regscale-cli 6.16.0.0__py3-none-any.whl

regscale/integrations/commercial/ecr.py

@@ -0,0 +1,90 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+"""ECR RegScale integration"""
+import os
+from datetime import datetime
+from typing import Optional
+
+import click
+
+from regscale.models.integration_models.ecr_models.ecr import ECR
+from regscale.models.integration_models.flat_file_importer import FlatFileImporter
+
+
+@click.group()
+def ecr():
+    """Performs actions on ECR Scanner artifacts."""
+
+
+@ecr.command(name="import_ecr")
+@FlatFileImporter.common_scanner_options(
+    message="File path to the folder containing ECR files to process to RegScale.",
+    prompt="File path for ECR files",
+    import_name="ecr",
+)
+def import_ecr(
+    folder_path: os.PathLike[str],
+    regscale_ssp_id: click.INT,
+    scan_date: datetime,
+    mappings_path: os.PathLike[str],
+    disable_mapping: click.BOOL,
+    s3_bucket: str,
+    s3_prefix: str,
+    aws_profile: str,
+    upload_file: bool,
+):
+    """
+    Import ECR scans, vulnerabilities and assets to RegScale from ECR JSON files
+    """
+    import_ecr_scans(
+        folder_path=folder_path,
+        regscale_ssp_id=regscale_ssp_id,
+        scan_date=scan_date,
+        mappings_path=mappings_path,
+        disable_mapping=disable_mapping,
+        s3_bucket=s3_bucket,
+        s3_prefix=s3_prefix,
+        aws_profile=aws_profile,
+        upload_file=upload_file,
+    )
+
+
+def import_ecr_scans(
+    folder_path: os.PathLike[str],
+    regscale_ssp_id: click.INT,
+    scan_date: datetime,
+    mappings_path: os.PathLike[str],
+    disable_mapping: click.BOOL,
+    s3_bucket: str,
+    s3_prefix: str,
+    aws_profile: str,
+    upload_file: Optional[bool] = True,
+) -> None:
+    """
+    Function to import ECR scans to RegScale as assets and vulnerabilities
+
+    :param os.PathLike[str] folder_path: Path to the folder containing ECR files
+    :param int regscale_ssp_id: RegScale System Security Plan ID
+    :param datetime scan_date: Date of the scan
+    :param click.Path mappings_path: Path to the header mapping file
+    :param bool disable_mapping: Disable header mapping
+    :param str s3_bucket: S3 bucket name
+    :param str s3_prefix: S3 prefix
+    :param str aws_profile: AWS profile
+    :param bool upload_file: Whether to upload the file to RegScale after processing, defaults to True
+    :rtype: None
+    """
+    FlatFileImporter.import_files(
+        import_type=ECR,
+        import_name="ECR",
+        file_types=[".csv", ".json"],
+        folder_path=folder_path,
+        regscale_ssp_id=regscale_ssp_id,
+        scan_date=scan_date,
+        mappings_path=mappings_path,
+        disable_mapping=disable_mapping,
+        s3_bucket=s3_bucket,
+        s3_prefix=s3_prefix,
+        aws_profile=aws_profile,
+        upload_file=upload_file,
+    )

regscale/integrations/commercial/gcp/__init__.py

@@ -0,0 +1,237 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+"""RegScale GCP Package"""
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    from google.cloud.securitycenter_v1 import Finding
+    from google.cloud.securitycenter_v1.services.security_center.pagers import ListFindingsPager
+    from google.cloud import asset_v1
+
+import copy
+from typing import List, Optional
+
+import click
+
+from regscale.core.utils.date import default_date_format
+from regscale.integrations.commercial.gcp.auth import (
+    get_gcp_security_center_client,
+    get_gcp_asset_service_client,
+)
+from regscale.integrations.commercial.gcp.control_tests import gcp_control_tests
+from regscale.integrations.commercial.gcp.variables import GcpVariables
+from regscale.integrations.scanner_integration import (
+    logger,
+    IntegrationFinding,
+    ScannerIntegration,
+    IntegrationAsset,
+)
+from regscale.models import regscale_models
+
+
+@click.group()
+def gcp():
+    """GCP Integrations"""
+
+
+@gcp.command(name="sync_findings")
+@click.option(
+    "--regscale_ssp_id",
+    type=click.INT,
+    help="The ID number from RegScale of the System Security Plan",
+    prompt="Enter RegScale System Security Plan ID",
+    required=True,
+)
+def sync_findings(regscale_ssp_id):
+    """Sync GCP Findings to RegScale."""
+    GCPScannerIntegration.sync_findings(plan_id=regscale_ssp_id)
+
+
+@gcp.command(name="sync_assets")
+@click.option(
+    "--regscale_ssp_id",
+    type=click.INT,
+    help="The ID number from RegScale of the System Security Plan",
+    prompt="Enter RegScale System Security Plan ID",
+    required=True,
+)
+def sync_assets(regscale_ssp_id):
+    """Sync GCP Assets to RegScale."""
+    GCPScannerIntegration.sync_assets(plan_id=regscale_ssp_id)
+
+
+class GCPScannerIntegration(ScannerIntegration):
+    title = "GCP Scanner Integration"
+    asset_identifier_field = "googleIdentifier"
+    gcp_control_tests: dict[str, dict[str, dict[str, str]]] = {}
+    finding_severity_map = {
+        0: regscale_models.IssueSeverity.Low,
+        1: regscale_models.IssueSeverity.Critical,
+        2: regscale_models.IssueSeverity.High,
+        3: regscale_models.IssueSeverity.Moderate,
+        4: regscale_models.IssueSeverity.Low,
+    }
+
+    @staticmethod
+    def get_failed_findings() -> "ListFindingsPager":
+        """
+        Fetches GCP findings using the SecurityCenterClient
+
+        :raises NameError: If gcpFindingSources is set incorrectly
+        :return: A list of parsed findings
+        :rtype: ListFindingsPager
+        """
+        from google.api_core.exceptions import InvalidArgument  # Optimize import performance
+
+        logger.info("Fetching GCP findings...")
+
+        if str(GcpVariables.gcpScanType) == "project":  # type: ignore
+            sources = f"projects/{GcpVariables.gcpProjectId}/sources/-"
+        else:
+            sources = f"organizations/{GcpVariables.gcpOrganizationId}/sources/-"
+        try:
+            client = get_gcp_security_center_client()
+            gcp_findings = client.list_findings(request={"parent": sources})
+            logger.info("Fetched GCP findings.")
+            return gcp_findings
+        except InvalidArgument:
+            error_msg = f"gcpFindingSources is set incorrectly: {sources}."
+            logger.error(error_msg)
+            raise NameError(error_msg)
+
+    def get_passed_findings(self) -> List[IntegrationFinding]:
+        """
+        Gets passed findings for from the GCP control tests
+
+        :return: A list of passed findings
+        :rtype: List[IntegrationFinding]
+        """
+        passed_findings = []
+        self.gcp_control_tests = copy.copy(gcp_control_tests)
+
+        for control_label, categories in self.gcp_control_tests.items():
+            for category, control_test in categories.items():
+                if control_test.get("status", "") == "Failed":
+                    logger.debug(
+                        f"Control {control_label} had findings in category {category}, "
+                        f"skipping passed control test creation"
+                    )
+                    continue
+                passed_findings.append(
+                    IntegrationFinding(
+                        control_labels=[control_label.lower()],
+                        title=f"{self.title} Control Assessment",
+                        category=category,
+                        description=control_test.get("description", ""),
+                        severity=regscale_models.IssueSeverity.Low,
+                        status=regscale_models.ControlTestResultStatus.PASS,
+                        impact=regscale_models.IssueSeverity.Low,
+                        plugin_name=category,
+                    )
+                )
+        return passed_findings
+
+    def fetch_findings(self, **kwargs) -> List[IntegrationFinding]:
+        """
+        Fetches GCP findings using the SecurityCenterClient
+
+        :return: A list of parsed findings
+        :rtype: List[IntegrationFinding]
+        """
+        gcp_findings = self.get_failed_findings()
+
+        self.gcp_control_tests = copy.copy(gcp_control_tests)
+        failed_findings = list(filter(None, [self.parse_finding(finding.finding) for finding in gcp_findings]))
+        passed_findings = self.get_passed_findings()
+        return failed_findings + passed_findings
+
+    def parse_finding(self, gcp_finding: "Finding") -> Optional[IntegrationFinding]:
+        """
+        Parses GCP findings
+
+        :param Finding gcp_finding: The GCP finding to parse
+        :return: The parsed IntegrationFinding
+        :rtype: Optional[IntegrationFinding]
+        """
+        from google.cloud.securitycenter_v1 import Finding  # Optimize import performance
+
+        if any(
+            control_labels := [
+                label.lower() for c in gcp_finding.compliances if c.standard == "nist" for label in c.ids
+            ]
+        ):
+            control_labels = [label.lower() for label in control_labels]
+
+            # Set control test status to failed since we found a finding for it
+            for control_label in control_labels:
+                # Ensure control_id is a string when used as a key
+                control_label = str(control_label)
+                if self.gcp_control_tests.get(control_label, {}).get(gcp_finding.category):
+                    self.gcp_control_tests[control_label][gcp_finding.category]["status"] = "Failed"
+
+            severity = self.finding_severity_map.get(
+                gcp_finding.severity, regscale_models.IssueSeverity.Low
+            )  # Default to Low
+            return IntegrationFinding(
+                control_labels=control_labels,
+                title=f"{self.title} Control Assessment",
+                category=gcp_finding.category,
+                description=gcp_finding.description,
+                severity=severity,
+                status=regscale_models.ControlTestResultStatus.FAIL,
+                external_id=gcp_finding.external_uri,
+                gaps=f"Resource out of compliance: {gcp_finding.resource_name}\n"
+                f"Recommendation: {gcp_finding.source_properties.get('Recommendation', '')}",
+                observations=gcp_finding.source_properties.get("Explanation", ""),
+                evidence=Finding.to_json(gcp_finding),
+                identified_risk=gcp_finding.source_properties.get("Explanation", ""),
+                impact=severity,
+                recommendation_for_mitigation=gcp_finding.source_properties.get("Recommendation", ""),
+                plugin_name=gcp_finding.category,
+            )
+        logger.info(f"Finding {gcp_finding.name} has no NIST controls.")
+        return None
+
+    def fetch_assets(self):
+        """
+        Fetches GCP assets using the AssetServiceClient
+
+        :yields: Iterator[IntegrationAsset]
+        """
+        from google.cloud import asset_v1  # Optimize import performance
+
+        logger.info("Fetching GCP assets...")
+        client = get_gcp_asset_service_client()
+        if str(GcpVariables.gcpScanType) == "project":  # type: ignore
+            sources = f"projects/{GcpVariables.gcpProjectId}"
+        else:
+            sources = f"organizations/{GcpVariables.gcpOrganizationId}"
+        request = asset_v1.ListAssetsRequest(parent=sources)  # type: ignore
+        logger.info("Fetched GCP assets.")
+        self.num_assets_to_process = 0
+        for asset in client.list_assets(request=request):
+            self.num_assets_to_process += 1
+            yield self.parse_asset(asset)
+
+    def parse_asset(self, asset: "asset_v1.Asset") -> IntegrationAsset:
+        """
+        Parses GCP assets
+
+        :param asset_v1.Asset asset: The GCP asset to parse
+        :return: The parsed IntegrationAsset
+        :rtype: IntegrationAsset
+        """
+        from google.cloud import asset_v1  # type: ignore  # Optimize import performance
+
+        return IntegrationAsset(
+            name=asset.name,
+            identifier=asset.name,
+            asset_type=asset.asset_type,
+            asset_owner_id=self.assessor_id,
+            parent_id=self.plan_id,
+            parent_module=regscale_models.SecurityPlan.get_module_slug(),
+            asset_category="GCP",
+            date_last_updated=asset.update_time.strftime(default_date_format),
+            component_names=[asset.asset_type],
+            status="Active (On Network)",
+        )

regscale/integrations/commercial/gcp/auth.py

@@ -0,0 +1,96 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+"""Sync GCP Authentication and Checks"""
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    from google.cloud import securitycenter
+    from google.cloud import asset_v1
+
+import logging
+import os
+
+from regscale.core.app.utils.app_utils import error_and_exit
+from regscale.integrations.commercial.gcp.variables import GcpVariables
+
+logger = logging.getLogger(__name__)
+
+
+def ensure_gcp_credentials() -> None:
+    """
+    Ensures that the GCP credentials are set in the environment
+
+    :rtype: None
+    """
+    if not os.environ.get("GOOGLE_APPLICATION_CREDENTIALS"):
+        os.environ["GOOGLE_APPLICATION_CREDENTIALS"] = GcpVariables.gcpCredentials
+
+
+def ensure_gcp_api_enabled(service_name: str) -> None:
+    """
+    Ensures that the Security Center API is enabled
+    Checks if the API is enabled and raises an exception or prints a message if it is not
+
+    :param str service_name: The name of the service to check
+    :raises RuntimeError: If the API is not enabled or any other error occurs
+    :rtype: None
+    """
+    from google.auth.exceptions import GoogleAuthError  # Optimize import performance
+    from googleapiclient.discovery import build  # Optimize import performance
+
+    ensure_gcp_credentials()  # Assuming this function sets up authentication
+    project_id = GcpVariables.gcpProjectId
+
+    try:
+        service = build("serviceusage", "v1")
+        request = service.services().get(name=f"projects/{project_id}/services/{service_name}")
+        response = request.execute()
+
+        if response and response.get("state") == "ENABLED":
+            logger.info(f"{service_name} api is enabled for project {project_id}.")
+        else:
+            error_and_exit(
+                f"{service_name} api is not enabled for project {project_id}. Please enable it.\n"
+                f"Run the following command:\n"
+                f"gcloud services enable {service_name} --project {project_id}"
+            )
+    except GoogleAuthError as e:
+        raise RuntimeError(f"Authentication error: {e}")
+    except Exception as e:
+        raise RuntimeError(f"An error occurred: {e}")
+
+
+def ensure_security_center_api_enabled() -> None:
+    """
+    Ensures that the Security Center API is enabled
+
+    :rtype: None
+    """
+    ensure_gcp_credentials()
+    os.system(f"gcloud services enable securitycenter.googleapis.com --project {GcpVariables.gcpProjectId}")
+
+
+def get_gcp_security_center_client() -> "securitycenter.SecurityCenterClient":
+    """
+    Gets the GCP Security Center client
+
+    :return: The GCP client
+    :rtype: securitycenter.SecurityCenterClient
+    """
+    from google.cloud import securitycenter  # Optimize import performance
+
+    ensure_gcp_api_enabled("securitycenter.googleapis.com")
+    return securitycenter.SecurityCenterClient()
+
+
+def get_gcp_asset_service_client() -> "asset_v1.AssetServiceClient":
+    """
+    Gets the GCP Asset Service client
+
+    :return: The GCP client
+    :rtype: asset_v1.AssetServiceClient
+    """
+    from google.cloud import asset_v1  # Optimize import performance
+
+    ensure_gcp_api_enabled("cloudasset.googleapis.com")
+    return asset_v1.AssetServiceClient()

regscale/integrations/commercial/gcp/control_tests.py

@@ -0,0 +1,238 @@
+gcp_control_tests = {
+    "ac-2": {
+        "PUBLIC_BUCKET_ACL": {
+            "severity": "HIGH",
+            "description": "Cloud Storage buckets should not be anonymously or publicly accessible",
+        },
+        "PUBLIC_DATASET": {
+            "severity": "HIGH",
+            "description": "Datasets should not be publicly accessible by anyone on the internet",
+        },
+        "AUDIT_LOGGING_DISABLED": {
+            "severity": "LOW",
+            "description": "Cloud Audit Logging should be configured properly across all services and all users from a "
+            "project",
+        },
+    },
+    "au-2": {
+        "AUDIT_LOGGING_DISABLED": {
+            "severity": "LOW",
+            "description": "Cloud Audit Logging should be configured properly across all services and all users from a "
+            "project",
+        }
+    },
+    "ac-3": {
+        "NON_ORG_IAM_MEMBER": {
+            "severity": "HIGH",
+            "description": "Corporate login credentials should be used instead of Gmail accounts",
+        },
+        "SQL_NO_ROOT_PASSWORD": {
+            "severity": "HIGH",
+            "description": "MySQL database instance should not allow anyone to connect with administrative privileges.",
+        },
+    },
+    "ac-5": {
+        "KMS_ROLE_SEPARATION": {
+            "severity": "MEDIUM",
+            "description": "Separation of duties should be enforced while assigning KMS related roles to users",
+        },
+        "SERVICE_ACCOUNT_ROLE_SEPARATION": {
+            "severity": "MEDIUM",
+            "description": "Separation of duties should be enforced while assigning service account related roles to "
+            "users",
+        },
+    },
+    "ac-6": {
+        "FULL_API_ACCESS": {
+            "severity": "MEDIUM",
+            "description": "Instances should not be configured to use the default service account with full access to "
+            "all Cloud APIs",
+        },
+        "OVER_PRIVILEGED_SERVICE_ACCOUNT_USER": {
+            "severity": "MEDIUM",
+            "description": "The iam.serviceAccountUser and iam.serviceAccountTokenCreator roles should not be assigned "
+            "to a user at the project level",
+        },
+        "PRIMITIVE_ROLES_USED": {
+            "severity": "MEDIUM",
+            "description": "Basic roles (Owner, Writer, Reader) are too permissive and should not be used",
+        },
+        "OVER_PRIVILEGED_ACCOUNT": {
+            "severity": "MEDIUM",
+            "description": "Default Service account should not used for Project access in Kubernetes Clusters",
+        },
+        "KMS_PROJECT_HAS_OWNER": {
+            "severity": "MEDIUM",
+            "description": 'Users should not have "Owner" permissions on a project that has cryptographic keys',
+        },
+    },
+    "au-9": {
+        "PUBLIC_LOG_BUCKET": {
+            "severity": "HIGH",
+            "description": "Storage buckets used as log sinks should not be publicly accessible",
+        }
+    },
+    "au-11": {
+        "LOCKED_RETENTION_POLICY_NOT_SET": {
+            "severity": "LOW",
+            "description": "A locked retention policy should be configured for Cloud Storage buckets",
+        },
+        "OBJECT_VERSIONING_DISABLED": {
+            "severity": "LOW",
+            "description": "Log-buckets should have Object Versioning enabled",
+        },
+    },
+    "ca-3": {
+        "PUBLIC_IP_ADDRESS": {
+            "severity": "HIGH",
+            "description": "VMs should not be assigned public IP addresses",
+        },
+        "PUBLIC_SQL_INSTANCE": {
+            "severity": "HIGH",
+            "description": "Cloud SQL database instances should not be publicly accessible by anyone on the internet",
+        },
+    },
+    "cp-9": {
+        "AUTO_BACKUP_DISABLED": {
+            "severity": "MEDIUM",
+            "description": "Automated backups should be Enabled",
+        }
+    },
+    "ia-2": {
+        "MFA_NOT_ENFORCED": {
+            "severity": "HIGH",
+            "description": "Multi-factor authentication should be enabled for all users in your org unit",
+        }
+    },
+    "sc-7": {
+        "OVER_PRIVILEGED_ACCOUNT": {
+            "severity": "MEDIUM",
+            "description": "Default Service account should not used for Project access in Kubernetes Clusters",
+        },
+        "PUBLIC_IP_ADDRESS": {
+            "severity": "HIGH",
+            "description": "VMs should not be assigned public IP addresses",
+        },
+        "PUBLIC_SQL_INSTANCE": {
+            "severity": "HIGH",
+            "description": "Cloud SQL database instances should not be publicly accessible by anyone on the internet",
+        },
+        "NETWORK_POLICY_DISABLED": {
+            "severity": "MEDIUM",
+            "description": "Network policy should be Enabled on Kubernetes Engine Clusters",
+        },
+        "OPEN_CASSANDRA_PORT": {
+            "severity": "HIGH",
+            "description": "Firewall rules should not allow connections from all IP addresses on TCP ports 7000-7001, "
+            "7199, 8888, 9042, 9160, 61620-61621",
+        },
+        "OPEN_CISCOSECURE_WEBSM_PORT": {
+            "severity": "HIGH",
+            "description": "Firewall rules should not allow connections from all IP addresses on TCP port 9090",
+        },
+        "OPEN_DIRECTORY_SERVICES_PORT": {
+            "severity": "HIGH",
+            "description": "Firewall rules should not allow connections from all IP addresses on TCP or UDP port 445",
+        },
+        "OPEN_DNS_PORT": {
+            "severity": "HIGH",
+            "description": "Firewall rules should not allow connections from all IP addresses on TCP or UDP port 53",
+        },
+        "OPEN_ELASTICSEARCH_PORT": {
+            "severity": "HIGH",
+            "description": "Firewall rules should not allow connections from all IP addresses on TCP ports 9200, 9300",
+        },
+        "OPEN_FTP_PORT": {
+            "severity": "HIGH",
+            "description": "Firewall rules should not allow connections from all IP addresses on TCP port 21",
+        },
+        "OPEN_HTTP_PORT": {
+            "severity": "HIGH",
+            "description": "Firewall rules should not allow connections from all IP addresses on TCP port 80",
+        },
+        "OPEN_LDAP_PORT": {
+            "severity": "HIGH",
+            "description": "Firewall rules should not allow connections from all IP addresses on TCP ports 389, 636"
+            " or UDP port 389",
+        },
+        "OPEN_MEMCACHED_PORT": {
+            "severity": "HIGH",
+            "description": "Firewall rules should not allow connections from all IP addresses on TCP ports 11211, "
+            "11214-11215 or UDP ports 11211, 11214-11215",
+        },
+        "OPEN_MONGODB_PORT": {
+            "severity": "HIGH",
+            "description": "Firewall rules should not allow connections from all IP addresses on TCP ports 27017-27019",
+        },
+        "OPEN_MYSQL_PORT": {
+            "severity": "HIGH",
+            "description": "Firewall rules should not allow connections from all IP addresses on TCP port 3306",
+        },
+        "OPEN_NETBIOS_PORT": {
+            "severity": "HIGH",
+            "description": "Firewall rules should not allow connections from all IP addresses on TCP or UDP ports "
+            "137-139",
+        },
+        "OPEN_ORACLEDB_PORT": {
+            "severity": "HIGH",
+            "description": "Firewall rules should not allow connections from all IP addresses on TCP ports 1521, "
+            "2483-2484 or UDP ports 2483-2484",
+        },
+        "OPEN_POP3_PORT": {
+            "severity": "HIGH",
+            "description": "Firewall rules should not allow connections from all IP addresses on TCP port 110",
+        },
+        "OPEN_POSTGRESQL_PORT": {
+            "severity": "HIGH",
+            "description": "Firewall rules should not allow connections from all IP addresses on TCP or UDP port 5432",
+        },
+        "OPEN_RDP_PORT": {
+            "severity": "HIGH",
+            "description": "Firewall rules should not allow connections from all IP addresses on TCP or UDP port 3389",
+        },
+        "OPEN_REDIS_PORT": {
+            "severity": "HIGH",
+            "description": "Firewall rules should not allow connections from all IP addresses on TCP port 6379",
+        },
+        "OPEN_SMTP_PORT": {
+            "severity": "HIGH",
+            "description": "Firewall rules should not allow connections from all IP addresses on TCP port 25",
+        },
+        "OPEN_SSH_PORT": {
+            "severity": "HIGH",
+            "description": "Firewall rules should not allow connections from all IP addresses on TCP or SCTP port 22",
+        },
+        "OPEN_TELNET_PORT": {
+            "severity": "HIGH",
+            "description": "Firewall rules should not allow connections from all IP addresses on TCP port 23",
+        },
+        "SSL_NOT_ENFORCED": {
+            "severity": "HIGH",
+            "description": "Cloud SQL database instance should require all incoming connections to use SSL",
+        },
+        "WEAK_SSL_POLICY": {
+            "severity": "MEDIUM",
+            "description": "Weak or insecure SSL Policys should not be used",
+        },
+    },
+    "sc-12": {
+        "KMS_PROJECT_HAS_OWNER": {
+            "severity": "MEDIUM",
+            "description": 'Users should not have "Owner" permissions on a project that has cryptographic keys',
+        },
+        "KMS_KEY_NOT_ROTATED": {
+            "severity": "MEDIUM",
+            "description": "Encryption keys should be rotated within a period of 90 days",
+        },
+    },
+    "si-4": {
+        "FIREWALL_RULE_LOGGING_DISABLED": {
+            "severity": "MEDIUM",
+            "description": "Firewall rule logging should be enabled so you can audit network access",
+        },
+        "FLOW_LOGS_DISABLED": {
+            "severity": "LOW",
+            "description": "VPC Flow logs should be Enabled for every subnet in VPC Network",
+        },
+    },
+}

regscale/integrations/commercial/gcp/variables.py

@@ -0,0 +1,18 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+"""GCP Variables"""
+
+from regscale.core.app.utils.variables import RsVariableType, RsVariablesMeta
+
+
+class GcpVariables(metaclass=RsVariablesMeta):
+    """
+    GCP Variables class to define class-level attributes with type annotations and examples
+    """
+
+    # Define class-level attributes with type annotations and examples
+    gcpProjectId: RsVariableType(str, "000000000000")  # type: ignore
+    gcpOrganizationId: RsVariableType(str, "000000000000")  # type: ignore
+    gcpScanType: RsVariableType(str, "organization | project")  # type: ignore # noqa: F821
+    gcpCredentials: RsVariableType(str, "path/to/credentials.json")  # type: ignore # noqa: F821
+    # gcpOrganizationId: RsVariableTypeWithExample(str, "000000000000", required=False)