Overview
Toranj integrates seamlessly with Google Cloud Platform services including Cloud Build, Container Registry, Cloud Run, and Google Kubernetes Engine to provide continuous security scanning throughout your cloud-native development workflow.
Cloud Build Integration
Native CI/CD pipeline integration
Container Security
Image scanning and vulnerability detection
IAM & Security
Secure credential management with Secret Manager
Prerequisites
Requirements for setting up GCP integration with Toranj
GCP Project
Active Google Cloud Platform project with billing enabled
Toranj API Key
Valid API key from your Toranj dashboard
Cloud Build API
Cloud Build API enabled in your GCP project
Source Repository
GitHub, Cloud Source Repositories, or Bitbucket
Required GCP APIs
Enable necessary APIs in your GCP project
Ensure you have the necessary permissions to enable APIs and create resources.
Enable required APIs
gcloud services enable cloudbuild.googleapis.com
gcloud services enable containerregistry.googleapis.com
gcloud services enable run.googleapis.com
gcloud services enable secretmanager.googleapis.com
gcloud services enable storage.googleapis.com
Core APIs
Cloud Build API: Required
Container Registry API: Required
Secret Manager API: Required
Optional APIs
Cloud Run API: Deployment
GKE API: Kubernetes
Cloud Storage API: Artifacts
IAM Permissions Setup
Configure service account permissions for Cloud Build
Grant Cloud Build permissions
# Get your project number
PROJECT_NUMBER=$(gcloud projects list --filter="PROJECT_ID:YOUR_PROJECT_ID" --format="value(PROJECT_NUMBER)")
# Grant necessary roles to Cloud Build service account
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
--member="serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com" \
--role="roles/secretmanager.secretAccessor"
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
--member="serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com" \
--role="roles/storage.objectAdmin"
gcloud projects add-iam-policy-binding YOUR_PROJECT_ID \
--member="serviceAccount:${PROJECT_NUMBER}@cloudbuild.gserviceaccount.com" \
--role="roles/run.developer"
Required Roles
• Cloud Build Service Account
• Secret Manager Secret Accessor
• Storage Object Admin
• Cloud Run Developer
Security Best Practices
• Apply the principle of least privilege
• Store API keys in Secret Manager
• Enable audit logging
• Review permissions regularly
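The following shell script is an added example, not Toranj's own tooling, showing how the least-privilege and permission-review points above can be applied to the Cloud Build setup on this page. It assumes the legacy default Cloud Build service account named above (PROJECT_NUMBER@cloudbuild.gserviceaccount.com); the project id, project number and the secret name "toranj-api-key" are placeholders. Instead of granting Secret Manager Secret Accessor on the whole project, it binds the role on the one secret that holds the Toranj API key, and it includes an offline check that flags any role the Cloud Build service account holds beyond the three this page asks for. Set GCLOUD=echo to print the gcloud commands instead of running them.

```shell
#!/bin/sh
# Added example (not Toranj's code): least-privilege wiring for the Cloud Build
# service account plus a permission review that can run offline on exported
# policy lines. Assumes the legacy default Cloud Build service account; all
# project ids, numbers and secret names below are placeholders.
# GCLOUD=echo prints the commands instead of executing them.

GCLOUD="${GCLOUD:-gcloud}"

# IAM member string for the default Cloud Build service account of a project.
cloud_build_sa() {
    printf 'serviceAccount:%s@cloudbuild.gserviceaccount.com\n' "$1"
}

# Bind secretAccessor on ONE secret instead of project-wide: the build can read
# the Toranj API key and nothing else stored in Secret Manager.
grant_secret_access() {
    project_id="$1"; project_number="$2"; secret_name="$3"
    "$GCLOUD" secrets add-iam-policy-binding "$secret_name" \
        --project="$project_id" \
        --member="$(cloud_build_sa "$project_number")" \
        --role="roles/secretmanager.secretAccessor"
}

# The only project-level roles this page expects the Cloud Build SA to hold.
ALLOWED_ROLES="roles/secretmanager.secretAccessor roles/storage.objectAdmin roles/run.developer"

# Read "role,member" lines from stdin (the shape produced by
#   gcloud projects get-iam-policy PROJECT_ID --flatten="bindings[].members" \
#       --format="csv[no-heading](bindings.role,bindings.members)")
# and print every role held by MEMBER that is not in ALLOWED_ROLES.
# Exits 1 when something was flagged, so it can gate a scheduled review job.
review_bindings() {
    member="$1"
    awk -F, -v member="$member" -v allowed="$ALLOWED_ROLES" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $2 == member && !($1 in ok) { print $1; flagged = 1 }
        END { exit flagged ? 1 : 0 }
    '
}

# Live review: export the project policy and check the Cloud Build SA.
# Usage: review_project PROJECT_ID PROJECT_NUMBER
review_project() {
    "$GCLOUD" projects get-iam-policy "$1" --flatten="bindings[].members" \
        --format="csv[no-heading](bindings.role,bindings.members)" \
        | review_bindings "$(cloud_build_sa "$2")"
}
```

review_bindings deliberately takes its input on stdin so the same check runs against a saved policy export in CI; a binding such as roles/owner or roles/editor on the build service account is what it is meant to surface, since either would let a compromised build step reach far beyond the scanner's needs.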