⭐ Add GCP Security Command Center and VPC Service Controls resources (#7118)

* ⭐ Add Security Command Center and VPC Service Controls resources

Add two new GCP service areas to the provider:

**Security Command Center (SCC):**
- Sources, Findings, NotificationConfigs, MuteConfigs, BigQueryExports
- Available at org level (gcp.organization.scc*) and project level (gcp.project.sccFindings)
- Uses wildcard source listing (sources/-) for cross-source finding queries

**VPC Service Controls (Access Context Manager):**
- AccessPolicies, AccessLevels, ServicePerimeters
- Available at org level (gcp.organization.accessPolicies)
- AccessLevels and ServicePerimeters lazy-loaded as sub-resources of AccessPolicy

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Address review comments: filter active findings, remove unused constant

- Add state="ACTIVE" filter to listSCCFindings to avoid unbounded results
- Remove unused service_accesscontextmanager constant (ACM is org-level only)
- Update .lr comments to document active-only filtering
- Add accesscontextmanager and scc to spelling expect.txt

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Address review comments: simplify sccParent, document org-level service check

Use g.Id.Data directly in sccParent() instead of redundantly calling
conn.OrganizationID(). Add comment explaining why org-level SCC methods
skip isServiceEnabled.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* 🐛 Add isServiceEnabled checks to GCP services missing them

Discovery would fatally crash when a GCP API was not enabled in the
target project. Services like DNS, BigQuery, and GKE already had the
serviceEnabled guard pattern, but 10 other services did not: Redis,
Secret Manager, Pub/Sub, Cloud Run, Cloud Functions, Logging, KMS,
Cloud SQL, Storage, and IAM.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* 🐛 Add missing serviceEnabled guards to logging and cloudrun methods

Address review: add guards to metrics(), sinks() on loggingservice
and operations() on cloudRunService for consistency with other methods.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: tas50

.github/actions/spelling/expect.txt

@@ -1,5 +1,6 @@
 aad
 ACCOUNTADMIN
+accesscontextmanager
 activedirectory
 ACTIVEMQ
 adr
@@ -247,6 +248,7 @@ runbooks
 saas
 Sas
 sbom
+scc
 scim
 scm
 SECRETID

providers/gcp/go.mod

@@ -6,6 +6,7 @@ go 1.25.7
 
 require (
 	cloud.google.com/go/accessapproval v1.8.8
+	cloud.google.com/go/accesscontextmanager v1.9.7
 	cloud.google.com/go/aiplatform v1.121.0
 	cloud.google.com/go/alloydb v1.21.0
 	cloud.google.com/go/artifactregistry v1.20.0
@@ -31,6 +32,7 @@ require (
 	cloud.google.com/go/run v1.16.0
 	cloud.google.com/go/scheduler v1.11.8
 	cloud.google.com/go/security v1.19.2
+	cloud.google.com/go/securitycenter v1.38.1
 	cloud.google.com/go/serviceusage v1.9.7
 	cloud.google.com/go/spanner v1.89.0
 	github.com/aws/smithy-go v1.24.2
@@ -43,7 +45,7 @@ require (
 	go.mondoo.com/mql/v13 v13.2.0
 	go.mondoo.com/ranger-rpc v0.8.0
 	golang.org/x/oauth2 v0.36.0
-	google.golang.org/api v0.273.0
+	google.golang.org/api v0.273.1
 	google.golang.org/genproto v0.0.0-20260319201613-d00831a3d3e7
 	google.golang.org/protobuf v1.36.11
 )
@@ -293,8 +295,8 @@ require (
 	golang.org/x/time v0.15.0 // indirect
 	golang.org/x/tools v0.43.0 // indirect
 	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20260319201613-d00831a3d3e7 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260319201613-d00831a3d3e7 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260401001100-f93e5f3e9f0f // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260401001100-f93e5f3e9f0f // indirect
 	google.golang.org/grpc v1.79.3
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect

providers/gcp/go.sum

@@ -33,6 +33,8 @@ cloud.google.com/go v0.123.0 h1:2NAUJwPR47q+E35uaJeYoNhuNEM9kM8SjgRgdeOJUSE=
 cloud.google.com/go v0.123.0/go.mod h1:xBoMV08QcqUGuPW65Qfm1o9Y4zKZBpGS+7bImXLTAZU=
 cloud.google.com/go/accessapproval v1.8.8 h1:gq8OS+rQWgGRo91D2qztN+ion6AZ2T1CxBIu0ifCmVo=
 cloud.google.com/go/accessapproval v1.8.8/go.mod h1:RFwPY9JDKseP4gJrX1BlAVsP5O6kI8NdGlTmaeDefmk=
+cloud.google.com/go/accesscontextmanager v1.9.7 h1:aKIfg7Jyc73pe8bzx0zypNdS5gfFdSvFvB8YNA9k2kA=
+cloud.google.com/go/accesscontextmanager v1.9.7/go.mod h1:i6e0nd5CPcrh7+YwGq4bKvju5YB9sgoAip+mXU73aMM=
 cloud.google.com/go/aiplatform v1.121.0 h1:8y8sNfVAW1DVhFbSbI7d8rrqBGGJFk6EoV6atidlyQc=
 cloud.google.com/go/aiplatform v1.121.0/go.mod h1:juMdDWeNphHV40KhWdN+563zNCOKNmLJjk5D2TA43ls=
 cloud.google.com/go/alloydb v1.21.0 h1:f8udyaV5PmAKcsTOOsIlgJdLBf4DrO+ML5o/iJvdCLY=
@@ -110,6 +112,8 @@ cloud.google.com/go/secretmanager v1.16.0 h1:19QT7ZsLJ8FSP1k+4esQvuCD7npMJml6hYz
 cloud.google.com/go/secretmanager v1.16.0/go.mod h1://C/e4I8D26SDTz1f3TQcddhcmiC3rMEl0S1Cakvs3Q=
 cloud.google.com/go/security v1.19.2 h1:cF3FkCRRbRC1oXuaGZFl3qU2sdu2gP3iOAHKzL5y04Y=
 cloud.google.com/go/security v1.19.2/go.mod h1:KXmf64mnOsLVKe8mk/bZpU1Rsvxqc0Ej0A6tgCeN93w=
+cloud.google.com/go/securitycenter v1.38.1 h1:D9zpeguY4frQU35GBw8+M6Gw79CiuTF9iVs4sFm3FDY=
+cloud.google.com/go/securitycenter v1.38.1/go.mod h1:Ge2D/SlG2lP1FrQD7wXHy8qyeloRenvKXeB4e7zO6z0=
 cloud.google.com/go/serviceusage v1.9.7 h1:vrBBeI2ESmri4BLGPz1YH2o37loIQ3DDTloYiDOe2lY=
 cloud.google.com/go/serviceusage v1.9.7/go.mod h1:JpBpv+4Zbe7+RiC9ydc6xgBUOntIL9tA85d2xKgV83g=
 cloud.google.com/go/spanner v1.89.0 h1:r3h5Z5RA8JRPf3HCvA6ujNhREIMhPY+MrDL9mkY8jS0=
@@ -1351,8 +1355,8 @@ google.golang.org/api v0.57.0/go.mod h1:dVPlbZyBo2/OjBpmvNdpn2GRm6rPy75jyU7bmhdr
 google.golang.org/api v0.59.0/go.mod h1:sT2boj7M9YJxZzgeZqXogmhfmRWDtPzT31xkieUbuZU=
 google.golang.org/api v0.61.0/go.mod h1:xQRti5UdCmoCEqFxcz93fTl338AVqDgyaDRuOZ3hg9I=
 google.golang.org/api v0.62.0/go.mod h1:dKmwPCydfsad4qCH08MSdgWjfHOyfpd4VtDGgRFdavw=
-google.golang.org/api v0.273.0 h1:r/Bcv36Xa/te1ugaN1kdJ5LoA5Wj/cL+a4gj6FiPBjQ=
-google.golang.org/api v0.273.0/go.mod h1:JbAt7mF+XVmWu6xNP8/+CTiGH30ofmCmk9nM8d8fHew=
+google.golang.org/api v0.273.1 h1:L7G/TmpAMz0nKx/ciAVssVmWQiOF6+pOuXeKrWVsquY=
+google.golang.org/api v0.273.1/go.mod h1:JbAt7mF+XVmWu6xNP8/+CTiGH30ofmCmk9nM8d8fHew=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -1425,10 +1429,10 @@ google.golang.org/genproto v0.0.0-20211206160659-862468c7d6e0/go.mod h1:5CzLGKJ6
 google.golang.org/genproto v0.0.0-20211208223120-3a66f561d7aa/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
 google.golang.org/genproto v0.0.0-20260319201613-d00831a3d3e7 h1:XzmzkmB14QhVhgnawEVsOn6OFsnpyxNPRY9QV01dNB0=
 google.golang.org/genproto v0.0.0-20260319201613-d00831a3d3e7/go.mod h1:L43LFes82YgSonw6iTXTxXUX1OlULt4AQtkik4ULL/I=
-google.golang.org/genproto/googleapis/api v0.0.0-20260319201613-d00831a3d3e7 h1:41r6JMbpzBMen0R/4TZeeAmGXSJC7DftGINUodzTkPI=
-google.golang.org/genproto/googleapis/api v0.0.0-20260319201613-d00831a3d3e7/go.mod h1:EIQZ5bFCfRQDV4MhRle7+OgjNtZ6P1PiZBgAKuxXu/Y=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260319201613-d00831a3d3e7 h1:ndE4FoJqsIceKP2oYSnUZqhTdYufCYYkqwtFzfrhI7w=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260319201613-d00831a3d3e7/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
+google.golang.org/genproto/googleapis/api v0.0.0-20260401001100-f93e5f3e9f0f h1:K3zPU40OFjwD5YKADLMLoiL0L7JJpBgEdLqGuCNPfp0=
+google.golang.org/genproto/googleapis/api v0.0.0-20260401001100-f93e5f3e9f0f/go.mod h1:EIQZ5bFCfRQDV4MhRle7+OgjNtZ6P1PiZBgAKuxXu/Y=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260401001100-f93e5f3e9f0f h1:Rka45QInERYknkHYfJEPBQaoobXl+YpxTMjAKgWUq2A=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260401001100-f93e5f3e9f0f/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
 google.golang.org/grpc v1.21.1/go.mod h1:oYelfM1adQP15Ek0mdvEgi9Df8B9CZIaU1084ijfRaM=

providers/gcp/resources/accesscontextmanager.go

@@ -0,0 +1,191 @@
+// Copyright Mondoo, Inc. 2024, 2026
+// SPDX-License-Identifier: BUSL-1.1
+
+package resources
+
+import (
+	"context"
+
+	accesscontextmanager "cloud.google.com/go/accesscontextmanager/apiv1"
+	acmpb "cloud.google.com/go/accesscontextmanager/apiv1/accesscontextmanagerpb"
+	"go.mondoo.com/mql/v13/llx"
+	"go.mondoo.com/mql/v13/providers/gcp/connection"
+	"google.golang.org/api/iterator"
+	"google.golang.org/api/option"
+)
+
+func (g *mqlGcpAccesscontextmanagerAccessPolicy) id() (string, error) {
+	return g.Name.Data, g.Name.Error
+}
+
+func (g *mqlGcpAccesscontextmanagerAccessLevel) id() (string, error) {
+	return g.Name.Data, g.Name.Error
+}
+
+func (g *mqlGcpAccesscontextmanagerServicePerimeter) id() (string, error) {
+	return g.Name.Data, g.Name.Error
+}
+
+func newACMClient(conn *connection.GcpConnection) (*accesscontextmanager.Client, error) {
+	creds, err := conn.Credentials(accesscontextmanager.DefaultAuthScopes()...)
+	if err != nil {
+		return nil, err
+	}
+	return accesscontextmanager.NewClient(context.Background(), option.WithCredentials(creds))
+}
+
+func (g *mqlGcpOrganization) accessPolicies() ([]any, error) {
+	if g.Id.Error != nil {
+		return nil, g.Id.Error
+	}
+
+	conn := g.MqlRuntime.Connection.(*connection.GcpConnection)
+	orgId, err := conn.OrganizationID()
+	if err != nil {
+		return nil, err
+	}
+
+	client, err := newACMClient(conn)
+	if err != nil {
+		return nil, err
+	}
+	defer client.Close()
+
+	it := client.ListAccessPolicies(context.Background(), &acmpb.ListAccessPoliciesRequest{
+		Parent: "organizations/" + orgId,
+	})
+
+	var res []any
+	for {
+		policy, err := it.Next()
+		if err == iterator.Done {
+			break
+		}
+		if err != nil {
+			return nil, err
+		}
+
+		mqlPolicy, err := CreateResource(g.MqlRuntime, "gcp.accesscontextmanager.accessPolicy", map[string]*llx.RawData{
+			"name":   llx.StringData(policy.Name),
+			"title":  llx.StringData(policy.Title),
+			"parent": llx.StringData(policy.Parent),
+			"etag":   llx.StringData(policy.Etag),
+		})
+		if err != nil {
+			return nil, err
+		}
+		res = append(res, mqlPolicy)
+	}
+
+	return res, nil
+}
+
+func (g *mqlGcpAccesscontextmanagerAccessPolicy) accessLevels() ([]any, error) {
+	if g.Name.Error != nil {
+		return nil, g.Name.Error
+	}
+	policyName := g.Name.Data
+
+	conn := g.MqlRuntime.Connection.(*connection.GcpConnection)
+	client, err := newACMClient(conn)
+	if err != nil {
+		return nil, err
+	}
+	defer client.Close()
+
+	it := client.ListAccessLevels(context.Background(), &acmpb.ListAccessLevelsRequest{
+		Parent: policyName,
+	})
+
+	var res []any
+	for {
+		level, err := it.Next()
+		if err == iterator.Done {
+			break
+		}
+		if err != nil {
+			return nil, err
+		}
+
+		basic, err := protoToDict(level.GetBasic())
+		if err != nil {
+			return nil, err
+		}
+		custom, err := protoToDict(level.GetCustom())
+		if err != nil {
+			return nil, err
+		}
+
+		mqlLevel, err := CreateResource(g.MqlRuntime, "gcp.accesscontextmanager.accessLevel", map[string]*llx.RawData{
+			"name":        llx.StringData(level.Name),
+			"title":       llx.StringData(level.Title),
+			"description": llx.StringData(level.Description),
+			"basic":       llx.DictData(basic),
+			"custom":      llx.DictData(custom),
+			"createTime":  llx.TimeDataPtr(timestampAsTimePtr(level.CreateTime)),
+			"updateTime":  llx.TimeDataPtr(timestampAsTimePtr(level.UpdateTime)),
+		})
+		if err != nil {
+			return nil, err
+		}
+		res = append(res, mqlLevel)
+	}
+
+	return res, nil
+}
+
+func (g *mqlGcpAccesscontextmanagerAccessPolicy) servicePerimeters() ([]any, error) {
+	if g.Name.Error != nil {
+		return nil, g.Name.Error
+	}
+	policyName := g.Name.Data
+
+	conn := g.MqlRuntime.Connection.(*connection.GcpConnection)
+	client, err := newACMClient(conn)
+	if err != nil {
+		return nil, err
+	}
+	defer client.Close()
+
+	it := client.ListServicePerimeters(context.Background(), &acmpb.ListServicePerimetersRequest{
+		Parent: policyName,
+	})
+
+	var res []any
+	for {
+		perimeter, err := it.Next()
+		if err == iterator.Done {
+			break
+		}
+		if err != nil {
+			return nil, err
+		}
+
+		status, err := protoToDict(perimeter.Status)
+		if err != nil {
+			return nil, err
+		}
+		spec, err := protoToDict(perimeter.Spec)
+		if err != nil {
+			return nil, err
+		}
+
+		mqlPerimeter, err := CreateResource(g.MqlRuntime, "gcp.accesscontextmanager.servicePerimeter", map[string]*llx.RawData{
+			"name":                  llx.StringData(perimeter.Name),
+			"title":                 llx.StringData(perimeter.Title),
+			"description":           llx.StringData(perimeter.Description),
+			"perimeterType":         llx.StringData(perimeter.PerimeterType.String()),
+			"status":                llx.DictData(status),
+			"spec":                  llx.DictData(spec),
+			"useExplicitDryRunSpec": llx.BoolData(perimeter.UseExplicitDryRunSpec),
+			"createTime":            llx.TimeDataPtr(timestampAsTimePtr(perimeter.CreateTime)),
+			"updateTime":            llx.TimeDataPtr(timestampAsTimePtr(perimeter.UpdateTime)),
+		})
+		if err != nil {
+			return nil, err
+		}
+		res = append(res, mqlPerimeter)
+	}
+
+	return res, nil
+}

providers/gcp/resources/cloud_functions.go

@@ -8,6 +8,7 @@ import (
 	"errors"
 	"fmt"
 
+	"github.com/rs/zerolog/log"
 	"go.mondoo.com/mql/v13/providers-sdk/v1/plugin"
 	"go.mondoo.com/mql/v13/providers-sdk/v1/util/convert"
 	"go.mondoo.com/mql/v13/providers/gcp/connection"
@@ -24,6 +25,16 @@ func (g *mqlGcpProject) cloudFunctions() ([]any, error) {
 	if g.Id.Error != nil {
 		return nil, g.Id.Error
 	}
+
+	serviceEnabled, err := g.isServiceEnabled(service_cloudfunctions)
+	if err != nil {
+		return nil, err
+	}
+	if !serviceEnabled {
+		log.Debug().Str("service", service_cloudfunctions).Msg("gcp service is not enabled, skipping")
+		return nil, nil
+	}
+
 	projectId := g.Id.Data
 
 	conn := g.MqlRuntime.Connection.(*connection.GcpConnection)

providers/gcp/resources/cloudrun.go

@@ -49,6 +49,10 @@ func initGcpProjectCloudRunService(runtime *plugin.Runtime, args map[string]*llx
 	return args, nil, nil
 }
 
+type mqlGcpProjectCloudRunServiceInternal struct {
+	serviceEnabled bool
+}
+
 func (g *mqlGcpProject) cloudRun() (*mqlGcpProjectCloudRunService, error) {
 	if g.Id.Error != nil {
 		return nil, g.Id.Error
@@ -61,7 +65,19 @@ func (g *mqlGcpProject) cloudRun() (*mqlGcpProjectCloudRunService, error) {
 	if err != nil {
 		return nil, err
 	}
-	return res.(*mqlGcpProjectCloudRunService), nil
+
+	serviceEnabled, err := g.isServiceEnabled(service_cloudrun)
+	if err != nil {
+		return nil, err
+	}
+
+	svc := res.(*mqlGcpProjectCloudRunService)
+	svc.serviceEnabled = serviceEnabled
+	if !serviceEnabled {
+		log.Debug().Str("service", service_cloudrun).Msg("gcp service is not enabled, skipping")
+	}
+
+	return svc, nil
 }
 
 func (g *mqlGcpProjectCloudRunServiceOperation) id() (string, error) {
@@ -207,6 +223,10 @@ func (g *mqlGcpProjectCloudRunServiceJobExecutionTemplateTaskTemplate) id() (str
 }
 
 func (g *mqlGcpProjectCloudRunService) regions() ([]any, error) {
+	if !g.serviceEnabled {
+		return nil, nil
+	}
+
 	conn := g.MqlRuntime.Connection.(*connection.GcpConnection)
 
 	if g.ProjectId.Error != nil {
@@ -238,6 +258,10 @@ func (g *mqlGcpProjectCloudRunService) regions() ([]any, error) {
 }
 
 func (g *mqlGcpProjectCloudRunService) operations() ([]any, error) {
+	if !g.serviceEnabled {
+		return nil, nil
+	}
+
 	if g.ProjectId.Error != nil {
 		return nil, g.ProjectId.Error
 	}
@@ -298,6 +322,10 @@ func (g *mqlGcpProjectCloudRunService) operations() ([]any, error) {
 }
 
 func (g *mqlGcpProjectCloudRunService) services() ([]any, error) {
+	if !g.serviceEnabled {
+		return nil, nil
+	}
+
 	if g.ProjectId.Error != nil {
 		return nil, g.ProjectId.Error
 	}
@@ -523,6 +551,10 @@ func (g *mqlGcpProjectCloudRunServiceJobExecutionTemplateTaskTemplate) serviceAc
 }
 
 func (g *mqlGcpProjectCloudRunService) jobs() ([]any, error) {
+	if !g.serviceEnabled {
+		return nil, nil
+	}
+
 	if g.ProjectId.Error != nil {
 		return nil, g.ProjectId.Error
 	}