google-cloud-security_center-v1 0.3.5 → 0.7.0

data/lib/google/cloud/securitycenter/v1/folder_pb.rb

@@ -0,0 +1,24 @@
+# Generated by the protocol buffer compiler.  DO NOT EDIT!
+# source: google/cloud/securitycenter/v1/folder.proto
+
+require 'google/protobuf'
+
+require 'google/api/annotations_pb'
+Google::Protobuf::DescriptorPool.generated_pool.build do
+  add_file("google/cloud/securitycenter/v1/folder.proto", :syntax => :proto3) do
+    add_message "google.cloud.securitycenter.v1.Folder" do
+      optional :resource_folder, :string, 1
+      optional :resource_folder_display_name, :string, 2
+    end
+  end
+end
+
+module Google
+  module Cloud
+    module SecurityCenter
+      module V1
+        Folder = ::Google::Protobuf::DescriptorPool.generated_pool.lookup("google.cloud.securitycenter.v1.Folder").msgclass
+      end
+    end
+  end
+end

data/lib/google/cloud/securitycenter/v1/notification_config_pb.rb

@@ -3,9 +3,9 @@
 
 require 'google/protobuf'
 
-require 'google/api/annotations_pb'
 require 'google/api/field_behavior_pb'
 require 'google/api/resource_pb'
+require 'google/api/annotations_pb'
 Google::Protobuf::DescriptorPool.generated_pool.build do
   add_file("google/cloud/securitycenter/v1/notification_config.proto", :syntax => :proto3) do
     add_message "google.cloud.securitycenter.v1.NotificationConfig" do

data/lib/google/cloud/securitycenter/v1/notification_message_pb.rb

@@ -3,9 +3,9 @@
 
 require 'google/protobuf'
 
-require 'google/api/annotations_pb'
 require 'google/cloud/securitycenter/v1/finding_pb'
 require 'google/cloud/securitycenter/v1/resource_pb'
+require 'google/api/annotations_pb'
 Google::Protobuf::DescriptorPool.generated_pool.build do
   add_file("google/cloud/securitycenter/v1/notification_message.proto", :syntax => :proto3) do
     add_message "google.cloud.securitycenter.v1.NotificationMessage" do

data/lib/google/cloud/securitycenter/v1/organization_settings_pb.rb

@@ -3,8 +3,8 @@
 
 require 'google/protobuf'
 
-require 'google/api/annotations_pb'
 require 'google/api/resource_pb'
+require 'google/api/annotations_pb'
 Google::Protobuf::DescriptorPool.generated_pool.build do
   add_file("google/cloud/securitycenter/v1/organization_settings.proto", :syntax => :proto3) do
     add_message "google.cloud.securitycenter.v1.OrganizationSettings" do
@@ -15,6 +15,7 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
     add_message "google.cloud.securitycenter.v1.OrganizationSettings.AssetDiscoveryConfig" do
       repeated :project_ids, :string, 1
       optional :inclusion_mode, :enum, 2, "google.cloud.securitycenter.v1.OrganizationSettings.AssetDiscoveryConfig.InclusionMode"
+      repeated :folder_ids, :string, 3
     end
     add_enum "google.cloud.securitycenter.v1.OrganizationSettings.AssetDiscoveryConfig.InclusionMode" do
       value :INCLUSION_MODE_UNSPECIFIED, 0

data/lib/google/cloud/securitycenter/v1/resource_pb.rb

@@ -3,6 +3,8 @@
 
 require 'google/protobuf'
 
+require 'google/api/field_behavior_pb'
+require 'google/cloud/securitycenter/v1/folder_pb'
 require 'google/api/annotations_pb'
 Google::Protobuf::DescriptorPool.generated_pool.build do
   add_file("google/cloud/securitycenter/v1/resource.proto", :syntax => :proto3) do
@@ -12,6 +14,7 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       optional :project_display_name, :string, 3
       optional :parent, :string, 4
       optional :parent_display_name, :string, 5
+      repeated :folders, :message, 7, "google.cloud.securitycenter.v1.Folder"
     end
   end
 end

data/lib/google/cloud/securitycenter/v1/run_asset_discovery_response_pb.rb

@@ -3,8 +3,8 @@
 
 require 'google/protobuf'
 
-require 'google/api/annotations_pb'
 require 'google/protobuf/duration_pb'
+require 'google/api/annotations_pb'
 Google::Protobuf::DescriptorPool.generated_pool.build do
   add_file("google/cloud/securitycenter/v1/run_asset_discovery_response.proto", :syntax => :proto3) do
     add_message "google.cloud.securitycenter.v1.RunAssetDiscoveryResponse" do

data/lib/google/cloud/securitycenter/v1/security_marks_pb.rb

@@ -3,13 +3,14 @@
 
 require 'google/protobuf'
 
-require 'google/api/annotations_pb'
 require 'google/api/resource_pb'
+require 'google/api/annotations_pb'
 Google::Protobuf::DescriptorPool.generated_pool.build do
   add_file("google/cloud/securitycenter/v1/security_marks.proto", :syntax => :proto3) do
     add_message "google.cloud.securitycenter.v1.SecurityMarks" do
       optional :name, :string, 1
       map :marks, :string, :string, 2
+      optional :canonical_name, :string, 3
     end
   end
 end

data/lib/google/cloud/securitycenter/v1/securitycenter_service_pb.rb

@@ -10,6 +10,7 @@ require 'google/api/field_behavior_pb'
 require 'google/api/resource_pb'
 require 'google/cloud/securitycenter/v1/asset_pb'
 require 'google/cloud/securitycenter/v1/finding_pb'
+require 'google/cloud/securitycenter/v1/folder_pb'
 require 'google/cloud/securitycenter/v1/notification_config_pb'
 require 'google/cloud/securitycenter/v1/organization_settings_pb'
 require 'google/cloud/securitycenter/v1/security_marks_pb'
@@ -155,6 +156,7 @@ Google::Protobuf::DescriptorPool.generated_pool.build do
       optional :project_display_name, :string, 3
       optional :parent_name, :string, 4
       optional :parent_display_name, :string, 5
+      repeated :folders, :message, 7, "google.cloud.securitycenter.v1.Folder"
     end
     add_enum "google.cloud.securitycenter.v1.ListFindingsResponse.ListFindingsResult.StateChange" do
       value :UNUSED, 0

data/lib/google/cloud/securitycenter/v1/securitycenter_service_services_pb.rb

@@ -27,74 +27,77 @@ module Google
           # V1 APIs for Security Center service.
           class Service
 
-            include GRPC::GenericService
+            include ::GRPC::GenericService
 
             self.marshal_class_method = :encode
             self.unmarshal_class_method = :decode
             self.service_name = 'google.cloud.securitycenter.v1.SecurityCenter'
 
             # Creates a source.
-            rpc :CreateSource, Google::Cloud::SecurityCenter::V1::CreateSourceRequest, Google::Cloud::SecurityCenter::V1::Source
+            rpc :CreateSource, ::Google::Cloud::SecurityCenter::V1::CreateSourceRequest, ::Google::Cloud::SecurityCenter::V1::Source
             # Creates a finding. The corresponding source must exist for finding creation
             # to succeed.
-            rpc :CreateFinding, Google::Cloud::SecurityCenter::V1::CreateFindingRequest, Google::Cloud::SecurityCenter::V1::Finding
+            rpc :CreateFinding, ::Google::Cloud::SecurityCenter::V1::CreateFindingRequest, ::Google::Cloud::SecurityCenter::V1::Finding
             # Creates a notification config.
-            rpc :CreateNotificationConfig, Google::Cloud::SecurityCenter::V1::CreateNotificationConfigRequest, Google::Cloud::SecurityCenter::V1::NotificationConfig
+            rpc :CreateNotificationConfig, ::Google::Cloud::SecurityCenter::V1::CreateNotificationConfigRequest, ::Google::Cloud::SecurityCenter::V1::NotificationConfig
             # Deletes a notification config.
-            rpc :DeleteNotificationConfig, Google::Cloud::SecurityCenter::V1::DeleteNotificationConfigRequest, Google::Protobuf::Empty
+            rpc :DeleteNotificationConfig, ::Google::Cloud::SecurityCenter::V1::DeleteNotificationConfigRequest, ::Google::Protobuf::Empty
             # Gets the access control policy on the specified Source.
-            rpc :GetIamPolicy, Google::Iam::V1::GetIamPolicyRequest, Google::Iam::V1::Policy
+            rpc :GetIamPolicy, ::Google::Iam::V1::GetIamPolicyRequest, ::Google::Iam::V1::Policy
             # Gets a notification config.
-            rpc :GetNotificationConfig, Google::Cloud::SecurityCenter::V1::GetNotificationConfigRequest, Google::Cloud::SecurityCenter::V1::NotificationConfig
+            rpc :GetNotificationConfig, ::Google::Cloud::SecurityCenter::V1::GetNotificationConfigRequest, ::Google::Cloud::SecurityCenter::V1::NotificationConfig
             # Gets the settings for an organization.
-            rpc :GetOrganizationSettings, Google::Cloud::SecurityCenter::V1::GetOrganizationSettingsRequest, Google::Cloud::SecurityCenter::V1::OrganizationSettings
+            rpc :GetOrganizationSettings, ::Google::Cloud::SecurityCenter::V1::GetOrganizationSettingsRequest, ::Google::Cloud::SecurityCenter::V1::OrganizationSettings
             # Gets a source.
-            rpc :GetSource, Google::Cloud::SecurityCenter::V1::GetSourceRequest, Google::Cloud::SecurityCenter::V1::Source
+            rpc :GetSource, ::Google::Cloud::SecurityCenter::V1::GetSourceRequest, ::Google::Cloud::SecurityCenter::V1::Source
             # Filters an organization's assets and  groups them by their specified
             # properties.
-            rpc :GroupAssets, Google::Cloud::SecurityCenter::V1::GroupAssetsRequest, Google::Cloud::SecurityCenter::V1::GroupAssetsResponse
+            rpc :GroupAssets, ::Google::Cloud::SecurityCenter::V1::GroupAssetsRequest, ::Google::Cloud::SecurityCenter::V1::GroupAssetsResponse
             # Filters an organization or source's findings and  groups them by their
             # specified properties.
             #
             # To group across all sources provide a `-` as the source id.
-            # Example: /v1/organizations/{organization_id}/sources/-/findings
-            rpc :GroupFindings, Google::Cloud::SecurityCenter::V1::GroupFindingsRequest, Google::Cloud::SecurityCenter::V1::GroupFindingsResponse
+            # Example: /v1/organizations/{organization_id}/sources/-/findings,
+            # /v1/folders/{folder_id}/sources/-/findings,
+            # /v1/projects/{project_id}/sources/-/findings
+            rpc :GroupFindings, ::Google::Cloud::SecurityCenter::V1::GroupFindingsRequest, ::Google::Cloud::SecurityCenter::V1::GroupFindingsResponse
             # Lists an organization's assets.
-            rpc :ListAssets, Google::Cloud::SecurityCenter::V1::ListAssetsRequest, Google::Cloud::SecurityCenter::V1::ListAssetsResponse
+            rpc :ListAssets, ::Google::Cloud::SecurityCenter::V1::ListAssetsRequest, ::Google::Cloud::SecurityCenter::V1::ListAssetsResponse
             # Lists an organization or source's findings.
             #
             # To list across all sources provide a `-` as the source id.
             # Example: /v1/organizations/{organization_id}/sources/-/findings
-            rpc :ListFindings, Google::Cloud::SecurityCenter::V1::ListFindingsRequest, Google::Cloud::SecurityCenter::V1::ListFindingsResponse
+            rpc :ListFindings, ::Google::Cloud::SecurityCenter::V1::ListFindingsRequest, ::Google::Cloud::SecurityCenter::V1::ListFindingsResponse
             # Lists notification configs.
-            rpc :ListNotificationConfigs, Google::Cloud::SecurityCenter::V1::ListNotificationConfigsRequest, Google::Cloud::SecurityCenter::V1::ListNotificationConfigsResponse
+            rpc :ListNotificationConfigs, ::Google::Cloud::SecurityCenter::V1::ListNotificationConfigsRequest, ::Google::Cloud::SecurityCenter::V1::ListNotificationConfigsResponse
             # Lists all sources belonging to an organization.
-            rpc :ListSources, Google::Cloud::SecurityCenter::V1::ListSourcesRequest, Google::Cloud::SecurityCenter::V1::ListSourcesResponse
+            rpc :ListSources, ::Google::Cloud::SecurityCenter::V1::ListSourcesRequest, ::Google::Cloud::SecurityCenter::V1::ListSourcesResponse
             # Runs asset discovery. The discovery is tracked with a long-running
             # operation.
             #
             # This API can only be called with limited frequency for an organization. If
             # it is called too frequently the caller will receive a TOO_MANY_REQUESTS
             # error.
-            rpc :RunAssetDiscovery, Google::Cloud::SecurityCenter::V1::RunAssetDiscoveryRequest, Google::Longrunning::Operation
+            rpc :RunAssetDiscovery, ::Google::Cloud::SecurityCenter::V1::RunAssetDiscoveryRequest, ::Google::Longrunning::Operation
             # Updates the state of a finding.
-            rpc :SetFindingState, Google::Cloud::SecurityCenter::V1::SetFindingStateRequest, Google::Cloud::SecurityCenter::V1::Finding
+            rpc :SetFindingState, ::Google::Cloud::SecurityCenter::V1::SetFindingStateRequest, ::Google::Cloud::SecurityCenter::V1::Finding
             # Sets the access control policy on the specified Source.
-            rpc :SetIamPolicy, Google::Iam::V1::SetIamPolicyRequest, Google::Iam::V1::Policy
+            rpc :SetIamPolicy, ::Google::Iam::V1::SetIamPolicyRequest, ::Google::Iam::V1::Policy
             # Returns the permissions that a caller has on the specified source.
-            rpc :TestIamPermissions, Google::Iam::V1::TestIamPermissionsRequest, Google::Iam::V1::TestIamPermissionsResponse
+            rpc :TestIamPermissions, ::Google::Iam::V1::TestIamPermissionsRequest, ::Google::Iam::V1::TestIamPermissionsResponse
             # Creates or updates a finding. The corresponding source must exist for a
             # finding creation to succeed.
-            rpc :UpdateFinding, Google::Cloud::SecurityCenter::V1::UpdateFindingRequest, Google::Cloud::SecurityCenter::V1::Finding
+            rpc :UpdateFinding, ::Google::Cloud::SecurityCenter::V1::UpdateFindingRequest, ::Google::Cloud::SecurityCenter::V1::Finding
+            #
             # Updates a notification config. The following update
             # fields are allowed: description, pubsub_topic, streaming_config.filter
-            rpc :UpdateNotificationConfig, Google::Cloud::SecurityCenter::V1::UpdateNotificationConfigRequest, Google::Cloud::SecurityCenter::V1::NotificationConfig
+            rpc :UpdateNotificationConfig, ::Google::Cloud::SecurityCenter::V1::UpdateNotificationConfigRequest, ::Google::Cloud::SecurityCenter::V1::NotificationConfig
             # Updates an organization's settings.
-            rpc :UpdateOrganizationSettings, Google::Cloud::SecurityCenter::V1::UpdateOrganizationSettingsRequest, Google::Cloud::SecurityCenter::V1::OrganizationSettings
+            rpc :UpdateOrganizationSettings, ::Google::Cloud::SecurityCenter::V1::UpdateOrganizationSettingsRequest, ::Google::Cloud::SecurityCenter::V1::OrganizationSettings
             # Updates a source.
-            rpc :UpdateSource, Google::Cloud::SecurityCenter::V1::UpdateSourceRequest, Google::Cloud::SecurityCenter::V1::Source
+            rpc :UpdateSource, ::Google::Cloud::SecurityCenter::V1::UpdateSourceRequest, ::Google::Cloud::SecurityCenter::V1::Source
             # Updates security marks.
-            rpc :UpdateSecurityMarks, Google::Cloud::SecurityCenter::V1::UpdateSecurityMarksRequest, Google::Cloud::SecurityCenter::V1::SecurityMarks
+            rpc :UpdateSecurityMarks, ::Google::Cloud::SecurityCenter::V1::UpdateSecurityMarksRequest, ::Google::Cloud::SecurityCenter::V1::SecurityMarks
           end
 
           Stub = Service.rpc_stub_class

data/lib/google/cloud/securitycenter/v1/source_pb.rb

@@ -3,14 +3,15 @@
 
 require 'google/protobuf'
 
-require 'google/api/annotations_pb'
 require 'google/api/resource_pb'
+require 'google/api/annotations_pb'
 Google::Protobuf::DescriptorPool.generated_pool.build do
   add_file("google/cloud/securitycenter/v1/source.proto", :syntax => :proto3) do
     add_message "google.cloud.securitycenter.v1.Source" do
       optional :name, :string, 1
       optional :display_name, :string, 2
       optional :description, :string, 3
+      optional :canonical_name, :string, 14
     end
   end
 end

data/proto_docs/google/api/field_behavior.rb

@@ -54,6 +54,12 @@ module Google
       # This indicates that the field may be set once in a request to create a
       # resource, but may not be changed thereafter.
       IMMUTABLE = 5
+
+      # Denotes that a (repeated) field is an unordered list.
+      # This indicates that the service may provide the elements of the list
+      # in any arbitrary order, rather than the order the user originally
+      # provided. Additionally, the list's order may or may not be stable.
+      UNORDERED_LIST = 6
     end
   end
 end

data/proto_docs/google/api/resource.rb

@@ -43,12 +43,12 @@ module Google
     #
     # The ResourceDescriptor Yaml config will look like:
     #
-    #    resources:
-    #    - type: "pubsub.googleapis.com/Topic"
-    #      name_descriptor:
-    #        - pattern: "projects/\\{project}/topics/\\{topic}"
-    #          parent_type: "cloudresourcemanager.googleapis.com/Project"
-    #          parent_name_extractor: "projects/\\{project}"
+    #     resources:
+    #     - type: "pubsub.googleapis.com/Topic"
+    #       name_descriptor:
+    #         - pattern: "projects/{project}/topics/{topic}"
+    #           parent_type: "cloudresourcemanager.googleapis.com/Project"
+    #           parent_name_extractor: "projects/{project}"
     #
     # Sometimes, resources have multiple patterns, typically because they can
     # live under multiple parents.
@@ -183,15 +183,24 @@ module Google
     #         }
     # @!attribute [rw] plural
     #   @return [::String]
-    #     The plural name used in the resource name, such as 'projects' for
-    #     the name of 'projects/\\{project}'. It is the same concept of the `plural`
-    #     field in k8s CRD spec
+    #     The plural name used in the resource name and permission names, such as
+    #     'projects' for the resource name of 'projects/\\{project}' and the permission
+    #     name of 'cloudresourcemanager.googleapis.com/projects.get'. It is the same
+    #     concept of the `plural` field in k8s CRD spec
     #     https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/
+    #
+    #     Note: The plural form is required even for singleton resources. See
+    #     https://aip.dev/156
     # @!attribute [rw] singular
     #   @return [::String]
     #     The same concept of the `singular` field in k8s CRD spec
     #     https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions/
     #     Such as "project" for the `resourcemanager.googleapis.com/Project` type.
+    # @!attribute [rw] style
+    #   @return [::Array<::Google::Api::ResourceDescriptor::Style>]
+    #     Style flag(s) for this resource.
+    #     These indicate that a resource is expected to conform to a given
+    #     style. See the specific style flags for additional information.
     class ResourceDescriptor
       include ::Google::Protobuf::MessageExts
       extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -211,6 +220,22 @@ module Google
         # that from being necessary once there are multiple patterns.)
         FUTURE_MULTI_PATTERN = 2
       end
+
+      # A flag representing a specific style that a resource claims to conform to.
+      module Style
+        # The unspecified value. Do not use.
+        STYLE_UNSPECIFIED = 0
+
+        # This resource is intended to be "declarative-friendly".
+        #
+        # Declarative-friendly resources must be more strictly consistent, and
+        # setting this to true communicates to tools that this resource should
+        # adhere to declarative-friendly expectations.
+        #
+        # Note: This is used by the API linter (linter.aip.dev) to enable
+        # additional checks.
+        DECLARATIVE_FRIENDLY = 1
+      end
     end
 
     # Defines a proto annotation that describes a string field that refers to
@@ -226,6 +251,17 @@ module Google
     #             type: "pubsub.googleapis.com/Topic"
     #           }];
     #         }
+    #
+    #     Occasionally, a field may reference an arbitrary resource. In this case,
+    #     APIs use the special value * in their resource reference.
+    #
+    #     Example:
+    #
+    #         message GetIamPolicyRequest {
+    #           string resource = 2 [(google.api.resource_reference) = {
+    #             type: "*"
+    #           }];
+    #         }
     # @!attribute [rw] child_type
     #   @return [::String]
     #     The resource type of a child collection that the annotated field
@@ -234,11 +270,11 @@ module Google
     #
     #     Example:
     #
-    #       message ListLogEntriesRequest {
-    #         string parent = 1 [(google.api.resource_reference) = {
-    #           child_type: "logging.googleapis.com/LogEntry"
-    #         };
-    #       }
+    #         message ListLogEntriesRequest {
+    #           string parent = 1 [(google.api.resource_reference) = {
+    #             child_type: "logging.googleapis.com/LogEntry"
+    #           };
+    #         }
     class ResourceReference
       include ::Google::Protobuf::MessageExts
       extend ::Google::Protobuf::MessageExts::ClassMethods

data/proto_docs/google/cloud/securitycenter/v1/asset.rb

@@ -51,14 +51,20 @@ module Google
         #     The time at which the asset was created in Security Command Center.
         # @!attribute [rw] update_time
         #   @return [::Google::Protobuf::Timestamp]
-        #     The time at which the asset was last updated, added, or deleted in Security
-        #     Command Center.
+        #     The time at which the asset was last updated or added in Cloud SCC.
         # @!attribute [rw] iam_policy
         #   @return [::Google::Cloud::SecurityCenter::V1::Asset::IamPolicy]
         #     Cloud IAM Policy information associated with the Google Cloud resource
         #     described by the Security Command Center asset. This information is managed
         #     and defined by the Google Cloud resource and cannot be modified by the
         #     user.
+        # @!attribute [rw] canonical_name
+        #   @return [::String]
+        #     The canonical name of the resource. It's either
+        #     "organizations/\\{organization_id}/assets/\\{asset_id}",
+        #     "folders/\\{folder_id}/assets/\\{asset_id}" or
+        #     "projects/\\{project_number}/assets/\\{asset_id}", depending on the closest CRM
+        #     ancestor of the resource.
         class Asset
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -96,6 +102,11 @@ module Google
           # @!attribute [rw] resource_project_display_name
           #   @return [::String]
           #     The user defined display name for the project of this resource.
+          # @!attribute [rw] folders
+          #   @return [::Array<::Google::Cloud::SecurityCenter::V1::Folder>]
+          #     Contains a Folder message for each folder in the assets ancestry.
+          #     The first folder is the deepest nested folder, and the last folder is the
+          #     folder directly under the Organization.
           class SecurityCenterProperties
             include ::Google::Protobuf::MessageExts
             extend ::Google::Protobuf::MessageExts::ClassMethods

data/proto_docs/google/cloud/securitycenter/v1/finding.rb

@@ -79,10 +79,23 @@ module Google
         #     occurred. For example, if the finding represents an open firewall it would
         #     capture the time the detector believes the firewall became open. The
         #     accuracy is determined by the detector. If the finding were to be resolved
-        #     afterward, this time would reflect when the finding was resolved.
+        #     afterward, this time would reflect when the finding was resolved. Must not
+        #     be set to a value greater than the current timestamp.
         # @!attribute [rw] create_time
         #   @return [::Google::Protobuf::Timestamp]
         #     The time at which the finding was created in Security Command Center.
+        # @!attribute [rw] severity
+        #   @return [::Google::Cloud::SecurityCenter::V1::Finding::Severity]
+        #     The severity of the finding. This field is managed by the source that
+        #     writes the finding.
+        # @!attribute [rw] canonical_name
+        #   @return [::String]
+        #     The canonical name of the finding. It's either
+        #     "organizations/\\{organization_id}/sources/\\{source_id}/findings/\\{finding_id}",
+        #     "folders/\\{folder_id}/sources/\\{source_id}/findings/\\{finding_id}" or
+        #     "projects/\\{project_number}/sources/\\{source_id}/findings/\\{finding_id}",
+        #     depending on the closest CRM ancestor of the resource associated with the
+        #     finding.
         class Finding
           include ::Google::Protobuf::MessageExts
           extend ::Google::Protobuf::MessageExts::ClassMethods
@@ -108,6 +121,65 @@ module Google
             # and is no longer active.
             INACTIVE = 2
           end
+
+          # The severity of the finding.
+          module Severity
+            # This value is used for findings when a source doesn't write a severity
+            # value.
+            SEVERITY_UNSPECIFIED = 0
+
+            # Vulnerability:
+            # A critical vulnerability is easily discoverable by an external actor,
+            # exploitable, and results in the direct ability to execute arbitrary code,
+            # exfiltrate data, and otherwise gain additional access and privileges to
+            # cloud resources and workloads. Examples include publicly accessible
+            # unprotected user data, public SSH access with weak or no passwords, etc.
+            #
+            # Threat:
+            # Indicates a threat that is able to access, modify, or delete data or
+            # execute unauthorized code within existing resources.
+            CRITICAL = 1
+
+            # Vulnerability:
+            # A high risk vulnerability can be easily discovered and exploited in
+            # combination with other vulnerabilities in order to gain direct access and
+            # the ability to execute arbitrary code, exfiltrate data, and otherwise
+            # gain additional access and privileges to cloud resources and workloads.
+            # An example is a database with weak or no passwords that is only
+            # accessible internally. This database could easily be compromised by an
+            # actor that had access to the internal network.
+            #
+            # Threat:
+            # Indicates a threat that is able to create new computational resources in
+            # an environment but not able to access data or execute code in existing
+            # resources.
+            HIGH = 2
+
+            # Vulnerability:
+            # A medium risk vulnerability could be used by an actor to gain access to
+            # resources or privileges that enable them to eventually (through multiple
+            # steps or a complex exploit) gain access and the ability to execute
+            # arbitrary code or exfiltrate data. An example is a service account with
+            # access to more projects than it should have. If an actor gains access to
+            # the service account, they could potentially use that access to manipulate
+            # a project the service account was not intended to.
+            #
+            # Threat:
+            # Indicates a threat that is able to cause operational impact but may not
+            # access data or execute unauthorized code.
+            MEDIUM = 3
+
+            # Vulnerability:
+            # A low risk vulnerability hampers a security organization’s ability to
+            # detect vulnerabilities or active threats in their deployment, or prevents
+            # the root cause investigation of security issues. An example is monitoring
+            # and logs being disabled for resource configurations and access.
+            #
+            # Threat:
+            # Indicates a threat that has obtained minimal access to an environment but
+            # is not able to access data, execute code, or create resources.
+            LOW = 4
+          end
         end
       end
     end