gcsspectre — GCS bucket auditor for drift and misconfigurations. Part of SpectreHub.
- Scan mode cross-references GCS bucket refs in code against live GCP state
- Discover mode inspects all buckets in a project for lifecycle, public access, and versioning issues
- Detects missing buckets, stale prefixes, and compliance gaps
- Produces deterministic output for CI/CD gating
- Outputs text, JSON, SARIF, and SpectreHub formats
- Not a replacement for Security Command Center — not real-time
- Not a data scanner — never reads object contents, only metadata
- Not a remediation tool — reports only, never modifies buckets
- Not a cost calculator — identifies waste, does not estimate dollars

```bash
brew tap ppiankov/tap
brew install gcsspectre
```

```bash
git clone https://github.com/ppiankov/gcsspectre.git
cd gcsspectre
make build
```

```bash
gcsspectre discover --project my-project --format json
```

| Command | Description |
|---|---|
| `gcsspectre scan` | Cross-reference code bucket refs against live GCS state |
| `gcsspectre discover` | Inspect all GCS buckets in a project |
| `gcsspectre version` | Print version |

gcsspectre feeds GCS bucket findings into SpectreHub for unified visibility across your infrastructure.

```bash
spectrehub collect --tool gcsspectre
```

gcsspectre operates in read-only mode. It inspects and reports — never modifies, deletes, or alters your buckets.

| Document | Contents |
|---|---|
| CLI Reference | Full command reference, flags, and configuration |
MIT — see LICENSE.
Built by Obsta Labs