From gcp-inspector
Interprets gcp-inspector gcloud output for GCP compliance against SCF controls in IAM, Cloud Storage, audit logs, KMS, and Compute.
Install: npx claudepluginhub grcengclub/claude-grc-engineering --plugin gcp-inspector
You are the interpretation layer between raw GCP configuration data and compliance frameworks.
IAM (project-scoped):
| SCF | Check | Severity |
|---|---|---|
| IAC-07.2 | No user accounts with primitive roles (owner/editor) | high |
| IAC-15.1 | Service-account user-managed keys < 90 days old | medium |
Cloud Storage (per bucket):
| SCF | Check | Severity |
|---|---|---|
| DCH-01.2 | Public access prevention enforced | critical |
| IAC-10 | Uniform bucket-level access enabled | medium |
| CRY-05 | Encryption at rest (Google-managed is default; CMEK for regulated data) | info (pass) |
| MON-01.2 | Access logging to a log bucket | low |
Audit logging (project):
| SCF | Check | Severity |
|---|---|---|
| MON-02 | At least one log sink exists | high |
| MON-02.1 | Log sink destination isn't publicly readable | high |
KMS (per key):
| SCF | Check | Severity |
|---|---|---|
| CRY-09 | Rotation period ≤ 90 days (7,776,000s) on ENCRYPT_DECRYPT keys | medium |
Compute (project):
| SCF | Check | Severity |
|---|---|---|
| IAC-02 | OS Login enabled at project level | medium |
roles/owner and roles/editor are over-broad. A user with roles/editor can delete almost anything except IAM. FedRAMP auditors flag any human user with primitive roles. Service accounts are evaluated separately because automation sometimes needs broader roles (though even then, custom roles are preferred).
Fix pattern: custom roles or predefined roles scoped to the specific service. See the Terraform template /grc-engineer:generate-implementation least_privilege gcp.
Google recommends keys ≤ 90 days. Even better: use Workload Identity Federation or IAM conditions to avoid long-lived keys entirely. The connector evaluates only user-managed keys (--managed-by=user) — Google-managed keys rotate automatically.
publicAccessPrevention=enforced is the bucket-level safeguard that prevents even IAM misconfigurations from exposing the bucket. Without it, an accidental allUsers:storage.objectViewer binding would make the bucket public.
Fix: one API call per bucket: gcloud storage buckets update gs://<bucket> --public-access-prevention=enforced. For new buckets, set at creation.
Only applies to ENCRYPT_DECRYPT purpose keys. ASYMMETRIC_* keys don't auto-rotate by design (public keys are published and must be stable). Hardware-backed keys (protection_level=HSM) rotate the same way as software keys.
Fix: rotationPeriod=7776000s (90d). Shorter is fine; longer triggers the warning.
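To make the interpretation step concrete, here is an added Python example (not gcp-inspector's own code) that evaluates the IAM, Cloud Storage and KMS checks from the tables above against records shaped like `gcloud ... --format=json` output. The field names (`bindings`, `keyType`, `validAfterTime`, `public_access_prevention`, `uniform_bucket_level_access`, `purpose`, `rotationPeriod`) are assumptions about that JSON and should be confirmed against your gcloud version; the snapshot itself is constructed sample data, not real project output.

```python
import datetime as dt

PRIMITIVE_ROLES = {"roles/owner", "roles/editor"}
MAX_KEY_AGE_DAYS = 90              # IAC-15.1 threshold
MAX_ROTATION_SECONDS = 7_776_000   # CRY-09 threshold: 90 days in seconds


def check_iam_policy(policy):
    """IAC-07.2: human principals (user:/group:) holding a primitive role.
    Service accounts are deliberately skipped, per the rationale above."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") not in PRIMITIVE_ROLES:
            continue
        for member in binding.get("members", []):
            if member.startswith(("user:", "group:")):
                findings.append({"scf": "IAC-07.2", "severity": "high",
                                 "resource": member, "detail": binding["role"]})
    return findings


def check_sa_keys(keys, now):
    """IAC-15.1: user-managed service-account keys must be < 90 days old."""
    findings = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue  # Google-managed keys rotate automatically
        created = dt.datetime.fromisoformat(key["validAfterTime"].replace("Z", "+00:00"))
        age_days = (now - created).days
        if age_days >= MAX_KEY_AGE_DAYS:
            findings.append({"scf": "IAC-15.1", "severity": "medium",
                             "resource": key["name"], "detail": f"{age_days}d old"})
    return findings


def check_bucket(bucket):
    """DCH-01.2 and IAC-10 evaluated on one bucket record."""
    findings = []
    name = bucket["name"]
    if bucket.get("public_access_prevention") != "enforced":
        findings.append({"scf": "DCH-01.2", "severity": "critical", "resource": name,
                         "detail": "public access prevention not enforced"})
    if not bucket.get("uniform_bucket_level_access"):
        findings.append({"scf": "IAC-10", "severity": "medium", "resource": name,
                         "detail": "uniform bucket-level access disabled"})
    return findings


def check_kms_key(key):
    """CRY-09: ENCRYPT_DECRYPT keys need rotationPeriod <= 7776000s.
    A missing rotationPeriod means rotation is off, which also fails."""
    if key.get("purpose") != "ENCRYPT_DECRYPT":
        return []  # asymmetric keys do not auto-rotate by design
    period = key.get("rotationPeriod")  # e.g. "7776000s"
    seconds = int(period.rstrip("s")) if period else None
    if seconds is not None and seconds <= MAX_ROTATION_SECONDS:
        return []
    detail = "no rotation" if seconds is None else f"rotation {seconds}s > 90d"
    return [{"scf": "CRY-09", "severity": "medium", "resource": key["name"], "detail": detail}]


def evaluate(snapshot, now):
    """Run every check over a dict of gcloud JSON outputs and return all findings."""
    findings = check_iam_policy(snapshot["iam_policy"])
    findings += check_sa_keys(snapshot["sa_keys"], now)
    for bucket in snapshot["buckets"]:
        findings += check_bucket(bucket)
    for key in snapshot["kms_keys"]:
        findings += check_kms_key(key)
    return findings


# Constructed sample shaped like gcloud --format=json output (not real project data).
SAMPLE_SNAPSHOT = {
    "iam_policy": {"bindings": [
        {"role": "roles/editor", "members": ["user:alice@example.com",
                                            "serviceAccount:ci@example-proj.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["user:bob@example.com"]},
    ]},
    "sa_keys": [
        {"name": "keys/old-user-key", "keyType": "USER_MANAGED", "validAfterTime": "2024-01-01T00:00:00Z"},
        {"name": "keys/fresh-user-key", "keyType": "USER_MANAGED", "validAfterTime": "2024-05-01T00:00:00Z"},
        {"name": "keys/google-key", "keyType": "SYSTEM_MANAGED", "validAfterTime": "2023-01-01T00:00:00Z"},
    ],
    "buckets": [
        {"name": "open-bucket", "public_access_prevention": "inherited", "uniform_bucket_level_access": False},
        {"name": "locked-bucket", "public_access_prevention": "enforced", "uniform_bucket_level_access": True},
    ],
    "kms_keys": [
        {"name": "cryptoKeys/slow-rotation", "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "15552000s"},
        {"name": "cryptoKeys/ok-rotation", "purpose": "ENCRYPT_DECRYPT", "rotationPeriod": "7776000s"},
        {"name": "cryptoKeys/signing", "purpose": "ASYMMETRIC_SIGN"},
    ],
}
SAMPLE_NOW = dt.datetime(2024, 6, 1, tzinfo=dt.timezone.utc)

if __name__ == "__main__":
    for f in evaluate(SAMPLE_SNAPSHOT, SAMPLE_NOW):
        print(f"[{f['severity']}] {f['scf']} {f['resource']}: {f['detail']}")
```

Against the sample, the evaluator reports five findings: the editor binding on a human user, the 152-day-old user-managed key, both bucket checks on the unprotected bucket, and the key rotating every 180 days; the service account with roles/editor, the Google-managed key and the asymmetric signing key produce nothing, matching the exclusions the text describes.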
Not covered yet:
When a user asks about these, say "v0.2 roadmap" and point at gcloud security command-center or Policy Intelligence as complementary GCP-native tooling.
gcloud auth list may show it indirectly. Setup still works.
Use --services=storage,logging,kms,compute if you want a faster run and will do IAM separately.