Initial commit

Author: mark-adams

.dockerignore

@@ -0,0 +1 @@
+Dockerfile

.github/workflows/lint.yml

@@ -0,0 +1,41 @@
+name: Linting
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+  lint-code:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-go@v5
+      with:
+        go-version: '^1.24'
+
+    - name: Lint
+      uses: golangci/golangci-lint-action@v7
+      with:
+        version: v2.0.2
+
+  lint-terraform:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: opentofu/setup-opentofu@v1
+      with:
+        tofu_version: 1.9
+
+    - name: Format
+      run: tofu fmt -check
+      working-directory: ./terraform
+      
+    - name: Init
+      run: tofu init
+      working-directory: ./terraform
+
+    - name: Validate
+      run: tofu validate
+      working-directory: ./terraform

.github/workflows/release.yml

@@ -0,0 +1,52 @@
+name: Releasing
+
+on:
+  push:
+    tags:
+      - '*'
+
+permissions:
+  contents: write
+  id-token: write
+  attestations: write
+
+jobs:
+  goreleaser:
+    runs-on: ubuntu-latest
+    steps:
+      -
+        name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      -
+        name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '^1.24'
+
+      -
+        name: Set up cosign
+        uses: sigstore/cosign-installer@v3.8.1
+      
+      - 
+        name: Set up homebrew deploy key
+        shell: bash
+        env:
+          HOMEBREW_GH_DEPLOY_KEY: ${{ secrets.HOMEBREW_GH_DEPLOY_KEY }}
+        run: |
+          echo $HOMEBREW_GH_DEPLOY_KEY | base64 -d > /tmp/HOMEBREW_GH_DEPLOY_KEY
+          chmod 700 /tmp/HOMEBREW_GH_DEPLOY_KEY
+  
+      -
+        name: Run GoReleaser
+        uses: goreleaser/goreleaser-action@v6
+        with:
+          distribution: goreleaser
+          version: '~> v2'
+          args: release --clean
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: "dist/*.tar.gz,dist/*.zip"

.github/workflows/test.yml

@@ -0,0 +1,22 @@
+name: Tests
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+  run-tests:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-go@v5
+      with:
+        go-version: '^1.24'
+
+    - name: Build
+      run: go build -v github.com/mark-adams/gcp-ip-list/cmd/gcp-ip-list
+
+    - name: Test
+      run: go test -v ./...

.gitignore

@@ -0,0 +1,4 @@
+terraform/.terraform*
+terraform/*.tfstate*
+.vscode# Added by goreleaser init:
+dist/

.goreleaser.yaml

@@ -0,0 +1,70 @@
+version: 2
+
+before:
+  hooks:
+    # You may remove this if you don't use go modules.
+    - go mod tidy
+    # you may remove this if you don't need go generate
+    - go generate ./...
+
+builds:
+  - main: ./cmd/gcp-ip-list
+    ldflags:
+      - "-X main.version={{.Version}}"
+    env:
+      - CGO_ENABLED=0
+    goos:
+      - linux
+      - windows
+      - darwin
+
+archives:
+  - formats: [tar.gz]
+    # this name template makes the OS and Arch compatible with the results of `uname`.
+    name_template: >-
+      {{ .ProjectName }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}
+    # use zip for windows archives
+    format_overrides:
+      - goos: windows
+        formats: [zip]
+
+changelog:
+  sort: asc
+  filters:
+    exclude:
+      - "^docs:"
+      - "^test:"
+      - "^chore:"
+      - "^ci:"
+
+binary_signs:
+  - cmd: cosign
+    # copied from archives.name_template above
+    signature: >-
+      {{ .ProjectName }}_
+      {{- title .Os }}_
+      {{- if eq .Arch "amd64" }}x86_64
+      {{- else if eq .Arch "386" }}i386
+      {{- else }}{{ .Arch }}{{ end }}
+      {{- if .Arm }}v{{ .Arm }}{{ end }}.cosign.bundle'
+    args:
+      - "sign-blob"
+      - "--bundle=${signature}"
+      - "${artifact}"
+      - "--yes" # needed on cosign 2.0.0+
+
+brews:
+  -
+    repository:
+      owner: mark-adams
+      name: homebrew-gcp-ip-list
+      branch: main
+
+      git:
+        url: 'ssh://git@github.com/mark-adams/homebrew-gcp-ip-list.git'
+        private_key: '/tmp/HOMEBREW_GH_DEPLOY_KEY'

CONTRIBUTING.md

@@ -0,0 +1,12 @@
+Contributions are welcome! Before submitting a PR, please [file an issue](https://github.com/mark-adams/gcp-ip-list/issues) if one does not already exist to discuss your ideas! This can help avoid wasted effort and speed up the review process quite a bit!
+
+Once you've got your change ready, you can [submit a pull request](https://github.com/mark-adams/gcp-ip-list/compare). Please make sure your change has all of the following:
+- A good description of the change
+- Includes tests covering the new feature or fixed logic
+
+This project tries to follow [conventional commits](https://www.conventionalcommits.org/en/v1.0.0/) so please make sure your commit messages contain the proper prefixes. Some common examples are listed below.
+
+- `feat:` for a new feature or new functionality
+- `fix:` for bugfixes
+- `docs:` for changes to the documentation
+- `ci:` for changes to the build process

Dockerfile

@@ -0,0 +1,13 @@
+FROM golang:1.24 as builder
+
+WORKDIR $GOPATH/src/github.com/mark-adams/gcp-ip-list
+COPY . .
+
+RUN go get -v ./...
+RUN GOOS=linux CGO_ENABLED=0 go build -o /go/bin/gcp-ip-list github.com/mark-adams/gcp-ip-list/cmd/gcp-ip-list
+
+FROM cgr.dev/chainguard/static
+
+COPY --from=builder /go/bin/gcp-ip-list /bin/gcp-ip-list
+
+ENTRYPOINT ["/bin/gcp-ip-list"]

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Mark Adams
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,135 @@
+# GCP IP List
+
+[![godoc](http://img.shields.io/badge/godoc-reference-blue.svg?style=flat)](https://godoc.org/github.com/mark-adams/gcp-ip-list) [![license](http://img.shields.io/badge/license-MIT-red.svg?style=flat)](https://raw.githubusercontent.com/mark-adams/gcp-ip-list/main/LICENSE) [![Build Status](https://github.com/mark-adams/gcp-ip-list/actions/workflows/test.yml/badge.svg)](https://github.com/mark-adams/gcp-ip-list/actions/workflows/test.yml) 
+
+
+`gcp-ip-list` is a CLI tool (and library) written in Go to simplify the process of retrieving IP addresses from infrastructure hosted on Google Cloud Platform (GCP).
+
+Most enumeration tooling today uses the normal CRUD REST APIs provided by Google to retrieve GCP assets and their IP address information. This is less than ideal because it typically involves interacting with several different Google APIs and puts additional load on the very same APIs that are used as the control plane for GCP customers. In addition, it is quite slow especially if you have a large number of projects.
+
+This tool takes a different approach and queries information about assets from Google's [Cloud Asset Inventory API](https://cloud.google.com/asset-inventory/docs/overview) instead. This allows us to use a single API to pull down all the data about assets that could potentially have public IP addresses assigned to them which allows us to download data for organizations of any size much more efficiently.
+
+# Installation
+
+<table>
+    <tr>
+        <td>Homebrew (macOS or Linux)</td>
+        <td>
+            <code>brew tap mark-adams/gcp-ip-list && brew install gcp-ip-list</code>
+        </td>
+    </tr>
+</table>
+
+Pre-built binaries are also avalable from the [Releases page](https://github.com/mark-adams/gcp-ip-list/releases)
+
+If your system has a [supported version of Go](https://go.dev/dl/), you can build from source.
+
+```
+go install github.com/mark-adams/gcp-ip-list/cmd/gcp-ip-list@latest
+```
+
+# Running the tool
+
+Since this tool uses the [Google Cloud Client Libraries for Go](https://github.com/googleapis/google-cloud-go), the application will authenticate with Google using [Application Default Credentials](https://cloud.google.com/docs/authentication/application-default-credentials).
+
+## Usage
+```
+$ gcp-ip-list -h       
+Usage of gcp-ip-list:
+  -format string
+        The output format (csv, json, table, list) (default "table")
+  -private
+        Include private IPs only
+  -public
+        Include public IPs only
+  -scope string
+        The scope (organization, folder, or project) to search (i.e. projects/abc-123 or organizations/123456)
+  -version
+        Display the current version
+```
+
+### Use as a library
+Core functionality of the CLI is exposed via Go APIs as well in the `github.com/mark-adams/gcp-ip-list/pkg/go` package via the `GetAllAddressesFromAssetInventory()` and `GetAddressesFromAssetInventory()` functions in case you want to incoporate this functionality into your own application.
+
+## Examples
+
+### Table output
+```
+$ gcp-ip-list --scope=projects/sample-project -public
++----------------+--------------+---------------------------------------+-------------------------------------------------------------------------------------------------------------------------+
+|    ADDRESS     | ADDRESS TYPE |             RESOURCE TYPE             |                                                      RESOURCE NAME                                                      |
++----------------+--------------+---------------------------------------+-------------------------------------------------------------------------------------------------------------------------+
+| 35.244.150.176 | public       | compute.googleapis.com/ForwardingRule | //compute.googleapis.com/projects/sample-project/global/forwardingRules/ip-list-test-forwarding-rule-external        |
+| 34.54.75.78    | public       | compute.googleapis.com/ForwardingRule | //compute.googleapis.com/projects/sample-project/global/forwardingRules/ip-list-test-forwarding-rule-external-static |
+| 34.83.163.216  | public       | compute.googleapis.com/Instance       | //compute.googleapis.com/projects/sample-project/zones/us-west1-a/instances/ip-list-test-vm                          |
+| 34.105.8.244   | public       | compute.googleapis.com/Router         | //compute.googleapis.com/projects/sample-project/regions/us-west1/routers/ip-list-test-router                        |
+| 34.19.43.198   | public       | container.googleapis.com/Cluster      | //container.googleapis.com/projects/sample-project/locations/us-west1/clusters/ip-list-test-cluster                  |
+| 34.127.47.18   | public       | sqladmin.googleapis.com/Instance      | //cloudsql.googleapis.com/projects/sample-project/instances/ip-list-test-db                                          |
++----------------+--------------+---------------------------------------+-------------------------------------------------------------------------------------------------------------------------+
+```
+
+### List output
+
+```
+$ gcp-ip-list --scope=projects/sample-project -public -format=list
+35.244.150.176
+34.54.75.78
+34.83.163.216
+34.105.8.244
+34.19.43.198
+34.127.47.18
+```
+
+This mode is handy for piping to your favorite port scanning tool like `nmap` or `naabu`:
+```
+gcp-ip-list --scope=projects/sample-project -public -format=list | nmap -iL -
+```
+
+### CSV & JSON output
+
+You can get the same output as the default table format but in CSV or JSON as well:
+
+```
+gcp-ip-list --scope=projects/sample-project -public -format=csv
+```
+
+```
+gcp-ip-list --scope=projects/sample-project -public -format=json
+```
+
+# Contributing
+See our [Contribution guidelines](CONTRIBUTING.md)
+
+## Terraform resources
+The `terraform` directory contains sample resources that are handy when doing local development on `gcp-ip-list`.
+If you add support for a new resource type, please add the appropriate Terraform resources in the same PR.
+
+# Releases
+New releases can be found on the [Releases](page).
+
+## Verifying signatures
+Binaries built by this project are signed using Sigstore.
+
+To verify the signature for a given binary, you can use [cosign](https://github.com/sigstore/cosign):
+
+```
+$ cosign verify-blob gcp-ip-list_Darwin_x86_64/gcp-ip-list \                                                 
+       --bundle gcp-ip-list_Darwin_x86_64.cosign.bundle \
+       --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
+       --certificate-identity=https://github.com/mark-adams/gcp-ip-list/.github/workflows/release.yml@refs/tags/<version>
+Verified OK
+```
+
+# Troubleshooting
+
+## Could not find default credentials
+
+```
+error getting public addresses: error setting up client: credentials: could not find default credentials. See https://cloud.google.com/docs/authentication/external/set-up-adc for more information
+```
+
+This means that you're likely running the tool locally from your workstation without having application default credentials set up. You can follow the link in the message or run `gcloud auth application-default login` to authenticate with GCP and obtain the proper credentials.
+
+## Cloud Asset API has not been used in project X before
+
+This tool depends on the Cloud Asset Inventory API being enabled. Luckily, the error message points you in the right direction. Look for "Enable it by visiting https://..." in the error message and visit that page to enable the API.