From b4be9f959024ab8217cf94b09cc01f9fd1473103 Mon Sep 17 00:00:00 2001
From: Luc Charpentier
Date: Wed, 27 Aug 2025 09:47:51 +0200
Subject: [PATCH 1/5] feat(gcloud-service-account-keys-rotation): add detection for non-rotating service account keys
---
 .../gcloud-service-account-keys-rotation.yaml | 78 +++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 cloud/gcp/iam/gcloud-service-account-keys-rotation.yaml
diff --git a/cloud/gcp/iam/gcloud-service-account-keys-rotation.yaml b/cloud/gcp/iam/gcloud-service-account-keys-rotation.yaml
new file mode 100644
index 00000000000..4806f84273a
--- /dev/null
+++ b/cloud/gcp/iam/gcloud-service-account-keys-rotation.yaml
@@ -0,0 +1,78 @@
+id: gcloud-service-account-keys-rotation
+
+info:
+ name: Service Account Keys without rotation Found
+ author: kelu27
+ severity: critical
+ description: |
+ EDetects Google Cloud Platform (GCP) service account keys that have no rotation enabled.
+ Keys with an expiration date of 9999-12-31T23:59:59 are considered non-rotating and pose
+ security risks if compromised.
+ impact: |
+ Service account keys without rotation can remain valid indefinitely, making them vulnerable
+ to compromise or misuse if leaked, stolen, or improperly secured.
+ remediation: |
+ Implement a key rotation policy for user-managed service account keys. Regularly rotate keys
+ and delete old ones. Consider using Workload Identity Federation to eliminate the need for
+ long-lived keys entirely.
+ reference:
+ - https://cloud.google.com/iam/docs/understanding-service-accounts
+ - https://cloud.google.com/iam/docs/best-practices-for-securing-service-accounts
+ - https://cloud.google.com/iam/docs/key-rotation
+ tags: cloud,devops,gcp,gcloud,google-cloud-iam,gcp-cloud-config,security,rotation
+
+flow: |
+ code(1)
+ for(let projectId of iterate(template.projectIds)){
+ set("projectId", projectId)
+ code(2)
+ for(let email of iterate(template.emails)){
+ set("email", email)
+ code(3)
+ }
+ }
+
+self-contained: true
+
+code:
+ - engine:
+ - sh
+ - bash
+ source: |
+ gcloud projects list --format="json(projectId)"
+
+ extractors:
+ - type: json
+ name: projectIds
+ internal: true
+ json:
+ - ".[].projectId"
+
+ - engine:
+ - sh
+ - bash
+ source: |
+ gcloud iam service-accounts list --project $projectId --format="json(email)"
+
+ extractors:
+ - type: json
+ name: emails
+ internal: true
+ json:
+ - ".[].email"
+
+ - engine:
+ - sh
+ - bash
+ source: |
+ gcloud iam service-accounts keys list --iam-account=$email --managed-by=user --format="json"
+
+ matchers:
+ - type: word
+ words:
+ - "9999-12-31T23:59:59"
+
+ extractors:
+ - type: dsl
+ dsl:
+ - '"Service Account Keys without 
Rotation Found in Service Account " + email + " in project " + projectId'
From 07c4661071f9cab8f96d9c3325cf0d3a84823e23 Mon Sep 17 00:00:00 2001
From: Luc Charpentier
Date: Wed, 27 Aug 2025 09:53:33 +0200
Subject: [PATCH 2/5] Don't need to filter by user-manged service account
---
 cloud/gcp/iam/gcloud-service-account-keys-rotation.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cloud/gcp/iam/gcloud-service-account-keys-rotation.yaml b/cloud/gcp/iam/gcloud-service-account-keys-rotation.yaml
index 4806f84273a..03216c38400 100644
--- a/cloud/gcp/iam/gcloud-service-account-keys-rotation.yaml
+++ b/cloud/gcp/iam/gcloud-service-account-keys-rotation.yaml
@@ -65,7 +65,7 @@ code:
 - sh
 - bash
 source: |
- gcloud iam service-accounts keys list --iam-account=$email --managed-by=user --format="json"
+ gcloud iam service-accounts keys list --iam-account=$email --format="json"

 matchers:
 - type: word
From 3e2c2cc1abbfac6fbdc8763cb04a65385b0c2bad Mon Sep 17 00:00:00 2001
From: Luc Charpentier
Date: Wed, 27 Aug 2025 09:59:32 +0200
Subject: [PATCH 3/5] Update gcloud-service-account-keys-rotation.yaml
---
 cloud/gcp/iam/gcloud-service-account-keys-rotation.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cloud/gcp/iam/gcloud-service-account-keys-rotation.yaml b/cloud/gcp/iam/gcloud-service-account-keys-rotation.yaml
index 03216c38400..33e12d32c50 100644
--- a/cloud/gcp/iam/gcloud-service-account-keys-rotation.yaml
+++ b/cloud/gcp/iam/gcloud-service-account-keys-rotation.yaml
@@ -5,7 +5,7 @@ info:
 author: kelu27
 severity: critical
 description: |
- EDetects Google Cloud Platform (GCP) service account keys that have no rotation enabled.
+ Detects Google Cloud Platform (GCP) service account keys that have no rotation enabled.
 Keys with an expiration date of 9999-12-31T23:59:59 are considered non-rotating and pose
 security risks if compromised.
 impact: |
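Review bot: The word matcher in code(3) flags a key's missing expiry (a `validBeforeTime` of `9999-12-31T23:59:59Z`) rather than whether the key is rotated, so a non-expiring key created yesterday is reported while a key with a finite but distant expiry that has not been rotated in years is not; the description, impact and the later name change in patch 5 all say "rotation", which will mislead responders. I would reword the description to `Detects GCP user-managed service account keys that never expire (validBeforeTime 9999-12-31T23:59:59Z); such keys stay valid until deleted, which usually means no rotation is in place.` and, if key age is the intended signal, compare `validAfterTime` against an age threshold instead. The matcher runs once over the whole JSON array, so the finding is per service account, and the DSL extractor names neither the affected key nor how many of the account's keys match; extracting the `name` of the matching entries (a json extractor with a `select` filter, if the engine supports one) would make the result actionable. `$projectId` in code(2) and `$email` in code(3) are unquoted shell expansions; the values come from gcloud output so injection is unlikely, but `--iam-account="$email"` costs nothing. This hunk is the entire new file.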
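Review bot: With `--managed-by=user` dropped from the `keys list` command, Google-managed keys are now part of the JSON the word matcher scans, so correctness rests on the assumption that only user-managed keys ever carry the `9999-12-31T23:59:59` expiry; I believe that holds, since system-managed keys are rotated by Google and carry a near-term `validBeforeTime`, but the assumption is not recorded anywhere. A one-line shell comment above the command, `# system-managed keys are rotated by Google and never carry the 9999-12-31 expiry; only user-managed keys can match`, would document it. The remediation text still speaks only of user-managed keys, which is consistent with that assumption and can stay as is.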
@@ -75,4 +75,4 @@ code:
 extractors:
 - type: dsl
 dsl:
- - '"Service Account Keys without Rotation Found in Service Account " + email + " in project " + projectId'
+ - '"Service Account Key without Rotation Found in Service Account " + email + " in project " + projectId'
From 196f27e35684548138934248d0c5f373dd3c2765 Mon Sep 17 00:00:00 2001
From: Luc Charpentier
Date: Wed, 27 Aug 2025 10:40:51 +0200
Subject: [PATCH 4/5] Fix trailing-spaces
---
 .../iam/gcloud-service-account-keys-rotation.yaml | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/cloud/gcp/iam/gcloud-service-account-keys-rotation.yaml b/cloud/gcp/iam/gcloud-service-account-keys-rotation.yaml
index 33e12d32c50..765c31144c1 100644
--- a/cloud/gcp/iam/gcloud-service-account-keys-rotation.yaml
+++ b/cloud/gcp/iam/gcloud-service-account-keys-rotation.yaml
@@ -5,16 +5,12 @@ info:
 author: kelu27
 severity: critical
 description: |
- Detects Google Cloud Platform (GCP) service account keys that have no rotation enabled.
- Keys with an expiration date of 9999-12-31T23:59:59 are considered non-rotating and pose
- security risks if compromised.
+ Detects Google Cloud Platform (GCP) service account keys that have no rotation enabled.
+ Keys with an expiration date of 9999-12-31T23:59:59 are considered non-rotating and pose security risks if compromised.
 impact: |
- Service account keys without rotation can remain valid indefinitely, making them vulnerable
- to compromise or misuse if leaked, stolen, or improperly secured.
+ Service account keys without rotation can remain valid indefinitely, making them vulnerable to compromise or misuse if leaked, stolen, or improperly secured.
 remediation: |
- Implement a key rotation policy for user-managed service account keys. Regularly rotate keys
- and delete old ones. Consider using Workload Identity Federation to eliminate the need for
- long-lived keys entirely.
+ Implement a key rotation policy for user-managed service account keys. Regularly rotate keys and delete old ones. Consider using Workload Identity Federation to eliminate the need for long-lived keys entirely.
 reference:
 - https://cloud.google.com/iam/docs/understanding-service-accounts
 - https://cloud.google.com/iam/docs/best-practices-for-securing-service-accounts
From 99203cd59445b365bdc170cb72d93457eac33fc4 Mon Sep 17 00:00:00 2001
From: Prince Chaddha
Date: Sat, 3 Jan 2026 09:58:07 +0530
Subject: [PATCH 5/5] Update template info block and tags
- Update name to follow standard format
- Adjust severity from critical to high
- Add iam tag
- Add metadata with max-request field
---
 cloud/gcp/iam/gcloud-service-account-keys-rotation.yaml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/cloud/gcp/iam/gcloud-service-account-keys-rotation.yaml b/cloud/gcp/iam/gcloud-service-account-keys-rotation.yaml
index 765c31144c1..d282b3ea3aa 100644
--- a/cloud/gcp/iam/gcloud-service-account-keys-rotation.yaml
+++ b/cloud/gcp/iam/gcloud-service-account-keys-rotation.yaml
@@ -1,9 +1,9 @@
 id: gcloud-service-account-keys-rotation

 info:
- name: Service Account Keys without rotation Found
+ name: GCP Service Account Keys - No Rotation Configured
 author: kelu27
- severity: critical
+ severity: high
 description: |
 Detects Google Cloud Platform (GCP) service account keys that have no rotation enabled.
 Keys with an expiration date of 9999-12-31T23:59:59 are considered non-rotating and pose security risks if compromised.
@@ -15,7 +15,9 @@ info:
 - https://cloud.google.com/iam/docs/understanding-service-accounts
 - https://cloud.google.com/iam/docs/best-practices-for-securing-service-accounts
 - https://cloud.google.com/iam/docs/key-rotation
- tags: cloud,devops,gcp,gcloud,google-cloud-iam,gcp-cloud-config,security,rotation
+ metadata:
+ max-request: 3
+ tags: cloud,devops,gcp,gcloud,iam,google-cloud-iam,gcp-cloud-config,security,rotation

 flow: |
 code(1)