Cyscale
Back to controls

Ensure Google Cloud Functions use a supported runtime

Google Cloud Functions runtimes follow a lifecycle with general availability, deprecation, and decommissioning phases. Deprecated runtimes lose runtime support, and decommissioned runtimes can block creation or updates and may eventually stop running.

Category

Controls

Medium

Applies to

Google Cloud

Coverage

1 queries

Asset types

1 covered

Overview

Google Cloud Functions runtimes follow a lifecycle with general availability, deprecation, and decommissioning phases. Deprecated runtimes lose runtime support, and decommissioned runtimes can block creation or updates and may eventually stop running.

Upgrade functions before runtime decommissioning so security fixes, base image updates, and platform support remain available.

Remediation guidance

Remediation

Upgrade the function to a currently supported runtime. Rebuild dependencies, test triggers, and redeploy with the same operational settings used by the existing function.

gcloud CLI

Replace {{manual.targetRuntime}} with the approved supported runtime, such as nodejs22, python313, go125, java21, ruby34, php84, or dotnet8 where applicable. Keep the trigger, ingress, service account, environment, and generation flags from the current deployment.

gcloud functions deploy {{asset.name}} \
  --region {{asset.region}} \
  --runtime {{manual.targetRuntime}}

Validate the deployed runtime:

gcloud functions describe {{asset.name}} \
  --region {{asset.region}} \
  --format='value(runtime)'

Rollout guidance

  1. Test the runtime change in a non-production project or with a duplicate function and the same trigger type.
  2. Rebuild native dependencies and confirm Functions Framework compatibility.
  3. Update Terraform, deployment manifests, or CI/CD templates so the old runtime cannot be redeployed.
  4. Prioritize functions with public HTTP endpoints, privileged service accounts, or sensitive data paths.

References

  • https://docs.cloud.google.com/functions/docs/runtime-support
  • https://docs.cloud.google.com/run/docs/runtimes/function-runtimes

Query logic

These are the stored checks tied to this control.

Google Cloud Functions using deprecated or decommissioned runtimes

Connectors

Google Cloud

Covered asset types

Function

Expected check: eq []

{
  functions(
    where: {
      cloudProvider: { eq: "gcp" }
      runtime_IN: [
        "nodejs18"
        "nodejs16"
        "nodejs14"
        "nodejs12"
        "nodejs10"
        "nodejs8"
        "nodejs6"
        "python39"
        "python38"
        "python37"
        "go123"
        "go122"
        "go121"
        "go120"
        "go119"
        "go118"
        "go116"
        "go113"
        "go111"
        "java11"
        "ruby32"
        "ruby30"
        "ruby27"
        "ruby26"
        "php81"
        "php74"
        "dotnet6"
        "dotnet3"
      ]
    }
  ) {
    ...AssetFragment
  }
}
Cyscale Logo
Cyscale is an agentless cloud-native application protection platform (CNAPP) that automates the contextual analysis of cloud misconfigurations, vulnerabilities, access, and data, to provide an accurate and actionable assessment of risk.

Stay connected

Receive new blog posts and product updates from Cyscale

By clicking Subscribe, I agree to Cyscale’s Privacy Policy

© 2026 Cyscale Limited

© 2026 Cyscale Limited

Terms of useSecurity PolicyPrivacy PolicyStatusSitemap
Terms of useSecurity PolicyPrivacy Policy
StatusSitemap
LinkedIn icon
Twitter icon
Facebook icon
crunch base icon
angel icon