[REVIEW] gcp-review: add Cloud Run invoker and IAP effective path gates

[stmr]

Skill Being Reviewed

Skill name: gcp-review
Skill path: skills/cloud/gcp-review/

False Positive Analysis

Benign code that triggers a false positive:

Cloud Run service requires intended invoker/IAP path and denies direct URL when needed.

Why this is a false positive:
The current review guidance can push an agent to flag this pattern without first proving the attacker-controlled path, tenant boundary, or effective runtime behavior. The review should require evidence before classification.

Coverage Gaps

Missed variant 1:

IAP protects frontend but direct Cloud Run URL remains public.

Why it should be caught:
This is a realistic failure mode for gcp-review. It changes the effective security boundary without matching the simpler examples currently emphasized by the skill.

Missed variant 2:

Invoker role is granted to allUsers through folder/project inheritance.

Why it should be caught:
This variant commonly appears in production systems and needs explicit reviewer prompts so agents do not stop at static configuration review.

Edge Cases

Serverless ingress and invoker IAM both matter.

Remediation Quality

• Fix resolves the vulnerability
• Fix doesn't introduce new security issues
• Fix doesn't break functionality
• Issues found: Remediation guidance should add an evidence gate for the specific boundary, a benign exception pattern, and a regression check. Without those, fixes may be either cosmetic or over-broad.

Comparison to Other Tools

Tool	Catches this?	Notes
Semgrep	Partial	Can catch static patterns, but not effective policy, ownership, or runtime propagation without custom rules.
CodeQL	Partial	Strong for code/data-flow cases, weaker for cloud/control-plane and process evidence unless modeled.
Other: manual review	Yes	Human review can verify effective behavior, exception ownership, and operational evidence.

Overall Assessment

Strengths:
The skill gives useful practitioner framing and asks for concrete evidence instead of generic advice.

Needs improvement:
Need Cloud Run effective exposure checks.

Priority recommendations:

1. Add a checklist item for Cloud Run invoker and IAP effective path evidence.
2. Add one benign exception example so reviewers avoid noisy findings.
3. Add one regression or verification step that proves the effective boundary after remediation.

Bounty Info

• I have read and agree to the CONTRIBUTING.md bounty terms
• Preferred payment method: PayPal samik4184@gmail.com

[daviediao-code]

Security Review: gcp-review

Summary: Reviewed gcp-review skill for bounty spec — Cloud Run invoker and IAP effective path gates. Skill provides structured gcp-review review guidance with framework mapping.

Key Findings:

1. Framework References — Score: 1/4
   Found 1 framework references: CIS.
   Could strengthen with additional framework cross-references.

2. Injection Hardened — Score: 3/3
   Covers injection prevention and sanitization patterns.

3. Test Fixtures — Score: 0/3
   No test fixture directories found — universal gap across reviewed skills.

4. Structured Output — Score: 2/3
   Has structured output fields (severity, CWE, remediation).

5. Coverage Depth — Score: 3/3
   Contains 12 major sections. Good depth with thorough coverage.

6. AI Agent Tested — Score: 1/1
   Evidence of agent-tested patterns and playbook validation.

7. Gap-Specific Analysis — Score: 2/6
   Bounty spec: "Cloud Run invoker and IAP effective path gates".
   Could better align with bounty spec requirements.

Quality Score: 12/23

Recommendation: Approve with minor revisions ⚠️

---

Reviewed by daviediao-code | Category: gcp-review | Date: 2026-06-16

[JamesJi79]

/attempt

[JamesJi79]

Implemented in PR #2698.

Gate file: skills/cloud/gcp-review/gates/cloud-run-invoker-iap-gate.md

This gate adds cloud run invoker and iap effective path gate.