Integrate Google Artifact Registry

Transition from Google Container Registry (GCR) to Google Artifact Registry (GAR)

Google Artifact Registry (GAR) is the evolution of Google Container Registry (GCR). As a fully managed service with support for both container images and non-container artifacts, GAR extends the capabilities of GCR.

For details on how to transition from GCR to GAR within Google Cloud Platform, see Transitioning from Container Registry.

Artifact Registry Support

GAR integrations support:

  • Auto polling - polling occurs every 15 minutes.
  • On-demand scans via the API.

Prerequisite

Before you configure Lacework, create a Google service account. For details, see Service accounts.

  1. Log in to the Lacework Console with an account with admin permissions.
  2. Navigate to Settings > Integrations > Container registries.
  3. Click + Add New.
  4. Click Google Artifact Registry (GAR).
  5. Click Next.
  6. Follow the steps in the next section.

Integrate with GAR

Info: GAR integrations can be done at the organization, folder, project, or repository level. Each integration supports only one region.

To integrate GAR with Lacework, follow these steps:

  1. Configure the registry and complete any optional settings.
  2. Click Save. The integration status displays Integration Successful only after its first assessment completes.
  3. Verify that assessments have started by viewing the table in Vulnerabilities > Containers.

After an image is assessed, Lacework reports its results in the table. Select Last 24 hours above the table to view the assessment results.

Configure Registry

The settings and what each one means:

Name
Specify a unique name for the container registry in the Lacework Console.

Upload GCP Credentials
Upload a JSON-formatted Service Account Key to use for the integration; this auto-populates the Private Key ID, Client Email, and Private Key fields.

Client ID
Specify the Client ID of the service account that has been granted access to the organization, folder, or project that contains the registry (or registries). The roles to grant depend on the level at which you integrate:

  • Organization level: assign the roles/artifactregistry.reader and roles/storage.objectViewer roles to the service account for the organization that contains the registries.
  • Folder level: assign the roles/artifactregistry.reader and roles/storage.objectViewer roles to the service account for the folder that contains the registries.
  • Project level: assign the roles/artifactregistry.reader and roles/storage.objectViewer roles to the service account for the project that contains the registry (or registries).
  • Repository level: assign the roles/artifactregistry.reader role to the service account for the repository that resides within the registry. Also assign the roles/storage.objectViewer role to the service account for the project where the repository is located.

Private Key ID
Specify the private key ID of the private key used to authenticate the service account specified in the Client ID setting.

Client Email
Specify the client email associated with the service account specified in the Client ID setting.

Private Key
Specify the private key used to authenticate the service account specified in the Client ID setting.

IMPORTANT: You cannot copy the private key directly from the JSON editor, because the newline characters inside the key are not copied correctly. Copy the raw key with the "jq" utility instead:
1) To print the private key as raw text, run the following command, where YourFileName.json is the file downloaded when you created the GCP service account:
   cat YourFileName.json | jq -r '.private_key'
2) Copy all text in the output, including the BEGIN and END lines.

Registry Domain
From the drop-down, select one of the supported GCP regions. For details, see Repository and Image Names.

IMPORTANT: Do not prefix the URL with https://.
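As an added example (not part of the Lacework documentation), the following Python script does the same extraction as the jq command above and checks a pasted key for the newline problem described in the IMPORTANT note; the sample key file, its field values and the placeholder key body are all constructed.

```python
import base64
import json
import re

# Constructed sample shaped like a downloaded GCP service-account key file.
# The key body is a placeholder DER stub, not usable key material.
SAMPLE_KEY_FILE = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMAMCAQA=\n-----END PRIVATE KEY-----\n",
    "client_email": "lacework-gar@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
})


def lacework_fields(key_file_json: str) -> dict:
    """Extract the four values the Lacework GAR form asks for.

    json.loads decodes the JSON escapes, so the private key comes out with real
    newlines, exactly as `jq -r '.private_key'` prints it.
    """
    data = json.loads(key_file_json)
    return {name: data[name] for name in
            ("client_id", "client_email", "private_key_id", "private_key")}


def private_key_problems(pem: str) -> list:
    """Return reasons a pasted key would fail; an empty list means it looks sane."""
    problems = []
    if "\\n" in pem:  # the two characters backslash and n, as shown in a JSON editor
        problems.append("contains literal \\n sequences: copied from the editor, not from jq -r output")
    lines = [ln for ln in pem.splitlines() if ln.strip()]
    if not lines or not re.fullmatch(r"-----BEGIN [A-Z ]*PRIVATE KEY-----", lines[0]):
        problems.append("missing BEGIN line")
    if not lines or not re.fullmatch(r"-----END [A-Z ]*PRIVATE KEY-----", lines[-1]):
        problems.append("missing END line")
    if problems:
        return problems  # envelope is broken; decoding the body would be meaningless
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:
        return ["body between BEGIN and END is not valid base64"]
    if not der.startswith(b"\x30"):  # a PKCS#8 key is a DER SEQUENCE
        problems.append("body does not decode to a DER structure")
    return problems
```

Run it against the real downloaded file (for example with `open("YourFileName.json").read()` in place of the sample) to confirm the four values before pasting them into the form.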

Optional Settings

The optional settings and what each one means:

Limit Image Tags
If you do not want to assess all images in this registry, specify text from an image tag so that only images whose tag contains that text are assessed. To change which images are assessed, update this field; the change takes effect during the next polling period. You can enter multiple tags. If you specify both tag and label limits, they are combined with AND.

Single wildcards are also supported and can be used to match multiple image tags (for example: abc* or *xyz).

Limit Image Labels
If you do not want to assess all images in this registry, specify key:value pairs so that only images with matching label key:value pairs are assessed. To change which images are assessed, update this field; the change takes effect during the next polling period. Supported field input: key:value. If you specify both tag and label limits, they are combined with AND.

Limit Repositories
If you do not want to discover and assess all repositories in this registry, specify a comma-separated list of repositories to discover and assess (no spaces recommended). To change which repositories are assessed, update this field; the change takes effect during the next polling period.

NOTE: Do not include the registry in the repository name(s).

Images per Repo
Select the maximum number of newest container images to discover and assess per repository.

Non-OS Package Support
This feature is enabled by default. Select No if you want to disable scanning of language libraries.

Integrate with Google Artifact Registry Using Terraform

The following example creates a new least-privilege service account with access to the Google Artifact Registry of the project configured for the google provider, and integrates it with Lacework.

terraform {
  required_providers {
    lacework = {
      source = "lacework/lacework"
    }
  }
}

# Both providers read their credentials and project from the environment.
provider "lacework" {}

provider "google" {}

module "lacework_gar" {
  source  = "lacework/gar/gcp"
  version = "~> 0.1"
}

For more information about the Lacework Google Artifact Registry module, see the lacework gar module on the Terraform Registry.

See also the lacework_integration_gar resource in the Terraform Registry for additional context.