This quickstart describes how to get started with Forseti Scanner. Forseti Scanner uses a JSON or YAML rules definition file to audit your Google Cloud Platform (GCP) resources, such as organizations or projects. After running the audit, Forseti Scanner outputs rule violations to Cloud SQL and optionally writes it to a bucket in Google Cloud Storage.

Forseti Scanner is different from the Cloud Security Scanner, which does App Engine vulnerability scanning. Learn more about Cloud Security Scanner.


Forseti Scanner can run multiple scanners at a time. To configure which scanners to run, see Configuring Forseti: Configuring Scanner.

Running Forseti Scanner

To run Forseti Scanner, follow the process below:

  1. Activate any virtualenv you’re using for your Forseti installation, if applicable (e.g. if you’re running in a dev environment).

  2. Run the inventory data import first, to make sure the data for scanning is available and up-to-date.

  3. Run the scanners:

  $ forseti_scanner --forseti_config <path to forseti_conf.yaml>

If you’re developing a new feature or bug fix, you can run Forseti Scanner using ./ By doing so, you won’t have to set the PYTHONPATH or other commandline flags manually.

What’s next