Web Security Scanner identifies security vulnerabilities in web applications on Google Cloud through automated OWASP testing.
What is Web Security Scanner?
Web Security Scanner is Google’s integrated tool for detecting security vulnerabilities in web applications. The scanner crawls your application like an attacker: it follows links, fills out forms, and tests for known vulnerabilities like XSS, SQL Injection, and insecure configurations.
The scanner is part of Security Command Center and automatically detects web applications on App Engine, GKE, and Compute Engine. Managed scans run regularly without manual configuration. Discovered vulnerabilities appear as findings in the Security Command Center dashboard.
For specific requirements, you can configure custom scans. These allow scanning authenticated areas, specific URL paths, or applications outside automatic detection.
Common Use Cases
Continuous Security Testing
A SaaS provider enables managed scans for all production applications. The scanner runs weekly and automatically reports new vulnerabilities in Security Command Center. The security team receives alerts for critical findings.
Pre-Release Security Checks
A development team integrates custom scans into the CI/CD pipeline. Before each production deployment, the staging environment is scanned. The build fails if critical vulnerabilities are found.
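One way to implement the build gate described above, as an added example that is not code from innFactory or Google. It assumes the pipeline has already exported the staging scan's Security Command Center findings as JSON, as a list of objects whose `finding` record carries `category`, `severity`, `state`, `mute` and `externalUri`. The sample records, the `staging.example.test` host, and the choice to fail closed on a missing severity or unreadable export are assumptions of this example.

```python
import json
import sys

# Security Command Center severity names, lowest to highest.
RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample export: one object per finding, wrapped in "finding".
SAMPLE = json.dumps([
    {"finding": {"category": "XSS", "severity": "HIGH", "state": "ACTIVE",
                 "externalUri": "https://staging.example.test/search"}},
    {"finding": {"category": "SQL_INJECTION", "severity": "CRITICAL", "state": "ACTIVE",
                 "externalUri": "https://staging.example.test/login"}},
    {"finding": {"category": "SQL_INJECTION", "severity": "CRITICAL", "state": "INACTIVE",
                 "externalUri": "https://staging.example.test/old"}},
    {"finding": {"category": "MIXED_CONTENT", "severity": "MEDIUM", "state": "ACTIVE",
                 "mute": "MUTED", "externalUri": "https://staging.example.test/"}},
    {"finding": {"category": "OUTDATED_LIBRARY", "state": "ACTIVE",
                 "externalUri": "https://staging.example.test/js"}},
])


def blocking_findings(raw_json, threshold="CRITICAL"):
    """Return (severity, category, uri) for findings that must fail the build."""
    floor = RANK[threshold]
    blocking = []
    for item in json.loads(raw_json):
        f = item.get("finding", item)  # accept wrapped or flat records
        if f.get("state") != "ACTIVE" or f.get("mute") == "MUTED":
            continue  # already fixed, or explicitly accepted by the team
        severity = f.get("severity", "SEVERITY_UNSPECIFIED")
        # Unknown or missing severity blocks: the gate fails closed.
        if RANK.get(severity, floor) >= floor:
            blocking.append((severity, f.get("category"), f.get("externalUri")))
    # Unrated findings sort first so they get triaged, then highest severity.
    return sorted(blocking, key=lambda b: -RANK.get(b[0], 5))


def gate(raw_json, threshold="CRITICAL"):
    """Exit code for the pipeline step: 0 pass, 1 findings, 2 unreadable input."""
    try:
        found = blocking_findings(raw_json, threshold)
    except (ValueError, AttributeError, TypeError):
        return 2  # an export that cannot be parsed must not pass the gate
    for severity, category, uri in found:
        print(f"BLOCKING {severity} {category} {uri}", file=sys.stderr)
    return 1 if found else 0


if __name__ == "__main__":
    sys.exit(gate(SAMPLE if sys.stdin.isatty() else sys.stdin.read()))
```

In a pipeline step, pipe the findings export into the script and let its non-zero exit code stop the deployment.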
Compliance Documentation
A financial services company must demonstrate regular security testing. Web Security Scanner reports serve as evidence for audits. Automatic scans fulfill compliance requirements without manual effort.
Authenticated Application Scans
An e-commerce platform also scans the admin area. Custom scans with stored credentials test login-protected functions. This uncovers vulnerabilities that anonymous scans cannot find.
Third-Party Applications on GCP
A company runs WordPress on Compute Engine. Web Security Scanner finds outdated plugins with known vulnerabilities. The IT team receives prioritized updates based on severity.
Integration with innFactory
As a Google Cloud Partner, innFactory supports you in integrating Web Security Scanner into your DevSecOps processes: from configuration through pipeline integration to findings management.
Available Tiers & Options
Managed Scans
- Automatic detection
- No configuration needed
- Part of Security Command Center
- Only GCP resources
Custom Scans
- Manual scan configuration
- Specific URLs
- Authenticated scans
- Requires manual setup
Frequently Asked Questions
What is Web Security Scanner?
Web Security Scanner is an automated tool for detecting security vulnerabilities in web applications. It crawls your application like an attacker and tests for OWASP Top 10 vulnerabilities like XSS, SQL Injection, and more.
What vulnerabilities does Web Security Scanner detect?
The scanner detects XSS (Cross-Site Scripting), SQL Injection, mixed content, outdated libraries, cleartext passwords, insecure JavaScript libraries, and other OWASP Top 10 vulnerabilities.
How does Web Security Scanner differ from Cloud Armor?
Web Security Scanner finds vulnerabilities in your application. Cloud Armor protects against attacks through WAF rules. The scanner is for development and testing; Cloud Armor is for runtime protection.
How much does Web Security Scanner cost?
Web Security Scanner is part of Security Command Center. In the Standard Tier, managed scans are free. Custom scans and advanced features require Security Command Center Premium.
Can I scan authenticated areas?
Yes, you can configure credentials so the scanner also tests protected areas of your application. Credentials are securely stored in Secret Manager.
