Scanning web services hosted on Compute Engine
You can now use Cloud Security Scanner for web services or applications running on Compute Engine virtual machines (VMs), or running behind HTTP(S) load balancers.
To create scans that target Compute Engine on a particular Google Cloud Platform (GCP) project, select Security scans from the Compute Engine menu.
After clicking on the Compute Engine -> Security scans menu, you are redirected either to a first run experience page to create a new scan or, if at least one Compute Engine Scan exists, to the list of existing scans. Security scan pages in Compute Engine are similar to those for scans in App Engine.
Preparing to scan a web service hosted on a single Compute Engine VM
The following describes how to scan a hypothetical customer-managed Compute Engine VM named WebServiceVM. To configure Cloud Security Scanner to scan WebServiceVM for web vulnerabilities, the VM should meet the following requirements:
- The VM must have an external and static (reserved) IP address. To ensure accuracy of scan results, Cloud Security Scanner can't target web services that are mapped to an ephemeral IP address. To reserve a static IP address for your VM, complete the following steps:
- The VM must have a public DNS record that's mapped to the same address.
Cloud Security Scanner won't accept an IP address as a target. The service host must be a fully qualified HTTP or HTTPS domain name like https://WebServiceVM.example.com. To register your URL, you can use Cloud DNS and Google Domains or any third-party domain registrar.
Preparing to scan a web service behind an HTTP load balancer
For information on setting up an HTTP load balancer, see Load Balancing.
After the load balancer has been set up, the requirements are similar to a single VM scan:
- The load balancer must be mapped to an external and static (reserved) IP address.
- The load balancer should have a public DNS record mapped to this address.
Creating a security scan that targets Compute Engine
The first time you scan your service, you'll be prompted to create a new scan.
To display the new scan form, click Create scan. If a scan already exists for the VM, click New scan.
Use the table below as a guide to add values to the new scan form. The table provides information on some of the scan fields.
When you're finished adding values, click Create. You can now run the new scan.
| Field | Description |
|---|---|
| Excluded URLs | To reduce complexity, exclusions are defined using a simplified proto-language using one or more * wildcards, instead of requiring a valid regex. For details and sample valid patterns, see Excluding URLs in Scans. |
| Google accounts | You can create a test account in Gmail and use the account to scan your product. If you are a G Suite customer, you can create test accounts within your domain, for example, Note that Google enforces a real name policy on Google accounts. Your test account may be blocked if the name does not look real. |
| Non-Google accounts | Select this option if you have created your own authentication system and you aren't using Google Account services. Specify the login form's URL, the username, and the password. These credentials are used to sign in to your application and scan it. Note that support for login forms is still in development, and may not work out-of-the-box with your system. |
| Schedule | You can set the scan to run daily, weekly, fortnightly or every four weeks. It's best to create a scheduled scan to ensure that future versions of your VM are tested. Also, because we occasionally release new scanners that find additional bug types, running a scheduled scan gives you the benefits of the additional coverage without manual effort. |
Running a scan
To run a scan:
Sign in to the test account used to create the scan.
On the project drop-down list, select a project for which you've created a scan.
If you have created multiple scans for your VM, select the scan you want to run. If you created only one scan for this VM, the scan is displayed and is ready to run.
To start scanning your VM, click Run scan.
Editing and deleting scans
Sign in to the test account used to create the scan.
On the project drop-down list, select the project for which you've created a scan.
If you have created multiple scans for your VM, select the scan you want to edit from the list that is displayed. If you created only one scan for this VM, the scan is displayed and is ready for editing or deletion:
Click Edit to edit the scan or Delete to delete it from your project.
Troubleshooting scan errors
If the URL is misconfigured, Cloud Security Scanner will reject it. Possible reasons for rejection include:
- URL is mapped to a wrong IP address.
  - To fix this issue, refer to the instructions from your DNS registrar service.
- URL is mapped to the right IP address, but it's an ephemeral IP address of the same VM.
  - Mark this IP address as static. To do this, follow the steps in scanning a web service on a single VM.
- URL is mapped to an IP address reserved in a different project of the same
  - Define security scans that target the VM or HTTP load balancer in the project for which it is defined.
- URL is mapped to more than one IP address.
  - Make sure that all IP addresses that are mapped to this URL are reserved for the same project. If there is at least one IP that is not, the Scan Create or Edit/Update operation will fail.
Verifying correct DNS registration
To make sure the registration is correct, use any DNS resolution tool to list its IP addresses, then make sure it's marked as static.
- From a command prompt, run `nslookup WebServiceVM.example.com`. This returns output like the following:

```
Non-authoritative answer:
Name:    WebServiceVM.example.com
Address: my.ip.is.here
```

  Note the IP address.
- In the Cloud console, go to the External IP Addresses page.
- Under Type, select Static next to the IP address you noted from the command prompt output.
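The following script automates the check above and the rejection rules listed under Troubleshooting scan errors. It is an added example, not part of the Cloud Security Scanner documentation or product. It parses `nslookup` output, compares every resolved address against a JSON export in the shape of `gcloud compute addresses list --format=json`, and, given the VM's current external IPs (as reported by `gcloud compute instances describe`), tells an ephemeral address of the right VM apart from a wrong or foreign address. The hostname WebServiceVM.example.com, the addresses and the JSON records are constructed sample data; IPv6 records are not handled.

```python
"""Pre-flight check for a Cloud Security Scanner target on Compute Engine (added example)."""
from __future__ import annotations

import ipaddress
import json
import re
from urllib.parse import urlparse

# Matches the "Address: x.x.x.x" answer lines nslookup prints (IPv4 only here).
ADDRESS_RE = re.compile(r"^Address:\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$", re.MULTILINE)


def parse_nslookup(output: str) -> list[str]:
    """Return the IPv4 addresses in the answer section of nslookup output.

    The leading Server/Address block describes the resolver, not the queried
    name, so it is skipped: everything before "Non-authoritative answer:"
    (or, for an authoritative reply, before the first blank line) is ignored.
    """
    marker = "Non-authoritative answer:"
    if marker in output:
        answer = output.split(marker, 1)[1]
    else:
        answer = output.split("\n\n", 1)[1] if "\n\n" in output else output
    return ADDRESS_RE.findall(answer)


def reserved_static_addresses(addresses_json: str) -> set[str]:
    """External addresses reserved in the project, from `gcloud compute addresses list --format=json`."""
    return {a["address"] for a in json.loads(addresses_json)
            if a.get("addressType", "EXTERNAL") == "EXTERNAL"}


def check_target(url: str, nslookup_output: str, addresses_json: str,
                 vm_external_ips: set[str]) -> list[str]:
    """Return the reasons the scanner would reject `url`; an empty list means it passes.

    vm_external_ips holds the VM's current natIP values; an address that belongs
    to the VM but is not reserved is ephemeral rather than wrong.
    """
    problems: list[str] = []
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return [f"{url!r}: target must be a fully qualified http(s) URL"]
    try:
        ipaddress.ip_address(parsed.hostname)
        return [f"{url!r}: an IP address is not accepted as a target; use a DNS name"]
    except ValueError:
        pass  # hostname is a name, as the scanner requires

    resolved = parse_nslookup(nslookup_output)
    if not resolved:
        return [f"{parsed.hostname}: no A record found"]
    reserved = reserved_static_addresses(addresses_json)
    for ip in resolved:
        if ip in reserved:
            continue
        if ip in vm_external_ips:
            problems.append(f"{ip}: ephemeral address of the VM; reserve it as static")
        else:
            problems.append(f"{ip}: not reserved in this project "
                            "(wrong record, or reserved in another project)")
    if len(resolved) > 1 and problems:
        problems.append(f"{parsed.hostname} maps to {len(resolved)} addresses; "
                        "all must be reserved in this project")
    return problems


# Constructed nslookup output for the hypothetical WebServiceVM.example.com.
SAMPLE_NSLOOKUP = """Server:\t\t169.254.169.254
Address:\t169.254.169.254#53

Non-authoritative answer:
Name:\tWebServiceVM.example.com
Address: 203.0.113.10
"""

# Constructed record in the shape of `gcloud compute addresses list --format=json`.
SAMPLE_ADDRESSES = json.dumps([
    {"name": "webservicevm-ip", "address": "203.0.113.10",
     "addressType": "EXTERNAL", "status": "IN_USE"},
])

if __name__ == "__main__":
    result = check_target("https://WebServiceVM.example.com", SAMPLE_NSLOOKUP,
                          SAMPLE_ADDRESSES, {"203.0.113.10"})
    for line in result or ["OK: target resolves only to static addresses reserved here"]:
        print(line)
```

Run it with real inputs by substituting the captured `nslookup` output, the JSON from `gcloud compute addresses list --format=json`, and the natIP values from `gcloud compute instances describe`. The script cannot distinguish a wrong DNS record from an address reserved in another project, because neither appears in this project's address list; both are reported together.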
Known issues, limitations, and restrictions
In the current release, Cloud Security Scanner for Compute Engine has the following known issues, limitations, and restrictions:
- The traffic and compute cycles generated in your deployment by the Cloud Security Scanner will count towards standard billing and quotas.
- You may use Cloud Security Scanner only to scan GCP organizations that you own.
- Cloud Security Scanner SLAs do not apply in Alpha.
- Still to be released: client libraries.
- Still to be released: support for applications protected by Cloud Identity-Aware Proxy (Cloud IAP).
Cloud Security Scanner for Compute Engine is in Alpha and is not intended for production workloads. If you have questions, issues, or feedback, use Google Issue Tracker with the Cloud Security Scanner component.
For the Cloud Security Scanner for Compute Engine Alpha, the pricing model is the same as for scanning App Engine.