Skip to content

feat(gcp): add check to detect persistent disks on suspended VM instances #9747

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
danibarranqueroo merged 5 commits into from
Jan 22, 2026
Merged

feat(gcp): add check to detect persistent disks on suspended VM instances #9747

danibarranqueroo merged 5 commits into from
Jan 22, 2026

Conversation

@lydiavilchez
Copy link
Contributor

@lydiavilchez lydiavilchez commented Jan 9, 2026

Context

New security check for GCP Compute Engine to detect persistent disks attached to suspended VMs. Suspended VMs with attached disks incur unnecessary storage costs and may pose security risks from forgotten data. This check helps identify these resources for cleanup or review.

Description

This PR adds a new GCP check that verifies whether suspended VMs have persistent disks still attached. The check evaluates all VM instances and reports:

  • PASS: VM is not suspended, or VM is suspended with no attached disks
  • FAIL: VM is in SUSPENDED state with persistent disks attached

Steps to review

  1. Review the status field added to the Instance model in compute_service.py
  2. Review how status is captured in _get_instances()
  3. Review the check logic in compute_instance_suspended_with_persistent_disks.py
  4. Review the metadata.json for accuracy

Checklist

UI

  • All issue/task requirements work as expected on the UI
  • Screenshots/Video of the functionality flow (if applicable) - Mobile (X < 640px)
  • Screenshots/Video of the functionality flow (if applicable) - Table (640px > X < 1024px)
  • Screenshots/Video of the functionality flow (if applicable) - Desktop (X > 1024px)
  • Ensure new entries are added to CHANGELOG.md, if applicable.

API

  • Verify if API specs need to be regenerated.
  • Check if version updates are required (e.g., specs, Poetry, etc.).
  • Ensure new entries are added to CHANGELOG.md, if applicable.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

@lydiavilchez lydiavilchez requested review from a team as code owners January 9, 2026 12:29
@github-actions github-actions bot added provider/gcp Issues/PRs related with the Google Cloud Platform provider metadata-review labels Jan 9, 2026
@github-actions
Copy link
Contributor

github-actions bot commented Jan 9, 2026
edited
Loading

Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

@github-actions
Copy link
Contributor

github-actions bot commented Jan 9, 2026
edited
Loading

✅ All necessary CHANGELOG.md files have been updated.

@codecov
Copy link

codecov bot commented Jan 9, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.85%. Comparing base (3bb3261) to head (d4e3a8f).
⚠️ Report is 2 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #9747      +/-   ##
==========================================
+ Coverage   86.60%   92.85%   +6.24%     
==========================================
  Files         222      137      -85     
  Lines        5645     3387    -2258     
==========================================
- Hits         4889     3145    -1744     
+ Misses        756      242     -514
Flag Coverage Δ
prowler-py3.10-azure ?
prowler-py3.10-gcp 92.85% <100.00%> (?)
prowler-py3.11-azure ?
prowler-py3.11-gcp 92.85% <100.00%> (?)
prowler-py3.12-azure ?
prowler-py3.12-gcp 92.85% <100.00%> (?)
prowler-py3.9-azure ?
prowler-py3.9-gcp 92.85% <100.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
prowler 92.85% <100.00%> (+6.24%) ⬆️
api ∅ <ø> (∅)
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@github-actions
Copy link
Contributor

github-actions bot commented Jan 9, 2026
edited
Loading

🔒 Container Security Scan

Image: prowler:40e07f6
Last scan: 2026-01-22 12:44:56 UTC

📊 Vulnerability Summary

Severity Count
🔴 Critical 3
Total 3

3 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

  • Review the detailed scan results
  • Update affected packages to patched versions
  • Consider using a different base image if updates are unavailable

📋 Resources:

@danibarranqueroo
Copy link
Member

danibarranqueroo commented Jan 12, 2026

This check is not security related, it's cost-effective related so we should discuss with the team if we want to add it or not.

@danibarranqueroo
Copy link
Member

danibarranqueroo commented Jan 19, 2026

This check is not security related, it's cost-effective related so we should discuss with the team if we want to add it or not.

After discussing, we can include it since having permanent disks on suspended VM instances can lead also to security issues and not just costs. Please, modify the metadata to ensure it's more focused on security risks.

danibarranqueroo
danibarranqueroo approved these changes Jan 22, 2026
View reviewed changes
Copy link
Member

@danibarranqueroo danibarranqueroo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great improvement! 🚀

@danibarranqueroo danibarranqueroo merged commit 963ece9 into master Jan 22, 2026
36 checks passed
@danibarranqueroo danibarranqueroo deleted the PROWLER-371-gcp-compute-new-check-detect-persistent-disks-on-suspended-v-ms branch January 22, 2026 12:38
andoniaf pushed a commit that referenced this pull request Jan 23, 2026
@lydiavilchez @danibarranqueroo @andoniaf
feat(gcp): add check to detect persistent disks on suspended VM insta…
40309c4 
…nces (#9747)

Co-authored-by: Daniel Barranquero <danielbo2001@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@danibarranqueroo danibarranqueroo danibarranqueroo approved these changes

Assignees

No one assigned

Labels

metadata-review provider/gcp Issues/PRs related with the Google Cloud Platform provider

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lydiavilchez @danibarranqueroo