BLACKSHIELD

Public Guide

Deploy the Cloud Scanner on GCP

Scan GCP project posture with Prowler via a serverless Cloud Run Job triggered by Cloud Scheduler. One Terraform apply deploys to any number of projects and regions. Audience: Cloud engineers, security engineers, platform teams. Typical setup time: 5 minutes.

quickstart

Use this if

Scan GCP project posture with Prowler via a serverless Cloud Run Job triggered by Cloud Scheduler. One Terraform apply deploys to any number of projects and regions.

Audience
Cloud engineers, security engineers, platform teams
Typical time
5 minutes

Before You Begin

  • Install Terraform ≥ 1.7: brew install terraform
  • Authenticate: gcloud auth application-default login
  • Create an ingestion API key in Settings → API Keys with Ingestion scope.

Fast path

Copy a working starter, run it in your environment, then come back here for the deeper rollout details.

Get the source bundle

Download the exact source files referenced on this page, or run the one-command installer to write them locally before following the deployment steps.

GCP cloud scanner source

Creates the Terraform module under `deploy/gcp-cloud-scanner/` and prefills the current platform API URL so the Cloud Run deployment commands on this page work unchanged.

deploy/gcp-cloud-scanner/
bash
BLACKSHIELD_CLOUD_IMAGE=public.ecr.aws/blackshield-security/cloud-scanner:1.0.0 \
BLACKSHIELD_SITE_URL=https://blackshield.chaplau.com \
BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/gcp-cloud-scanner.sh)
cd deploy/gcp-cloud-scanner
Download source

Run This

Deploy to multiple GCP projects (two commands)

bash
# Bootstrap the local source bundle first
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/gcp-cloud-scanner.sh)

cd deploy/gcp-cloud-scanner

# Authenticate
gcloud auth application-default login

# Deploy all targets defined in main.tf locals.targets
TF_VAR_blackshield_api_key=sp_xxxx \
terraform init && terraform apply -auto-approve

# View deployed resources
terraform output -json cloud_run_job_names
terraform output -json scheduler_job_names

Trigger manual execution + stream logs

bash
# Trigger a one-off scan
gcloud run jobs execute blackshield-cloud-scanner \
  --project my-prod-project \
  --region us-central1

# Stream execution logs
gcloud logging read \
  'resource.type="cloud_run_job" AND resource.labels.job_name="blackshield-cloud-scanner"' \
  --project my-prod-project \
  --limit 50 \
  --format "table(timestamp,textPayload)"

Understand and customize

Use the guided steps below when you want to tailor the rollout, validate ownership, or expand the deployment safely.

Step 1

Prerequisites and authentication

Install Terraform, authenticate with gcloud, and set your API key.

  • Install Terraform ≥ 1.7: brew install terraform
  • Authenticate: gcloud auth application-default login
  • Create an Ingestion API key in Settings → API Keys.
  • Set TF_VAR_blackshield_api_key=sp_xxxx in your environment.

What success looks like

Set TF_VAR_blackshield_api_key=sp_xxxx in your environment.

Open API Keys · Sign-in required

Step 2

Configure targets and deploy

Edit the targets map in main.tf, then apply to deploy all project+region pairs at once.

  • Bootstrap the local source bundle first. It prefills `BLACKSHIELD_API_URL` from the deployed platform and writes the Terraform module to `deploy/gcp-cloud-scanner/`.
  • Edit deploy/gcp-cloud-scanner/main.tf — add your project IDs and regions to locals.targets.
  • Run: cd deploy/gcp-cloud-scanner && terraform init && terraform apply -auto-approve
  • Terraform creates: service account, Secret Manager secret, Cloud Run Job, Cloud Scheduler, and enables required APIs.
  • Each project+region pair is an independent deployment unit.

What success looks like

Each project+region pair is an independent deployment unit.

All Deployment Guides

Step 3

Verify and monitor

Trigger a manual job execution and confirm findings arrive in the platform.

  • Trigger manually: gcloud run jobs execute blackshield-cloud-scanner --project my-project --region us-central1
  • Stream logs: gcloud logging read 'resource.labels.job_name=blackshield-cloud-scanner' --project my-project
  • Confirm findings appear in the platform with scanner=cloud.
  • Check terraform output for all deployed job and scheduler names.

What success looks like

Check terraform output for all deployed job and scheduler names.

View Findings · Sign-in required

What success looks like

  • terraform apply completes with no errors and outputs Cloud Run Job and Scheduler names.
  • Manual job execution succeeds: gcloud run jobs execute blackshield-cloud-scanner
  • Cloud posture findings appear in the platform Findings view within 30 minutes.
Deploy the Cloud Scanner on GCP | BlackShield Docs