Cloud Security Scanner

Automatically scan your App Engine, Compute Engine, and Google Kubernetes Engine apps for common vulnerabilities.

Automated vulnerability scanning

Cloud Security Scanner is a web security scanner for common vulnerabilities in App Engine, Compute Engine, and Google Kubernetes Engine applications. It can automatically scan for and detect four common vulnerabilities: cross-site scripting (XSS), Flash injection, mixed content (HTTP in HTTPS), and outdated/insecure libraries. It enables early identification and delivers very low false-positive rates. You can easily set up, run, schedule, and manage security scans, and it is available at no additional charge for Google Cloud Platform users.

Find common security vulnerabilities

Detect key vulnerabilities in development prior to production. After you set up a scan, Cloud Security Scanner automatically crawls your application, following all links within the scope of your starting URLs, and attempts to exercise as many user inputs and event handlers as possible.

Focus on actionable results

The findings for XSS, Flash injection, mixed content usage, and outdated/insecure libraries all have very low false-positive rates. Results are highlighted to enable you to explore and verify in detail and focus on fixes.

Integrates easily with your processes

You can easily set up and run on-demand immediate or scheduled security scans from the Google Cloud Platform console. Scans should be run from a test environment and test accounts, and are enabled for targets only within your App Engine project to prevent unintended effects.


Vulnerability detection

XSS, Flash injection, mixed content, and use of outdated/insecure JavaScript libraries.

Simple control

Set up and run either immediate or scheduled scans from your Google Cloud Platform console. Select your start point and specify excluded paths.

Actionable results

Simple and clear scan outputs available from your Google Cloud Platform console.

Selection of agent browsers

Scans are run using Chrome, Safari, BlackBerry, or Nokia browser agents.

User authentication

Supports both Google and non-Google accounts and automatically handles common login scenarios.



There is no separate charge for using Cloud Security Scanner. However, using the scanner impacts App Engine instance quota limits, bandwidth (traffic) charges, and quotas for API calls to App Engine services such as mail and search. Learn more in our pricing guide.
