Setting up Cloud SCC tools

This page provides information about how to prepare your Google Cloud Platform (GCP) project to install the Cloud Security Command Center (Cloud SCC) tools app package. These apps add new functionality that show how you could use Cloud SCC in your organization. Use these apps as examples of how to develop integrations or add-ons to the Cloud SCC platform. If you're a third-party security solution developer, or if you need something more specific for your organization, you might find these apps particularly useful.

This guide was written for tools version 3.3.0. If you're using a different version, please see the README file included with the tools version you downloaded. As of May 22, 2019, the most recent release version is 4.0.1.


The Cloud SCC tools package includes the following components:

Hello World

Hello World is a minimalist app that shows you how to call the Cloud SCC API to retrieve the discovered organization's assets.


Creator is an app that can do queries on Cloud SCC data at regular intervals and send the results to a Notifications Cloud Pub/Sub Topic.

Query Builder

Query Builder is an app that enables you to create and schedule advanced, multi-step queries on Cloud SCC data using a web application interface. When these queries run, the results can be sent to a Notifications Cloud Pub/Sub Topic where other apps can consume them. You can also configure Query Builder to add Cloud SCC security marks to query results.

For example, you could schedule a query to periodically look for network firewalls with port 22 allowed. You could then use Query Builder to mark the results in Cloud SCC and notify your security team so they can take appropriate action.


Notifier is an app that subscribes to the Notifications Cloud Pub/Sub Topic and sends notifications to a configured channel, like email or SMS. The Notifier app refers to Cloud SCC query results from other apps, like the Creator and Query Builder apps.

You can develop your own application and easily subscribe to the same Notifications Cloud Pub/Sub Topic, and customize how you handle the messages you get. For example, you could process the results and send them to one of your organization's internal systems, or store the results in another database of your choice for further analysis.

Audit Logs

The Audit logs app can ingest Cloud Audit Logs logs through export sinks and create Cloud SCC security findings. The Audit Logs example app includes integration of Access Transparency alerts and Binary Authorization alerts for Blocked Deployments and Break Glass scenarios.


The Connector App ingests security findings stored in a Cloud Storage bucket populated by a partner. The findings ingestion process is triggered when a new file completes the upload process to the bucket.

Setup scripts

The Cloud SCC tools package includes a set of companion scripts and utilities. The scripts and utilities are used during installation to create the necessary GCP infrastructure for each app and help deploy the apps.

These scripts do things like:

  • Create projects
  • Create service accounts
  • Generate SSL certificates
  • Deploy apps

This guide includes detailed instructions about how to execute the commands to install the Cloud SCC tools using the setup scripts.

Figure 1 provides a high-level overview of the Cloud SCC tools, not including the setup scripts:

Cloud SCC Tools overview diagram.
Figure 1. Diagram of the Cloud SCC tools with a description of how each tool interacts with Cloud SCC.

Before you begin

To complete this guide, you need the following:

  • An active GCP Organization with Cloud SCC enabled.
  • An active Cloud Billing account.
  • Cloud SCC enabled for your GCP Organization.
  • The project ID that you want to use to access the Cloud SCC API. This project must have the securitycenter.googleapis.com API enabled.
  • The following Cloud Identity and Access Management (Cloud IAM) roles at the organization level:
    • Billing Account User - roles/billing.user
    • DNS Administrator - roles/dns.admin
    • Organization Administrator - roles/resourcemanager.organizationAdmin
    • Organization Role Administrator - roles/iam.organizationRoleAdmin
    • Organization Role Viewer - roles/iam.organizationRoleViewer
    • Project Creator - roles/resourcemanager.projectCreator
    • Pub/Sub Publisher - roles/pubsub.publisher
    • Security Center Admin - roles/securitycenter.admin
    • Service Account Admin - roles/iam.serviceAccountAdmin
    • Service Account Key Admin - roles/iam.serviceAccountKeyAdmin
    • Service Management Administrator - roles/servicemanagement.admin

Installing Cloud SCC tools

To install the Cloud SCC tools, complete the steps below to prepare your environment. After you complete this guide, you can install each tool independently by following the installation guide linked later on this page.

All installation must be done using Cloud Shell. Cloud Shell provides command-line access to your GCP resources directly from your browser.

  1. Go to the GCP Console.
    Go to the GCP Console page
  2. Click Activate Cloud Shell.
  3. Set environment variables for your working directory and the tools version you want to download. This guide was written for tools version 3.3.0. For other tools versions, see the README included with the files you downloaded.

    # the Cloud SCC tools release version you want to download.
    # directory to unzip the installation zip files.
    export WORKING_DIR=${HOME}/scc-tools-install
  4. Download the Cloud SCC tools files by running:

    gsutil cp gs://cloud-scc-beta-example-apps-download/{VERSION}.zip .
  5. Unzip the Cloud SCC tools files.

  6. On the Cloud Shell menu bar, click Upload file under More. more_vert

  7. On the file selection window, select the scc-setup-scripts-${VERSION}.zip file you downloaded earlier.

After uploading, run the following commands on Cloud Shell to install the setup scripts.

  1. Unzip the uploaded files to a work directory:

    unzip -qo scc-setup-scripts-${VERSION}.zip -d ${WORKING_DIR}
  2. Update your path:

    echo "export PATH=\${HOME}/.local/bin:\$PATH:$(pwd)" >> ${HOME}/.bashrc
    export PATH=${HOME}/.local/bin:$PATH:$(pwd)
  3. Install pipenv so you have a consistent Python environment:

    pip3 install --user pipenv
  4. Enter the installation working directory:

    cd ${WORKING_DIR}
  5. Create the Python virtual env and install dependencies:

    (cd setup; \
    pipenv --python 3.5.3; \
    pipenv install --ignore-pipfile)

You're now ready to install any of the Cloud SCC tools.

Installation guides

Install one or more of the Cloud SCC tools by following its installation guide:

Was this page helpful? Let us know how we did:

Send feedback about...

Cloud Security Command Center
Need help? Visit our support page.