Adding and deleting security marks

Demonstrates adding and deleting security marks in the same request

Explore further

For detailed documentation that includes this code sample, see the following:

Code sample

Go

To authenticate to Security Command Center, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.

import (
	"context"
	"fmt"
	"io"

	securitycenter "cloud.google.com/go/securitycenter/apiv1"
	"cloud.google.com/go/securitycenter/apiv1/securitycenterpb"
	"google.golang.org/genproto/protobuf/field_mask"
)

// addDeleteSecurityMarks adds/updates "key_a" and deletes  "key_b" from
// assetName's securityMarks. assetName is the resource path for an asset.
func addDeleteSecurityMarks(w io.Writer, assetName string) error {
	// Specify the value of 'assetName' in one of the following formats:
	// 		assetName := "organizations/{org_id}/assets/{asset_id}"
	//		assetName := "projects/{project_id}/assets/{asset_id}"
	//		assetName := "folders/{folder_id}/assets/{asset_id}"
	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %w", err)
	}
	defer client.Close() // Closing the client safely cleans up background resources.

	req := &securitycenterpb.UpdateSecurityMarksRequest{
		// If not set or empty, all marks would be cleared.
		UpdateMask: &field_mask.FieldMask{
			Paths: []string{"marks.key_a", "marks.key_b"},
		},
		SecurityMarks: &securitycenterpb.SecurityMarks{
			Name: fmt.Sprintf("%s/securityMarks", assetName),
			// Intentionally not setting marks for key_b to
			// delete it.
			Marks: map[string]string{"key_a": "new_value_a"},
		},
	}

	updatedMarks, err := client.UpdateSecurityMarks(ctx, req)
	if err != nil {
		return fmt.Errorf("UpdateSecurityMarks: %w", err)
	}

	fmt.Fprintf(w, "Updated marks: %s\n", updatedMarks.Name)
	for k, v := range updatedMarks.Marks {
		fmt.Fprintf(w, "%s = %s\n", k, v)
	}
	return nil
}

Java

To authenticate to Security Command Center, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.

static SecurityMarks deleteAndUpdateMarks(String assetName) {
  try (SecurityCenterClient client = SecurityCenterClient.create()) {
    // Specify the value of 'assetName' in one of the following formats:
    //    String assetName = "organizations/{org-id}/assets/{asset-id}";
    //    String assetName = "projects/{project-id}/assets/{asset-id}";
    //    String assetName = "folders/{folder-id}/assets/{asset-id}";
    // Start setting up a request to clear and update security marks for an asset.
    // Create security mark and field mask for clearing security marks.
    SecurityMarks securityMarks =
        SecurityMarks.newBuilder()
            .setName(assetName + "/securityMarks")
            .putMarks("key_a", "new_value_for_a")
            .build();
    FieldMask updateMask =
        FieldMask.newBuilder().addPaths("marks.key_a").addPaths("marks.key_b").build();

    UpdateSecurityMarksRequest request =
        UpdateSecurityMarksRequest.newBuilder()
            .setSecurityMarks(securityMarks)
            .setUpdateMask(updateMask)
            .build();

    // Call the API.
    SecurityMarks response = client.updateSecurityMarks(request);

    System.out.println("Security Marks updated and cleared:");
    System.out.println(response);
    return response;
  } catch (IOException e) {
    throw new RuntimeException("Couldn't create client.", e);
  }
}

Node.js

To authenticate to Security Command Center, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.

// Imports the Google Cloud client library.
const {SecurityCenterClient} = require('@google-cloud/security-center');

// Creates a new client.
const client = new SecurityCenterClient();

async function addDeleteSecurityMarks() {
  // assetName is the full resource path for the asset to update.
  // Specify the value of 'assetName' in one of the following formats:
  //    `organizations/${org-id}/assets/${asset-id}`;
  //    `projects/${project-id}/assets/${asset-id}`;
  //    `folders/${folder-id}/assets/${asset-id}`;
  const [newMarks] = await client.updateSecurityMarks({
    securityMarks: {
      name: `${assetName}/securityMarks`,
      marks: {key_a: 'new_value_a'},
    },
    // Only update the enableAssetDiscovery field.
    updateMask: {paths: ['marks.key_a', 'marks.key_b']},
  });

  console.log('New marks: %j', newMarks);
}
addDeleteSecurityMarks();

Python

To authenticate to Security Command Center, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.

from google.cloud import securitycenter
from google.protobuf import field_mask_pb2

client = securitycenter.SecurityCenterClient()
# 'asset_name' is the resource path for an asset that exists in SCC.
# Specify the value of 'asset_name' in one of the following formats:
#   f"organizations/{org_id}/assets/{asset_id}"
#   f"projects/{project_id}/assets/{asset_id}"
#   f"folders/{folder_id}/assets/{asset_id}"
# asset_name = organizations/123123342/assets/12312321
marks_name = f"{asset_name}/securityMarks"

field_mask = field_mask_pb2.FieldMask(paths=["marks.key_a", "marks.key_b"])
marks = {"key_a": "new_value_for_a"}

updated_marks = client.update_security_marks(
    request={
        "security_marks": {"name": marks_name, "marks": marks},
        "update_mask": field_mask,
    }
)
print(updated_marks)

What's next

To search and filter code samples for other Google Cloud products, see the Google Cloud sample browser.