ExhibitWhat Snoka does snoka.app · runs on your machine · nothing installed in the tenant
01 · Scan

Ten checks, one pass

  • drive-sharesfiles open to links & outsiders
  • shared-drivesexternal members, public files
  • account-hygieneadmins without 2SV, stale users
  • third-party-appsover-permissioned OAuth grants
  • mail-forwardingmail quietly leaving the org
  • group-exposureexternal owners, open groups
  • admin-policyrisky tenant defaults
  • sign-in-activitysuspicious logins, hijack flags
  • admin-auditaccess-expanding admin changes
  • email-authSPF · DKIM · DMARC gaps

deduplicated · tracked scan-over-scan

02 · Score & report

Evidence, not a log file

  • Security score 0–100 with an A–F grade, severity-weighted
  • Findings mapped to the CIS Workspace benchmark — CLEAR / OPEN appendix
  • New vs. resolved since the last scan
  • PDF for people · CSV and JSON for machines
  • Methodology + audit appendix in every report
03 · Triage

Decide in bulk, once

  • Local findings database feeds a review queue
  • Slice by severity, check, or external domain
  • Queue for revoke — or accept as a known risk
  • Accepted risks are counted separately, never as “resolved”
Snoka logo

Snoka

Google Workspace security scanner

$ snoka all

no key files · no agent · no SaaS

04 · Remediate

Fix it — reversibly

  • Revokes external file shares, group members, OAuth grants and mail forwarding
  • Re-verifies live, asks for confirmation, logs every action
  • One-command revert restores what was removed
  • Off by default — write access is a separate, explicit opt-in

exception, stated up front: a revoked OAuth grant needs the user to re-authorize

05 · Automate

Runs while you don’t

  • Scheduled scans, daily or weekly
  • Report emailed by your own admin account via Gmail
  • “Only when there are new findings” mode
  • Failed runs are remembered — Snoka warns and offers repair next launch
06 · Trust model

There is no Snoka cloud

  • Keyless: no service-account key file is ever created
  • Short-lived tokens via domain-wide delegation
  • Read-only scopes by default; doctor proves what access exists
  • Findings, reports and history stay on your disk
Fig. 04 — the capability map free scan · score · triage  ·  pro report · automate · remediate