External project access scanner.

class ExternalProjectAccessScanner(global_configs, scanner_configs, service_config, model_name, snapshot_timestamp, rules)[source]


Scanner for external project access.


_find_violations(ancestries_by_user)[source]

Find violations in the policies.

Parameters: ancestries_by_user (dict) – The project ancestries collected by the scanner, keyed by user e-mail address (the structure returned by _retrieve()).
Returns: A list of ExternalProjectAccess violations.
Return type: list
static _flatten_violations(violations)[source]

Flatten RuleViolations into a dict for each RuleViolation member.

Parameters: violations (list) – The RuleViolations to flatten.
Yields: dict – One dict per RuleViolation member.

_get_crm_client(user_email)[source]

Get a user-scoped CloudResourceManagerClient. Because the client acts as the given user, the projects it lists are the projects that user can see, which is what the scanner compares against the organization.

Parameters: user_email (str) – The e-mail address of the user.
Returns: CRM client
Return type: CloudResourceManagerClient

_output_results(all_violations)[source]

Output results.

Parameters: all_violations (list) – A list of violations.

_retrieve()[source]

Retrieve the project ancestries for all users.

Returns: User-to-project relationships, keyed by user e-mail address (the addresses themselves are not shown on this page). Each value is a list of ancestry chains, one per project the user can see, running from the Project up to the Organization, for example:
{"<user e-mail 1>": [[Project("1234"), Organization("1234567")],
                     [Project("12345"), Folder("ABCDEFG"), Organization("1234567")]],
 "<user e-mail 2>": [[Project("1234"), Organization("34567")],
                     [Project("12345"), Folder("ABCDEFG"), Organization("1234567")]]}
Return type: dict
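The check that _find_violations() and _flatten_violations() describe, written out as an added example. This is not Forseti's code: the Resource stand-ins, the RuleViolation record and its field names, the allowed_org_ids parameter and the e-mail addresses are all assumptions made for the example. The input has the shape _retrieve() returns; a chain is a violation when its top-most resource is not one of the allowed organizations, including the case where the project sits under no organization at all.

```python
"""Added example (not Forseti's own code): flag ancestry chains that leave the organization."""
from collections import namedtuple

# Minimal stand-ins for the Resource objects shown in the _retrieve() return value.
Resource = namedtuple("Resource", ["type", "id"])


def Project(rid):
    return Resource("project", rid)


def Folder(rid):
    return Resource("folder", rid)


def Organization(rid):
    return Resource("organization", rid)


# Assumed violation record; the field names are this example's own, not the scanner's.
RuleViolation = namedtuple("RuleViolation",
                           ["user_email", "project_id", "ancestry", "rule_name"])


def find_violations(ancestries_by_user, allowed_org_ids,
                    rule_name="external_project_access"):
    """Return one RuleViolation for every chain whose top is not an allowed organization.

    A chain that ends in a Folder or Project (no organization at all) is also a
    violation: such a project is outside every organization the user belongs to.
    """
    violations = []
    for user_email, ancestries in ancestries_by_user.items():
        for chain in ancestries:
            if not chain or chain[0].type != "project":
                raise ValueError("ancestry must start at a Project: %r" % (chain,))
            top = chain[-1]
            if top.type == "organization" and top.id in allowed_org_ids:
                continue
            violations.append(
                RuleViolation(user_email, chain[0].id, tuple(chain), rule_name))
    return violations


def flatten_violations(violations):
    """Yield one flat dict per violation, with the ancestry rendered as a full name
    from the organization (or top-most resource) down to the project."""
    for v in violations:
        full_name = "/".join("%s/%s" % (r.type, r.id) for r in reversed(v.ancestry))
        yield {
            "resource_type": "project",
            "resource_id": v.project_id,
            "member": v.user_email,
            "rule_name": v.rule_name,
            "violation_data": {"full_name": full_name},
        }


# Constructed sample input in the shape _retrieve() returns; addresses and ids are invented.
SAMPLE_ANCESTRIES = {
    "alice@example.com": [[Project("1234"), Organization("1234567")],
                          [Project("12345"), Folder("ABCDEFG"), Organization("1234567")]],
    "bob@example.com": [[Project("5678"), Organization("34567")],   # foreign organization
                        [Project("99"), Folder("X")]],              # no organization at all
}

if __name__ == "__main__":
    for row in flatten_violations(find_violations(SAMPLE_ANCESTRIES, {"1234567"})):
        print(row)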

run()[source]

Entry point to run the scanner.

Extract a list of project IDs (the function's name is not shown on this page).

Parameters: crm_client (CloudResourceManagerClient) – An authenticated CRM client.
Returns: Project IDs as strings.
Return type: list
get_project_ancestries(crm_client, project_id_list)[source]

Get the ancestries from a list of project IDs.

  • crm_client (CloudResourceManagerClient) – An authenticated CRM client.
  • project_id_list (list) – The project IDs to look up.

Returns: A list of lists of Resource objects, each defining the ancestry chain from the Project to the Organization.
Return type: list

get_project_ancestry(crm_client, project_id)[source]

Get the ancestry of a single project.

  • crm_client (CloudResourceManagerClient) – An authenticated CRM client.
  • project_id (str) – The project ID to look up.

Returns: A list of Resource objects defining the ancestry chain from the Project to the Organization.
Return type: list
get_user_emails(service_config, member_types=None)[source]

Retrieves the list of user e-mail addresses from inventory.

  • service_config (dict) – The service configuration.
  • member_types (list) – Member types to query in storage. This defaults to ‘gsuite_user’.

Returns: List of list of user e-mail addresses.
Return type: list



A decorator function to retrieve project ancestries only if necessary (the decorator's name is not shown on this page).

Parameters: ancestry_function (function) – The ancestry retrieval function to wrap.
Returns: The helper that wraps ancestry_function.
Return type: function
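One way to realise "only if necessary" for get_project_ancestry(), get_project_ancestries() and the decorator above, as an added example rather than Forseti's implementation: a project's ancestry does not depend on which user's client observed it, so a cache keyed by project ID lets the wrapped retrieval run once per project even when many users can see the same project. The FakeCrmClient, its get_project_ancestry method, the ANCESTRY_CACHE name and the project and organization IDs are assumptions made for the example; the responses copy the shape of the Cloud Resource Manager v1 projects.getAncestry reply.

```python
"""Added example (not Forseti's own code): cache project ancestries across users."""
import functools


class FakeCrmClient:
    """Constructed stand-in for a user-scoped CloudResourceManagerClient.

    Responses mimic the shape of the Cloud Resource Manager v1 projects.getAncestry
    reply ({"ancestor": [{"resourceId": {"type": ..., "id": ...}}, ...]}); the IDs
    are invented. `calls` counts how many API round trips this client made.
    """
    RESPONSES = {
        "prod-api": {"ancestor": [
            {"resourceId": {"type": "project", "id": "prod-api"}},
            {"resourceId": {"type": "folder", "id": "555"}},
            {"resourceId": {"type": "organization", "id": "1234567"}}]},
        "rogue-sandbox": {"ancestor": [
            {"resourceId": {"type": "project", "id": "rogue-sandbox"}},
            {"resourceId": {"type": "organization", "id": "34567"}}]},
    }

    def __init__(self, user_email):
        self.user_email = user_email
        self.calls = 0

    def get_project_ancestry(self, project_id):
        self.calls += 1
        return self.RESPONSES[project_id]


# Assumed process-wide cache: project ID -> ancestry chain.
ANCESTRY_CACHE = {}


def ancestry_retriever(ancestry_function):
    """Decorator: serve the ancestry from ANCESTRY_CACHE and call the wrapped
    retrieval function only on a cache miss."""
    @functools.wraps(ancestry_function)
    def helper(crm_client, project_id):
        if project_id not in ANCESTRY_CACHE:
            ANCESTRY_CACHE[project_id] = ancestry_function(crm_client, project_id)
        return ANCESTRY_CACHE[project_id]
    return helper


@ancestry_retriever
def get_project_ancestry(crm_client, project_id):
    """Parse a getAncestry-style response into an ordered list of (type, id) tuples,
    Project first and Organization (when there is one) last."""
    chain = [(a["resourceId"]["type"], a["resourceId"]["id"])
             for a in crm_client.get_project_ancestry(project_id)["ancestor"]]
    if not chain or chain[0] != ("project", project_id):
        raise ValueError("unexpected ancestry for %s: %r" % (project_id, chain))
    return chain


def get_project_ancestries(crm_client, project_id_list):
    """Ancestry chains for every project ID, in input order."""
    return [get_project_ancestry(crm_client, pid) for pid in project_id_list]


def collect_for_users(visible_projects_by_user):
    """Build the ancestries_by_user dict for several users with a fresh cache and
    report the total number of getAncestry calls made."""
    ANCESTRY_CACHE.clear()
    ancestries_by_user, calls = {}, 0
    for user_email, project_ids in visible_projects_by_user.items():
        client = FakeCrmClient(user_email)
        ancestries_by_user[user_email] = get_project_ancestries(client, project_ids)
        calls += client.calls
    return ancestries_by_user, calls


if __name__ == "__main__":
    # Constructed input: two users, one shared project (addresses are invented).
    result, calls = collect_for_users({
        "alice@example.com": ["prod-api"],
        "bob@example.com": ["prod-api", "rogue-sandbox"],
    })
    print(calls, "API calls for", sum(len(v) for v in result.values()), "ancestry lookups")
```

The cache here is a plain dict, which is enough for a single-threaded run; a scanner that fans the retrieval out across threads per user would need to guard it with a lock or use a thread-safe structure.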