Cloud Guardian Documentation
Cloud Guardian is an automated cost optimization platform for Google Cloud Platform. It scans your infrastructure, detects waste, generates Terraform PR fixes, and verifies savings — a closed-loop scan → detect → fix → verify cycle.
What Cloud Guardian Does
- Scans Cloud Run, Compute Engine, Cloud SQL, Secret Manager, and Artifact Registry
- Detects cost violations using configurable checks and CEL-based guardian rules
- Fixes issues via direct GCP API calls or Terraform pull requests
- Verifies savings by re-scanning after remediation
Quick Links
| Guide | Description |
|-------|-------------|
| Quick Start | Connect your first GCP project in 5 minutes |
| GCP Setup | Service account creation and IAM roles |
| Architecture | System design and component overview |
| API Explorer | Interactive API reference |
| MCP Integration | Claude Code integration via MCP tools |
Supported Resource Types
| Resource | Checks | Cost Estimation |
|----------|--------|----------------|
| Cloud Run | cpu_idle, min_instances, preview cleanup | Per-service with metrics |
| Compute Engine | Idle instances, GPU unused, overprovisioned | Machine type pricing |
| Cloud SQL | No HA, overprovisioned, excessive storage | Tier + storage pricing |
| Secret Manager | Excessive versions | Per-version pricing |
| Artifact Registry | Excessive versions, large repos, stale images | Storage pricing |
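As an added example (not Cloud Guardian's own code), the Cloud Run row of this table as a small Go check engine: the three named checks plus one guardian rule, with the saving estimated from the service's instance shape. Every type name, threshold, price and the sample service are this example's assumptions, and a Go closure stands in for the CEL expression a real guardian rule would carry.

```go
package main

import "fmt"

// CloudRunService is a constructed view of one Cloud Run service plus the
// metrics a scanner would pull from Cloud Monitoring; the field names are this
// example's own, not Cloud Guardian's data model.
type CloudRunService struct {
	Name         string
	MinInstances int
	VCPU         float64
	MemoryGiB    float64
	AvgCPUPct    float64 // mean CPU utilisation over the lookback window
	IsPreview    bool    // preview deployment, e.g. for a pull request
	AgeDays      int
}

// Finding is one detected violation with its estimated monthly saving.
type Finding struct {
	Service, Check, Detail string
	SavingsUSD             float64
}

// Thresholds are the configurable knobs of the built-in checks (assumed values).
type Thresholds struct {
	IdleCPUPct        float64 // cpu_idle: warm instances below this are idle
	MaxMinInstances   int     // min_instances: anything above this is flagged
	MaxPreviewAgeDays int     // preview cleanup: previews older than this are flagged
}

// GuardianRule stands in for a CEL guardian rule: a named predicate over a service.
type GuardianRule struct {
	Name  string
	Match func(CloudRunService) bool
}

// Placeholder prices per always-allocated vCPU-hour and GiB-hour, not current list prices.
const (
	vcpuHourUSD   = 0.0648
	gibHourUSD    = 0.0072
	hoursPerMonth = 730
)

// instanceMonthlyUSD is what one always-allocated instance of s costs per month.
func instanceMonthlyUSD(s CloudRunService) float64 {
	return (s.VCPU*vcpuHourUSD + s.MemoryGiB*gibHourUSD) * hoursPerMonth
}

// evaluate runs the built-in checks and the guardian rules on one service; a
// rule match carries no saving because a bare predicate has no cost model.
func evaluate(s CloudRunService, th Thresholds, rules []GuardianRule) []Finding {
	var out []Finding
	warm := instanceMonthlyUSD(s) * float64(s.MinInstances) // cost of the idle floor
	if s.MinInstances > 0 && s.AvgCPUPct < th.IdleCPUPct {
		out = append(out, Finding{s.Name, "cpu_idle",
			fmt.Sprintf("%.1f%% CPU with %d warm instances", s.AvgCPUPct, s.MinInstances), warm})
	}
	if extra := s.MinInstances - th.MaxMinInstances; extra > 0 {
		out = append(out, Finding{s.Name, "min_instances",
			fmt.Sprintf("min_instances=%d exceeds cap %d", s.MinInstances, th.MaxMinInstances),
			instanceMonthlyUSD(s) * float64(extra)})
	}
	if s.IsPreview && s.AgeDays > th.MaxPreviewAgeDays {
		out = append(out, Finding{s.Name, "preview_cleanup", fmt.Sprintf("preview is %d days old", s.AgeDays), warm})
	}
	for _, r := range rules {
		if r.Match(s) {
			out = append(out, Finding{s.Name, "rule:" + r.Name, "guardian rule matched", 0})
		}
	}
	return out
}

// scanProject evaluates every service. The total counts only the largest finding
// per service, so two checks over the same warm instances are not summed twice.
func scanProject(services []CloudRunService, th Thresholds, rules []GuardianRule) ([]Finding, float64) {
	var all []Finding
	best := map[string]float64{}
	for _, s := range services {
		for _, f := range evaluate(s, th, rules) {
			all = append(all, f)
			if f.SavingsUSD > best[f.Service] {
				best[f.Service] = f.SavingsUSD
			}
		}
	}
	total := 0.0
	for _, v := range best {
		total += v
	}
	return all, total
}

func main() {
	// Constructed sample: two warm instances at 3% CPU against a cap of one.
	svc := CloudRunService{Name: "api", MinInstances: 2, VCPU: 1, MemoryGiB: 0.5, AvgCPUPct: 3}
	findings, total := scanProject([]CloudRunService{svc}, Thresholds{10, 1, 7}, nil)
	fmt.Printf("%+v\ntotal $%.2f/mo\n", findings, total)
}
```

The part worth copying is the aggregation rather than the checks themselves: cpu_idle and min_instances can both point at the same warm instances, so a naive sum over all findings overstates what remediation will recover. Counting only the largest finding per service keeps the reported saving honest against the verify step that follows.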
How Scanning Works
- Build targets — Merge statically configured projects with the projects of connected connectors
- Resolve credentials — Decrypt stored service account keys via KMS
- Parallel scan — Scan up to 5 projects concurrently (configurable)
- Evaluate checks — Run built-in checks + CEL guardian rules
- Record snapshots — Persist cost data for trend analysis
- Generate alerts — Evaluate cost alert rules per org
- Auto-remediate — Plan and execute fixes for configured scopes
- Verify savings — Re-scan affected resources after remediation
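The credential step is where the long-lived secrets are handled, so here is an added example (not Cloud Guardian's own code) of the envelope pattern behind "decrypt stored service account keys via KMS": a per-record data-encryption key (DEK) seals the key JSON, a key-encryption key (KEK) wraps the DEK, and the scan-time path unwraps, uses and wipes the plaintext inside one function. The KEK here is an in-memory AES-256 key standing in for KMS so the code runs offline; the record layout, function names and sample key are this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// storedKey is one connector's service-account key at rest: the key JSON sealed
// under a per-record DEK, and that DEK wrapped by the KEK. Cloud Guardian's KEK
// lives in KMS; this example assumes an in-memory AES-256 key in its place.
type storedKey struct {
	Project    string
	WrappedDEK []byte // DEK sealed under the KEK, nonce prepended
	Ciphertext []byte // key JSON sealed under the DEK, nonce prepended
}

// gcm builds an AES-GCM AEAD; a bad key length is a programming error here.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// seal encrypts plaintext under key and prepends the random nonce.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; the GCM tag check rejects a wrong key or a tampered blob.
func open(key, blob []byte) ([]byte, error) {
	g := gcm(key)
	n := g.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, blob[:n], blob[n:], nil)
}

// zero wipes key material once it is no longer needed (best effort in Go).
func zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// storeKey is the ingest path: a fresh DEK per record, the key JSON sealed
// under it, the DEK sealed under the KEK, and only ciphertext kept.
func storeKey(kek []byte, project string, keyJSON []byte) storedKey {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		panic(err)
	}
	defer zero(dek)
	return storedKey{Project: project, WrappedDEK: seal(kek, dek), Ciphertext: seal(dek, keyJSON)}
}

// resolveCredentials is the scan-time path: unwrap the DEK, decrypt the key
// JSON, take what the scanner needs, and wipe the plaintext before returning.
func resolveCredentials(kek []byte, rec storedKey) (string, error) {
	dek, err := open(kek, rec.WrappedDEK)
	if err != nil {
		return "", fmt.Errorf("unwrap DEK for %s: %w", rec.Project, err)
	}
	defer zero(dek)
	keyJSON, err := open(dek, rec.Ciphertext)
	if err != nil {
		return "", fmt.Errorf("decrypt key for %s: %w", rec.Project, err)
	}
	defer zero(keyJSON)
	var sa struct {
		ClientEmail string `json:"client_email"`
	}
	if err := json.Unmarshal(keyJSON, &sa); err != nil || sa.ClientEmail == "" {
		return "", fmt.Errorf("key for %s is not a service-account key", rec.Project)
	}
	// A real scanner would build its GCP client from keyJSON here, before the wipe.
	return sa.ClientEmail, nil
}

func main() {
	kek := []byte("demo-only-kek-replace-with-kms!!") // 32 bytes; stand-in for the KMS key
	rec := storeKey(kek, "proj-a", []byte(`{"type":"service_account","client_email":"guardian@proj-a.iam.gserviceaccount.com","private_key":"FAKE"}`))
	fmt.Println(resolveCredentials(kek, rec))
}
```

Under the parallel scan step, the resolve call belongs inside the per-project worker rather than ahead of the fan-out: then no more keys than the configured concurrency (five by default) are ever in plaintext at once, and none outlives its own scan. The envelope also makes KEK rotation cheap, since only the small wrapped DEKs need re-wrapping, not every stored key blob.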