Ghost-hunter/ Docs

Google Cloud (GCP)

BigQuery billing exports + gcloud read-only commands.

GCP is the original Ghost-hunter target. Investigations work against the FOCUS-1.0-aligned BigQuery billing export.

Export billing data

If you don't already have a BigQuery billing export configured:

  1. Console → Billing → Billing export → BigQuery export.
  2. Create a dataset (typically billing_export).
  3. Wait 24h for the first row to land.

For paranoid mode, dump a slice to CSV:

EXPORT DATA OPTIONS(
  uri='gs://your-bucket/ghosthunter/billing-*.csv',
  format='CSV',
  overwrite=true,
  header=true
) AS
SELECT *
FROM `your-project.billing_export.gcp_billing_export_v1_0123`
WHERE DATE(usage_start_time) BETWEEN '2026-04-01' AND '2026-04-29';

Then download and run:

ghosthunter investigate --csv billing-000000000000.csv --provider gcp

Active mode

# ~/.ghosthunter/config.toml
[provider.gcp]
project_id = "my-sandbox"
billing_export_table = "my-billing.gcp_billing_export_v1_0123"

gcloud auth application-default login
ghosthunter investigate --active --provider gcp

Allowlisted commands

The GCP allowlist covers gcloud compute, gcloud run, gcloud sql, gcloud storage, gcloud logging, and read-only bq query patterns. Full spec at docs/internal/gcp-allowlist-spec.md in the repo.

Previous
Audit mode
Next
Amazon Web Services (AWS)