deploying-on-gcp
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- **Category 2 - Data Exposure & Exfiltration (SAFE):** No sensitive data or hardcoded credentials were found. Examples use industry-standard placeholders (e.g., project-id, example.com) or reference Terraform resource attributes (e.g., google_iap_client.default.secret).
- **Category 4 - Unverifiable Dependencies & Remote Code Execution (SAFE):** The ML service examples reference trusted Google-managed container images (gcr.io/cloud-aiplatform) and standard Python libraries (pandas, scikit-learn). There are no attempts to download or execute code from untrusted sources.
- **Category 5 - Privilege Escalation (SAFE):** The IAM reference documentation (security-iam.md) correctly demonstrates the principle of least privilege, specifically showing how to grant limited roles like 'roles/storage.objectViewer' and 'roles/secretmanager.secretAccessor' to service accounts.
- **Category 8 - Indirect Prompt Injection (SAFE):** While the AI service references include capabilities to process external data (OCR, Sentiment Analysis), these are provided as documentation for the underlying cloud services. The snippets do not suggest unsafe interpolation of untrusted data into an agent's own control logic.
- Security Enhancements Detected: The networking and security references explicitly demonstrate how to implement security controls, including Cloud Armor (WAF) for SQLi/XSS protection, Customer-Managed Encryption Keys (KMS), and VPC Service Controls.
Audit Metadata