Frequently asked questions

Is vul.ninja's access to my GCP projects read-only?

Yes, by default. The OAuth scopes requested map to roles/viewer, which is read-only. Write actions are only possible if you explicitly enable the Remediation Agent on a paid plan, and every individual fix requires your approval before it runs.

Can I choose which projects are scanned?

Yes. During setup you choose exactly which projects to include. You can update this selection at any time from the cloud connections page in your dashboard.

Does vul.ninja store service account JSON key files?

No. We use OAuth 2.0 refresh tokens exclusively — no JSON key files are ever downloaded or stored. This eliminates the most common GCP credential compromise vector.

How do I revoke vul.ninja's access?

Go to myaccount.google.com/permissions, find vul.ninja in the list of connected apps, and click Remove Access. This immediately terminates all access to your GCP projects.

Which GCP services does vul.ninja scan?

IAM, Cloud Storage, Compute Engine, GKE, Cloud SQL, Cloud KMS, Cloud Run, App Engine, BigQuery, VPC firewall rules, and more. See our documentation for the full current coverage list.

How does vul.ninja compare with Google Security Command Center?

Security Command Center is excellent if you only use GCP. vul.ninja adds multi-cloud coverage (AWS, Azure), AI agents that investigate findings and propose remediations in plain language, and a human-approval remediation pipeline. Security Command Center doesn't offer those capabilities.

Does vul.ninja help with compliance frameworks such as SOC 2, HIPAA, and PCI-DSS?

Yes. vul.ninja maps GCP findings to SOC 2, HIPAA, and PCI-DSS controls. Connecting your GCP projects gives us visibility into your posture — your existing compliance certifications are unaffected.

How long does a scan take?

Typically 5–15 minutes per GCP project, depending on the number of resources and services in scope.

Can I connect projects from multiple GCP organizations?

Yes. You can connect projects from multiple GCP organizations by completing the OAuth flow for each organization separately. Each connection is managed independently in your dashboard.

Does vul.ninja scan Google Workspace?

We scan GCP infrastructure (IAM, compute, storage, etc.) but do not currently scan Google Workspace settings. Reach out to security@vul.ninja if this is a requirement.

Built for security-conscious teams

roles/viewer only

Built-in GCP read-only role — the minimum required to see your resources.

OAuth 2.0 with PKCE

No JSON key files. Short-lived tokens refreshed via OAuth.

Full API audit log

Every API call vul.ninja makes against your projects is logged.

One-click revocation

Revoke via myaccount.google.com/permissions — instant effect.

Ready to scan your GCP cloud?

Connect in 60 seconds. Free forever.
