Notice of Archiving

Dear Forseti users,

We are writing to inform you that we plan to archive the Forseti-Security repository.

Over the past few years, GCP Security has introduced a host of new features and capabilities that have addressed many security challenges targeted by Forseti. With low community engagement and limited improvements in the last two years, we have decided to place Forseti Security in archive. Note that other repos such as Forseti Real-Time-Enforcer and Resource-Policy-Evaliation-Library have also been automatically archived in February 2023 following no activities.

We plan to complete the archiving process by the end of June 2023.

What does this mean for you?

The Forseti-Security repository will be read-only, meaning that users will not be able to modify or contribute additional code.

You will however be able to fork or clone the repository and continue to use it however bearing ownership of your instance.

There will be no additional support from Google on Forseti. We are moving the existing support teams to new projects.

We thank you for your active engagement over the last few years.

Config Validator

This page describes how Config Validator works.

Overview

The Config Validator Scanner allows you to scan for non-compliant resources in your GCP infrastructure.

How It Works

Cloud admins write security and governance constraints (as YAML files) once, and store them within their company’s dedicated Git repo as a central source of truth.
Forseti ingests constraints and uses them as a new scanner to monitor for violations.
Terraform Validator reads the same constraints to check for violations before provisioning, in order to help prevent misconfigurations from happening.

These constraints are a good way for you to translate your security policies into code, and can be configured to meet your granular requirements. And because policy constraints are based on Config Validator templates, it’s easy to reuse the same code base to implement similar, but distinct constraints.

With this scanner in place, users are now able to define customized policies easily without writing a new scanner.

Note: Forseti Security team does not plan to add any new custom scanners or expand the existing custom scanners.

What’s next

Read more about how to set up the Config Validator Scanner and sync policies with the Forseti Server here.
Read more about how to write your own constraint templates here.
Read more about Terraform Validator here.