id: gcloud-func-auto-runtime-updates-disabled info: name: Automatic Runtime Security Updates Disabled in Google Cloud Functions author: princechaddha severity: medium description: | Ensure that automatic runtime security updates are enabled for your Google Cloud functions in order to keep the functions secure and protected against vulnerabilities without manual intervention. impact: | Having automatic runtime security updates disabled can expose Google Cloud functions to vulnerabilities which could be mitigated by timely updates. remediation: | Enable automatic runtime security updates for each Google Cloud function by setting the `serviceConfig.minInstanceCount` to a non-null value, ensuring functions are automatically updated with the latest security patches. reference: - https://cloud.google.com/functions/docs/securing/managing-security tags: cloud,devops,gcp,gcloud,google-cloud-functions,gcp-cloud-config flow: | code(1) for(let projectId of iterate(template.projectIds)){ set("projectId", projectId) code(2) for(let functionDetail of iterate(template.functions)){ set("functionName", functionDetail) code(3) } } self-contained: true code: - engine: - sh - bash source: | gcloud projects list --format="json(projectId)" extractors: - type: json name: projectIds internal: true json: - '.[].projectId' - engine: - sh - bash source: | gcloud functions list --project $projectId --format="json(name)" extractors: - type: json name: functions internal: true json: - '.[].name' - engine: - sh - bash source: | gcloud functions describe $functionName --format="json(serviceConfig.minInstanceCount)" matchers: - type: word words: - 'null' extractors: - type: dsl dsl: - '"Automatic Runtime Security Updates Disabled in function: " + functionName + " in Project: " + projectId' # digest: 4b0a00483046022100f41be90788c213768a91b9c804665007a6c775591d782d20231cd9998493e0e0022100b4216a242eded9560fcb101e7f96643795aa055c7fe359c346a82eca90de74cb:922c64590222798bb761d5b6d8e72950