Setting up Cloud SCC tools

This page provides information about how to prepare your Google Cloud Platform (GCP) project to install a package of apps that add new functionality as an example of how you could use Cloud Security Command Center (Cloud SCC) in your organization. These apps can be used as examples of how to develop integrations or add-ons to the Cloud SCC platform, particularly if you are a third-party security solution developer or if you need something more specific for your organization.

This guide was written for tools version 3.3.0. If you're using a different version, please see the README file included with the tools version you downloaded. As of May 22, 2019, the most recent release version is 4.0.1.


The Cloud SCC tools package includes the following components:

Hello World

Hello World is a minimalist app that shows you how to call the Cloud SCC API to retrieve the discovered organization's assets.


Creator is an app that can do queries on Cloud SCC data at regular intervals and send the results to a Cloud Pub/Sub topic.


Notifier is an app that subscribes to the Notifications Cloud Pub/Sub Topic and sends notifications to a configured channel, like e-mail or SMS. Notifications refers to Cloud SCC query results from other apps, like the Creator app mentioned above.

You can develop your own application and easily subscribe to the same Notifications Cloud Pub/Sub Topic, and customize how you handle the messages you get. For example, you could process the results and send them to one of your organization's internal systems, or store the results in another database of your choice for further analysis.

Query Builder

Query Builder is an app that enables you to create and schedule advanced, multi-step queries on Cloud SCC data using a web application interface. When these queries run, the results can be sent to a Cloud Pub/Sub topic where they can be consumed by other apps. You can also configure Query Builder to add Cloud SCC security marks to query results.

For example, you could schedule a query to periodically look for network firewalls with port 22 allowed, and use Query Builder to mark the results in Cloud SCC and notify your security team so they can take appropriate action.

Audit Logs

The Audit logs app can ingest Cloud Audit Logs logs through export sinks and create Cloud SCC security findings. The Audit Logs example app includes integration of Access Transparency alerts and Binary Authorization alerts for Blocked Deployments and Breakglass scenarios.


The Connector App ingests security findings stored in a Cloud Storage bucket populated by a partner. The findings ingestion process is triggered when a new file completes the upload process to the bucket.

Setup scripts

Cloud SCC tools includes a set of companion scripts and utilities that will be used in the installation process to create the necessary Google Cloud Platform (GCP) infrastructure for each app, and help in deploying the apps.

These scripts do things like: create projects, create service accounts, generate SSL certificates, and deploy apps. This guide includes detailed instructions about how to execute the commands to install the Cloud SCC tools using the setup scripts.

The diagram below provides a high-level overview of the Cloud SCC tools, not including the setup scripts:

Cloud SCC Tools overview diagram

Before you begin

To complete this guide, you'll need the following:

  • An active GCP Organization with Cloud SCC enabled.
  • An active Cloud Billing account.
  • Cloud SCC enabled for your GCP Organization.
  • The project ID that you want to use to access the Cloud SCC API. This project must have the securitycenter.googleapis.com API enabled.
  • The following Cloud Identity and Access Management (Cloud IAM) roles at the organization level:
    • Billing Account User - roles/billing.user
    • DNS Administrator - roles/dns.admin
    • Organization Administrator - roles/resourcemanager.organizationAdmin
    • Organization Role Administrator - roles/iam.organizationRoleAdmin
    • Organization Role Viewer - roles/iam.organizationRoleViewer
    • Project Creator - roles/resourcemanager.projectCreator
    • Pub/Sub Publisher - roles/pubsub.publisher
    • Security Center Admin - roles/securitycenter.admin
    • Service Account Admin - roles/iam.serviceAccountAdmin
    • Service Account Key Admin - roles/iam.serviceAccountKeyAdmin
    • Service Management Administrator - roles/servicemanagement.admin

Installing Cloud SCC tools

To install the Cloud SCC tools, complete the steps below to prepare your environment. After you complete this guide, you can install each tool independently by following its installation guide.

All installation must be done using Cloud Shell. Cloud Shell provides command-line access to your GCP resources directly from your browser.

  1. Go to the GCP Console.
    Go to the GCP Console page
  2. Click Activate Cloud Shell.
  3. Set environment variables for your working directory and the tools version you want to download. This guide was written for tools version 3.3.0. For other tools versions, see the README included with the files you downloaded.

    # the Cloud SCC tools release version you want to download.
    # directory to unzip the installation zip files.
    export WORKING_DIR=${HOME}/scc-tools-install
  4. Download the Cloud SCC tools files by running:

    gsutil cp gs://cloud-scc-beta-example-apps-download/{VERSION}.zip .
  5. Unzip the Cloud SCC tools files.

  6. On the Cloud Shell menu bar, click Upload file on the More menu.

  7. On the file selection window, select the scc-setup-scripts-${VERSION}.zip file you downloaded earlier.

After uploading, run the following commands on Cloud Shell to install the setup scripts.

  1. Unzip the uploaded files to a work directory:

    unzip -qo scc-setup-scripts-${VERSION}.zip -d ${WORKING_DIR}
  2. Update your path:

    echo "export PATH=\${HOME}/.local/bin:\$PATH:$(pwd)" >> ${HOME}/.bashrc
    export PATH=${HOME}/.local/bin:$PATH:$(pwd)
  3. Install pipenv so you have a consistent Python environment:

    pip3 install --user pipenv
  4. Enter the installation working directory:

    cd ${WORKING_DIR}
  5. Create the Python virtual env and install dependencies:

    (cd setup; \
    pipenv --python 3.5.3; \
    pipenv install --ignore-pipfile)

You're now ready to install any of the Cloud SCC tools.

Installation guides

Install one or more of the Cloud SCC tools by following its installation guide:

Was this page helpful? Let us know how we did:

Send feedback about...

Cloud Security Command Center
Need help? Visit our support page.