Skip to main content

Scaling Collective Defense: Introducing GitHub Support for Google SecOps Parsers

  • July 13, 2026
  • 0 replies
  • 16 views

idanpatelsky
Staff
Forum|alt.badge.img+1

Author:

Idan Patelsky, GCP Cloud Security Steward

 

The Challenge

Historically, managing parsers in Google Security Operations was a highly centralized and manual process. All parser development and maintenance was handled by an internal Google team, and sharing custom or partner-created parsers required direct, manual file sharing with individual customers. This closed parser ecosystem limited the community's ability to collaborate on data ingestion content.
 

The Solution

To eliminate these barriers, we are excited to announce the launch of SecOps GitHub Support for Parsers. We are expanding our open-source content to log ingestion as well. By hosting partner-created and community-contributed parsers in our public Google SecOps Content Hub repository on GitHub, we are transitioning to a collaborative, transparent, and scalable model.

This launch introduces several core capabilities:

  • Centralized Parser Catalog: A public, version-controlled repository containing partner-created and community-contributed parsers.

  • Partner Empowerment: Certified partners (vendors, service providers) now have dedicated directories to directly upload, update, and maintain their product parsers, significantly reducing release cycles.

  • Community Contributions: Customers, security practitioners, and community members can submit parser enhancements, bug fixes, or entirely new parsers via standard GitHub Pull Requests (PRs).

  • Automated Quality Vetting: Every contribution triggers an automated CI/CD pipeline that runs extensive syntax checks, directory compliance, and unit tests.

We have already uploaded 240 parsers to the SecOps GitHub Parsers folder, and this number is constantly increasing with new content contributions
 

Reviewing the parser folder content in the community parsers GitHub repository

 

How does it work?

There are two main workflows: parser contribution and parser deployment

Workflow A: How to Contribute or Enhance a GitHub Parser

Initial setup is simple and requires signing a Contributor License Agreement (CLA) and setting your SecOps tenant as explained here.

If you are creating a new parser, set-up your folder based on the parser convention as explained here.   

Follow these steps to create and validate your Pull Request.
 

Example of the validation tests process when contributing parsers content

 

Workflow B: How to Deploy a Community Parser

Once you’ve located the required parser, Open the ‘metadata.json’ file to confirm supported log formats, references, and the associated Google SecOps Log Type identifier, and verify this parser meets your requirements.

Then, follow these steps to deploy the parser in your SecOps tenant.
 

Wrapping up

SecOps is a team sport, and log normalization is the gatekeeper. Transitioning to a community-driven model on GitHub enables the collective security community to scale ingestion capabilities, roll out parser bug fixes rapidly, and keep pace with a changing threat landscape.

We invite you to explore the repository, deploy community parsers to expand your coverage, and submit your first parser contribution today!