Security Command Center (SCC) is Google Cloud's native security and risk management platform. It provides continuous vulnerability assessment, threat detection, and compliance monitoring across your entire GCP environment. Understanding how to leverage its vulnerability scanning capabilities is essential for maintaining a strong security posture.
This guide covers configuring Security Health Analytics, Web Security Scanner, and Container Threat Detection for comprehensive vulnerability management. For foundational security practices, see our 30 Cloud Security Tips for 2026 guide.
Prerequisites
- Security Center Admin role for SCC configuration
- Organization-level access for full functionality
- SCC Premium tier for advanced features (recommended)
- gcloud CLI installed and configured
Enable Security Command Center API
```bash
# Enable the SCC API
gcloud services enable securitycenter.googleapis.com
# Enable Container Analysis for vulnerability scanning
gcloud services enable containeranalysis.googleapis.com
# Enable Web Security Scanner
gcloud services enable websecurityscanner.googleapis.com
```

Step 1: Configure Security Health Analytics
Security Health Analytics is the core vulnerability detection service in SCC:
Enable at Organization Level
- Navigate to [Security Command Center](https://console.cloud.google.com/security/command-center)
- Select your organization at the top
- Go to **Settings > Security Health Analytics**
- Click **Enable** if not already enabled
- Select the service tier (Standard or Premium)
Via gcloud CLI
```bash
# Enable Security Health Analytics for the organization
gcloud scc settings services enable \
  --organization=ORGANIZATION_ID \
  --service=SECURITY_HEALTH_ANALYTICS
# Check service status
gcloud scc settings services describe \
  --organization=ORGANIZATION_ID \
  --service=SECURITY_HEALTH_ANALYTICS
```

Customize Detection Modules
Enable or disable specific vulnerability detectors:
```bash
# List available modules
gcloud scc settings services modules list \
  --organization=ORGANIZATION_ID \
  --service=SECURITY_HEALTH_ANALYTICS
# Enable a specific module
gcloud scc settings services modules enable \
  --organization=ORGANIZATION_ID \
  --service=SECURITY_HEALTH_ANALYTICS \
  --module=PUBLIC_SQL_INSTANCE
# Disable a module (use carefully: disabled detectors produce no findings)
gcloud scc settings services modules disable \
  --organization=ORGANIZATION_ID \
  --service=SECURITY_HEALTH_ANALYTICS \
  --module=OPEN_CISCOSECURE_WEBSM_PORT
```

Step 2: View and Manage Vulnerability Findings
Via Console
- Go to **Security Command Center > Findings**
- Filter by:
  - Source: Security Health Analytics
  - State: Active
  - Severity: Critical, High, Medium, Low
- Click on a finding for details and remediation guidance
Via gcloud CLI
```bash
# List all active vulnerability findings
gcloud scc findings list ORGANIZATION_ID \
  --source="-" \
  --filter="state=\"ACTIVE\" AND category=\"VULNERABILITY\"" \
  --format="table(finding.category,finding.severity,finding.resourceName)"
# List critical and high severity findings
gcloud scc findings list ORGANIZATION_ID \
  --source="-" \
  --filter="state=\"ACTIVE\" AND (severity=\"CRITICAL\" OR severity=\"HIGH\")" \
  --format="table(finding.category,finding.severity,finding.resourceName,finding.createTime)"
# List findings for a specific project
gcloud scc findings list ORGANIZATION_ID \
  --source="-" \
  --filter="resource.projectDisplayName=\"my-project\" AND state=\"ACTIVE\"" \
  --limit=50
```

Common Security Health Analytics Findings
| Finding Category | Severity | Description |
|---|---|---|
| PUBLIC_SQL_INSTANCE | Critical | Cloud SQL instance exposed to internet |
| OPEN_FIREWALL | High | Firewall allows traffic from 0.0.0.0/0 |
| MFA_NOT_ENFORCED | High | MFA not required for user accounts |
| BUCKET_POLICY_ONLY_DISABLED | Medium | Bucket has ACLs instead of IAM only |
| COMPUTE_SECURE_BOOT_DISABLED | Medium | Shielded VM secure boot not enabled |
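Listing findings is only the first step; the best practice later on this page is to review them daily and track remediation. The following is an added example (not part of Security Command Center or this page's tooling) that reads the JSON produced by `gcloud scc findings list ORGANIZATION_ID --source=- --format=json`, keeps only ACTIVE findings, orders them by severity and age, and flags the ones that have exceeded a remediation deadline. The sample findings are constructed, and the per-severity SLA thresholds are assumptions to be replaced with your own policy.

```python
"""Age-based triage of Security Command Center findings.

Added example, not part of Security Command Center or this page's tooling.
Input is the JSON that `gcloud scc findings list ORGANIZATION_ID --source=- --format=json`
emits: a list of items that wrap each finding under a "finding" key (the same shape
the page's --format="table(finding.category, ...)" expressions rely on).
The sample below is constructed, and the SLA thresholds are assumptions.
"""
import json
import sys
from datetime import datetime, timezone

# Assumed remediation deadlines in days, per SCC severity; align with your own policy.
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180}
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}

# Constructed sample output; resource names follow the //service/... form SCC uses.
SAMPLE_FINDINGS_JSON = json.dumps([
    {"finding": {"category": "PUBLIC_SQL_INSTANCE", "severity": "CRITICAL", "state": "ACTIVE",
                 "resourceName": "//sqladmin.googleapis.com/projects/my-project/instances/db1",
                 "createTime": "2026-01-01T10:00:00Z"}},
    {"finding": {"category": "OPEN_FIREWALL", "severity": "HIGH", "state": "ACTIVE",
                 "resourceName": "//compute.googleapis.com/projects/my-project/global/firewalls/allow-all",
                 "createTime": "2026-01-20T08:30:00Z"}},
    {"finding": {"category": "COMPUTE_SECURE_BOOT_DISABLED", "severity": "MEDIUM", "state": "ACTIVE",
                 "resourceName": "//compute.googleapis.com/projects/my-project/zones/us-central1-a/instances/vm1",
                 "createTime": "2026-01-25T12:00:00Z"}},
    {"finding": {"category": "MFA_NOT_ENFORCED", "severity": "HIGH", "state": "INACTIVE",
                 "resourceName": "//cloudresourcemanager.googleapis.com/organizations/123456",
                 "createTime": "2025-11-01T00:00:00Z"}},
])

# Fixed "now" so the sample is reproducible; a real run uses datetime.now(timezone.utc).
SAMPLE_NOW = datetime(2026, 2, 1, tzinfo=timezone.utc)


def parse_rfc3339(value):
    """createTime is RFC 3339 with a trailing Z; older Pythons need +00:00 instead."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(findings_json, now):
    """Return ACTIVE findings sorted by severity, then oldest first, each
    annotated with its age in days and whether it has exceeded its SLA."""
    rows = []
    for item in json.loads(findings_json):
        f = item["finding"]
        if f.get("state") != "ACTIVE":
            continue  # resolved or muted findings do not need triage
        severity = f.get("severity", "LOW")
        age_days = (now - parse_rfc3339(f["createTime"])).days
        rows.append({
            "category": f["category"],
            "severity": severity,
            "resource": f["resourceName"],
            "age_days": age_days,
            "sla_breached": age_days > SLA_DAYS.get(severity, SLA_DAYS["LOW"]),
        })
    rows.sort(key=lambda r: (SEVERITY_RANK.get(r["severity"], len(SEVERITY_RANK)), -r["age_days"]))
    return rows


def sla_breaches(findings_json, now):
    """Subset of triage() that has passed its remediation deadline."""
    return [r for r in triage(findings_json, now) if r["sla_breached"]]


if __name__ == "__main__":
    # Pass a file saved from gcloud as argv[1]; otherwise the constructed sample is used.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FINDINGS_JSON
    now = datetime.now(timezone.utc) if len(sys.argv) > 1 else SAMPLE_NOW
    for r in triage(raw, now):
        flag = "SLA BREACH" if r["sla_breached"] else "ok"
        print(f'{r["severity"]:<8} {r["age_days"]:>4}d  {flag:<10} {r["category"]}  {r["resource"]}')
```

Run it as `gcloud scc findings list ORGANIZATION_ID --source=- --format=json > findings.json && python triage.py findings.json`. Inactive findings are dropped rather than counted, so a finding that SCC has already marked resolved never shows up as an SLA breach.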
Step 3: Configure Web Security Scanner
Web Security Scanner identifies vulnerabilities in web applications:
Create a Managed Scan
- Go to **Security Command Center > Web Security Scanner**
- Click **New Scan**
- Configure:
  - Starting URLs: https://your-app.example.com
  - Excluded URLs: Paths to skip (admin, logout)
  - Authentication: Google account or custom
  - Schedule: Daily, weekly, or manual
- Click **Create**
Via gcloud CLI
```bash
# Create a scan configuration
gcloud web-security-scanner scan-configs create \
  --display-name="Production App Scan" \
  --starting-urls="https://app.example.com" \
  --excluded-urls="https://app.example.com/logout,https://app.example.com/admin/*" \
  --max-qps=15 \
  --project=PROJECT_ID
# List scan configurations
gcloud web-security-scanner scan-configs list --project=PROJECT_ID
# Start a scan
gcloud web-security-scanner scan-runs start SCAN_CONFIG_ID --project=PROJECT_ID
# Get scan results
gcloud web-security-scanner scan-runs describe SCAN_RUN_ID \
  --scan-config=SCAN_CONFIG_ID \
  --project=PROJECT_ID
```

Vulnerability Types Detected
- XSS (Cross-Site Scripting) - Reflected and stored XSS vulnerabilities
- SQL Injection - Database injection flaws
- Mixed Content - HTTPS pages loading HTTP resources
- Outdated Libraries - Known vulnerable JavaScript libraries
- Clear Text Passwords - Passwords transmitted without encryption
- Insecure Headers - Missing security headers (CSP, HSTS)
Step 4: Enable Container Threat Detection
Container Threat Detection monitors GKE clusters for runtime threats (Premium tier required):
Enable for GKE Clusters
```bash
# Enable Container Threat Detection service
gcloud scc settings services enable \
  --organization=ORGANIZATION_ID \
  --service=CONTAINER_THREAT_DETECTION
# Verify it's enabled
gcloud scc settings services describe \
  --organization=ORGANIZATION_ID \
  --service=CONTAINER_THREAT_DETECTION
```

Enable on Existing GKE Cluster
```bash
# Enable Security Posture on cluster
gcloud container clusters update CLUSTER_NAME \
  --zone=ZONE \
  --security-posture=standard
# Enable workload vulnerability scanning
gcloud container clusters update CLUSTER_NAME \
  --zone=ZONE \
  --workload-vulnerability-scanning=standard
```

Container Threats Detected
- Malicious Script Execution - Suspicious scripts running in containers
- Reverse Shell - Outbound shell connections
- Added Binary Executed - New binaries dropped and executed
- Crypto Mining - Cryptocurrency mining activity
- Privilege Escalation - Container escape attempts
Step 5: Configure Artifact Registry Vulnerability Scanning
Scan container images for CVEs before deployment:
Enable Vulnerability Scanning
```bash
# Enable Container Analysis API
gcloud services enable containeranalysis.googleapis.com
gcloud services enable containerscanning.googleapis.com
# Scanning is automatic for images in Artifact Registry
# Push an image to trigger scanning
docker push us-central1-docker.pkg.dev/PROJECT_ID/REPO/IMAGE:TAG
```

View Image Vulnerabilities
```bash
# List vulnerabilities for an image
gcloud artifacts docker images list-vulnerabilities \
  us-central1-docker.pkg.dev/PROJECT_ID/REPO/IMAGE \
  --format="table(vulnerability.shortDescription,vulnerability.severity,vulnerability.packageIssue.affectedPackage)"
# Get scan results via API
gcloud artifacts docker images describe \
  us-central1-docker.pkg.dev/PROJECT_ID/REPO/IMAGE:TAG \
  --show-package-vulnerability
```

Block Vulnerable Images with Binary Authorization
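Binary Authorization enforces the decision at admission time; the decision itself is usually made earlier in CI, from the scan results. The following is an added example (not part of Artifact Registry, Binary Authorization or this page) of that CI gate: it reads the JSON from `gcloud artifacts docker images list-vulnerabilities IMAGE --format=json`, applies a policy, and exits non-zero so the pipeline stops before any attestation is signed. The sample occurrences are constructed and shaped after the fields the page's `--format` expression uses (`vulnerability.severity`, `vulnerability.packageIssue[].affectedPackage`) plus `effectiveSeverity` and `fixAvailable` from the Container Analysis occurrence; the CVE ids are placeholders, and the policy (block any CRITICAL, block HIGH only when a fix exists) is an assumption.

```python
"""CI gate over Artifact Registry scan results.

Added example, not part of Artifact Registry, Binary Authorization or this page.
Input is the JSON from `gcloud artifacts docker images list-vulnerabilities IMAGE --format=json`:
a list of Container Analysis occurrences. The sample is constructed, the CVE ids are
placeholders, and the policy (block any CRITICAL; block HIGH only when a fix exists)
is an assumption to adapt to your own risk appetite.
"""
import json
import sys

SAMPLE_SCAN_JSON = json.dumps([
    {"noteName": "projects/goog-vulnz/notes/CVE-0000-0001",  # placeholder id
     "vulnerability": {"severity": "CRITICAL", "shortDescription": "CVE-0000-0001",
                       "packageIssue": [{"affectedPackage": "libssl3", "fixAvailable": True,
                                         "fixedVersion": {"name": "3.0.0-fixed"}}]}},
    {"noteName": "projects/goog-vulnz/notes/CVE-0000-0002",
     "vulnerability": {"severity": "HIGH", "effectiveSeverity": "HIGH", "shortDescription": "CVE-0000-0002",
                       "packageIssue": [{"affectedPackage": "curl", "fixAvailable": False}]}},
    {"noteName": "projects/goog-vulnz/notes/CVE-0000-0003",
     # NVD says CRITICAL, but the distro maintainers rated it MEDIUM for their build
     "vulnerability": {"severity": "CRITICAL", "effectiveSeverity": "MEDIUM", "shortDescription": "CVE-0000-0003",
                       "packageIssue": [{"affectedPackage": "zlib1g", "fixAvailable": True,
                                         "fixedVersion": {"name": "1.2.13-fixed"}}]}},
    {"noteName": "projects/goog-vulnz/notes/CVE-0000-0004",
     "vulnerability": {"severity": "HIGH", "shortDescription": "CVE-0000-0004",
                       "packageIssue": [{"affectedPackage": "libxml2", "fixAvailable": True,
                                         "fixedVersion": {"name": "2.9.14-fixed"}}]}},
])


def effective_severity(occurrence):
    """Prefer the distro-assigned effectiveSeverity over the generic NVD severity."""
    vuln = occurrence["vulnerability"]
    return vuln.get("effectiveSeverity") or vuln.get("severity", "UNKNOWN")


def evaluate_scan(scan_json, block_fixable_high=True):
    """Return {"allowed": bool, "violations": [...]} for one image's occurrences."""
    violations = []
    for occ in json.loads(scan_json):
        severity = effective_severity(occ)
        cve = occ.get("noteName", "").rsplit("/", 1)[-1]
        for pkg in occ["vulnerability"].get("packageIssue", []):
            fixable = bool(pkg.get("fixAvailable"))
            blocked = severity == "CRITICAL" or (severity == "HIGH" and fixable and block_fixable_high)
            if blocked:
                violations.append({
                    "cve": cve,
                    "severity": severity,
                    "package": pkg.get("affectedPackage"),
                    "fixed_version": (pkg.get("fixedVersion") or {}).get("name"),
                })
    return {"allowed": not violations, "violations": violations}


if __name__ == "__main__":
    # Pass the saved gcloud JSON as argv[1]; otherwise the constructed sample is used.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SCAN_JSON
    result = evaluate_scan(raw)
    for v in result["violations"]:
        fix = f'fix: {v["fixed_version"]}' if v["fixed_version"] else "no fix yet"
        print(f'BLOCK {v["severity"]:<8} {v["cve"]:<16} {v["package"]:<12} {fix}')
    print("image allowed" if result["allowed"] else "image blocked")
    sys.exit(0 if result["allowed"] else 1)
```

Using `effectiveSeverity` when present matters: distributions frequently re-rate a CVE for their own build of a package, and gating on the raw NVD score alone produces blocks nobody can act on. Unfixable HIGH findings are reported but not blocked here, because there is nothing a rebuild can do about them; that is the kind of accepted risk the best practices below say to document.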
```bash
# Enable Binary Authorization API
gcloud services enable binaryauthorization.googleapis.com
# Create attestor for vulnerability checks
gcloud container binauthz attestors create vulnerability-attestor \
  --attestation-authority-note=vulnerability-note \
  --attestation-authority-note-project=PROJECT_ID
```

Step 6: Create Custom Findings and Notifications
Create Pub/Sub Notifications
```bash
# Create Pub/Sub topic for findings
gcloud pubsub topics create scc-findings
# Create notification config
gcloud scc notifications create security-alerts \
  --organization=ORGANIZATION_ID \
  --pubsub-topic=projects/PROJECT_ID/topics/scc-findings \
  --filter="state=\"ACTIVE\" AND severity=\"CRITICAL\""
```

Export Findings to SIEM
- Go to **Security Command Center > Settings > Continuous exports**
- Click **Create export**
- Configure:
  - Export name: siem-export
  - Destination: BigQuery or Pub/Sub
  - Filter: Select findings to export
- Click **Create**
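Whatever consumes the `security-alerts` topic should validate each finding before acting on it, because the notification filter above is the only thing standing between SCC and an automated change. The following is an added example (not part of Security Command Center or of this page's Step 7 Cloud Function) of that consumer: it unwraps the Pub/Sub push envelope, checks the finding is still ACTIVE, is in an allow-list of categories safe to auto-fix, and refers to a Cloud Storage bucket, and only then hands the bucket name to a remediation callable. The remediator is injected so the code runs offline; in production it would be the google-cloud-storage call from Step 7. The sample notification is constructed, and `PUBLIC_BUCKET_ACL` as the single automated category is an assumption for this example.

```python
"""Consumer for the `security-alerts` notification config.

Added example, not part of Security Command Center or this page's Cloud Function.
SCC publishes one JSON document per finding to the Pub/Sub topic; a push subscription
delivers it wrapped in the Pub/Sub envelope ({"message": {"data": <base64>}}).
The sample notification is constructed; the remediation step is injected so this runs
offline. PUBLIC_BUCKET_ACL as the only category to act on is an assumption.
"""
import base64
import json

ACTIONABLE_CATEGORIES = {"PUBLIC_BUCKET_ACL"}  # assumed: automate only what is safe to fix
STORAGE_PREFIX = "//storage.googleapis.com/"


def decode_push_envelope(body):
    """Unwrap a Pub/Sub push request body into the SCC notification dict."""
    payload = base64.b64decode(body["message"]["data"])
    return json.loads(payload)


def bucket_from_resource_name(resource_name):
    """//storage.googleapis.com/BUCKET -> BUCKET; None for any other resource type."""
    if not resource_name.startswith(STORAGE_PREFIX):
        return None
    rest = resource_name[len(STORAGE_PREFIX):]
    return rest.split("/", 1)[0] or None


def handle_notification(notification, remediate):
    """Decide whether the finding warrants automatic remediation and, if so, call
    remediate(bucket_name). Returns a small audit record in every case."""
    finding = notification.get("finding", {})
    name = finding.get("name")
    if finding.get("state") != "ACTIVE":
        return {"finding": name, "action": "ignored", "reason": "not active"}
    if finding.get("category") not in ACTIONABLE_CATEGORIES:
        return {"finding": name, "action": "ignored",
                "reason": f"category {finding.get('category')} not automated"}
    bucket = bucket_from_resource_name(finding.get("resourceName", ""))
    if bucket is None:
        return {"finding": name, "action": "ignored", "reason": "not a storage bucket"}
    remediate(bucket)
    return {"finding": name, "action": "remediated", "bucket": bucket}


class RecordingRemediator:
    """Offline stand-in that records which buckets would have been locked down."""

    def __init__(self):
        self.buckets = []

    def __call__(self, bucket_name):
        self.buckets.append(bucket_name)


def make_sample_envelope(category="PUBLIC_BUCKET_ACL", state="ACTIVE",
                         resource_name="//storage.googleapis.com/my-public-bucket"):
    """Constructed push body in the shape SCC plus a Pub/Sub push subscription deliver."""
    notification = {
        "notificationConfigName": "organizations/123456/notificationConfigs/security-alerts",
        "finding": {
            "name": "organizations/123456/sources/111/findings/abc123",
            "category": category, "state": state, "severity": "CRITICAL",
            "resourceName": resource_name,
        },
    }
    data = base64.b64encode(json.dumps(notification).encode()).decode()
    return {"message": {"data": data, "messageId": "1"},
            "subscription": "projects/PROJECT_ID/subscriptions/scc-push"}


def run_sample():
    """Process three constructed envelopes; returns (audit records, buckets touched)."""
    remediator = RecordingRemediator()
    bodies = [
        make_sample_envelope(),
        make_sample_envelope(state="INACTIVE"),
        make_sample_envelope(category="PUBLIC_SQL_INSTANCE",
                             resource_name="//sqladmin.googleapis.com/projects/p/instances/db1"),
    ]
    records = [handle_notification(decode_push_envelope(b), remediator) for b in bodies]
    return records, remediator.buckets


if __name__ == "__main__":
    records, buckets = run_sample()
    for r in records:
        print(r)
    print("would remediate:", buckets)
```

The category allow-list is the important control: the `security-alerts` filter admits every CRITICAL finding, and most of them (an exposed Cloud SQL instance, say) have no remediation that is safe to apply without a human, so the consumer must refuse anything it was not written for rather than guess.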
Step 7: Automate Remediation
Create automated responses to vulnerability findings:
```python
# Example Cloud Function to remediate public buckets
import functions_framework
from google.cloud import storage


@functions_framework.http
def remediate_public_bucket(request):
    data = request.get_json()
    # SCC findings identify the resource in finding.resourceName, e.g.
    # //storage.googleapis.com/my-bucket, so the bucket is the last path segment
    bucket_name = data['finding']['resourceName'].split('/')[-1]
    client = storage.Client()
    bucket = client.bucket(bucket_name)
    # Remove public access by enforcing public access prevention on the bucket
    bucket.iam_configuration.public_access_prevention = 'enforced'
    bucket.patch()
    return f'Remediated public access for bucket: {bucket_name}'
```

Best Practices for Vulnerability Scanning
- Enable Premium tier - Required for comprehensive threat detection and compliance
- Configure all detection modules - Enable relevant detectors for your environment
- Set up notifications - Alert on critical and high severity findings immediately
- Integrate with ticketing - Export to Jira/ServiceNow for tracking remediation
- Scan containers before deployment - Block images with critical CVEs
- Schedule regular web scans - Weekly scans for production applications
- Review findings daily - Triage new vulnerabilities promptly
- Document exceptions - Track accepted risks with justification
Related Resources
- 30 Cloud Security Tips for 2026 - Comprehensive cloud security guide
- How to Set Up Security Command Center - Initial SCC configuration
- How to Enable Cloud Audit Logs in GCP - Logging for security monitoring
- Security Command Center Documentation
- Security Health Analytics Findings
Need help implementing comprehensive vulnerability management? Contact InventiveHQ for expert guidance on cloud security and threat detection.