Cloud Security Scanner for Compute Engine

Scanning web services hosted on Compute Engine

You can now use Cloud Security Scanner for web services or applications running on Compute Engine virtual machines (VMs), or running behind HTTP(S) load balancers.

Getting started

To create scans that target Compute Engine on a particular Google Cloud Platform (GCP) project, select Security scans from the Compute Engine menu.


After clicking on the Compute Engine -> Security scans menu, you are redirected either to a first run experience page to create a new scan or, if at least one Compute Engine Scan exists, to the list of existing scans. Security scan pages in Compute Engine are similar to those for scans in App Engine.

Preparing to scan a web service hosted on a single Compute Engine VM

The following describes how to scan a hypothetical customer-managed Compute Engine VM named WebServiceVM. To configure Cloud Security Scanner to scan WebServiceVM for web vulnerabilities, the VM must meet the following requirements:

  1. The VM must have an external and static (reserved) IP address. To ensure accuracy of scan results, Cloud Security Scanner can't target web services that are mapped to an ephemeral IP address. To reserve a static IP address for your VM, complete the following steps:
    1. Go to the Cloud Console External IP Addresses page.
    2. Under Type, next to the VM for which you want to reserve a static IP address, select Static.
  2. The VM must have a public DNS record that's mapped to the same address. Cloud Security Scanner won't accept an IP address as a target. The service host must be a fully qualified HTTP or HTTPS domain name like https://WebServiceVM.example.com. To register your URL, you can use Cloud DNS and Google Domains or any third-party domain registrar.

Preparing to scan a web service behind an HTTP load balancer

For information on setting up an HTTP load balancer, see Load Balancing.

After the load balancer has been set up, the requirements are similar to a single VM scan:

  1. The load balancer must be mapped to an external and static (reserved) IP address.
  2. The load balancer should have a public DNS record mapped to this address.

Creating a security scan that targets Compute Engine

  1. Go to the Google Cloud Platform Console Compute Engine Security Scan page.

  2. The first time you scan your service, you'll be prompted to create a new scan.

  3. To display the new scan form, click Create scan. If a scan already exists for the VM, click New scan.

  4. Use the table below as a guide to add values to the new scan form. The table provides information on some of the scan fields.

  5. When you're finished adding values, click Create. You can now run the new scan.

Field descriptions for the new scan form:

  • Starting URLs: A simple site usually requires only one starting URL, such as the home, main, or landing page, from which Cloud Security Scanner can find all other site pages. However, Cloud Security Scanner may fail to find all the pages if a site has a large number of pages, islands of unconnected pages, or navigation that requires complex JavaScript, such as a mouseover-driven multilevel menu. In such cases, specify additional starting URLs to increase scan coverage.
  • Excluded URLs: To reduce complexity, exclusions are defined using a simplified pattern language with one or more * wildcards, instead of requiring a valid regex. For details and sample valid patterns, see Excluding URLs in Scans.
  • Google accounts: You can create a test account in Gmail and use the account to scan your product. If you are a G Suite customer, you can create test accounts within your domain, for example, test-account@yourdomain.com. In Cloud Security Scanner, these accounts work like Gmail accounts. Two-factor authentication is not supported.
    Note that Google enforces a real name policy on Google accounts. Your test account may be blocked if the name does not look real.
  • Non-Google accounts: Select this option if you have created your own authentication system and you aren't using Google Account services. Specify the login form's URL, the username, and the password. These credentials are used to sign in to your application and scan it.
    Note that support for login forms is still in development, and may not work out of the box with your system.
  • Schedule: You can set the scan to run daily, weekly, fortnightly, or every four weeks. It's best to create a scheduled scan to ensure that future versions of your VM are tested. Also, because we occasionally release new scanners that find additional bug types, running a scheduled scan gives you the benefit of the additional coverage without manual effort.

Running a scan

To run a scan:

  1. Sign in to the test account used to create the scan.

  2. Go to the Google Cloud Platform Console Security Scan page.

  3. On the project drop-down list, select a project for which you've created a scan.

  4. If you have created multiple scans for your VM, select the scan you want to run. If you created only one scan for this VM, the scan is displayed and is ready to run.

  5. To start scanning your VM, click Run scan.

The scan is placed in a queue, and there might be a delay before it runs. It can take several minutes or many hours to run, depending on the system load and features like site complexity, number of actionable elements per page, numbers of links, and the amount of JavaScript (including navigation).

Editing and deleting scans

  1. Sign in to the test account used to create the scan.

  2. Go to the Google Cloud Platform Console Security Scan page.

  3. On the project drop-down list, select the project for which you've created a scan.

  4. If you have created multiple scans for your VM, select the scan you want to edit from the list that is displayed. If you created only one scan for this VM, the scan is displayed and is ready for editing or deletion:

  5. Click Edit to edit the scan or Delete to delete it from your project.

The status and results of the scan are displayed on the Security Scan page. You can also find helpful information in the project logs page.

Troubleshooting scan errors

If the URL is misconfigured, Cloud Security Scanner will reject it. Possible reasons for rejection include:

  • URL is mapped to a wrong IP address.
    • To fix this issue, refer to the instructions from your DNS registrar service.
  • URL is mapped to the right IP address, but it's an ephemeral IP address of the same VM.
    • Reserve a static IP address for the VM, as described in the single-VM requirements above, and make sure the DNS record points to it.
  • URL is mapped to an IP address reserved in a different project of the same organization.
    • Define the security scan in the project in which the VM or HTTP load balancer is defined.
  • URL is mapped to more than one IP address.
    • Make sure that all IP addresses mapped to this URL are reserved in the same project. If at least one IP is not, the scan Create or Edit/Update operation will fail.

Verifying correct DNS registration

To make sure the registration is correct, use any DNS resolution tool to list the IP addresses the URL resolves to, then make sure each of them is marked as static in your project.

  1. From a command prompt, run `nslookup WebServiceVM.example.com`. This returns output like the following:
      Server:  
      Address: 
    
      Non-authoritative answer:
      Name: WebServiceVM.example.com
      Address: my.ip.is.here
    

    Note the IP address.

  2. In the Cloud console, go to the External IP Addresses page.
  3. Under Type, select Static next to the IP address you noted from the command prompt output.
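The following is an added example, not part of the original documentation or the Cloud Security Scanner product: a small Python check that applies the rejection rules from the troubleshooting list above to a hostname's resolved addresses. The reserved-address table, project names, and hostname are constructed placeholders; in practice the table comes from the External IP Addresses page.

```python
import ipaddress
import socket

# Constructed sample of what the project's External IP Addresses page lists:
# address -> (type, owning project). All values here are hypothetical.
RESERVED_ADDRESSES = {
    "203.0.113.10": ("static", "my-project"),
    "203.0.113.11": ("static", "my-project"),
    "203.0.113.20": ("ephemeral", "my-project"),
    "203.0.113.30": ("static", "other-project"),
}


def check_scan_target(hostname, resolved_ips, addresses, project):
    """Return a list of problems; an empty list means the target should be accepted.

    Mirrors the documented rejection reasons: IP literal instead of a DNS name,
    unknown (wrong) IP, ephemeral IP, IP reserved in another project, and a
    hostname mapped to several IPs that are not all static in this project.
    """
    try:
        ipaddress.ip_address(hostname)
        return [f"{hostname} is an IP literal; the target must be a DNS name"]
    except ValueError:
        pass  # expected: a hostname is not a valid IP address
    if not resolved_ips:
        return [f"{hostname} does not resolve to any address"]
    problems = []
    for ip in resolved_ips:
        entry = addresses.get(ip)
        if entry is None:
            problems.append(f"{ip}: not reserved in any known project (wrong IP?)")
            continue
        kind, owner = entry
        if owner != project:
            problems.append(f"{ip}: reserved in project {owner!r}, not {project!r}")
        elif kind != "static":
            problems.append(f"{ip}: address is {kind}, must be reserved (static)")
    if len(resolved_ips) > 1 and problems:
        problems.append(f"{hostname} maps to {len(resolved_ips)} addresses; all must be static in {project!r}")
    return problems


def resolve(hostname):
    """Live lookup; equivalent to reading the Address lines of nslookup output."""
    return sorted(set(socket.gethostbyname_ex(hostname)[2]))


if __name__ == "__main__":
    host = "WebServiceVM.example.com"  # hypothetical target
    for line in check_scan_target(host, resolve(host), RESERVED_ADDRESSES, "my-project") or ["OK"]:
        print(line)
```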

Known issues, limitations, and restrictions

In the current release, Cloud Security Scanner for Compute Engine has the following known issues, limitations, and restrictions:

  • The traffic and compute cycles generated in your deployment by the Cloud Security Scanner will count towards standard billing and quotas.
  • You may use Cloud Security Scanner only to scan GCP organizations that you own.
  • Cloud Security Scanner SLAs do not apply in Alpha.
  • Still to be released: client libraries.
  • Still to be released: support for applications protected by Cloud Identity-Aware Proxy (Cloud IAP).

Contacting us

Cloud Security Scanner for Compute Engine is in Alpha and is not intended for production workloads. If you have questions, issues, or feedback, use Google Issue Tracker with the Cloud Security Scanner component.

Pricing

For the Cloud Security Scanner for Compute Engine Alpha, the pricing model is the same as for scanning App Engine.
