feat: Support Chokepoint and external exposure in findings Proto

Google APIs · copybara-github · commit 5f6048b0222d · 2026-03-16T16:18:25.000-07:00
PiperOrigin-RevId: 884685891
diff --git a/google/cloud/securitycenter/v1/BUILD.bazel b/google/cloud/securitycenter/v1/BUILD.bazel
@@ -31,6 +31,7 @@ proto_library(
         "attack_path.proto",
         "backup_disaster_recovery.proto",
         "bigquery_export.proto",
+        "chokepoint.proto",
         "cloud_armor.proto",
         "cloud_dlp_data_profile.proto",
         "cloud_dlp_inspection.proto",
@@ -44,6 +45,7 @@ proto_library(
         "event_threat_detection_custom_module.proto",
         "event_threat_detection_custom_module_validation_errors.proto",
         "exfiltration.proto",
+        "external_exposure.proto",
         "external_system.proto",
         "file.proto",
         "finding.proto",
@@ -82,6 +84,7 @@ proto_library(
         "//google/api:annotations_proto",
         "//google/api:client_proto",
         "//google/api:field_behavior_proto",
+        "//google/api:field_info_proto",
         "//google/api:resource_proto",
         "//google/iam/v1:iam_policy_proto",
         "//google/iam/v1:policy_proto",
@@ -405,6 +408,7 @@ load(
 
 csharp_proto_library(
     name = "securitycenter_csharp_proto",
+    extra_opts = [],
     deps = [":securitycenter_proto"],
 )
 
diff --git a/google/cloud/securitycenter/v1/chokepoint.proto b/google/cloud/securitycenter/v1/chokepoint.proto
@@ -0,0 +1,35 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "cloud.google.com/go/securitycenter/apiv1/securitycenterpb;securitycenterpb";
+option java_multiple_files = true;
+option java_outer_classname = "ChokepointProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Contains details about a chokepoint, which is a resource or resource group
+// where high-risk attack paths converge, based on [attack path simulations]
+// (https://cloud.google.com/security-command-center/docs/attack-exposure-learn#attack_path_simulations).
+message Chokepoint {
+  // List of resource names of findings associated with this chokepoint.
+  // For example, organizations/123/sources/456/findings/789.
+  // This list will have at most 100 findings.
+  repeated string related_findings = 1;
+}
diff --git a/google/cloud/securitycenter/v1/cloud_dlp_data_profile.proto b/google/cloud/securitycenter/v1/cloud_dlp_data_profile.proto
@@ -1,4 +1,4 @@
-// Copyright 2025 Google LLC
+// Copyright 2026 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -54,4 +54,60 @@ message CloudDlpDataProfile {
 
   // The resource hierarchy level at which the data profile was generated.
   ParentType parent_type = 2;
+
+  // Type of information detected by SDP.
+  // Info type includes name, version and sensitivity of the detected
+  // information type.
+  repeated InfoType info_types = 3;
+}
+
+// Type of information detected by the API.
+message InfoType {
+  // Name of the information type. Either a name of your choosing when
+  // creating a CustomInfoType, or one of the names listed
+  // at
+  // https://cloud.google.com/sensitive-data-protection/docs/infotypes-reference
+  // when specifying a built-in type.  When sending Cloud DLP results to Data
+  // Catalog, infoType names should conform to the pattern
+  // `[A-Za-z0-9$_-]{1,64}`.
+  string name = 1;
+
+  // Optional version name for this InfoType.
+  string version = 2;
+
+  // Optional custom sensitivity for this InfoType.
+  // This only applies to data profiling.
+  SensitivityScore sensitivity_score = 3;
+}
+
+// Score is calculated from of all elements in the data profile.
+// A higher level means the data is more sensitive.
+message SensitivityScore {
+  // Various sensitivity score levels for resources.
+  enum SensitivityScoreLevel {
+    // Unused.
+    SENSITIVITY_SCORE_LEVEL_UNSPECIFIED = 0;
+
+    // No sensitive information detected. The resource isn't publicly
+    // accessible.
+    SENSITIVITY_LOW = 10;
+
+    // Unable to determine sensitivity.
+    SENSITIVITY_UNKNOWN = 12;
+
+    // Medium risk. Contains personally identifiable information (PII),
+    // potentially sensitive data, or fields with free-text data that are at a
+    // higher risk of having intermittent sensitive data. Consider limiting
+    // access.
+    SENSITIVITY_MODERATE = 20;
+
+    // High risk. Sensitive personally identifiable information (SPII) can be
+    // present. Exfiltration of data can lead to user data loss.
+    // Re-identification of users might be possible. Consider limiting usage and
+    // or removing SPII.
+    SENSITIVITY_HIGH = 30;
+  }
+
+  // The sensitivity score applied to the resource.
+  SensitivityScoreLevel score = 1;
 }
diff --git a/google/cloud/securitycenter/v1/external_exposure.proto b/google/cloud/securitycenter/v1/external_exposure.proto
@@ -0,0 +1,75 @@
+// Copyright 2026 Google LLC
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+package google.cloud.securitycenter.v1;
+
+import "google/api/field_info.proto";
+
+option csharp_namespace = "Google.Cloud.SecurityCenter.V1";
+option go_package = "cloud.google.com/go/securitycenter/apiv1/securitycenterpb;securitycenterpb";
+option java_multiple_files = true;
+option java_outer_classname = "ExternalExposureProto";
+option java_package = "com.google.cloud.securitycenter.v1";
+option php_namespace = "Google\\Cloud\\SecurityCenter\\V1";
+option ruby_package = "Google::Cloud::SecurityCenter::V1";
+
+// Details about the externally exposed resource associated with the finding.
+message ExternalExposure {
+  // Private IP address of the exposed endpoint.
+  string private_ip_address = 1 [(google.api.field_info).format = IPV4_OR_IPV6];
+
+  // Port number associated with private IP address.
+  string private_port = 2;
+
+  // The name and version of the service, for example, "Jupyter
+  // Notebook 6.14.0".
+  string exposed_service = 3;
+
+  // Public IP address of the exposed endpoint.
+  string public_ip_address = 4 [(google.api.field_info).format = IPV4_OR_IPV6];
+
+  // Public port number of the exposed endpoint.
+  string public_port = 5;
+
+  // The resource which is running the exposed service, for example,
+  // "//compute.googleapis.com/projects/{project-id}/zones/{zone}/instances/{instance}.”
+  string exposed_endpoint = 6;
+
+  // The full resource name of the load balancer firewall policy, for example,
+  // "//compute.googleapis.com/projects/{project-id}/global/firewallPolicies/{policy-name}".
+  string load_balancer_firewall_policy = 7;
+
+  // The full resource name of the firewall policy of the exposed service, for
+  // example,
+  // "//compute.googleapis.com/projects/{project-id}/global/firewallPolicies/{policy-name}".
+  string service_firewall_policy = 8;
+
+  // The full resource name of the forwarding rule, for example,
+  // "//compute.googleapis.com/projects/{project-id}/global/forwardingRules/{forwarding-rule-name}".
+  string forwarding_rule = 9;
+
+  // The full resource name of load balancer backend service, for example,
+  // "//compute.googleapis.com/projects/{project-id}/global/backendServices/{name}".
+  string backend_service = 10;
+
+  // The full resource name of the instance group, for example,
+  // "//compute.googleapis.com/projects/{project-id}/global/instanceGroups/{name}".
+  string instance_group = 11;
+
+  // The full resource name of the network endpoint group, for example,
+  // "//compute.googleapis.com/projects/{project-id}/global/networkEndpointGroups/{name}".
+  string network_endpoint_group = 12;
+}
diff --git a/google/cloud/securitycenter/v1/finding.proto b/google/cloud/securitycenter/v1/finding.proto
@@ -1,4 +1,4 @@
-// Copyright 2025 Google LLC
+// Copyright 2026 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -22,6 +22,7 @@ import "google/cloud/securitycenter/v1/access.proto";
 import "google/cloud/securitycenter/v1/application.proto";
 import "google/cloud/securitycenter/v1/attack_exposure.proto";
 import "google/cloud/securitycenter/v1/backup_disaster_recovery.proto";
+import "google/cloud/securitycenter/v1/chokepoint.proto";
 import "google/cloud/securitycenter/v1/cloud_armor.proto";
 import "google/cloud/securitycenter/v1/cloud_dlp_data_profile.proto";
 import "google/cloud/securitycenter/v1/cloud_dlp_inspection.proto";
@@ -31,6 +32,7 @@ import "google/cloud/securitycenter/v1/contact_details.proto";
 import "google/cloud/securitycenter/v1/container.proto";
 import "google/cloud/securitycenter/v1/database.proto";
 import "google/cloud/securitycenter/v1/exfiltration.proto";
+import "google/cloud/securitycenter/v1/external_exposure.proto";
 import "google/cloud/securitycenter/v1/external_system.proto";
 import "google/cloud/securitycenter/v1/file.proto";
 import "google/cloud/securitycenter/v1/group_membership.proto";
@@ -194,6 +196,18 @@ message Finding {
     // independently. A group of such issues is referred to as a toxic
     // combination.
     TOXIC_COMBINATION = 7;
+
+    // Describes a potential security risk to data assets that contain sensitive
+    // data.
+    SENSITIVE_DATA_RISK = 8;
+
+    // Describes a resource or resource group where high risk attack paths
+    // converge, based on attack path simulations (APS).
+    CHOKEPOINT = 9;
+
+    // Describes a potential security risk due to the resource being exposed to
+    // the internet.
+    EXTERNAL_EXPOSURE = 10;
   }
 
   // Mute information about the finding, including whether the finding has a
@@ -459,4 +473,13 @@ message Finding {
   // a collection of findings that are related in some way.
   // This field cannot be updated. Its value is ignored in all update requests.
   repeated GroupMembership group_memberships = 65;
+
+  // Contains details about a chokepoint, which is a resource or resource group
+  // where high-risk attack paths converge, based on [attack path simulations]
+  // (https://cloud.google.com/security-command-center/docs/attack-exposure-learn#attack_path_simulations).
+  // This field cannot be updated. Its value is ignored in all update requests.
+  Chokepoint chokepoint = 77;
+
+  // External exposure associated with the finding.
+  ExternalExposure external_exposure = 84;
 }
diff --git a/google/cloud/securitycenter/v1/group_membership.proto b/google/cloud/securitycenter/v1/group_membership.proto
@@ -1,4 +1,4 @@
-// Copyright 2025 Google LLC
+// Copyright 2026 Google LLC
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -34,6 +34,9 @@ message GroupMembership {
 
     // Group represents a toxic combination.
     GROUP_TYPE_TOXIC_COMBINATION = 1;
+
+    // Group represents a chokepoint.
+    GROUP_TYPE_CHOKEPOINT = 3;
   }
 
   // Type of group.
