Google Artifact Registry
13 min
edition enterprise and open source you can scan google artifact registery (gar) using our docker integration the recommended setup is to run the enterprise scanner on a gcp host with an attached iam role for gar access keeping docker login and the scan on the same host is the simplest, most reliable configuration important note gcp access tokens expire after about 60 minutes for long scanperiod intervals, use docker keychain authentication or refresh the token before it expires via a cron job image references gar images use this format location docker pkg dev/project id/repository/image\ tag example us central1 docker pkg dev/my project/my repo/api server\ v1 2 0 walkthrough 1\ create the scanner in the dashboard and download the config yml to your host 2\ create a gcp service account and attach the pre defined policy artifactregistry reader 3\ authenticate to gar gcloud auth configure docker \<your region> docker pkg dev 4\ confirm you have the correct docker container repo address us central1 docker pkg dev/my project/my repo/api server\ v1 2 0 example gcloud auth configure docker us central1 docker pkg dev note this stores the credential in / docker/config json of the user who ran it (e g /root/ docker/config json or /home/ec2 user/ docker/config json), base64 encoded 5\ add the docker source to config yml configuration the docker integration is configured via a local configuration file web configuration in trufflehog is not available for this source local configuration local configuration supports four authentication methods unauthenticated — for public images that don't require authentication docker keychain — uses credentials from your local docker login (gcloud auth configure docker) basic authentication — uses oauth2accesstoken as the username and a gcp access token as the password bearer token — uses a gcp oauth access token images can be specified with or without a tag if no tag is provided, latest is assumed unauthenticated use this for public images that don't require registry authentication sources \ connection "@type" type googleapis com/sources docker images \ us docker pkg dev/public project/public repo/public image\ latest unauthenticated {} name google artifact registry scanperiod 12h type source type docker verify true docker keychain use this when you've already authenticated to artifact registry locally configure the gcloud credential helper, then trufflehog reads credentials from your docker keychain gcloud auth login gcloud auth configure docker us central1 docker pkg dev,us docker pkg dev sources \ connection "@type" type googleapis com/sources docker dockerkeychain true images \ us central1 docker pkg dev/my project/my repo/api server\ latest \ us central1 docker pkg dev/my project/my repo/worker\ v2 1 0 name google artifact registry scanperiod 12h type source type docker verify true basic authentication use this for registries where you supply username and password credentials for gar, the username is always oauth2accesstoken and the password is a gcp access token generate a token gcloud auth print access token sources \ connection "@type" type googleapis com/sources docker basicauth username oauth2accesstoken password ya29 xxxxxxxxxxxxxxxxxxxxxxxx images \ us central1 docker pkg dev/my project/my repo/api server\ latest name google artifact registry scanperiod 12h type source type docker verify true bearer token use this for registries that accept bearer tokens pass a gcp oauth access token from gcloud auth print access token sources \ connection "@type" type googleapis com/sources docker bearertoken ya29 xxxxxxxxxxxxxxxxxxxxxxxx images \ us central1 docker pkg dev/my project/my repo/api server\ latest name google artifact registry scanperiod 12h type source type docker verify true note gcp access tokens expire after about 60 minutes for long scanperiod intervals, use docker keychain authentication or refresh the token before it expires via a cron job configuration options field type required description images list yes explicit list of gar images to scan images without a tag default to latest unauthenticated object conditional empty object indicating no authentication required for unauthenticated mode dockerkeychain boolean conditional use credentials from the local docker keychain required for keychain mode basicauth username string conditional registry username use oauth2accesstoken for gar basicauth password string conditional gcp oauth access token required for basic auth mode bearertoken string conditional gcp oauth access token required for bearer token mode capabilities feature supported scan archive files ✅ scan base64 encoded data ✅ scan binaries ✅ notes images must be listed explicitly in the images field image enumeration (e g , scanning all images in a project or repository) is not supported only images built for the linux/amd64 platform are scanned images built for other architectures (such as linux/arm64 or windows/amd64) are not supported gar hostnames are region specific each image reference must include the correct location docker pkg dev prefix the scanning principal needs roles/artifactregistry reader (or equivalent repository level read access) to pull images legacy google container registry (gcr io) images can also be scanned with the same configuration authenticate with gcloud auth configure docker gcr io related docker configure authentication to artifact registry for docker repository and image names