Add security marks to assets

Demonstrates adding security marks to assets

Explore further

For detailed documentation that includes this code sample, see the following:

Code sample


import (

	securitycenter ""
	securitycenterpb ""

// addSecurityMarks adds/updates the security marks for the assetName.
// Specifically, it sets "key_a" and "key_b" to "value_a" and "value_b"
// respectively.  assetName is the resource path for an asset.
func addSecurityMarks(w io.Writer, assetName string) error {
	// assetName := "organizations/123123342/assets/12312321"
	// Instantiate a context and a security service client to make API calls.
	ctx := context.Background()
	client, err := securitycenter.NewClient(ctx)
	if err != nil {
		return fmt.Errorf("securitycenter.NewClient: %v", err)
	defer client.Close() // Closing the client safely cleans up background resources.

	req := &securitycenterpb.UpdateSecurityMarksRequest{
		// If not set or empty, all marks would be cleared before
		// adding the new marks below.
		UpdateMask: &field_mask.FieldMask{
			Paths: []string{"marks.key_a", "marks.key_b"},
		SecurityMarks: &securitycenterpb.SecurityMarks{
			Name: fmt.Sprintf("%s/securityMarks", assetName),
			// Note keys correspond to the last part of each path.
			Marks: map[string]string{"key_a": "value_a", "key_b": "value_b"},
	updatedMarks, err := client.UpdateSecurityMarks(ctx, req)
	if err != nil {
		return fmt.Errorf("UpdateSecurityMarks: %v", err)

	fmt.Fprintf(w, "Updated marks: %s\n", updatedMarks.Name)
	for k, v := range updatedMarks.Marks {
		fmt.Fprintf(w, "%s = %s\n", k, v)
	return nil



// Imports the Google Cloud client library.
const {SecurityCenterClient} = require('@google-cloud/security-center');

// Creates a new client.
const client = new SecurityCenterClient();

async function addSecurityMarks() {
  // assetName is the full resource path for the asset to update.
   * TODO(developer): Uncomment the following lines
  // const assetName = "organizations/123123342/assets/12312321";
  const [newMarks] = await client.updateSecurityMarks({
    securityMarks: {
      name: `${assetName}/securityMarks`,
      marks: {key_a: 'value_a', key_b: 'value_b'},
    // Only update the marks with these keys.
    updateMask: {paths: ['marks.key_a', 'marks.key_b']},

  console.log('New marks: %', newMarks);


from import securitycenter
from google.protobuf import field_mask_pb2

# Create a new client.
client = securitycenter.SecurityCenterClient()

# asset_name is the resource path for an asset that exists in CSCC.
# Its format is "organization/{organization_id}/assets/{asset_id}
# e.g.:
# asset_name = organizations/123123342/assets/12312321
marks_name = "{}/securityMarks".format(asset_name)

# Notice the suffix after "marks." in the field mask matches the keys
# in marks.
field_mask = field_mask_pb2.FieldMask(paths=["marks.key_a", "marks.key_b"])
marks = {"key_a": "value_a", "key_b": "value_b"}

updated_marks = client.update_security_marks(
        "security_marks": {"name": marks_name, "marks": marks},
        "update_mask": field_mask,

What's next

To search and filter code samples for other Google Cloud products, see the Google Cloud sample browser.