This page shows you how to schedule and run a scan on a deployed application using Web Security Scanner in the Google Cloud Console. Web Security Scanner supports scans for public URLs and IPs. If your URLs and IPs are behind a firewall, you need to enable scans from static IPs so that you can configure your firewall rules to allow the predictable IP addresses that Web Security Scanner uses.
The following video shows the steps to set up Web Security Scanner, and provides information about how to use the dashboard. The setup steps are described in text later on this page.
Before you begin
To use Web Security Scanner, you must have a deployed application on a public URL or IP.
Enabling Security Command Center
To use Web Security Scanner, your organization must have Security Command Center enabled. Learn more about Security Command Center.
Deploying a test project
To complete this quickstart, you will need the URL of a Compute Engine, Google Kubernetes Engine, or App Engine application that is already deployed. If you don't have a deployed application, or if you want to try out Web Security Scanner with a test application, deploy the test App Engine application in the language of your choice.
Assigning Cloud IAM roles
To run a Web Security Scanner scan, you must have one of the Cloud Identity and Access Management (Cloud IAM) roles listed in the steps below (Project Owner or Project Editor).
To add one of these roles:
- Go to the IAM & Admin page in the Cloud Console.
- Click the Project selector drop-down list.
- On the Select from dialog that appears, select the project that you want to scan using Web Security Scanner.
- On the IAM page, next to your username, click Edit.
- On the Edit permissions panel that appears, click Add another role, and then select one of the following roles:
- Project > Owner
- Project > Editor
- When you're finished adding roles, click Save.
Learn more about Web Security Scanner roles.
Running a scan
When you set up a scan, it's queued to run at a later time. Depending on current load, it might be several hours before a scan executes. To create, save, and run a scan:
- Go to the Web Security Scanner page in the Cloud Console.
- Select the project that contains the deployed application you want to scan.
- To set up a new scan, click New scan. On the Create a new scan page that loads, set the following values:
  - Under Starting URLs, enter the URL of the application you want to scan.
  - Under Schedule, select Weekly.
  - Under Next run on, select a date.
  The box to Export to Security Command Center is automatically checked. If you've enabled Web Security Scanner as a Security Command Center security source, this allows scan results to be displayed on the Security Command Center dashboard.
  For this first scan, use the default scan without changing any other values on the Create a new scan page. For more information about scan settings, see Using Web Security Scanner.
- To create the scan, click Save.
- On the Web Security Scanner page, click the scan name to load its overview page, and then click Run scan.
The scan will be queued, and then it will run at a future time. It might take several hours before the scan runs.
The scan overview page displays a results section when the scan completes. The following image shows example scan results when no vulnerabilities are detected:
If you've enabled Web Security Scanner as a Security Command Center security source, scan results are also displayed on the Security Command Center dashboard.
To display details about a specific finding, click the finding name in the scan results.
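The same Console steps (starting URL, weekly schedule, next run date, export to Security Command Center, Save, Run scan) expressed against the Web Security Scanner v1 REST API, as an added example that is not code from this page. It assumes a project ID and an OAuth2 access token obtained elsewhere; only the two network calls need them, and the config builder runs offline, rejecting non-public targets up front because the scanner only reaches public URLs and IPs.

```python
# Added example, not from the Google Cloud page; assumes a project ID and access token.
import ipaddress
import json
import urllib.request
from datetime import datetime, timezone
from urllib.parse import urlparse

API = "https://websecurityscanner.googleapis.com/v1"


def public_url_problem(url):
    """None if url is http(s) on a public host, else why the scanner can't reach it."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return f"starting URL must be http(s) with a host: {url!r}"
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return None  # DNS name rather than an IP literal: nothing more to check here
    # Loopback / RFC 1918 targets fail here instead of hours later in the scan queue.
    return None if addr.is_global else f"{parts.hostname} is not a public IP"


def build_scan_config(starting_url, display_name, next_run_date):
    """ScanConfig body for the quickstart's Starting URL / Weekly / Next run on settings."""
    problem = public_url_problem(starting_url)
    if problem:
        raise ValueError(problem)
    # "Next run on" is a calendar date in the Console; send it as RFC 3339 at 00:00 UTC.
    when = datetime.strptime(next_run_date, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    if when <= datetime.now(timezone.utc):
        raise ValueError("next run must be in the future")
    return {
        "displayName": display_name,
        "startingUrls": [starting_url],
        "schedule": {"scheduleTime": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
                     "intervalDurationDays": 7},  # Weekly
        "exportToSecurityCommandCenter": "ENABLED",  # checked by default in the Console
    }


def _post(url, token, body):
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def create_and_start(project, token, config):
    """Save the config (Console: Save), then queue a run (Console: Run scan)."""
    created = _post(f"{API}/projects/{project}/scanConfigs", token, config)
    return _post(f"{API}/{created['name']}:start", token, {})  # returns a ScanRun
```

The returned ScanRun is queued, as in the Console; poll it rather than expecting results immediately.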
You have now completed a basic Web Security Scanner scan. If you scanned your own application, learn how to customize the scan in the Using Web Security Scanner guide. If you deployed a test application to run the scan, complete the "Clean up" section to avoid incurring App Engine charges for the application.
Clean up
To avoid incurring charges to your Google Cloud account for the resources used in this quickstart, follow these steps.
- In the Cloud Console, go to the Manage resources page.
- In the project list, select the project that you want to delete and then click Delete.
- In the dialog, type the project ID and then click Shut down to delete the project.