snoka-cli
v1.4.0
Published
Snoka — noses through your Google Workspace and finds security exposures. Keyless scanning, security score, CIS-mapped audit reports.
Maintainers
Readme
Snoka 🐭
Find what your Google Workspace is exposing. Snoka noses through every user, file, group and admin setting in your tenant, scores its security posture, and produces an audit-ready, CIS-mapped report — from a terminal on your machine, with nothing installed in the tenant and no key files to guard.
Why Snoka
- Keyless. No service-account JSON key is ever created — the classic leak-a-credential-to-audit-credentials problem doesn't exist here. You sign in with your Google account; Snoka mints short-lived tokens through domain-wide delegation. Works under Secure-by-Default org policy.
- There is no Snoka cloud. Scans run on your computer against Google's own APIs. Findings, reports and history are written to your disk and emailed by your own admin account. Nothing ever reaches us — there is no backend to breach.
- Audit-ready evidence. Every report carries a severity-weighted security score (0–100, A–F), findings cite CIS Google Workspace Foundations Benchmark controls, and an appendix documents methodology, accepted risks and every remediation action. PDF for people, CSV and JSON for machines.
Quick start
npm install -g snoka-cli
snokaOn first run a setup wizard in the terminal takes it from there: it asks
for your super-admin email, domain(s) and service account, writes
snoka.config.json for you, opens the browser once to sign you in, and ends
with a pre-filled Admin console link for the one step Google makes you do
yourself (authorizing domain-wide delegation — one click). It then offers to
verify every API and scope with one cheap probe each; re-run that any time
with snoka doctor.
One-time Google Cloud prerequisites (a project, a keyless service account, an
OAuth desktop client) are listed below — about
ten minutes, and repeat machines skip straight to npm install.
Scanning and triage are free. Reports, email delivery, scheduling and
remediation are Pro — after checkout your license
key arrives by email: snoka license activate <key>.
The ten checks
| Check | What it flags | CIS |
| --- | --- | --- |
| drive-shares | Files visible to anyone with the link, or shared to external people, groups and domains — across every user's Drive | 4.2–4.4 |
| shared-drives | External members and organizers on shared drives; files opened to anyone by link or public search | 4.2–4.4 |
| account-hygiene | Admins without 2-step verification, unenrolled users, stale and suspended accounts | 1.1, 1.2 |
| third-party-apps | OAuth grants holding full Gmail, full Drive or admin scopes, rated by reach — plus app passwords that skip 2SV | 2.1, 2.3 |
| mail-forwarding | Auto-forwards, forwarding filters and mailbox delegates pointing outside the organization | 5.1, 5.17 |
| group-exposure | External members and owners; groups anyone on the internet can join, read or post to | — |
| admin-policy | Tenant-wide settings left risky: 2SV enforcement, password rules, session length, sharing defaults, POP/IMAP and more | 1.1–5.17 |
| sign-in-activity | What Google itself flagged in the last 30 days: suspicious sign-ins, leaked-password and hijack suspensions, failed-sign-in bursts | — |
| admin-audit | Access-expanding actions from the last 90 days: new super admins, admin-role grants, new domain-wide delegation, 2SV rollbacks | — |
| email-auth | Missing or weak SPF, DKIM and DMARC records that let outsiders send mail as your domain | — |
Found in one pass, deduplicated, and tracked scan-over-scan. Run everything
with snoka all, one check with snoka <id>, or pick from the menu.
The report
- Security score, 0–100 with a grade — severity-weighted, so one critical exposure outweighs ten trivia; accepted risks are excluded.
- CIS benchmark mapping — findings cite controls; the appendix lists every assessed control as CLEAR or OPEN.
- Trends — each scan is remembered (
.snoka-state/history/), so reports show New / Resolved since last scan. - Audit appendix — methodology per check, the accepted-risk register, and the remediation action log; each report is self-contained evidence with a report ID and tool version.
Reports land in reports/ — a summary PDF, a CSV per check, and a JSON.
Running several checks together produces one combined Workspace Security
Report.
Email & scheduled scans
Under Options (menu or snoka options):
- Email reports — sends the finished PDF from your admin account via the
Gmail API (adds the
gmail.sendscope, pre-filled link provided). Choose every scan or only when there are new findings. - Scheduled scans — runs
snoka all --emaildaily or weekly unattended. On Windows, Snoka creates the Task Scheduler entry for you; on macOS/Linux it prints the exact cron line to add. If a scheduled run fails (most commonly an expired Google sign-in — email can't reach you then either, since it rides on the same credential), Snoka warns you the next time you open it and offers to repair the sign-in on the spot.
Review & revoke (opt-in remediation)
Every scan feeds a local findings database, so triage doesn't mean digging through report files:
snoka review— bulk-first triage: pick a slice (all / severity / check / external domain), then queue for revoke or accept as known risk (writes the allowlist for you). Acting on "everything shared to @gmail.com" is one action, not a thousand ticks.snoka revoke— executes the queue: re-verifies each exposure live, shows the plan, asks for confirmation, then removes the access — Drive file permissions, external group members, risky OAuth app grants, and external mail forwarding/delegation. Every action is logged.
Snoka is read-only by default. revoke refuses to run until you enable
remediation mode under Options, which hands you a pre-filled Admin console
link adding the required write scopes — and disabling it offers the reverse
link that shrinks the grant back.
Changes are reversible (with one honest exception). Each revoke records an
undo payload, and Options → Revert Snoka's changes (or snoka revert)
restores it all — re-shares the files, re-adds the members and delegates,
re-enables the forwarding — with the same gates: opt-in, confirmed, logged.
The exception: a revoked OAuth app grant can only be restored by the user
re-authorizing the app — Snoka says so before you confirm. Re-added forwarding
addresses trigger Gmail's verification email again.
Accepted risks
Accepted findings live in snoka.allowlist.json — the review screen writes it
for you (or copy a finding's _sig from the JSON report, see
snoka.allowlist.example.json). They're hidden from reports and counted
separately — never as "resolved".
Where your data lives
A global install keeps snoka.config.json, snoka.allowlist.json,
.snoka-state/ and reports/ in a per-user directory
(%LOCALAPPDATA%\snoka on Windows, ~/.config/snoka elsewhere), so upgrading
the package never touches your config, sign-in or license. A repo clone keeps
everything at the repo root. Set SNOKA_HOME to override either.
One-time Google Cloud setup
All of it lives in your GCP project and persists forever — repeat machines skip straight to Quick start.
A GCP project → enable APIs: Admin SDK, Google Drive, Gmail, Groups Settings, IAM Service Account Credentials, and IAM (the last one lets the wizard look up the service account's Unique ID and pre-fill the domain-wide-delegation link for you).
A service account (e.g.
snoka-scanner) — no key. Its email is what the wizard asks for.An OAuth client ID of type Desktop app (APIs & Services → Credentials → Create credentials → OAuth client ID). The wizard asks for its client ID and secret — this is what lets Snoka sign you in from the browser with no gcloud install.
Grant your super-admin account the Service Account Token Creator role on the service account.
After the wizard: Admin console → Security → API controls → Domain-wide delegation → add the service account's Unique ID with the scopes the wizard prints:
https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/drive.metadata.readonly, https://www.googleapis.com/auth/drive.readonly, https://www.googleapis.com/auth/admin.directory.user.security, https://www.googleapis.com/auth/gmail.settings.basic, https://www.googleapis.com/auth/admin.directory.group.readonly, https://www.googleapis.com/auth/apps.groups.settings, https://www.googleapis.com/auth/cloud-identity.policies.readonly, https://www.googleapis.com/auth/admin.directory.orgunit.readonly, https://www.googleapis.com/auth/admin.reports.audit.readonly(A check whose scope you skipped is skipped with a message telling you which scope to add — the others still run.)
After you click Authorize, the wizard offers to verify every API and scope with one cheap probe each and tells you exactly what's missing and where to fix it. Re-run the verification any time with
snoka doctor— fresh grants can take a few minutes to propagate.
Prefer gcloud? The wizard also offers "gcloud ADC" as the sign-in method — if you already use
gcloud auth application-default login, pick that and skip the OAuth client entirely. Env vars (SNOKA_SA,SNOKA_ADMIN,SNOKA_DOMAINS,SNOKA_CONCURRENCY,SNOKA_OAUTH_CLIENT_ID,SNOKA_OAUTH_CLIENT_SECRET) override the config file for CI use.snoka.config.jsonand the cached sign-in token are git-ignored.
Requirements & pricing
Any machine with Node 18+ (Windows, macOS or Linux), a super-admin account, and any Workspace edition with API access — Business Starter and up.
| | Free | Pro €19/mo | MSP €99/mo | | --- | --- | --- | --- | | All ten checks, score, triage & review queue | ✓ | ✓ | ✓ | | Audit-ready PDF, CSV and JSON reports | | ✓ | ✓ | | CIS benchmark mapping & appendix | | ✓ | ✓ | | Email delivery & scheduled scans | | ✓ | ✓ | | Remediation with one-command revert | | ✓ | ✓ | | Domains covered | 1 | 1 | 10 |
14-day free trial on paid plans, prices ex-VAT, cancel any time — snoka.app.
Where this is going
The endgame is zero GCP setup: Snoka as a Google Workspace Marketplace app — an admin clicks Install, approves one consent screen, and that single action grants the delegation. No project, no service account, no manual scopes. The CLI's in-terminal OAuth sign-in is the first step down this road; the hosted edition replaces the remaining setup entirely.
Google Workspace is a trademark of Google LLC. Snoka is not affiliated with or endorsed by Google. · Terms · Privacy · [email protected]
