BLACKSHIELD

Public guide

Deploy the Cloud Scanner on GCP

Scan GCP project posture with Prowler via a serverless Cloud Run Job triggered by Cloud Scheduler. One Terraform apply deploys to any number of projects and regions. Audience: Cloud engineers, security engineers, platform teams. Typical setup time: 5 minutes.


Before you begin

  • Install Terraform ≥ 1.7: brew install terraform
  • Authenticate: gcloud auth application-default login
  • Create an ingestion API key in Settings → API Keys with Ingestion scope.

Quick path

Copy a working starter, run it in your environment, then come back here for the deeper rollout details.

Demo only

This configuration is designed for ease of use. To deploy scan clients at scale, plan your deployment architecture accordingly, or contact us for enterprise best practices.

Get the source bundle

Download the exact files used in this guide, or run the one-command installer to write them locally before deploying.

GCP cloud scanner source

Creates the Terraform module under `deploy/gcp-cloud-scanner/` and prefills the current platform API URL so the Cloud Run deployment commands on this page work unchanged.

deploy/gcp-cloud-scanner/
```bash
BLACKSHIELD_CLOUD_IMAGE=public.ecr.aws/blackshield-security/cloud-scanner:1.0.6 \
BLACKSHIELD_SITE_URL=https://blackshield.chaplau.com \
BLACKSHIELD_API_URL=https://api.blackshield.chaplau.com \
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/gcp-cloud-scanner.sh)
cd deploy/gcp-cloud-scanner
```

Run this

Deploy to multiple GCP projects (two commands)

```bash
# Bootstrap the local source bundle first
bash <(curl -fsSL https://blackshield.chaplau.com/source-bundles/gcp-cloud-scanner.sh)

cd deploy/gcp-cloud-scanner

# Authenticate
gcloud auth application-default login

# Deploy all targets defined in main.tf locals.targets.
# Export the key so it reaches both terraform commands: a `VAR=... cmd1 && cmd2`
# prefix applies only to `terraform init`, and `apply` would then prompt for it.
export TF_VAR_blackshield_api_key=sp_xxxx
terraform init && terraform apply -auto-approve

# View deployed resources
terraform output -json cloud_run_job_names
terraform output -json scheduler_job_names
```

Trigger manual execution + stream logs

```bash
# Trigger a one-off scan
gcloud run jobs execute blackshield-cloud-scanner \
  --project my-prod-project \
  --region us-central1

# Stream execution logs
gcloud logging read \
  'resource.type="cloud_run_job" AND resource.labels.job_name="blackshield-cloud-scanner"' \
  --project my-prod-project \
  --limit 50 \
  --format "table(timestamp,textPayload)"
```

Understand and customize

Use the guided steps below when you want to tailor the rollout, validate ownership, or expand the deployment safely.

Step 1

Prerequisites and authentication

Install Terraform, authenticate with gcloud, and set your API key.

  • Install Terraform ≥ 1.7: brew install terraform
  • Authenticate: gcloud auth application-default login
  • Create an Ingestion API key in Settings → API Keys.
  • Set TF_VAR_blackshield_api_key=sp_xxxx in your environment.


Step 2

Configure targets and deploy

Edit the targets map in main.tf, then apply to deploy all project+region pairs at once.

  • Bootstrap the local source bundle first. It prefills `BLACKSHIELD_API_URL` from the deployed platform and writes the Terraform module to `deploy/gcp-cloud-scanner/`.
  • Edit deploy/gcp-cloud-scanner/main.tf — add your project IDs and regions to locals.targets.
  • Run: cd deploy/gcp-cloud-scanner && terraform init && terraform apply -auto-approve
  • Terraform creates: service account, Secret Manager secret, Cloud Run Job, Cloud Scheduler, and enables required APIs.
  • Each project+region pair is an independent deployment unit.
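As an added example, not the BlackShield module's own code, this is how a locals.targets map can drive one Cloud Run Job per project+region pair while keeping the ingestion key in Secret Manager rather than in the job spec. It assumes var.blackshield_api_key and a per-target google_service_account.scanner are declared elsewhere, that the image reads the key from an env var named BLACKSHIELD_API_KEY, and it omits the Scheduler and API-enablement resources the real module creates.

```hcl
locals {
  targets = {
    "my-prod-project/us-central1" = { project = "my-prod-project", region = "us-central1" }
    "my-dev-project/europe-west1" = { project = "my-dev-project", region = "europe-west1" }
  }
}
resource "google_secret_manager_secret" "api_key" {
  for_each  = local.targets
  project   = each.value.project
  secret_id = "blackshield-api-key" # one per target project; key stays out of the job spec
  replication {
    auto {}
  }
}
resource "google_secret_manager_secret_version" "api_key" {
  for_each    = local.targets
  secret      = google_secret_manager_secret.api_key[each.key].id
  secret_data = var.blackshield_api_key # assumed declared elsewhere with sensitive = true
}
resource "google_secret_manager_secret_iam_member" "reader" {
  for_each  = local.targets
  project   = each.value.project
  secret_id = google_secret_manager_secret.api_key[each.key].secret_id
  role      = "roles/secretmanager.secretAccessor" # only the job's own identity can read it
  member    = "serviceAccount:${google_service_account.scanner[each.key].email}"
}
resource "google_cloud_run_v2_job" "scanner" {
  for_each = local.targets
  project  = each.value.project
  location = each.value.region
  name     = "blackshield-cloud-scanner" # one job per project+region pair, keyed like the map
  template {
    template {
      service_account = google_service_account.scanner[each.key].email
      containers {
        image = "public.ecr.aws/blackshield-security/cloud-scanner:1.0.6"
        env {
          name = "BLACKSHIELD_API_KEY" # assumed variable name; check the image's docs
          value_source {
            secret_key_ref {
              secret  = google_secret_manager_secret.api_key[each.key].secret_id
              version = "latest"
            }
          }
        }
      }
    }
  }
}
```

Marking the variable sensitive keeps the key out of plan output and terraform output, but the secret version's value is still written to Terraform state, so the state backend needs the same access controls as the key itself.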


Step 3

Verify and monitor

Trigger a manual job execution and confirm findings arrive in the platform.

  • Trigger manually: gcloud run jobs execute blackshield-cloud-scanner --project my-project --region us-central1
  • Stream logs: gcloud logging read 'resource.type="cloud_run_job" AND resource.labels.job_name="blackshield-cloud-scanner"' --project my-project
  • Confirm findings appear in the platform with scanner=cloud.
  • Check terraform output for all deployed job and scheduler names.


What success looks like

  • terraform apply completes with no errors and outputs Cloud Run Job and Scheduler names.
  • Manual job execution succeeds: gcloud run jobs execute blackshield-cloud-scanner
  • Cloud posture findings appear in the platform Findings view within 30 minutes.