…est checks
GCP was absent from the Monitoring & Alerting and Encryption at Rest evidence
tasks while AWS and Azure appeared, because an integration only shows on a task
when one of its checks declares a matching taskMapping — and GCP shipped no
checks for those templates (it covered only 4 of the templates AWS/Azure cover).
Add three GCP checks, reusing the existing GCP check runtime
(resolveGcpProjectIds, gcpListItems, ctx.fetch, isGcpApiDisabled):
- gcp-cloud-monitoring-alerting (→ monitoringAlerting): two prongs per project,
mirroring the Azure Monitor check — an enabled alert policy wired to a
notification channel, and a configured log-export sink beyond the managed
_Default/_Required sinks. An unreadable prong fails "could not verify" rather
than silently passing.
- gcp-storage-encryption / gcp-cloud-sql-encryption (→ encryptionAtRest): GCP
always encrypts at rest (Google-managed AES-256, non-disableable), so these
pass each resource and record the key type (Google-managed vs CMEK), matching
the intent of the AWS default-encryption checks. Only read failures emit a
finding.
Both run identically on the manual run-check path and the scheduled orchestrator:
GCP is a static manifest (getManifest resolves it with these checks),
shouldRunOnServer('gcp') is false so it runs in-process in the Trigger.dev
runtime, and it calls public *.googleapis.com — so it is unaffected by the AWS
VPC / dynamic-integration scheduler constraints.
GCP coverage: 4 → 6 task templates (5 → 8 checks). Adds 20 tests.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…on-checks feat(integrations): add GCP Monitoring & Alerting and Encryption at Rest checks
1 Skipped Deployment
1 issue found across 6 files
Confidence score: 3/5
- In packages/integration-platform/src/manifests/gcp/checks/cloud-monitoring-alerting.ts, the log-export pass condition appears overly broad, so a non-default enabled sink can incorrectly satisfy the check even without a durable export target; merging as-is risks false positives that misreport monitoring/alerting compliance to users — tighten the predicate to require a durable export destination before marking the control as passed.
…rong
Addresses review feedback: the Monitoring & Alerting log-export prong counted any enabled, non-default-named sink as durable export. A custom-named sink can still target the project's `_Default` log bucket, which is not durable export — a false positive. Now key off the sink DESTINATION (BigQuery / Cloud Storage / Pub/Sub, or a non-default Cloud Logging bucket), matching the Azure Monitor check's "export to a real destination" bar.
Adds 2 tests (custom-named sink to the _Default bucket fails; sink to a dedicated log bucket passes).
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
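The destination-based predicate the two commit messages above describe, written out as an added example. This is not the project's code (the real check lives in cloud-monitoring-alerting.ts on the gcpListItems/ctx.fetch runtime); it works on plain objects shaped like the Cloud Logging `projects.sinks.list` and Cloud Monitoring `projects.alertPolicies.list` REST responses, and the type names, the `prong` helper, the result shape and the sample project `demo-proj` are all assumptions made for the illustration.

```typescript
// Added example, not the project's own check. Shapes follow the LogSink and
// AlertPolicy REST resources; everything else here is hypothetical.

export interface LogSink {
  name: string;
  destination: string;
  disabled?: boolean;
}

export interface AlertPolicy {
  name: string;
  enabled?: boolean;
  notificationChannels?: string[];
}

export type ProngStatus = "pass" | "fail" | "could_not_verify";
export interface ProngResult {
  status: ProngStatus;
  detail: string;
}

// Destination prefixes that route logs out of Cloud Logging entirely.
const EXPORT_PREFIXES = [
  "bigquery.googleapis.com/",
  "storage.googleapis.com/",
  "pubsub.googleapis.com/",
];

// Cloud Logging bucket destinations:
//   logging.googleapis.com/projects/<p>/locations/<loc>/buckets/<bucketId>
const LOG_BUCKET_RE =
  /^logging\.googleapis\.com\/projects\/[^/]+\/locations\/[^/]+\/buckets\/([^/]+)$/;

// The two Google-managed buckets every project has. Logs landing there are
// not an export, whatever the sink that routes them happens to be named.
const MANAGED_BUCKETS = new Set(["_Default", "_Required"]);

// Decide on the DESTINATION, never on the sink name.
export function isDurableExport(destination: string): boolean {
  if (EXPORT_PREFIXES.some((p) => destination.startsWith(p))) return true;
  const bucketId = LOG_BUCKET_RE.exec(destination)?.[1];
  return bucketId !== undefined && !MANAGED_BUCKETS.has(bucketId);
}

export function hasDurableLogExport(sinks: LogSink[]): boolean {
  return sinks.some((s) => !s.disabled && isDurableExport(s.destination));
}

export function hasWiredAlertPolicy(policies: AlertPolicy[]): boolean {
  return policies.some(
    (p) => p.enabled === true && (p.notificationChannels?.length ?? 0) > 0,
  );
}

// A prong whose list call fails reports "could not verify"; it never passes.
function prong<T>(read: () => T[], ok: (items: T[]) => boolean, what: string): ProngResult {
  let items: T[];
  try {
    items = read();
  } catch (e) {
    const msg = e instanceof Error ? e.message : String(e);
    return { status: "could_not_verify", detail: `could not verify ${what}: ${msg}` };
  }
  return ok(items)
    ? { status: "pass", detail: `found ${what}` }
    : { status: "fail", detail: `no ${what}` };
}

// Both prongs for one project; the list functions stand in for the API reads.
export function evaluateProject(
  listSinks: () => LogSink[],
  listPolicies: () => AlertPolicy[],
): { alerting: ProngResult; logExport: ProngResult } {
  return {
    alerting: prong(listPolicies, hasWiredAlertPolicy, "enabled alert policy with a notification channel"),
    logExport: prong(listSinks, hasDurableLogExport, "sink exporting to a durable destination"),
  };
}

// Constructed sample data for a hypothetical project "demo-proj".
export const SAMPLE_SINKS: LogSink[] = [
  { name: "_Default", destination: "logging.googleapis.com/projects/demo-proj/locations/global/buckets/_Default" },
  { name: "_Required", destination: "logging.googleapis.com/projects/demo-proj/locations/global/buckets/_Required" },
  // Custom name, but it still lands in _Default: the false positive the review caught.
  { name: "audit-export", destination: "logging.googleapis.com/projects/demo-proj/locations/global/buckets/_Default" },
];

export const SAMPLE_POLICIES: AlertPolicy[] = [
  {
    name: "projects/demo-proj/alertPolicies/1",
    enabled: true,
    notificationChannels: ["projects/demo-proj/notificationChannels/42"],
  },
];

// Alerting prong passes, log-export prong fails for the sample project.
export const SAMPLE_RESULT = evaluateProject(() => SAMPLE_SINKS, () => SAMPLE_POLICIES);
```

Swapping the third sample sink's destination for `logging.googleapis.com/projects/demo-proj/locations/us-central1/buckets/audit-retained` (a dedicated log bucket), or for any BigQuery/Cloud Storage/Pub/Sub destination, flips the log-export prong to pass; a thrown list error flips it to could_not_verify rather than pass.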
…on-checks [dev] [tofikwest] tofik/gcp-monitoring-encryption-checks
🎉 This PR is included in version 3.85.0 🎉
The release is available on GitHub release
Your semantic-release bot 📦🚀
Summary by cubic
Add GCP Monitoring & Alerting and Encryption at Rest checks so GCP now appears on those tasks and records clear evidence across projects, buckets, and Cloud SQL instances.
- gcp-cloud-monitoring-alerting (→ monitoringAlerting): passes when a project has an enabled alert policy with a notification channel and a sink exporting to a durable destination (BigQuery, Cloud Storage, Pub/Sub, or a non-default Cloud Logging bucket); the default _Default/_Required sinks and custom sinks targeting _Default don't count; skips if APIs are disabled; read errors produce "could not verify" findings.
- gcp-storage-encryption and gcp-cloud-sql-encryption (→ encryptionAtRest): always encrypted by default; record key type (Google-managed vs CMEK) per bucket/instance; only read errors create findings; skip when APIs are disabled.
Written for commit a26a527. Summary will update on new commits.