Surfaces GCP Vertex AI / Workbench security findings under a dedicated "Vertex AI" service instead of the generic "Security Command Center" bucket.
- gcp-security.service.ts: add `vertex-ai` to SERVICE_NAMES; detect it from `aiplatform.googleapis.com` / `notebooks.googleapis.com` (GCP_API_TO_SERVICE) so its findings pass the enabled-services filter; and group findings by resource-type host (resolveGcpServiceId) — checking the authoritative resource type before the SCC category, since Google names AI detector categories inconsistently. Falls back to the category map, then the SCC bucket, so no finding is ever dropped.
- integration-platform GCP manifest: add the Vertex AI service entry (the Services-tab catalog), with a description noting it requires SCC Premium / Enterprise.
- ServiceCard: Vertex AI icon.
- Tests: resolveGcpServiceId resource-type precedence + fallbacks.
Notes:
- Detection-gated: invisible to orgs not using Vertex AI.
- A Vertex-AI org on SCC Standard will see the service with no findings (SCC doesn't scan Vertex AI on Standard) — the card description states the tier requirement.
- Not yet verified against a live Vertex AI finding (no test org); mapping is built defensively on resource type, which is the stable SCC field.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
feat(cloud-security): add Vertex AI as a GCP Cloud Tests service
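The resolution order the commit describes (resource-type host first, then the category map, then the generic SCC bucket), as an added TypeScript illustration that is not the project's `gcp-security.service.ts`. The finding shape (`resourceType` carrying the owning API host, e.g. `aiplatform.googleapis.com/Endpoint`), the non-Vertex entries in the host table, and every entry in the category table are assumptions made for the example; only the two Vertex AI hosts and the `vertex-ai` / `security-command-center` ids come from the page.

```typescript
// Added illustration of resource-type-first service resolution for SCC findings.
// Not the project's code: the finding shape and the table entries other than the
// two Vertex AI hosts are assumptions chosen to mirror the commit description.

type SccFinding = {
  // Assumed shape: the affected resource's type prefixed with its API host,
  // e.g. "aiplatform.googleapis.com/Endpoint" or "//notebooks.googleapis.com/...".
  resourceType?: string;
  // SCC detector category, e.g. "VERTEX_AI_PUBLIC_ENDPOINT" (assumed value).
  category?: string;
};

// API host -> service id (the GCP_API_TO_SERVICE idea). Non-Vertex rows are
// assumptions for the example.
const API_HOST_TO_SERVICE: Record<string, string> = {
  'aiplatform.googleapis.com': 'vertex-ai',
  'notebooks.googleapis.com': 'vertex-ai',
  'compute.googleapis.com': 'compute',
  'storage.googleapis.com': 'storage',
};

// Category -> service id, consulted only when the resource type gives no answer.
// All rows are assumptions for the example.
const CATEGORY_TO_SERVICE: Record<string, string> = {
  OPEN_FIREWALL: 'compute',
  PUBLIC_BUCKET_ACL: 'storage',
};

const FALLBACK_SERVICE = 'security-command-center';

// Pull the API host out of "host/Kind" or "//host/path"; undefined if absent.
function resourceHost(resourceType: string | undefined): string | undefined {
  if (!resourceType) return undefined;
  const host = resourceType.replace(/^\/\//, '').split('/')[0]?.toLowerCase();
  return host && host.includes('.') ? host : undefined;
}

// Resource-type host wins over category; category map is the fallback; the
// SCC bucket catches everything else, so a finding is never left unassigned.
export function resolveGcpServiceId(finding: SccFinding): string {
  const host = resourceHost(finding.resourceType);
  const byHost = host ? API_HOST_TO_SERVICE[host] : undefined;
  if (byHost) return byHost;
  const category = finding.category?.toUpperCase();
  const byCategory = category ? CATEGORY_TO_SERVICE[category] : undefined;
  if (byCategory) return byCategory;
  return FALLBACK_SERVICE;
}

// Enabled-services filter: keep a finding only when its resolved service id is
// in the tenant's enabled set (which is why 'vertex-ai' must be a known service).
export function filterEnabled(findings: SccFinding[], enabled: Set<string>): SccFinding[] {
  return findings.filter((f) => enabled.has(resolveGcpServiceId(f)));
}
```

The precedence matters for the inconsistency the commit calls out: a Vertex AI finding whose category happens to look like a storage or compute detector still lands under `vertex-ai` because the host of the resource type is checked first.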
Adds a dedicated Neptune scanner so AWS Cloud Tests cover Neptune directly in
the default `comp_scanners` mode (previously Neptune was only reachable via the
Security Hub scan mode). Requested by a customer evaluating AWS.
- neptune.adapter.ts: scans Neptune DB clusters for five checks — storage
encryption at rest (manual: enabling it needs snapshot+restore), deletion
protection, automated backup retention (>= 7 days), IAM database
authentication, and audit-log export to CloudWatch. The last four emit
auto-fix remediation via `neptune:ModifyDBClusterCommand`. Filters to
Engine === 'neptune' and paginates the DescribeDBClusters Marker.
- aws-security.service.ts: register the adapter + Cost-Explorer detection
('Amazon Neptune' -> 'neptune').
- aws-command-executor.ts: register the `@aws-sdk/client-neptune` SDK so the
ModifyDBCluster remediations execute.
- integration-platform AWS manifest: Neptune service catalog entry.
- ServiceCard: Neptune icon.
- apps/api dep: add @aws-sdk/client-neptune ^3.948.0.
- Tests: neptune.adapter.spec.ts (non-compliant, compliant, engine filter,
pagination, AccessDenied) — 5 passing.
Detection-gated (invisible to accounts without Neptune). Not yet verified
against a live Neptune cluster.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…pace Neptune's management API is part of the RDS API surface — its control-plane IAM actions use the `rds:` prefix (rds:ModifyDBCluster, rds:DescribeDBClusters); `neptune-db:` is data-plane only. The first cut used @aws-sdk/client-neptune and `neptune:ModifyDBClusterCommand` remediation, which would make permission detection suggest a non-existent `neptune:ModifyDBCluster` IAM action — so the customer's auto-fix would keep failing even after "granting" the suggestion.
- neptune.adapter.ts: scan via @aws-sdk/client-rds DescribeDBClustersCommand (filter Engine === 'neptune'); remediate via rds:ModifyDBClusterCommand so permission detection emits the real rds:ModifyDBCluster action.
- drop the unnecessary @aws-sdk/client-neptune dependency and its executor registration (the existing `rds` SDK module already exposes ModifyDBCluster).
- spec: mock @aws-sdk/client-rds; assert rds:ModifyDBClusterCommand.
Full cloud-security suite green (304 passing); changed files typecheck clean.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
feat(cloud-security): add Amazon Neptune as an AWS Cloud Tests service
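The five cluster checks, the `Engine === 'neptune'` filter and the `Marker` pagination from the two commits above, as an added TypeScript illustration that is not the project's `neptune.adapter.ts`. The `DBCluster` field names and the ModifyDBCluster input keys are the real RDS API names; the finding shape, the check ids and the in-memory page source standing in for `DescribeDBClustersCommand` are assumptions for the example, and the sample clusters are constructed, so no SDK client or AWS account is needed.

```typescript
// Added illustration of the Neptune checks and Marker pagination. Not the
// project's adapter: finding shape, check ids and the in-memory `describe`
// source are assumptions; DBCluster / ModifyDBCluster field names are real.

type DBCluster = {
  DBClusterIdentifier?: string;
  Engine?: string;
  StorageEncrypted?: boolean;
  DeletionProtection?: boolean;
  BackupRetentionPeriod?: number;
  IAMDatabaseAuthenticationEnabled?: boolean;
  EnabledCloudwatchLogsExports?: string[];
};

type DescribePage = { DBClusters?: DBCluster[]; Marker?: string };

// Assumed finding shape: `remediation` is the input an rds:ModifyDBClusterCommand
// would be sent with; it is absent when the fix is manual.
export type Finding = { cluster: string; check: string; remediation?: Record<string, unknown> };

const MIN_BACKUP_DAYS = 7;

export function evaluateCluster(c: DBCluster): Finding[] {
  const id = c.DBClusterIdentifier ?? '<unknown>';
  const findings: Finding[] = [];
  if (!c.StorageEncrypted) {
    // Manual: encryption at rest cannot be switched on in place (snapshot + restore).
    findings.push({ cluster: id, check: 'storage-encryption' });
  }
  if (!c.DeletionProtection) {
    findings.push({ cluster: id, check: 'deletion-protection',
      remediation: { DBClusterIdentifier: id, DeletionProtection: true } });
  }
  if ((c.BackupRetentionPeriod ?? 0) < MIN_BACKUP_DAYS) {
    findings.push({ cluster: id, check: 'backup-retention',
      remediation: { DBClusterIdentifier: id, BackupRetentionPeriod: MIN_BACKUP_DAYS } });
  }
  if (!c.IAMDatabaseAuthenticationEnabled) {
    findings.push({ cluster: id, check: 'iam-auth',
      remediation: { DBClusterIdentifier: id, EnableIAMDatabaseAuthentication: true } });
  }
  if (!(c.EnabledCloudwatchLogsExports ?? []).includes('audit')) {
    findings.push({ cluster: id, check: 'audit-log-export',
      remediation: { DBClusterIdentifier: id,
        CloudwatchLogsExportConfiguration: { EnableLogTypes: ['audit'] } } });
  }
  return findings;
}

// Follow DescribeDBClusters pages via Marker and evaluate only Neptune engines;
// `describe` stands in for the SDK call (assumed signature).
export async function scanNeptune(
  describe: (marker?: string) => Promise<DescribePage>,
): Promise<Finding[]> {
  const out: Finding[] = [];
  let marker: string | undefined;
  do {
    const page = await describe(marker);
    for (const c of page.DBClusters ?? []) {
      if (c.Engine !== 'neptune') continue; // RDS returns Aurora etc. on the same call
      out.push(...evaluateCluster(c));
    }
    marker = page.Marker;
  } while (marker);
  return out;
}

// Constructed sample pages: a non-compliant Neptune cluster and an Aurora cluster
// on page one, a fully compliant Neptune cluster on page two.
const SAMPLE_PAGES: Record<string, DescribePage> = {
  first: { DBClusters: [
    { DBClusterIdentifier: 'graph-prod', Engine: 'neptune', StorageEncrypted: false,
      DeletionProtection: false, BackupRetentionPeriod: 1,
      IAMDatabaseAuthenticationEnabled: false, EnabledCloudwatchLogsExports: [] },
    { DBClusterIdentifier: 'orders-aurora', Engine: 'aurora-mysql', StorageEncrypted: false },
  ], Marker: 'page-2' },
  'page-2': { DBClusters: [
    { DBClusterIdentifier: 'graph-hardened', Engine: 'neptune', StorageEncrypted: true,
      DeletionProtection: true, BackupRetentionPeriod: 7,
      IAMDatabaseAuthenticationEnabled: true, EnabledCloudwatchLogsExports: ['audit'] },
  ] },
};

export async function sampleDescribe(marker?: string): Promise<DescribePage> {
  return SAMPLE_PAGES[marker ?? 'first'] ?? {};
}

scanNeptune(sampleDescribe).then((f) => console.log(JSON.stringify(f, null, 2)));
```

Because the remediation inputs are plain ModifyDBCluster parameters, the permission a caller needs is the real `rds:ModifyDBCluster` action, which is exactly the point of the follow-up commit that dropped `@aws-sdk/client-neptune`.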
🎉 This PR is included in version 3.71.0 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.
Summary by cubic
Adds dedicated services for GCP Vertex AI and AWS Neptune. Vertex AI findings are grouped under `vertex-ai`; Neptune clusters are scanned for core security settings with auto-fix where possible.
- `vertex-ai` service and icon. `resolveGcpServiceId` prioritizes resource type hosts (aiplatform.googleapis.com, notebooks.googleapis.com) over category, with fallbacks to category and `security-command-center`. Updated `GCP_API_TO_SERVICE` and service names so Vertex AI findings pass enabled-service filters. Tests cover precedence and fallbacks.
- `neptune` scanner (via RDS DescribeDBClusters) covering encryption at rest, deletion protection, backup retention (>= 7 days), IAM auth, and audit-log export. Remediation uses `rds:ModifyDBClusterCommand` (encryption is manual). Registered adapter, Cost Explorer mapping (Amazon Neptune), manifest entry, ServiceCard icon, and tests (non-compliant/compliant/engine filter/pagination/AccessDenied).
Written for commit d608946. Summary will update on new commits.