prowler-gcp
GCP cloud security assessment
SYNOPSIS
prowler gcp [options]
DESCRIPTION
prowler gcp performs a security assessment of Google Cloud Platform projects. It evaluates configurations against best practices and compliance frameworks such as CIS, MITRE ATT&CK, and GDPR, and writes its findings as CSV, JSON, or HTML reports.
By default, Prowler scans every project accessible to the authenticated principal. Authentication can use Application Default Credentials (ADC), a credentials file, or service account impersonation.
PARAMETERS
--project-ids ID...
Scan only the given GCP project IDs (default: all accessible projects).
--excluded-project-ids ID...
Exclude the given project IDs from scanning.
--list-project-ids
List all GCP project IDs accessible with the current credentials and exit.
--credentials-file PATH
Path to a service account application credentials JSON file.
--impersonate-service-account EMAIL
Impersonate the given service account when making API calls.
--skip-api-check
Skip API activation verification and assume all required APIs are enabled.
-c, --checks CHECK...
Run only the specified checks.
-s, --services SERVICE...
Run only checks for the specified GCP services (e.g. iam, compute, cloudstorage).
--compliance FRAMEWORK
Run the specified compliance framework (e.g. cis2.0gcp, mitreattackgcp).
-M, --output-modes FORMAT
Output format(s): csv, json-ocsf, json-asff, html.
-F, --output-filename NAME
Base name for output files.
-o, --output-directory DIR
Directory where output reports are written.
CAVEATS
Requires valid GCP credentials with at least the Viewer and Security Reviewer roles on target projects. Some checks need additional APIs (Cloud Asset, Cloud Resource Manager, IAM) enabled. Rate limiting on large organizations may slow scans significantly.
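A pre-flight check for the role requirement above, as an added example that is not part of Prowler: it reads the JSON printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports which of the two roles the scanning principal lacks. The function name, the sample policy and the principal are constructed for illustration, and only direct project-level bindings are considered (roles inherited from a folder or organization, or granted through a group, are not visible in this output).

```python
import json

# Role IDs for the "Viewer" and "Security Reviewer" roles named in CAVEATS.
REQUIRED_ROLES = ("roles/viewer", "roles/iam.securityReviewer")

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/viewer",
     "members": ["serviceAccount:scanner@example-project.iam.gserviceaccount.com",
                 "user:alice@example.com"]},
    {"role": "roles/iam.securityReviewer",
     "members": ["serviceAccount:scanner@example-project.iam.gserviceaccount.com"],
     "condition": {"title": "expires", "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    {"role": "roles/editor", "members": ["user:bob@example.com"]}
  ],
  "version": 3
}
""")


def missing_roles(policy, member, required=REQUIRED_ROLES):
    """Return (missing, conditional_only) for `member` in a project IAM policy.

    missing: required roles with no unconditional binding for the member.
    conditional_only: the subset of `missing` that is bound only under an IAM
    condition, so the grant may be expired or scoped to some resources.
    """
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        if member not in binding.get("members", []):
            continue
        if binding.get("condition"):
            conditional.add(binding["role"])
        else:
            granted.add(binding["role"])
    missing = [role for role in required if role not in granted]
    return missing, sorted(conditional.intersection(missing))


if __name__ == "__main__":
    sa = "serviceAccount:scanner@example-project.iam.gserviceaccount.com"
    missing, conditional_only = missing_roles(SAMPLE_POLICY, sa)
    for role in missing:
        note = " (bound only under a condition)" if role in conditional_only else ""
        print(f"{sa} lacks {role}{note}")
```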
SEE ALSO
prowler(1), prowler-aws(1), prowler-azure(1), prowler-kubernetes(1), gcloud(1)
