Google Cloud Sprinternship | Break Through Tech, Summer 2025
Jasmine Tu, Ena Macahiya, Izabella Doser, Vaishnavi Panchal, Anusri Nagarajan, Aman Shrestha
Strawberry ScanCake (SSC) employs a microservice architecture and is a multi-agent AI system designed to streamline security analysis for Technical Account Managers (TAMs). Developed to answer Google Cloud Platform product queries and identify project vulnerabilities, SSC leverages LLMs and the Google Agent Development Kit (ADK) to improve the output readability and simplify the execution of a refactored version of the legacy CloudSploit security repository. This automates the manual work of deciphering long, convoluted reports, allowing TAMs to focus on customer needs and ask more detailed follow-up questions about specific vulnerabilities (e.g., severity, ease of fix, and steps to fix) in a specific GCP project.
$ git clone https://github.com/jasminetntu/multiagent-security-gcp.git
$ git clone https://github.com/amanshresthaatgoogle/cloudsploit.git
$ cd cloudsploit
$ npm install
pip show google-adk
If not, then install Google ADK:
pip install google-adk
cd ../multiagent-security-gcp/gcp_scanner
adk web
Strawberry ScanCake consists of two primary components:
-
Agentic AI System (
gcp_scanner/)- Built with Google’s Agent Development Kit (ADK).
- Hosts a web interface (
adk web) for testing and interacting with the system. - Responds to user queries (e.g., “scan my project for compute vulnerabilities”)
- Sends HTTP POST requests to the deployed Cloud Function with appropriate product and credentials.
- Processes the vulnerability response and converts it into a natural language explanation.
-
Refactored CloudSploit Scanner
- Hosted as a Google Cloud Function.
main.jsexports a function namedcloudsploitScanneras the entry point.- Accepts a POST request containing:
- A
serviceAccountobject with the GCP credentials - A
settingsobject with aproductkey (e.g., Compute)
- A
- Scans only the specified GCP product (e.g., Compute, IAM, etc.).
- Filters out all "OK" results and returns a clean JSON of only detected vulnerabilities.
This deployment allows CloudSploit to run independently in the cloud and respond to HTTP scan requests, which is necessary for this multiagent system. To see deployment steps, please visit the README file in the Refactored Cloudsploit Repository.
- Once deployed, the Cloud Function can be called from any client. In our case, we use the agents as the calling tool.
- This is designed to be modular, allowing for both agent side and cloudsploit side to be maintained, edited, and scaled as needed. Components are also replaceable (plugins, output filters, product mapping, etc.)
- Can be redeployed or modified as needs evolve.
- Cloud Function can be shut down to reduce costs post-internship and redeployed on demand.
This project is built on a refactored version of CloudSploit by Aqua Security, but has been adapted specifically for Google Cloud and multi-agent systems.