Google's Gemini CLI GitHub Action offers flexible deployment with native Google Cloud observability, but application-level telemetry leaves critical security gaps. A real-world analysis using Harden-Runner on a simple code review task revealed 51 HTTPS events across 9 destinations, including dynamic downloads from npm, nodejs.org, GitHub releases, and container registries. The post argues that Gemini's built-in observability covers API usage and performance but misses runtime-level activity like process spawning, file system changes, and the full network call chain. The recommended approach combines Gemini's native features (Workload Identity Federation, Google Cloud audit logs) with runtime monitoring via Harden-Runner for complete CI/CD security visibility.
Table of contents
Gemini's Hybrid Approach: Flexibility with ObservabilityConfiguration Flexibility: Powerful but Not ComprehensiveThe Observability Illusion: Metrics Without Security ContextReal-World Example: Unveiling Gemini's Runtime BehaviorKey Security ObservationsThe Complete Security Picture: Combining Native and Runtime ControlsConclusion: Bridging the Gap Between Observability and SecuritySort: