Built-in scenario

gcp/sample_gcp_serverless_plan.json

GCP Serverless Demo

Analyzed sample_gcp_serverless_plan.json with 11 normalized resources and 4 trust boundaries.

Analyze another plan

Active findings

5

Trust boundaries

4

Resources

11

Observations

0
High 2
Medium 3
Low 0

Analysis coverage

Audit trail for this run

Terraform resources 11
Unsupported 0
Enabled rules 78
Unresolved refs 0

Resource coverage

Provider resources considered
11
Normalized resources
11

No unsupported GCP resource types were encountered.

Rule coverage

Registered rules
78
Disabled rules
0
  • gcp-subnetwork-flow-logs-not-configured1
  • gcp-cloud-run-public-invoker1
  • gcp-cloud-functions-public-invoker1
  • gcp-public-workload-sensitive-data-access2

Findings

Severity bands

High

2

Internet-exposed GCP workload can access sensitive data services

gcp-public-workload-sensitive-data-access

google_cloud_run_v2_service.api is internet-exposed and runs with GCP workload identity serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com. That identity can access google_secret_manager_secret.api_key. A compromise of the public workload can therefore become direct access to sensitive GCP data services.

Category
Information Disclosure
Boundary
workload-to-data-store:google_cloud_run_v2_service.api->google_secret_manager_secret.api_key
Resources
google_cloud_run_v2_service.api, google_secret_manager_secret.api_key, google_secret_manager_secret_iam_member.run_accessor
Evidence
  • public exposure reasons: google_cloud_run_v2_service_iam_member.public_invoker grants roles/run.invoker to allUsers
  • workload identity: serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com
  • cloud run secret access paths: secret_resource=google_secret_manager_secret.api_key; secret_reference=projects/tfstride-demo/secrets/tfstride-api-key; secret_version=5; service_account=tfstride-run@tfstride-demo.iam.gserviceaccount.com; iam_resource=google_secret_manager_secret_iam_member.run_accessor; role=roles/secretmanager.secretAccessor; grant_scope=secret:projects/tfstride-demo/secrets/tfstride-api-key; access_state=granted; condition_state=not_configured
  • resource policy sources: google_secret_manager_secret_iam_member.run_accessor

Internet-exposed GCP workload can access sensitive data services

gcp-public-workload-sensitive-data-access

google_cloudfunctions_function.worker is internet-exposed and runs with GCP workload identity serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com. That identity can access google_secret_manager_secret.api_key. A compromise of the public workload can therefore become direct access to sensitive GCP data services.

Category
Information Disclosure
Boundary
workload-to-data-store:google_cloudfunctions_function.worker->google_secret_manager_secret.api_key
Resources
google_cloudfunctions_function.worker, google_secret_manager_secret.api_key, google_secret_manager_secret_iam_member.run_accessor, google_secret_manager_secret_iam_member.function_accessor
Evidence
  • public exposure reasons: google_cloudfunctions_function_iam_member.public_invoker grants roles/cloudfunctions.invoker to allAuthenticatedUsers
  • workload identity: serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com
  • data access path: google_cloudfunctions_function.worker reaches google_secret_manager_secret.api_key
  • boundary rationale: GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_secret_manager_secret_iam_member.function_accessor grants roles/secretmanager.secretAccessor to serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com.
  • resource policy sources: google_secret_manager_secret_iam_member.run_accessor; google_secret_manager_secret_iam_member.function_accessor

Medium

3

Cloud Functions function is publicly invokable

gcp-cloud-functions-public-invoker

google_cloudfunctions_function.worker allows public HTTP access and grants Cloud Functions invoke permission to public GCP principals. Unauthenticated internet clients can reach the function entry point without an organization-owned identity boundary.

Category
Spoofing
Boundary
internet-to-service:internet->google_cloudfunctions_function.worker
Resources
google_cloudfunctions_function.worker, google_cloudfunctions_function_iam_member.public_invoker
Evidence
  • public invoker bindings: source=google_cloudfunctions_function_iam_member.public_invoker; role=roles/cloudfunctions.invoker; member=allAuthenticatedUsers
  • public access reasons: google_cloudfunctions_function_iam_member.public_invoker grants roles/cloudfunctions.invoker to allAuthenticatedUsers
  • public exposure reasons: google_cloudfunctions_function_iam_member.public_invoker grants roles/cloudfunctions.invoker to allAuthenticatedUsers

Cloud Run service is publicly invokable

gcp-cloud-run-public-invoker

google_cloud_run_v2_service.api allows public ingress and grants Cloud Run invoke permission to public GCP principals. Unauthenticated internet clients can reach the service entry point without an organization-owned identity boundary.

Category
Spoofing
Boundary
internet-to-service:internet->google_cloud_run_v2_service.api
Resources
google_cloud_run_v2_service.api, google_cloud_run_v2_service_iam_member.public_invoker
Evidence
  • public invoker bindings: source=google_cloud_run_v2_service_iam_member.public_invoker; role=roles/run.invoker; member=allUsers
  • public access reasons: google_cloud_run_v2_service_iam_member.public_invoker grants roles/run.invoker to allUsers
  • public exposure reasons: google_cloud_run_v2_service_iam_member.public_invoker grants roles/run.invoker to allUsers

GCP subnetwork Flow Logs are not configured

gcp-subnetwork-flow-logs-not-configured

google_compute_subnetwork.app does not configure VPC Flow Logs in this Terraform plan. Without subnetwork flow telemetry, network investigation, lateral-movement review, and egress analysis can lack packet-flow evidence for workloads attached to this subnet.

Category
Repudiation
Boundary
not-applicable
Resources
google_compute_subnetwork.app
Evidence
  • subnetwork flow log posture: address=google_compute_subnetwork.app; type=google_compute_subnetwork; name=app; identifier=tfstride-app; flow_log_state=not_configured; network=google_compute_network.main.id; project=tfstride-demo

Low

0

No low findings.

Observations

Controls and mitigating signals

No observations were recorded for this plan.

Trust boundaries

Crossings that drive the model

internet-to-service

internet -> google_cloud_run_v2_service.api

The resource is directly reachable or intentionally exposed to unauthenticated network clients.

internet-to-service

internet -> google_cloudfunctions_function.worker

The resource is directly reachable or intentionally exposed to unauthenticated network clients.

workload-to-data-store

google_cloud_run_v2_service.api -> google_secret_manager_secret.api_key

GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_secret_manager_secret_iam_member.run_accessor grants roles/secretmanager.secretAccessor to serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com.

workload-to-data-store

google_cloudfunctions_function.worker -> google_secret_manager_secret.api_key

GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_secret_manager_secret_iam_member.function_accessor grants roles/secretmanager.secretAccessor to serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com.

Raw outputs

Stable contract and markdown

JSON report
{
  "kind": "tfstride-report",
  "version": "1.1",
  "tool": {
    "name": "tfstride",
    "version": "0.4.23"
  },
  "title": "GCP Serverless Demo",
  "analyzed_file": "sample_gcp_serverless_plan.json",
  "analyzed_path": "sample_gcp_serverless_plan.json",
  "summary": {
    "normalized_resources": 11,
    "unsupported_resources": 0,
    "trust_boundaries": 4,
    "active_findings": 5,
    "total_findings": 5,
    "suppressed_findings": 0,
    "baselined_findings": 0,
    "severity_counts": {
      "high": 2,
      "medium": 3,
      "low": 0
    }
  },
  "filtering": {
    "total_findings": 5,
    "active_findings": 5,
    "suppressed_findings": 0,
    "baselined_findings": 0,
    "suppressions_path": null,
    "baseline_path": null
  },
  "analysis_coverage": {
    "resources": {
      "total_resources": 11,
      "provider_resources": 11,
      "normalized_resources": 11,
      "unsupported_resources": 0,
      "unsupported_resource_types": {}
    },
    "rules": {
      "registered_rule_count": 78,
      "enabled_rules": [
        "gcp-sensitive-resource-iam-external-access",
        "gcp-pubsub-public-access",
        "gcp-pubsub-topic-customer-managed-encryption-missing",
        "gcp-pubsub-message-retention-insufficient",
        "gcp-pubsub-subscription-dead-letter-policy-missing",
        "gcp-bigquery-public-access",
        "gcp-cloud-sql-public-authorized-network",
        "gcp-cloud-sql-backup-disabled",
        "gcp-cloud-sql-public-ip-without-private-network",
        "gcp-cloud-sql-ssl-not-required",
        "gcp-cloud-sql-point-in-time-recovery-disabled",
        "gcp-cloud-sql-deletion-protection-disabled",
        "gcp-cloud-sql-zonal-availability",
        "gcp-cloud-sql-query-insights-disabled",
        "gcp-cloud-sql-connector-enforcement-not-required",
        "gcp-cloud-sql-private-connectivity-not-modeled",
        "gcp-private-workload-private-google-access-disabled",
        "gcp-gcs-public-access",
        "gcp-gcs-uniform-bucket-level-access-disabled",
        "gcp-gcs-public-access-prevention-not-enforced",
        "gcp-gcs-versioning-disabled",
        "gcp-gcs-customer-managed-encryption-missing",
        "gcp-gcs-retention-policy-insufficient",
        "gcp-artifact-registry-docker-tags-mutable",
        "gcp-artifact-registry-customer-managed-encryption-missing",
        "gcp-artifact-registry-vulnerability-scanning-disabled",
        "gcp-secret-manager-customer-managed-encryption-missing",
        "gcp-secret-manager-lifecycle-posture-incomplete",
        "gcp-kms-key-rotation-not-configured-or-too-long",
        "gcp-kms-key-destroy-scheduled-duration-too-short",
        "gcp-public-compute-broad-ingress",
        "gcp-public-load-balanced-workload",
        "gcp-load-balancer-http-public-proxy",
        "gcp-load-balancer-ssl-policy-missing-or-weak",
        "gcp-public-load-balancer-cloud-armor-missing",
        "gcp-compute-os-login-disabled",
        "gcp-gke-public-control-plane",
        "gcp-gke-broad-authorized-networks",
        "gcp-gke-workload-identity-disabled",
        "gcp-gke-legacy-metadata-endpoints-enabled",
        "gcp-gke-broad-node-service-account",
        "gcp-gke-control-plane-logging-incomplete",
        "gcp-scc-asset-discovery-disabled",
        "gcp-logging-exclusion-drops-audit-security-logs",
        "gcp-logging-sink-audit-export-incomplete",
        "gcp-central-audit-sink-not-modeled",
        "gcp-subnetwork-flow-logs-not-configured",
        "gcp-subnetwork-flow-log-capture-incomplete",
        "gcp-gke-network-policy-disabled",
        "gcp-gke-secrets-encryption-not-configured",
        "gcp-gke-legacy-abac-enabled-or-unknown",
        "gcp-gke-client-certificate-auth-enabled-or-unknown",
        "gcp-gke-shielded-nodes-disabled-or-unknown",
        "gcp-gke-binary-authorization-not-enabled",
        "gcp-cloud-run-public-invoker",
        "gcp-cloud-functions-public-invoker",
        "gcp-cloud-run-image-not-digest-pinned",
        "gcp-cloud-run-artifact-registry-mutable-tag",
        "gcp-cloud-run-can-modify-image-repository",
        "gcp-cloud-run-sensitive-environment-value-inline",
        "gcp-cloud-run-secret-access-blast-radius",
        "gcp-public-cloud-run-gcs-mutation-access",
        "gcp-public-cloud-run-pubsub-mutation-access",
        "gcp-service-account-iam-broad-principal",
        "gcp-service-account-iam-privileged-role",
        "gcp-service-account-key-hygiene",
        "gcp-service-account-key-effective-access",
        "gcp-workload-identity-pool-wide-impersonation",
        "gcp-workload-identity-provider-unconditioned-broad-trust",
        "gcp-workload-identity-privileged-service-account-access",
        "gcp-org-folder-iam-broad-principal",
        "gcp-org-folder-iam-privileged-role",
        "gcp-project-iam-broad-principal",
        "gcp-project-iam-privileged-role",
        "gcp-iam-privileged-assignment",
        "gcp-inherited-iam-sensitive-resource-access",
        "gcp-inherited-iam-blast-radius",
        "gcp-public-workload-sensitive-data-access"
      ],
      "disabled_rules": [],
      "severity_overrides": {},
      "finding_counts_by_rule": {
        "gcp-sensitive-resource-iam-external-access": 0,
        "gcp-pubsub-public-access": 0,
        "gcp-pubsub-topic-customer-managed-encryption-missing": 0,
        "gcp-pubsub-message-retention-insufficient": 0,
        "gcp-pubsub-subscription-dead-letter-policy-missing": 0,
        "gcp-bigquery-public-access": 0,
        "gcp-cloud-sql-public-authorized-network": 0,
        "gcp-cloud-sql-backup-disabled": 0,
        "gcp-cloud-sql-public-ip-without-private-network": 0,
        "gcp-cloud-sql-ssl-not-required": 0,
        "gcp-cloud-sql-point-in-time-recovery-disabled": 0,
        "gcp-cloud-sql-deletion-protection-disabled": 0,
        "gcp-cloud-sql-zonal-availability": 0,
        "gcp-cloud-sql-query-insights-disabled": 0,
        "gcp-cloud-sql-connector-enforcement-not-required": 0,
        "gcp-cloud-sql-private-connectivity-not-modeled": 0,
        "gcp-private-workload-private-google-access-disabled": 0,
        "gcp-gcs-public-access": 0,
        "gcp-gcs-uniform-bucket-level-access-disabled": 0,
        "gcp-gcs-public-access-prevention-not-enforced": 0,
        "gcp-gcs-versioning-disabled": 0,
        "gcp-gcs-customer-managed-encryption-missing": 0,
        "gcp-gcs-retention-policy-insufficient": 0,
        "gcp-artifact-registry-docker-tags-mutable": 0,
        "gcp-artifact-registry-customer-managed-encryption-missing": 0,
        "gcp-artifact-registry-vulnerability-scanning-disabled": 0,
        "gcp-secret-manager-customer-managed-encryption-missing": 0,
        "gcp-secret-manager-lifecycle-posture-incomplete": 0,
        "gcp-kms-key-rotation-not-configured-or-too-long": 0,
        "gcp-kms-key-destroy-scheduled-duration-too-short": 0,
        "gcp-public-compute-broad-ingress": 0,
        "gcp-public-load-balanced-workload": 0,
        "gcp-load-balancer-http-public-proxy": 0,
        "gcp-load-balancer-ssl-policy-missing-or-weak": 0,
        "gcp-public-load-balancer-cloud-armor-missing": 0,
        "gcp-compute-os-login-disabled": 0,
        "gcp-gke-public-control-plane": 0,
        "gcp-gke-broad-authorized-networks": 0,
        "gcp-gke-workload-identity-disabled": 0,
        "gcp-gke-legacy-metadata-endpoints-enabled": 0,
        "gcp-gke-broad-node-service-account": 0,
        "gcp-gke-control-plane-logging-incomplete": 0,
        "gcp-scc-asset-discovery-disabled": 0,
        "gcp-logging-exclusion-drops-audit-security-logs": 0,
        "gcp-logging-sink-audit-export-incomplete": 0,
        "gcp-central-audit-sink-not-modeled": 0,
        "gcp-subnetwork-flow-logs-not-configured": 1,
        "gcp-subnetwork-flow-log-capture-incomplete": 0,
        "gcp-gke-network-policy-disabled": 0,
        "gcp-gke-secrets-encryption-not-configured": 0,
        "gcp-gke-legacy-abac-enabled-or-unknown": 0,
        "gcp-gke-client-certificate-auth-enabled-or-unknown": 0,
        "gcp-gke-shielded-nodes-disabled-or-unknown": 0,
        "gcp-gke-binary-authorization-not-enabled": 0,
        "gcp-cloud-run-public-invoker": 1,
        "gcp-cloud-functions-public-invoker": 1,
        "gcp-cloud-run-image-not-digest-pinned": 0,
        "gcp-cloud-run-artifact-registry-mutable-tag": 0,
        "gcp-cloud-run-can-modify-image-repository": 0,
        "gcp-cloud-run-sensitive-environment-value-inline": 0,
        "gcp-cloud-run-secret-access-blast-radius": 0,
        "gcp-public-cloud-run-gcs-mutation-access": 0,
        "gcp-public-cloud-run-pubsub-mutation-access": 0,
        "gcp-service-account-iam-broad-principal": 0,
        "gcp-service-account-iam-privileged-role": 0,
        "gcp-service-account-key-hygiene": 0,
        "gcp-service-account-key-effective-access": 0,
        "gcp-workload-identity-pool-wide-impersonation": 0,
        "gcp-workload-identity-provider-unconditioned-broad-trust": 0,
        "gcp-workload-identity-privileged-service-account-access": 0,
        "gcp-org-folder-iam-broad-principal": 0,
        "gcp-org-folder-iam-privileged-role": 0,
        "gcp-project-iam-broad-principal": 0,
        "gcp-project-iam-privileged-role": 0,
        "gcp-iam-privileged-assignment": 0,
        "gcp-inherited-iam-sensitive-resource-access": 0,
        "gcp-inherited-iam-blast-radius": 0,
        "gcp-public-workload-sensitive-data-access": 2
      }
    },
    "references": {
      "unresolved_reference_count": 0,
      "unresolved_references": []
    }
  },
  "inventory": {
    "provider": "gcp",
    "unsupported_resources": [],
    "metadata": {
      "supported_resource_types": [
        "google_artifact_registry_repository",
        "google_artifact_registry_repository_iam_binding",
        "google_artifact_registry_repository_iam_member",
        "google_artifact_registry_repository_iam_policy",
        "google_bigquery_dataset",
        "google_bigquery_dataset_iam_binding",
        "google_bigquery_dataset_iam_member",
        "google_bigquery_dataset_iam_policy",
        "google_bigquery_table",
        "google_bigquery_table_iam_binding",
        "google_bigquery_table_iam_member",
        "google_bigquery_table_iam_policy",
        "google_cloud_run_service",
        "google_cloud_run_service_iam_binding",
        "google_cloud_run_service_iam_member",
        "google_cloud_run_service_iam_policy",
        "google_cloud_run_v2_service",
        "google_cloud_run_v2_service_iam_binding",
        "google_cloud_run_v2_service_iam_member",
        "google_cloud_run_v2_service_iam_policy",
        "google_cloudfunctions2_function",
        "google_cloudfunctions2_function_iam_binding",
        "google_cloudfunctions2_function_iam_member",
        "google_cloudfunctions2_function_iam_policy",
        "google_cloudfunctions_function",
        "google_cloudfunctions_function_iam_binding",
        "google_cloudfunctions_function_iam_member",
        "google_cloudfunctions_function_iam_policy",
        "google_compute_backend_bucket",
        "google_compute_backend_service",
        "google_compute_firewall",
        "google_compute_firewall_policy",
        "google_compute_firewall_policy_association",
        "google_compute_firewall_policy_rule",
        "google_compute_forwarding_rule",
        "google_compute_global_address",
        "google_compute_global_forwarding_rule",
        "google_compute_instance",
        "google_compute_managed_ssl_certificate",
        "google_compute_network",
        "google_compute_network_endpoint_group",
        "google_compute_region_backend_service",
        "google_compute_region_network_endpoint_group",
        "google_compute_region_security_policy",
        "google_compute_region_target_http_proxy",
        "google_compute_region_target_https_proxy",
        "google_compute_region_url_map",
        "google_compute_route",
        "google_compute_router",
        "google_compute_router_nat",
        "google_compute_security_policy",
        "google_compute_service_attachment",
        "google_compute_ssl_policy",
        "google_compute_subnetwork",
        "google_compute_target_http_proxy",
        "google_compute_target_https_proxy",
        "google_compute_url_map",
        "google_container_cluster",
        "google_container_node_pool",
        "google_folder_iam_binding",
        "google_folder_iam_member",
        "google_folder_iam_policy",
        "google_folder_organization_policy",
        "google_iam_workload_identity_pool",
        "google_iam_workload_identity_pool_provider",
        "google_kms_crypto_key",
        "google_kms_crypto_key_iam_binding",
        "google_kms_crypto_key_iam_member",
        "google_kms_crypto_key_iam_policy",
        "google_kms_key_ring_iam_binding",
        "google_kms_key_ring_iam_member",
        "google_kms_key_ring_iam_policy",
        "google_logging_organization_exclusion",
        "google_logging_organization_sink",
        "google_logging_project_exclusion",
        "google_logging_project_sink",
        "google_network_connectivity_service_connection_policy",
        "google_org_policy_policy",
        "google_organization_iam_binding",
        "google_organization_iam_custom_role",
        "google_organization_iam_member",
        "google_organization_iam_policy",
        "google_organization_policy",
        "google_project_iam_binding",
        "google_project_iam_custom_role",
        "google_project_iam_member",
        "google_project_iam_policy",
        "google_project_organization_policy",
        "google_pubsub_subscription",
        "google_pubsub_subscription_iam_binding",
        "google_pubsub_subscription_iam_member",
        "google_pubsub_subscription_iam_policy",
        "google_pubsub_topic",
        "google_pubsub_topic_iam_binding",
        "google_pubsub_topic_iam_member",
        "google_pubsub_topic_iam_policy",
        "google_scc_organization_settings",
        "google_secret_manager_secret",
        "google_secret_manager_secret_iam_binding",
        "google_secret_manager_secret_iam_member",
        "google_secret_manager_secret_iam_policy",
        "google_service_account",
        "google_service_account_iam_binding",
        "google_service_account_iam_member",
        "google_service_account_iam_policy",
        "google_service_account_key",
        "google_service_networking_connection",
        "google_sql_database_instance",
        "google_storage_bucket",
        "google_storage_bucket_iam_binding",
        "google_storage_bucket_iam_member",
        "google_storage_bucket_iam_policy"
      ],
      "total_input_resources": 11,
      "provider_resource_count": 11,
      "normalized_resource_count": 11,
      "unsupported_resource_types": {}
    },
    "resources": [
      {
        "address": "google_bigquery_dataset.analytics",
        "provider": "gcp",
        "resource_type": "google_bigquery_dataset",
        "name": "analytics",
        "category": "data",
        "identifier": "projects/tfstride-demo/datasets/tfstride_analytics",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "sensitive",
        "metadata": {
          "name": "projects/tfstride-demo/datasets/tfstride_analytics",
          "project": "tfstride-demo",
          "bigquery_dataset_id": "tfstride_analytics",
          "bigquery_dataset_reference": "projects/tfstride-demo/datasets/tfstride_analytics",
          "labels": {
            "app": "tfstride"
          },
          "delete_contents_on_destroy": false,
          "default_table_expiration_ms": null,
          "description": null,
          "friendly_name": null,
          "location": "US",
          "max_time_travel_hours": null,
          "storage_billing_model": null,
          "customer_managed_encryption": false,
          "storage_encrypted": true
        }
      },
      {
        "address": "google_bigquery_table.events",
        "provider": "gcp",
        "resource_type": "google_bigquery_table",
        "name": "events",
        "category": "data",
        "identifier": "projects/tfstride-demo/datasets/google_bigquery_dataset.analytics.dataset_id/tables/events",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "sensitive",
        "metadata": {
          "name": "projects/tfstride-demo/datasets/google_bigquery_dataset.analytics.dataset_id/tables/events",
          "project": "tfstride-demo",
          "bigquery_dataset_id": "google_bigquery_dataset.analytics.dataset_id",
          "bigquery_dataset_reference": "google_bigquery_dataset.analytics.dataset_id",
          "bigquery_table_id": "events",
          "bigquery_table_reference": "projects/tfstride-demo/datasets/google_bigquery_dataset.analytics.dataset_id/tables/events",
          "labels": {},
          "clustering": [],
          "deletion_protection": true,
          "description": null,
          "friendly_name": null,
          "schema": null,
          "time_partitioning": [],
          "view": [],
          "customer_managed_encryption": false,
          "storage_encrypted": true
        }
      },
      {
        "address": "google_cloud_run_v2_service.api",
        "provider": "gcp",
        "resource_type": "google_cloud_run_v2_service",
        "name": "api",
        "category": "compute",
        "identifier": "tfstride-api",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": true,
        "public_exposure": true,
        "data_sensitivity": "standard",
        "metadata": {
          "name": "tfstride-api",
          "project": "tfstride-demo",
          "service_account_email": "tfstride-run@tfstride-demo.iam.gserviceaccount.com",
          "service_account_member": "serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com",
          "service_accounts": [
            {
              "email": "tfstride-run@tfstride-demo.iam.gserviceaccount.com"
            }
          ],
          "labels": {},
          "vpc_enabled": false,
          "provider_managed_egress": true,
          "cloud_run_service_reference": "tfstride-api",
          "region": "us-central1",
          "serverless_ingress": "INGRESS_TRAFFIC_ALL",
          "uri": "https://tfstride-api.run.app",
          "container_image_references": [],
          "container_image_posture_uncertainties": [],
          "cloud_run_secret_references": [
            {
              "source": "google_cloud_run_v2_service",
              "path": "template[0].containers[0].env[0]",
              "value_path": "template[0].containers[0].env[0].value_source",
              "container_name": "api",
              "setting_name": "DB_PASSWORD",
              "state": "reference",
              "is_resolved": true,
              "normalized_setting_name": "db_password",
              "sensitive_category": "password",
              "reference": "projects/tfstride-demo/secrets/tfstride-api-key",
              "reference_kind": "secret_manager",
              "secret_reference": "projects/tfstride-demo/secrets/tfstride-api-key",
              "secret_name": "projects/tfstride-demo/secrets/tfstride-api-key",
              "secret_version": "5",
              "version": "5",
              "secret_version_state": "configured",
              "version_path": "template[0].containers[0].env[0].value_source[0].secret_key_ref.version",
              "secret_reference_path": "template[0].containers[0].env[0].value_source[0].secret_key_ref.secret",
              "target_resolution": "resolved"
            }
          ],
          "cloud_run_secret_posture_uncertainties": [],
          "public_access_reasons": [
            "google_cloud_run_v2_service_iam_member.public_invoker grants roles/run.invoker to allUsers"
          ],
          "direct_internet_reachable": true,
          "public_exposure_reasons": [
            "google_cloud_run_v2_service_iam_member.public_invoker grants roles/run.invoker to allUsers"
          ],
          "iam_bindings": [
            {
              "role": "roles/run.invoker",
              "members": [
                "allUsers"
              ],
              "source": "google_cloud_run_v2_service_iam_member.public_invoker"
            }
          ],
          "gcp_resource_policy_source_addresses": [
            "google_cloud_run_v2_service_iam_member.public_invoker"
          ],
          "cloud_run_gcs_access_paths": [],
          "cloud_run_pubsub_access_paths": [],
          "cloud_run_secret_access_paths": [
            {
              "workload_address": "google_cloud_run_v2_service.api",
              "workload_type": "google_cloud_run_v2_service",
              "secret_reference": "projects/tfstride-demo/secrets/tfstride-api-key",
              "secret_reference_path": "template[0].containers[0].env[0].value_source[0].secret_key_ref.secret",
              "secret_resource_name": "projects/tfstride-demo/secrets/tfstride-api-key",
              "secret_resource_address": "google_secret_manager_secret.api_key",
              "secret_target_resolution": "resolved_in_plan",
              "secret_resolution_basis": "canonical_resource_name",
              "secret_version": "5",
              "secret_version_state": "configured",
              "version_path": "template[0].containers[0].env[0].value_source[0].secret_key_ref.version",
              "container_name": "api",
              "setting_name": "DB_PASSWORD",
              "service_account_email": "tfstride-run@tfstride-demo.iam.gserviceaccount.com",
              "service_account_member": "serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com",
              "identity_kind": "cloud_run_service_account",
              "credential_context": "workload_runtime",
              "iam_resource_address": "google_secret_manager_secret_iam_member.run_accessor",
              "iam_resource_type": "google_secret_manager_secret_iam_member",
              "role": "roles/secretmanager.secretAccessor",
              "role_kind": "built_in",
              "custom_role_permissions": [],
              "grant_scope_type": "secret",
              "grant_scope": "projects/tfstride-demo/secrets/tfstride-api-key",
              "grant_basis": "secret_resource_iam",
              "condition": {},
              "condition_state": "not_configured",
              "access_state": "granted"
            }
          ],
          "artifact_registry_write_paths": []
        }
      },
      {
        "address": "google_cloud_run_v2_service_iam_member.public_invoker",
        "provider": "gcp",
        "resource_type": "google_cloud_run_v2_service_iam_member",
        "name": "public_invoker",
        "category": "iam",
        "identifier": "tfstride-api:roles/run.invoker:allUsers",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "cloud_run_service_reference": "tfstride-api",
          "region": "us-central1",
          "iam_role": "roles/run.invoker",
          "iam_member": "allUsers",
          "iam_members": [
            "allUsers"
          ],
          "iam_condition": {},
          "iam_bindings": [
            {
              "role": "roles/run.invoker",
              "members": [
                "allUsers"
              ]
            }
          ],
          "privileged_access_grants": []
        }
      },
      {
        "address": "google_cloudfunctions_function.worker",
        "provider": "gcp",
        "resource_type": "google_cloudfunctions_function",
        "name": "worker",
        "category": "compute",
        "identifier": "tfstride-worker",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": true,
        "public_exposure": true,
        "data_sensitivity": "standard",
        "metadata": {
          "name": "tfstride-worker",
          "project": "tfstride-demo",
          "service_account_email": "tfstride-fn@tfstride-demo.iam.gserviceaccount.com",
          "service_account_member": "serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com",
          "service_accounts": [
            {
              "email": "tfstride-fn@tfstride-demo.iam.gserviceaccount.com"
            }
          ],
          "labels": {},
          "vpc_enabled": false,
          "provider_managed_egress": true,
          "cloud_function_reference": "tfstride-worker",
          "region": "us-central1",
          "runtime": "python312",
          "trigger_http": true,
          "https_trigger_url": null,
          "public_access_reasons": [
            "google_cloudfunctions_function_iam_member.public_invoker grants roles/cloudfunctions.invoker to allAuthenticatedUsers"
          ],
          "direct_internet_reachable": true,
          "public_exposure_reasons": [
            "google_cloudfunctions_function_iam_member.public_invoker grants roles/cloudfunctions.invoker to allAuthenticatedUsers"
          ],
          "iam_bindings": [
            {
              "role": "roles/cloudfunctions.invoker",
              "members": [
                "allAuthenticatedUsers"
              ],
              "source": "google_cloudfunctions_function_iam_member.public_invoker"
            }
          ],
          "gcp_resource_policy_source_addresses": [
            "google_cloudfunctions_function_iam_member.public_invoker"
          ]
        }
      },
      {
        "address": "google_cloudfunctions_function_iam_member.public_invoker",
        "provider": "gcp",
        "resource_type": "google_cloudfunctions_function_iam_member",
        "name": "public_invoker",
        "category": "iam",
        "identifier": "tfstride-worker:roles/cloudfunctions.invoker:allAuthenticatedUsers",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "cloud_function_reference": "tfstride-worker",
          "region": "us-central1",
          "iam_role": "roles/cloudfunctions.invoker",
          "iam_member": "allAuthenticatedUsers",
          "iam_members": [
            "allAuthenticatedUsers"
          ],
          "iam_condition": {},
          "iam_bindings": [
            {
              "role": "roles/cloudfunctions.invoker",
              "members": [
                "allAuthenticatedUsers"
              ]
            }
          ],
          "privileged_access_grants": []
        }
      },
      {
        "address": "google_compute_network.main",
        "provider": "gcp",
        "resource_type": "google_compute_network",
        "name": "main",
        "category": "network",
        "identifier": "tfstride-main",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "name": "tfstride-main",
          "project": "tfstride-demo",
          "auto_create_subnetworks": false,
          "routing_mode": "REGIONAL",
          "description": null
        }
      },
      {
        "address": "google_compute_subnetwork.app",
        "provider": "gcp",
        "resource_type": "google_compute_subnetwork",
        "name": "app",
        "category": "network",
        "identifier": "tfstride-app",
        "arn": null,
        "vpc_id": "google_compute_network.main.id",
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "name": "tfstride-app",
          "project": "tfstride-demo",
          "region": "us-central1",
          "network": "google_compute_network.main.id",
          "cidr_range": "10.10.1.0/24",
          "private_ip_google_access": true,
          "purpose": null,
          "stack_type": null,
          "secondary_ip_ranges": [],
          "subnetwork_flow_log_state": "not_configured",
          "subnetwork_flow_log_config": {},
          "subnetwork_flow_log_metadata_fields": [],
          "network_telemetry_posture_uncertainties": [],
          "has_public_route": false,
          "is_public_subnet": false,
          "has_nat_gateway_egress": false
        }
      },
      {
        "address": "google_secret_manager_secret.api_key",
        "provider": "gcp",
        "resource_type": "google_secret_manager_secret",
        "name": "api_key",
        "category": "data",
        "identifier": "projects/tfstride-demo/secrets/tfstride-api-key",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "sensitive",
        "metadata": {
          "name": "projects/tfstride-demo/secrets/tfstride-api-key",
          "secret_id": "tfstride-api-key",
          "project": "tfstride-demo",
          "labels": {
            "app": "tfstride"
          },
          "secret_manager_replication_mode": "automatic",
          "secret_manager_kms_key_names": [
            "projects/tfstride-demo/locations/global/keyRings/tfstride-app/cryptoKeys/tfstride-secret-manager"
          ],
          "secret_manager_replication": {
            "mode": "automatic",
            "kms_key_names": [
              "projects/tfstride-demo/locations/global/keyRings/tfstride-app/cryptoKeys/tfstride-secret-manager"
            ]
          },
          "secret_manager_posture_uncertainties": [],
          "secret_manager_ttl": "2592000s",
          "secret_manager_version_destroy_ttl": "604800s",
          "annotations": {},
          "topics": [],
          "customer_managed_encryption": true,
          "storage_encrypted": true,
          "iam_bindings": [
            {
              "role": "roles/secretmanager.secretAccessor",
              "members": [
                "serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com"
              ],
              "source": "google_secret_manager_secret_iam_member.run_accessor"
            },
            {
              "role": "roles/secretmanager.secretAccessor",
              "members": [
                "serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com"
              ],
              "source": "google_secret_manager_secret_iam_member.function_accessor"
            }
          ],
          "gcp_resource_policy_source_addresses": [
            "google_secret_manager_secret_iam_member.run_accessor",
            "google_secret_manager_secret_iam_member.function_accessor"
          ]
        }
      },
      {
        "address": "google_secret_manager_secret_iam_member.function_accessor",
        "provider": "gcp",
        "resource_type": "google_secret_manager_secret_iam_member",
        "name": "function_accessor",
        "category": "iam",
        "identifier": "google_secret_manager_secret.api_key.id:roles/secretmanager.secretAccessor:serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "secret_reference": "google_secret_manager_secret.api_key.id",
          "project": "tfstride-demo",
          "iam_role": "roles/secretmanager.secretAccessor",
          "iam_member": "serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com",
          "iam_members": [
            "serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com"
          ],
          "iam_condition": {},
          "iam_bindings": [
            {
              "role": "roles/secretmanager.secretAccessor",
              "members": [
                "serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com"
              ]
            }
          ],
          "privileged_access_grants": []
        }
      },
      {
        "address": "google_secret_manager_secret_iam_member.run_accessor",
        "provider": "gcp",
        "resource_type": "google_secret_manager_secret_iam_member",
        "name": "run_accessor",
        "category": "iam",
        "identifier": "google_secret_manager_secret.api_key.id:roles/secretmanager.secretAccessor:serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com",
        "arn": null,
        "vpc_id": null,
        "subnet_ids": [],
        "security_group_ids": [],
        "attached_role_arns": [],
        "network_rules": [],
        "policy_statements": [],
        "public_access_configured": false,
        "public_exposure": false,
        "data_sensitivity": "standard",
        "metadata": {
          "secret_reference": "google_secret_manager_secret.api_key.id",
          "project": "tfstride-demo",
          "iam_role": "roles/secretmanager.secretAccessor",
          "iam_member": "serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com",
          "iam_members": [
            "serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com"
          ],
          "iam_condition": {},
          "iam_bindings": [
            {
              "role": "roles/secretmanager.secretAccessor",
              "members": [
                "serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com"
              ]
            }
          ],
          "privileged_access_grants": []
        }
      }
    ]
  },
  "trust_boundaries": [
    {
      "identifier": "internet-to-service:internet->google_cloud_run_v2_service.api",
      "boundary_type": "internet-to-service",
      "source": "internet",
      "target": "google_cloud_run_v2_service.api",
      "description": "Traffic can cross from the public internet to google_cloud_run_v2_service.api.",
      "rationale": "The resource is directly reachable or intentionally exposed to unauthenticated network clients."
    },
    {
      "identifier": "internet-to-service:internet->google_cloudfunctions_function.worker",
      "boundary_type": "internet-to-service",
      "source": "internet",
      "target": "google_cloudfunctions_function.worker",
      "description": "Traffic can cross from the public internet to google_cloudfunctions_function.worker.",
      "rationale": "The resource is directly reachable or intentionally exposed to unauthenticated network clients."
    },
    {
      "identifier": "workload-to-data-store:google_cloud_run_v2_service.api->google_secret_manager_secret.api_key",
      "boundary_type": "workload-to-data-store",
      "source": "google_cloud_run_v2_service.api",
      "target": "google_secret_manager_secret.api_key",
      "description": "google_cloud_run_v2_service.api can interact with google_secret_manager_secret.api_key.",
      "rationale": "GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_secret_manager_secret_iam_member.run_accessor grants roles/secretmanager.secretAccessor to serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com."
    },
    {
      "identifier": "workload-to-data-store:google_cloudfunctions_function.worker->google_secret_manager_secret.api_key",
      "boundary_type": "workload-to-data-store",
      "source": "google_cloudfunctions_function.worker",
      "target": "google_secret_manager_secret.api_key",
      "description": "google_cloudfunctions_function.worker can interact with google_secret_manager_secret.api_key.",
      "rationale": "GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_secret_manager_secret_iam_member.function_accessor grants roles/secretmanager.secretAccessor to serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com."
    }
  ],
  "findings": [
    {
      "fingerprint": "sha256:f04001c2e8493937559935380c234dbbba2f0569bd188b4b7037ec8597d14fa5",
      "title": "Internet-exposed GCP workload can access sensitive data services",
      "rule_id": "gcp-public-workload-sensitive-data-access",
      "category": "Information Disclosure",
      "severity": "high",
      "affected_resources": [
        "google_cloud_run_v2_service.api",
        "google_secret_manager_secret.api_key",
        "google_secret_manager_secret_iam_member.run_accessor"
      ],
      "trust_boundary_id": "workload-to-data-store:google_cloud_run_v2_service.api->google_secret_manager_secret.api_key",
      "rationale": "google_cloud_run_v2_service.api is internet-exposed and runs with GCP workload identity serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com. That identity can access google_secret_manager_secret.api_key. A compromise of the public workload can therefore become direct access to sensitive GCP data services.",
      "recommended_mitigation": "Run public GCP workloads with narrowly scoped service accounts, remove direct Secret Manager, Cloud KMS, GCS, or Cloud SQL grants from internet-facing instances, and broker sensitive data access through private services where possible.",
      "evidence": [
        {
          "key": "public_exposure_reasons",
          "values": [
            "google_cloud_run_v2_service_iam_member.public_invoker grants roles/run.invoker to allUsers"
          ]
        },
        {
          "key": "workload_identity",
          "values": [
            "serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com"
          ]
        },
        {
          "key": "cloud_run_secret_access_paths",
          "values": [
            "secret_resource=google_secret_manager_secret.api_key; secret_reference=projects/tfstride-demo/secrets/tfstride-api-key; secret_version=5; service_account=tfstride-run@tfstride-demo.iam.gserviceaccount.com; iam_resource=google_secret_manager_secret_iam_member.run_accessor; role=roles/secretmanager.secretAccessor; grant_scope=secret:projects/tfstride-demo/secrets/tfstride-api-key; access_state=granted; condition_state=not_configured"
          ]
        },
        {
          "key": "resource_policy_sources",
          "values": [
            "google_secret_manager_secret_iam_member.run_accessor"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 2,
        "privilege_breadth": 1,
        "data_sensitivity": 2,
        "lateral_movement": 1,
        "blast_radius": 1,
        "final_score": 7,
        "severity": "high",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:6a8fba2f6eb1f9409d6f281891d9c1a34d53cbf01e3f05ad0fcc88af1150aa35",
      "title": "Internet-exposed GCP workload can access sensitive data services",
      "rule_id": "gcp-public-workload-sensitive-data-access",
      "category": "Information Disclosure",
      "severity": "high",
      "affected_resources": [
        "google_cloudfunctions_function.worker",
        "google_secret_manager_secret.api_key",
        "google_secret_manager_secret_iam_member.run_accessor",
        "google_secret_manager_secret_iam_member.function_accessor"
      ],
      "trust_boundary_id": "workload-to-data-store:google_cloudfunctions_function.worker->google_secret_manager_secret.api_key",
      "rationale": "google_cloudfunctions_function.worker is internet-exposed and runs with GCP workload identity serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com. That identity can access google_secret_manager_secret.api_key. A compromise of the public workload can therefore become direct access to sensitive GCP data services.",
      "recommended_mitigation": "Run public GCP workloads with narrowly scoped service accounts, remove direct Secret Manager, Cloud KMS, GCS, or Cloud SQL grants from internet-facing instances, and broker sensitive data access through private services where possible.",
      "evidence": [
        {
          "key": "public_exposure_reasons",
          "values": [
            "google_cloudfunctions_function_iam_member.public_invoker grants roles/cloudfunctions.invoker to allAuthenticatedUsers"
          ]
        },
        {
          "key": "workload_identity",
          "values": [
            "serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com"
          ]
        },
        {
          "key": "data_access_path",
          "values": [
            "google_cloudfunctions_function.worker reaches google_secret_manager_secret.api_key"
          ]
        },
        {
          "key": "boundary_rationale",
          "values": [
            "GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_secret_manager_secret_iam_member.function_accessor grants roles/secretmanager.secretAccessor to serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com."
          ]
        },
        {
          "key": "resource_policy_sources",
          "values": [
            "google_secret_manager_secret_iam_member.run_accessor",
            "google_secret_manager_secret_iam_member.function_accessor"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 2,
        "privilege_breadth": 1,
        "data_sensitivity": 2,
        "lateral_movement": 1,
        "blast_radius": 1,
        "final_score": 7,
        "severity": "high",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:26d830ba0ec2a53756c3eaced1c3be81057169315b2b42d8c7419e083cfc77d6",
      "title": "Cloud Functions function is publicly invokable",
      "rule_id": "gcp-cloud-functions-public-invoker",
      "category": "Spoofing",
      "severity": "medium",
      "affected_resources": [
        "google_cloudfunctions_function.worker",
        "google_cloudfunctions_function_iam_member.public_invoker"
      ],
      "trust_boundary_id": "internet-to-service:internet->google_cloudfunctions_function.worker",
      "rationale": "google_cloudfunctions_function.worker allows public HTTP access and grants Cloud Functions invoke permission to public GCP principals. Unauthenticated internet clients can reach the function entry point without an organization-owned identity boundary.",
      "recommended_mitigation": "Remove `allUsers` and `allAuthenticatedUsers` from Cloud Functions invoker bindings unless anonymous access is intentional, and require authentication, IAP, API Gateway, or a controlled edge policy for public HTTP functions.",
      "evidence": [
        {
          "key": "public_invoker_bindings",
          "values": [
            "source=google_cloudfunctions_function_iam_member.public_invoker; role=roles/cloudfunctions.invoker; member=allAuthenticatedUsers"
          ]
        },
        {
          "key": "public_access_reasons",
          "values": [
            "google_cloudfunctions_function_iam_member.public_invoker grants roles/cloudfunctions.invoker to allAuthenticatedUsers"
          ]
        },
        {
          "key": "public_exposure_reasons",
          "values": [
            "google_cloudfunctions_function_iam_member.public_invoker grants roles/cloudfunctions.invoker to allAuthenticatedUsers"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 2,
        "privilege_breadth": 0,
        "data_sensitivity": 0,
        "lateral_movement": 0,
        "blast_radius": 1,
        "final_score": 3,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:fdfa137966c89eb875eb160f45285149877d78495eec49c0a7250ae0a64e7a28",
      "title": "Cloud Run service is publicly invokable",
      "rule_id": "gcp-cloud-run-public-invoker",
      "category": "Spoofing",
      "severity": "medium",
      "affected_resources": [
        "google_cloud_run_v2_service.api",
        "google_cloud_run_v2_service_iam_member.public_invoker"
      ],
      "trust_boundary_id": "internet-to-service:internet->google_cloud_run_v2_service.api",
      "rationale": "google_cloud_run_v2_service.api allows public ingress and grants Cloud Run invoke permission to public GCP principals. Unauthenticated internet clients can reach the service entry point without an organization-owned identity boundary.",
      "recommended_mitigation": "Remove `allUsers` and `allAuthenticatedUsers` from Cloud Run invoker bindings unless anonymous access is intentional, and front public services with authentication, IAP, API Gateway, or a controlled edge policy.",
      "evidence": [
        {
          "key": "public_invoker_bindings",
          "values": [
            "source=google_cloud_run_v2_service_iam_member.public_invoker; role=roles/run.invoker; member=allUsers"
          ]
        },
        {
          "key": "public_access_reasons",
          "values": [
            "google_cloud_run_v2_service_iam_member.public_invoker grants roles/run.invoker to allUsers"
          ]
        },
        {
          "key": "public_exposure_reasons",
          "values": [
            "google_cloud_run_v2_service_iam_member.public_invoker grants roles/run.invoker to allUsers"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 2,
        "privilege_breadth": 0,
        "data_sensitivity": 0,
        "lateral_movement": 0,
        "blast_radius": 1,
        "final_score": 3,
        "severity": "medium",
        "computed_severity": null
      }
    },
    {
      "fingerprint": "sha256:d7380b4b3e19c2f29c68019a1757075b9455a4465c9cf613a0fd4a3a2d8dc9e9",
      "title": "GCP subnetwork Flow Logs are not configured",
      "rule_id": "gcp-subnetwork-flow-logs-not-configured",
      "category": "Repudiation",
      "severity": "medium",
      "affected_resources": [
        "google_compute_subnetwork.app"
      ],
      "trust_boundary_id": null,
      "rationale": "google_compute_subnetwork.app does not configure VPC Flow Logs in this Terraform plan. Without subnetwork flow telemetry, network investigation, lateral-movement review, and egress analysis can lack packet-flow evidence for workloads attached to this subnet.",
      "recommended_mitigation": "Enable VPC Flow Logs on subnetworks that host workloads, keep the flow log configuration in Terraform, and export or retain those logs according to investigation and monitoring requirements.",
      "evidence": [
        {
          "key": "subnetwork_flow_log_posture",
          "values": [
            "address=google_compute_subnetwork.app",
            "type=google_compute_subnetwork",
            "name=app",
            "identifier=tfstride-app",
            "flow_log_state=not_configured",
            "network=google_compute_network.main.id",
            "project=tfstride-demo"
          ]
        }
      ],
      "severity_reasoning": {
        "internet_exposure": 0,
        "privilege_breadth": 0,
        "data_sensitivity": 0,
        "lateral_movement": 2,
        "blast_radius": 1,
        "final_score": 3,
        "severity": "medium",
        "computed_severity": null
      }
    }
  ],
  "suppressed_findings": [],
  "baselined_findings": [],
  "observations": [],
  "limitations": [
    "GCP support covers a curated set of compute, serverless, data, IAM, Kubernetes, networking, audit, private-connectivity, messaging, registry, and key-management resources. Analysis is plan-local and does not model every provider resource, runtime drift, or every organization-level control; provider-specific positive observations remain more limited than finding coverage.",
    "The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity."
  ]
}
Markdown report
# GCP Serverless Demo

- Analyzed file: `sample_gcp_serverless_plan.json`
- Provider: `gcp`
- Normalized resources: `11`
- Unsupported resources: `0`

## Summary

This run identified **4 trust boundaries** and **5 findings** across **11 normalized resources**.

- High severity findings: `2`
- Medium severity findings: `3`
- Low severity findings: `0`

## Analysis Coverage

- Terraform resources seen: `11`
- Provider resources considered: `11`
- Normalized resources: `11`
- Unsupported resources: `0`
- Registered provider rules (GCP): `78`
- Enabled provider rules (GCP): `78`
- Disabled rules: `0`
- Severity overrides: `0`
- Unresolved in-plan references: `0`
- Findings by rule:
  - `gcp-subnetwork-flow-logs-not-configured`: `1`
  - `gcp-cloud-run-public-invoker`: `1`
  - `gcp-cloud-functions-public-invoker`: `1`
  - `gcp-public-workload-sensitive-data-access`: `2`

## Discovered Trust Boundaries

### `internet-to-service`

- Source: `internet`
- Target: `google_cloud_run_v2_service.api`
- Description: Traffic can cross from the public internet to google_cloud_run_v2_service.api.
- Rationale: The resource is directly reachable or intentionally exposed to unauthenticated network clients.

### `internet-to-service`

- Source: `internet`
- Target: `google_cloudfunctions_function.worker`
- Description: Traffic can cross from the public internet to google_cloudfunctions_function.worker.
- Rationale: The resource is directly reachable or intentionally exposed to unauthenticated network clients.

### `workload-to-data-store`

- Source: `google_cloud_run_v2_service.api`
- Target: `google_secret_manager_secret.api_key`
- Description: google_cloud_run_v2_service.api can interact with google_secret_manager_secret.api_key.
- Rationale: GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_secret_manager_secret_iam_member.run_accessor grants roles/secretmanager.secretAccessor to serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com.

### `workload-to-data-store`

- Source: `google_cloudfunctions_function.worker`
- Target: `google_secret_manager_secret.api_key`
- Description: google_cloudfunctions_function.worker can interact with google_secret_manager_secret.api_key.
- Rationale: GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_secret_manager_secret_iam_member.function_accessor grants roles/secretmanager.secretAccessor to serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com.

## Findings

### High

#### Internet-exposed GCP workload can access sensitive data services

- STRIDE category: Information Disclosure
- Affected resources: `google_cloud_run_v2_service.api`, `google_secret_manager_secret.api_key`, `google_secret_manager_secret_iam_member.run_accessor`
- Trust boundary: `workload-to-data-store:google_cloud_run_v2_service.api->google_secret_manager_secret.api_key`
- Severity reasoning: internet_exposure +2, privilege_breadth +1, data_sensitivity +2, lateral_movement +1, blast_radius +1, final_score 7 => high
- Rationale: google_cloud_run_v2_service.api is internet-exposed and runs with GCP workload identity serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com. That identity can access google_secret_manager_secret.api_key. A compromise of the public workload can therefore become direct access to sensitive GCP data services.
- Recommended mitigation: Run public GCP workloads with narrowly scoped service accounts, remove direct Secret Manager, Cloud KMS, GCS, or Cloud SQL grants from internet-facing instances, and broker sensitive data access through private services where possible.
- Evidence:
  - public exposure reasons: google_cloud_run_v2_service_iam_member.public_invoker grants roles/run.invoker to allUsers
  - workload identity: serviceAccount:tfstride-run@tfstride-demo.iam.gserviceaccount.com
  - cloud run secret access paths: secret_resource=google_secret_manager_secret.api_key; secret_reference=projects/tfstride-demo/secrets/tfstride-api-key; secret_version=5; service_account=tfstride-run@tfstride-demo.iam.gserviceaccount.com; iam_resource=google_secret_manager_secret_iam_member.run_accessor; role=roles/secretmanager.secretAccessor; grant_scope=secret:projects/tfstride-demo/secrets/tfstride-api-key; access_state=granted; condition_state=not_configured
  - resource policy sources: google_secret_manager_secret_iam_member.run_accessor

#### Internet-exposed GCP workload can access sensitive data services

- STRIDE category: Information Disclosure
- Affected resources: `google_cloudfunctions_function.worker`, `google_secret_manager_secret.api_key`, `google_secret_manager_secret_iam_member.run_accessor`, `google_secret_manager_secret_iam_member.function_accessor`
- Trust boundary: `workload-to-data-store:google_cloudfunctions_function.worker->google_secret_manager_secret.api_key`
- Severity reasoning: internet_exposure +2, privilege_breadth +1, data_sensitivity +2, lateral_movement +1, blast_radius +1, final_score 7 => high
- Rationale: google_cloudfunctions_function.worker is internet-exposed and runs with GCP workload identity serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com. That identity can access google_secret_manager_secret.api_key. A compromise of the public workload can therefore become direct access to sensitive GCP data services.
- Recommended mitigation: Run public GCP workloads with narrowly scoped service accounts, remove direct Secret Manager, Cloud KMS, GCS, or Cloud SQL grants from internet-facing instances, and broker sensitive data access through private services where possible.
- Evidence:
  - public exposure reasons: google_cloudfunctions_function_iam_member.public_invoker grants roles/cloudfunctions.invoker to allAuthenticatedUsers
  - workload identity: serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com
  - data access path: google_cloudfunctions_function.worker reaches google_secret_manager_secret.api_key
  - boundary rationale: GCP workloads cross into a higher-sensitivity data plane when their attached service account is granted data access through IAM: google_secret_manager_secret_iam_member.function_accessor grants roles/secretmanager.secretAccessor to serviceAccount:tfstride-fn@tfstride-demo.iam.gserviceaccount.com.
  - resource policy sources: google_secret_manager_secret_iam_member.run_accessor; google_secret_manager_secret_iam_member.function_accessor

### Medium

#### Cloud Functions function is publicly invokable

- STRIDE category: Spoofing
- Affected resources: `google_cloudfunctions_function.worker`, `google_cloudfunctions_function_iam_member.public_invoker`
- Trust boundary: `internet-to-service:internet->google_cloudfunctions_function.worker`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +0, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_cloudfunctions_function.worker allows public HTTP access and grants Cloud Functions invoke permission to public GCP principals. Unauthenticated internet clients can reach the function entry point without an organization-owned identity boundary.
- Recommended mitigation: Remove `allUsers` and `allAuthenticatedUsers` from Cloud Functions invoker bindings unless anonymous access is intentional, and require authentication, IAP, API Gateway, or a controlled edge policy for public HTTP functions.
- Evidence:
  - public invoker bindings: source=google_cloudfunctions_function_iam_member.public_invoker; role=roles/cloudfunctions.invoker; member=allAuthenticatedUsers
  - public access reasons: google_cloudfunctions_function_iam_member.public_invoker grants roles/cloudfunctions.invoker to allAuthenticatedUsers
  - public exposure reasons: google_cloudfunctions_function_iam_member.public_invoker grants roles/cloudfunctions.invoker to allAuthenticatedUsers

#### Cloud Run service is publicly invokable

- STRIDE category: Spoofing
- Affected resources: `google_cloud_run_v2_service.api`, `google_cloud_run_v2_service_iam_member.public_invoker`
- Trust boundary: `internet-to-service:internet->google_cloud_run_v2_service.api`
- Severity reasoning: internet_exposure +2, privilege_breadth +0, data_sensitivity +0, lateral_movement +0, blast_radius +1, final_score 3 => medium
- Rationale: google_cloud_run_v2_service.api allows public ingress and grants Cloud Run invoke permission to public GCP principals. Unauthenticated internet clients can reach the service entry point without an organization-owned identity boundary.
- Recommended mitigation: Remove `allUsers` and `allAuthenticatedUsers` from Cloud Run invoker bindings unless anonymous access is intentional, and front public services with authentication, IAP, API Gateway, or a controlled edge policy.
- Evidence:
  - public invoker bindings: source=google_cloud_run_v2_service_iam_member.public_invoker; role=roles/run.invoker; member=allUsers
  - public access reasons: google_cloud_run_v2_service_iam_member.public_invoker grants roles/run.invoker to allUsers
  - public exposure reasons: google_cloud_run_v2_service_iam_member.public_invoker grants roles/run.invoker to allUsers

#### GCP subnetwork Flow Logs are not configured

- STRIDE category: Repudiation
- Affected resources: `google_compute_subnetwork.app`
- Trust boundary: `not-applicable`
- Severity reasoning: internet_exposure +0, privilege_breadth +0, data_sensitivity +0, lateral_movement +2, blast_radius +1, final_score 3 => medium
- Rationale: google_compute_subnetwork.app does not configure VPC Flow Logs in this Terraform plan. Without subnetwork flow telemetry, network investigation, lateral-movement review, and egress analysis can lack packet-flow evidence for workloads attached to this subnet.
- Recommended mitigation: Enable VPC Flow Logs on subnetworks that host workloads, keep the flow log configuration in Terraform, and export or retain those logs according to investigation and monitoring requirements.
- Evidence:
  - subnetwork flow log posture: address=google_compute_subnetwork.app; type=google_compute_subnetwork; name=app; identifier=tfstride-app; flow_log_state=not_configured; network=google_compute_network.main.id; project=tfstride-demo

### Low

No findings in this severity band.

## Limitations / Unsupported Resources

- GCP support covers a curated set of compute, serverless, data, IAM, Kubernetes, networking, audit, private-connectivity, messaging, registry, and key-management resources. Analysis is plan-local and does not model every provider resource, runtime drift, or every organization-level control; provider-specific positive observations remain more limited than finding coverage.
- The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.

Limits

Unsupported or intentionally scoped areas

  • GCP support covers a curated set of compute, serverless, data, IAM, Kubernetes, networking, audit, private-connectivity, messaging, registry, and key-management resources. Analysis is plan-local and does not model every provider resource, runtime drift, or every organization-level control; provider-specific positive observations remain more limited than finding coverage.
  • The engine reasons over Terraform planned values only and does not validate runtime drift, CloudTrail evidence, or post-deploy control-plane activity.