
Add GCP rule: Firewall Open Ingress #2182

Open

developutm wants to merge 1 commit into release/v11.2.9 from feature/google-rule-gcp_firewall_open_ingress
Conversation

@developutm

  • A detailed explanation of the changes: Adds detection for GCP VPC firewall rules that allow ingress traffic from 0.0.0.0/0 on sensitive ports (RDP 3389, SSH 22, SQL 1433, 3306, 5432, etc.).
  • The reasoning behind these changes: Overly permissive ingress firewall rules expose attack surface for lateral movement or direct exploitation (Initial Access - T1190).
  • Reference:
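
The check described in the PR text, as an added Go example that is not part of this PR or the UTMStack code base: it evaluates the sourceRanges and alloweds of a GCP firewall insert/patch audit record (field names assumed from the audit log request body) and handles the two cases a plain port-string match misses, port ranges and port-less allows. The ::/0 wildcard is included as a generalization beyond the description's 0.0.0.0/0.

```go
package main

import (
	"strconv"
	"strings"
)

var sensitivePorts = []int{22, 3389, 1433, 3306, 5432} // SSH, RDP, MSSQL, MySQL, PostgreSQL (from the PR description)

// Allowed mirrors one protoPayload.request.alloweds entry of a compute.firewalls.insert/patch audit record (names assumed).
type Allowed struct {
	IPProtocol string   `json:"IPProtocol"`
	Ports      []string `json:"ports"` // absent on a tcp/udp entry = every port
}

// covers reports whether a port spec ("22" or "3000-4000") includes port p.
func covers(spec string, p int) bool {
	lo, hi, found := strings.Cut(spec, "-")
	if !found {
		hi = lo
	}
	a, err1 := strconv.Atoi(lo)
	b, err2 := strconv.Atoi(hi)
	return err1 == nil && err2 == nil && a <= p && p <= b
}

// OpenIngressPorts returns the sensitive ports a rule exposes to the whole internet (0.0.0.0/0 or ::/0),
// nil otherwise. sourceRanges exists only on INGRESS rules, so no direction check is needed.
func OpenIngressPorts(sourceRanges []string, alloweds []Allowed) (hits []int) {
	open := false
	for _, s := range sourceRanges {
		open = open || s == "0.0.0.0/0" || s == "::/0"
	}
	if !open {
		return nil
	}
	for _, p := range sensitivePorts {
		for _, a := range alloweds {
			exposed := a.IPProtocol == "all" || ((a.IPProtocol == "tcp" || a.IPProtocol == "udp") && len(a.Ports) == 0)
			for _, spec := range a.Ports {
				exposed = exposed || covers(spec, p)
			}
			if exposed {
				hits = append(hits, p)
				break
			}
		}
	}
	return hits
}
```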

@developutm developutm requested a review from a team June 9, 2026 14:06
github-actions Bot commented Jun 9, 2026

❌ Go dependencies check failed

There are outdated Go dependencies, or modules that could not be inspected.
Run bash .github/scripts/go-deps.sh --update --discover locally and
commit the updated go.mod / go.sum files.

Script output
🔍 Discovered 25 Go projects

📦 Dependencies with updates available:

  📁 ./as400:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./as400/updater:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/stats:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/inputs:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/azure:
     - github.com/Azure/azure-sdk-for-go/sdk/azcore: v1.21.1 → v1.22.0
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/modules-config:
     - github.com/aws/aws-sdk-go-v2/config: v1.32.18 → v1.32.24
     - github.com/aws/aws-sdk-go-v2/credentials: v1.19.17 → v1.19.23
     - github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.74.0 → v1.75.2
     - github.com/aws/aws-sdk-go-v2/service/sts: v1.42.1 → v1.43.3
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sync: v0.20.0 → v0.21.0
     - google.golang.org/api: v0.282.0 → v0.283.0

  📁 ./plugins/geolocation:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/alerts:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/o365:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/soc-ai:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/config:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/events:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/aws:
     - github.com/aws/aws-sdk-go-v2: v1.41.7 → v1.42.0
     - github.com/aws/aws-sdk-go-v2/config: v1.32.18 → v1.32.24
     - github.com/aws/aws-sdk-go-v2/credentials: v1.19.17 → v1.19.23
     - github.com/aws/aws-sdk-go-v2/service/cloudwatchlogs: v1.74.0 → v1.75.2
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/gcp:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - google.golang.org/api: v0.282.0 → v0.283.0

  📁 ./plugins/bitdefender:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/feeds:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sync: v0.20.0 → v0.21.0

  📁 ./plugins/sophos:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./plugins/crowdstrike:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./agent-manager:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

  📁 ./agent:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25
     - golang.org/x/sys: v0.45.0 → v0.46.0

  📁 ./utmstack-collector:
     - github.com/threatwinds/go-sdk: v1.1.21 → v1.1.25

❌ Please update dependencies before merging.

github-actions Bot commented Jun 9, 2026

⚠️ AI review — Changes requested

One or more prompts found issues the author should fix before merging. Details below.

architecture (gemini-3-flash-lite) — Tier 1 — looks clean

Summary: Addition of a new detection rule in YAML format; no architectural impact or code changes detected.

No findings.

⚠️ bugs (gemini-3-flash-lite) — Tier 2 — changes requested

Summary: Detected a typo in the documentation reference URL and a missing newline at the end of the file.

  • medium rules/cloud/google/gcp_firewall_open_ingress.yml:11 — Typo in reference URL: 'cal-categories' → 'audit-categories'. The URL https://cloud.google.com/logging/docs/audit/cal-categories#compute_engine is broken.
  • low rules/cloud/google/gcp_firewall_open_ingress.yml:30 — Missing newline at the end of the file. This can cause issues with some git tools and parsers.

security (gemini-3-flash-lite) — Tier 1 — looks clean

Summary: The PR introduces a new detection rule for GCP firewall configurations; no vulnerabilities or information disclosure identified.

No findings.

utmstackprapprover Bot left a comment

Changes requested — see approver comments above.
