Using Cloud Security Scanner with App Engine

Before you scan

Before you scan, carefully audit your application for any feature that may affect data, users, or systems beyond the desired scope of your scan.

Because Cloud Security Scanner populates fields, pushes buttons, clicks links, and so on, it should be used with caution. Cloud Security Scanner could potentially activate features that change the state of your data or system, with undesirable results. For example:

  • In a blog application that allows public comments, Cloud Security Scanner may post test strings as comments on all your blog articles.
  • In an email sign-up page, Cloud Security Scanner may generate large numbers of test emails.

For tips on how to minimize risk, see Preventing unintended consequences.

Creating a scan

  1. If you haven't created a test account, do so now and then log in to it. The test account must be an owner or developer of the App Engine instance to be scanned.

  2. Go to the Google Cloud Platform Console.

  3. On the project drop-down list, select a project that already has an App Engine application deployed.

  4. Go to the Google Cloud Platform Console Security Scan page.

  5. Select App Engine > Security scan.

  6. The first time you scan your application, you'll be prompted to create a new scan:

  7. To display the new scan form, click Create scan. If a scan already exists for the application, click New scan. The following image shows all the possible form fields:

  8. Use the table below, which describes the main scan fields, as a guide to filling in the new scan form.

  9. When you're finished adding values, click Create. You can now run the new scan.

Field: Description

Starting URLs: A simple site usually requires only one starting URL, such as the home, main, or landing page, from which Cloud Security Scanner can find all other site pages. However, Cloud Security Scanner may fail to find all the pages if the site has a large number of pages or islands of unconnected pages, or if the navigation requires complex JavaScript such as a mouseover-driven multilevel menu. In such cases, specify additional starting URLs to increase scan coverage.

Excluded URLs: To reduce complexity, exclusions are defined using a simplified proto-language with one or more * wildcards, rather than requiring a valid regex. For details and sample valid patterns, see Excluding URLs in Scans.

Google accounts: You can create a test account in Gmail and use that account to scan your product. If you are a Google Apps customer, you can create test accounts within your domain, for example test-account@yourdomain.com. In Cloud Security Scanner, these accounts work like Gmail accounts. Two-factor authentication is not supported.

Note that Google enforces a real-name policy on Google accounts. Your test account may be blocked if the name does not look real.

Non-Google accounts: Select this option if you have created your own authentication system and you aren't using Google Account services. Specify the login form's URL, the username, and the password. These credentials are used to sign in to your application and scan it.

Note that support for login forms is still in development and may not work out of the box with your system.

Schedule: You can set the scan to run daily, weekly, fortnightly, or every four weeks. It's best to create a scheduled scan to ensure that future versions of your application are tested. Also, because we occasionally release new scanners that find additional bug types, running a scheduled scan gives you the benefit of the additional coverage without manual effort.
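The Excluded URLs field is the main control for keeping the scanner away from the state-changing features the "Before you scan" section warns about (comment forms, sign-up pages, logout or delete links). The example below is added here and is not Cloud Security Scanner's own matching code: it models the wildcard exclusion language as "* matches any run of characters, including /", which is an assumption; the authoritative rules are in Excluding URLs in Scans. The patterns, host name and discovered URLs are constructed for illustration. Running a list of crawled URLs through this kind of check before a scan lets you confirm that the exclusions actually cover every endpoint you audited as risky.

```python
import re

# Constructed exclusion patterns in the style the page describes: one or more
# '*' wildcards rather than a full regular expression. The host name is a
# placeholder, not a real deployment.
EXCLUDED_URL_PATTERNS = [
    "https://example-app.appspot.com/blog/*/comments",   # public comment forms
    "https://example-app.appspot.com/logout*",           # would end the test session
    "*/signup",                                          # email sign-up page
]


def wildcard_to_regex(pattern):
    """Convert a '*'-wildcard pattern into an anchored compiled regex.

    Assumed semantics: '*' matches any run of characters (including '/');
    every other character is matched literally, so '.', '?' and other regex
    metacharacters that commonly appear in URLs are escaped.
    """
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$")


def is_excluded(url, patterns=EXCLUDED_URL_PATTERNS):
    """Return True if the URL matches at least one exclusion pattern."""
    return any(wildcard_to_regex(p).match(url) for p in patterns)


def partition_urls(urls, patterns=EXCLUDED_URL_PATTERNS):
    """Split discovered URLs into (to_scan, excluded) while preserving order."""
    to_scan, excluded = [], []
    for url in urls:
        (excluded if is_excluded(url, patterns) else to_scan).append(url)
    return to_scan, excluded


def report(urls, patterns=EXCLUDED_URL_PATTERNS):
    """Print a pre-scan coverage summary and return the partition."""
    to_scan, excluded = partition_urls(urls, patterns)
    print("URLs the scanner will exercise:")
    for url in to_scan:
        print("  SCAN     ", url)
    print("URLs kept out of the scan:")
    for url in excluded:
        print("  EXCLUDED ", url)
    return to_scan, excluded


if __name__ == "__main__":
    # Constructed sample of URLs a crawl of the test deployment might surface.
    discovered = [
        "https://example-app.appspot.com/",
        "https://example-app.appspot.com/blog/42",
        "https://example-app.appspot.com/blog/42/comments",
        "https://example-app.appspot.com/logout?next=/",
        "https://example-app.appspot.com/account/signup",
    ]
    report(discovered)
```

Because `re.escape` is applied to everything between the wildcards, a pattern such as `https://example-app.appspot.com/logout*` cannot accidentally become a broad regex; only the `*` positions are permissive. If you extend this for your own site, keep the patterns list in the same file you use to record the audit of state-changing features, so the two stay in step.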

Running a scan

To run a scan:

  1. Sign in to the test account used to create the scan.

  2. Go to the Google Cloud Platform Console Security Scan page.

  3. On the project drop-down list, select a project for which you've created a scan.

  4. If you have created multiple scans for your app, select the scan you want to run. If you created only one scan for this app, the scan is displayed and is ready to run:

  5. To start scanning your app, click Run scan.

The scan is placed in a queue, and there might be a delay before it runs. It can take several minutes or many hours to complete, depending on system load and on factors such as site complexity, the number of actionable elements per page, the number of links, and the amount of JavaScript (including navigation).

Editing and deleting scans

  1. Sign in to the test account used to create the scan.

  2. Go to the Google Cloud Platform Console Security Scan page.

  3. On the project drop-down list, select the project for which you've created a scan.

  4. Select App Engine > Security scan.

  5. If you have created multiple scans for your app, select the scan you want to edit from the list that is displayed. If you created only one scan for this app, the scan is displayed and is ready for editing or deletion:

  6. Click Edit to edit the scan or Delete to delete it from your project.

The status and results of the scan are displayed on the Security Scan page. You can also find helpful information in the project logs page.
