Google Cloud SCC Integration Guide
If your team runs infrastructure on Google Cloud, this integration brings Security Command Center findings into Openlane automatically. You get a single place to track cloud security findings, remediation timelines, and SLA compliance (SOC 2: CC7, CC8; ISO 27001: A.12.6).
Integration Snapshot
| Item | Details |
|---|---|
| Primary use case | Continuous ingestion of SCC findings into Openlane |
| Data direction | One-way (GCP -> Openlane), read-only |
| GCP services used | Security Command Center, IAM |
| Setup model | Service account key JSON |
| Openlane records created | Findings, Vulnerabilities and Risks (created or updated), linked to your SCC integration |
Key Capabilities
- Findings Ingestion: Pulls SCC findings and normalizes them into Openlane vulnerability records, giving you a unified view for remediation tracking and SLA compliance (SOC 2: CC7, CC8).
- Scoped Collection: Supports source and filter scoping to match your operating model and compliance boundary.
Prerequisites
- gcloud CLI access with permissions to create service accounts and grant IAM bindings.
- Security Command Center API enabled in the target project.
- Organization ID or project ID to define your SCC collection scope.
Step-by-Step Setup
Step 1: Run the GCP Setup Script
Use the Openlane setup script to configure IAM, enable required APIs, and print the exact values needed in Openlane.
- Download the script:

```bash
curl -fsSL https://docs.theopenlane.io/integrations/setup/gcp/openlane-gcp-scc-setup.sh \
  -o openlane-gcp-scc-setup.sh
chmod +x openlane-gcp-scc-setup.sh
```
- Run the setup:

```bash
./openlane-gcp-scc-setup.sh \
  --project-id <PROJECT_ID> \
  --organization-id <ORGANIZATION_ID>
```

The script prints the service account key JSON and the other values to paste into Openlane. The key JSON is a long-lived credential for the service account: paste it into Openlane, then delete any local copy or shell history entry that contains it.
Step 2: Connect Google Cloud SCC in Openlane
- Navigate to Organization Settings > Integrations and find Google Cloud SCC.
- Click Configure and enter the credential fields:
| Field | Required | Description |
|---|---|---|
| serviceAccountKeyJson | Yes | Service account key JSON used to authenticate to GCP SCC |
| organizationId | One of organizationId or projectId | ID of the organization to use as the parent |
| projectId | One of organizationId or projectId | ID of the project to use as the parent |
| projectScope | No | Filter project scope (all or specific); only applies when an organization ID is the parent |
| projectIds | Conditional | List of project IDs to include; required when projectScope is specific |
| sccSourceIds | No | List of SCC source IDs to limit which sources findings are pulled from |
| oauthScopes | No | OAuth scopes to request for the service account; defaults to https://www.googleapis.com/auth/cloud-platform |
To find the source IDs to enter in sccSourceIds, use one of the following:

Option A: GCP Console. Go to Security Command Center > Settings > Sources. Each row shows a source; the numeric ID at the end of the resource name is what you need.

Option B: REST API.

```bash
curl -s \
  -H "Authorization: Bearer $(gcloud auth print-access-token)" \
  -H "x-goog-user-project: <PROJECT_ID>" \
  "https://securitycenter.googleapis.com/v2/organizations/<ORG_ID>/sources?pageSize=100"
```

This returns source resource names like organizations/123/sources/456. Paste either the full name or just the numeric suffix into sccSourceIds.
- Optionally configure data ingestion behavior:
Configuration
| Setting | Description |
|---|---|
| Filter Expression | CEL expression evaluated against each finding — only findings that match are ingested |
Filter expression examples:

```text
# Exclude GKE security bulletins
payload.category != "GKE_SECURITY_BULLETIN"

# Ingest only critical findings
payload.severity == "CRITICAL"
```

CEL expressions have access to the full raw payload of each finding via payload.<field>.
- Click Save & Connect.
Validate Connection
After saving, Openlane runs a health check against Google Cloud SCC and displays the result on the Installed tab of the Integrations page. A Healthy badge confirms connectivity. If the badge shows Needs Attention, review the troubleshooting section below.
Supported Operations
This integration is read-only and one-directional. Openlane validates connectivity by listing sources, then pulls findings from the configured source scope. Openlane never pushes configuration changes back into GCP.
What Openlane Creates From Findings
Each SCC finding becomes a normalized vulnerability record in Openlane:
- Converts findings into vulnerability payloads with severity, state, category, timestamps, and source URIs preserved.
- Deduplicates by externalID (with CVE fallback when available), so repeated syncs update existing records instead of creating duplicates.
- Links each vulnerability to the SCC integration that produced it.
- Stores raw payload data if raw payload retention is enabled in your integration config.
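The following is an added illustration of the ingestion pipeline described in the Configuration section and in the list above: source scoping (sccSourceIds accepting a full resource name or numeric suffix), a pre-ingest payload filter, normalization into a vulnerability record, and deduplication so a second sync updates rather than duplicates. It is example code, not Openlane's implementation. The record shape, the assumption that externalID is the SCC finding resource name with a CVE ID as fallback, and the Python predicate standing in for the CEL filter are all assumptions made for this example; the finding payloads are constructed, using field names from the SCC v2 Finding resource.

```python
"""Illustrative model of SCC finding ingestion (added example, not Openlane code).

Assumptions: externalID is the finding's resource name, falling back to the CVE ID
when a finding has no name; the CEL filter is replaced by a Python predicate so the
example runs without a CEL library. Sample findings are constructed."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional


def normalize_source_id(value: str) -> str:
    """Accept 'organizations/123/sources/456' or '456' and return '456'."""
    m = re.fullmatch(r"(?:organizations/\d+/sources/)?(\d+)", value.strip())
    if not m:
        raise ValueError(f"not an SCC source ID or resource name: {value!r}")
    return m.group(1)


def source_id_of(finding: dict) -> str:
    # Finding names look like organizations/<org>/sources/<src>/findings/<id>
    m = re.search(r"/sources/(\d+)/findings/", finding.get("name", ""))
    return m.group(1) if m else ""


@dataclass
class Vulnerability:
    external_id: str
    cve_id: Optional[str]
    severity: str
    state: str
    category: str
    event_time: str
    source_uri: Optional[str]
    integration: str = "gcp-scc"      # link back to the producing integration
    raw: Optional[dict] = None         # kept only when raw retention is enabled
    sync_count: int = 1


def dedup_key(finding: dict) -> str:
    """Assumed rule: resource name first, CVE ID as fallback."""
    if finding.get("name"):
        return finding["name"]
    cve = finding.get("vulnerability", {}).get("cve", {}).get("id")
    if cve:
        return f"cve:{cve}"
    raise ValueError("finding has neither a name nor a CVE id")


def normalize(finding: dict, keep_raw: bool) -> Vulnerability:
    return Vulnerability(
        external_id=dedup_key(finding),
        cve_id=finding.get("vulnerability", {}).get("cve", {}).get("id"),
        severity=finding.get("severity", "SEVERITY_UNSPECIFIED"),
        state=finding.get("state", "STATE_UNSPECIFIED"),
        category=finding.get("category", ""),
        event_time=finding.get("eventTime", ""),
        source_uri=finding.get("externalUri"),
        raw=finding if keep_raw else None,
    )


def ingest(findings: Iterable[dict], store: Dict[str, Vulnerability], *,
           source_ids: Optional[Iterable[str]] = None,
           payload_filter: Optional[Callable[[dict], bool]] = None,
           keep_raw: bool = False) -> Dict[str, Vulnerability]:
    """One sync pass. Mutates and returns `store` (dedup key -> Vulnerability)."""
    allowed = {normalize_source_id(s) for s in source_ids} if source_ids else None
    for f in findings:
        if allowed is not None and source_id_of(f) not in allowed:
            continue                   # outside the configured source scope
        if payload_filter is not None and not payload_filter(f):
            continue                   # filter expression did not match
        vuln = normalize(f, keep_raw)
        existing = store.get(vuln.external_id)
        if existing is not None:       # update in place, never duplicate
            vuln.sync_count = existing.sync_count + 1
        store[vuln.external_id] = vuln
    return store


# Stand-in for the CEL expression: payload.category != "GKE_SECURITY_BULLETIN"
def not_gke_bulletin(payload: dict) -> bool:
    return payload.get("category") != "GKE_SECURITY_BULLETIN"


# Constructed sample findings (not real SCC output).
SAMPLE_FINDINGS = [
    {"name": "organizations/123/sources/456/findings/f1", "category": "OPEN_FIREWALL",
     "severity": "HIGH", "state": "ACTIVE", "eventTime": "2024-05-01T10:00:00Z",
     "externalUri": "https://console.cloud.google.com/security/command-center"},
    {"name": "organizations/123/sources/456/findings/f2", "category": "GKE_SECURITY_BULLETIN",
     "severity": "MEDIUM", "state": "ACTIVE", "eventTime": "2024-05-01T10:05:00Z"},
    {"name": "organizations/123/sources/789/findings/f3", "category": "OS_VULNERABILITY",
     "severity": "CRITICAL", "state": "ACTIVE", "eventTime": "2024-05-01T10:10:00Z",
     "vulnerability": {"cve": {"id": "CVE-2024-0001"}}},
]


def run_two_syncs() -> Dict[str, Vulnerability]:
    """Sync twice against source 456 only; f1 is resolved between the syncs."""
    store: Dict[str, Vulnerability] = {}
    ingest(SAMPLE_FINDINGS, store, source_ids=["organizations/123/sources/456"],
           payload_filter=not_gke_bulletin)
    second = [dict(f) for f in SAMPLE_FINDINGS]
    second[0]["state"] = "INACTIVE"
    ingest(second, store, source_ids=["456"], payload_filter=not_gke_bulletin)
    return store


if __name__ == "__main__":
    for key, v in run_two_syncs().items():
        print(key, v.category, v.severity, v.state, "syncs:", v.sync_count)
```

Running it yields a single record for f1 (f2 is dropped by the filter, f3 is outside the source scope), whose state flips to INACTIVE on the second sync with a sync count of 2 rather than a second row.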
What You Can Do Next
Once vulnerabilities land in Openlane, you can link them to affected assets, create remediation tasks, and track resolution against SLAs. This saves you from manually gathering evidence when an auditor asks about SOC 2 CC7 (system monitoring) or ISO 27001 A.12.6 (technical vulnerability management).
Disconnect
To remove this integration:
- Navigate to Organization Settings > Integrations
- Select the Installed tab
- Open the menu on the integration card and select Disconnect.
This removes stored credentials and stops all collection activity. You can reconnect later by configuring the integration again.
Troubleshooting
- Permission errors or a Needs Attention badge: verify the service account has SCC read permissions at the configured parent (organization or project). The health check lists sources and the sync reads findings, so both need to be readable; for example, roles/securitycenter.sourcesViewer and roles/securitycenter.findingsViewer granted at that parent. Also confirm the Security Command Center API is enabled in the project named in the key.
- No findings ingested: verify the source scope (sccSourceIds), the project scope (projectScope and projectIds when the parent is an organization), and the filter expression. A filter such as payload.severity == "CRITICAL" silently drops every finding that does not match, so check it against a known finding before narrowing it further.