Jump to Content
Security & Identity

Web application vulnerability scans for GKE and Compute Engine are generally available

August 6, 2019
Kyle Olive

Product Manager

As the number of platforms you build and run your applications on increases, so does the challenge of understanding what applications you have deployed and their security state. Without visibility, it can be difficult to know if there are any latent vulnerabilities in your applications—much less how to fix them.

Today, we’re excited to announce the general availability of Cloud Security Scanner for Google Kubernetes Engine (GKE) and Compute Engine, joining Cloud Security Scanner for App Engine. Now, no matter where you run your applications on Google Cloud, you can quickly gain insights into your web app’s vulnerabilities and take action before a bad actor can exploit them. 

Web application vulnerabilities can occur during the development process. Some of these vulnerabilities include the incorrect setup of an app’s security framework, the incorrect implementation of an app into a production environment, or systems that weren’t patched or updated. 

Cloud Security Scanner can surface a wide range of web application vulnerabilities as findings; here are a few examples of its capabilities:

  • Identity and notify you of common external vulnerabilities in your applications such as Flash Injection or mixed content 
  • Detect vulnerabilities such as cross-site scripting bugs due to JavaScript breakage
  • Alert you of accessible GIT and SVN repositories
  • Surface mixed content vulnerabilities that a man-in-the-middle attacker could exploit to gain full access to the website that loads the resource or monitor users' actions.
  • Notify you if an application appears to be transmitting a password field in plain text, displaying HTTP header issues, including misspellings, mismatching values in a duplicate security header, or invalid headers

Cloud Security Scanner surfaces these vulnerabilities as findings in Cloud Security Command Center (Cloud SCC), our Cloud Security Posture Management (CSPM) tool, so you can gain visibility into misconfigurations, vulnerabilities, and threats and quickly respond to them from a centralized dashboard. Then, when you click on a finding, you can see a description of the issue and an actionable recommendation on how you can fix and prevent it in the future.


Cloud Security Scanner is not on by default. To activate it, complete this quickstart and then go to Security Sources within Cloud SCC to ensure it’s active. You can also create customized scans for your applications using the Cloud Security Scanner UI. Once Cloud Security Scanner is on, it scans your application, following all links within the scope of your starting URLs, and attempts to exercise as many user inputs and event handles as possible. The scans run using the Chrome and Safari browsers, and those embedded in Blackberry and Nokia phones. For more flexibility, you can also schedule scans.


For additional protection of your applications running on GKE instances, you can also use the Container Registry vulnerability scanning to discover vulnerable container images before they are deployed into production. 

It’s easy to get started with Cloud Security Scanner and protect your applications. If you are new to GCP, start your free GCP trial and enable Cloud SCC then Cloud Security Scanner. If you are an existing customer, simply enable Cloud Security Scanner from Security Sources in Cloud SCC, and start using it for free. For more information on Cloud Security Scanner, read our documentation.

Posted in