
fmalik100/gcp-security-agent

GCP Security Agent

A GCP security expert agent built with Google ADK, exposed over the A2A protocol so any orchestrator or agent framework can call it.

What it does

  • Audits IAM policies, Cloud Storage buckets, firewall rules, Compute instances, Cloud SQL, and GKE
  • Accesses GCP via a local GCP MCP server (stdio subprocess — no manual setup)
  • Returns severity-ranked findings with verbatim evidence and gcloud remediation commands
  • Exposes itself as an A2A service — any agent (CrewAI, LangChain, another ADK agent) can call it over HTTP

Architecture

Calling agent / orchestrator
        │  HTTP JSON-RPC (A2A protocol)
        ▼
┌─────────────────────────────┐
│   GCP Security Agent (ADK)  │
│   /.well-known/agent.json   │  ← Agent Card (auto-generated)
│   POST /                    │  ← Task endpoint
│  ┌─────────────────────┐    │
│  │  Local GCP MCP      │    │  ← stdio subprocess (gcp-mcp)
│  │  Server             │    │
│  └─────────────────────┘    │
└─────────────────────────────┘

Setup

1. Install

cd gcp-security-agent
pip install -e .

2. Configure

cp .env.example .env
# Edit .env: set ANTHROPIC_API_KEY, GCP_SERVICE_ACCOUNT_JSON, GCP_PROJECT_ID

3. Install uv (for the MCP server)

curl -LsSf https://astral.sh/uv/install.sh | sh

4. Start the agent

gcp-agent

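The agent starts on http://0.0.0.0:8001 by default, which means it listens on all network interfaces. The bind host and port are set with A2A_HOST and A2A_PORT (see Configuration).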

Calling the agent

From another ADK agent

from google.adk.agents import Agent
from google.adk.agents.remote_a2a_agent import RemoteA2aAgent

gcp_security = RemoteA2aAgent(
    name="gcp_security_agent",
    description="GCP security expert",
    agent_card="http://localhost:8001/.well-known/agent.json",
)

orchestrator = Agent(
    model="gemini-2.5-flash",
    name="orchestrator",
    sub_agents=[gcp_security],
    instruction="Delegate all GCP security tasks to gcp_security_agent.",
)

From any HTTP client (CrewAI, LangChain, curl)

curl -X POST http://localhost:8001/ \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "method": "message/send",
    "params": {
      "message": {
        "role": "user",
        "parts": [{"kind": "text", "text": "Audit project my-project-id for public storage buckets and overly permissive IAM roles."}]
      }
    },
    "id": "1"
  }'

Agent Card

curl http://localhost:8001/.well-known/agent.json

Configuration

| Variable | Default | Description |
|---|---|---|
| AGENT_MODEL | claude-sonnet-4-6 | LLM model |
| ANTHROPIC_API_KEY | | Required for Claude |
| GCP_SERVICE_ACCOUNT_JSON | | Path to SA key file |
| GCP_PROJECT_ID | | Default GCP project to audit |
| GCP_ORG_ID | | Optional org ID for SCC |
| GCP_MCP_COMMAND | uvx | MCP server executable |
| GCP_MCP_ARGS | gcp-mcp | MCP server arguments |
| GCP_MCP_TIMEOUT | 60 | MCP tool call timeout (seconds) |
| A2A_HOST | 0.0.0.0 | Server bind host |
| A2A_PORT | 8001 | Server port |
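A preflight check over these variables, run before starting the agent. This is an added example, not code from this repository; the function name `preflight`, the severity labels, and the choice of checks (key file mode, the key's "type" field, wildcard bind address) are assumptions.

```python
import ipaddress
import json
import os
import stat

# Defaults copied from the Configuration table above.
DEFAULTS = {"AGENT_MODEL": "claude-sonnet-4-6", "A2A_HOST": "0.0.0.0",
            "A2A_PORT": "8001", "GCP_MCP_TIMEOUT": "60"}


def preflight(env):
    """Return a list of (severity, message) findings for the agent's settings."""
    # Empty values count as unset, so the table defaults apply.
    cfg = {**DEFAULTS, **{k: v for k, v in env.items() if v}}
    findings = []

    if cfg["AGENT_MODEL"].startswith("claude") and "ANTHROPIC_API_KEY" not in cfg:
        findings.append(("HIGH", "ANTHROPIC_API_KEY is not set"))

    key_path = cfg.get("GCP_SERVICE_ACCOUNT_JSON")
    if not key_path or not os.path.isfile(key_path):
        findings.append(("HIGH", "GCP_SERVICE_ACCOUNT_JSON is not a readable file"))
    else:
        # The SA key is a long-lived credential: only its owner should read it.
        mode = stat.S_IMODE(os.stat(key_path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(("HIGH", f"key file mode {mode:o} allows group/other access"))
        try:
            with open(key_path) as fh:
                if json.load(fh).get("type") != "service_account":
                    findings.append(("MEDIUM", "key file is not a service account key"))
        except (OSError, ValueError, AttributeError):
            findings.append(("HIGH", "key file is not a JSON object"))

    try:
        # 0.0.0.0 (or ::) exposes the task endpoint on every interface.
        if ipaddress.ip_address(cfg["A2A_HOST"]).is_unspecified:
            findings.append(("MEDIUM", "A2A_HOST binds every interface"))
    except ValueError:
        pass  # a hostname rather than an IP literal; nothing to check here

    for name in ("A2A_PORT", "GCP_MCP_TIMEOUT"):
        if not cfg[name].isdigit() or int(cfg[name]) == 0:
            findings.append(("LOW", f"{name} must be a positive integer"))
    return findings


if __name__ == "__main__":
    for severity, message in preflight(dict(os.environ)):
        print(f"[{severity}] {message}")
```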
