Google Artifact Registry

Integrate Sysdig Secure with Google Artifact Registry to add a layer of defense between Pipeline and Runtime.

Prerequisites

  • A Service Account created in one of your Google Cloud projects.

  • The Artifact Registry Reader role (roles/artifactregistry.reader) assigned to that Service Account.

  • A Custom Role that grants the resourcemanager.projects.get permission, also assigned to that Service Account.

    This permission allows the Service Account to list repositories on the Docker v2 _catalog endpoint. Creating the role is described below.

Install Registry Scanner

You can create the Custom Role the scanner needs either at the project level or at the organization level; the Helm installation itself is the same in both cases.

Ensure you update the Sysdig Helm chart before installation. This lets you access the latest features and fixes.

$ helm repo add sysdig https://charts.sysdig.com
$ helm repo update
$ helm upgrade --install registry-scanner sysdig/registry-scanner --version=1 \
--set config.secureBaseURL=<SYSDIG_SECURE_URL> \
--set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
--set config.registryType=gar \
--set config.registryURL=<GAR_REGISTRY_URL> \
--set config.registryPassword=<GAR_REGISTRY_PASSWORD>

  • <GAR_REGISTRY_PASSWORD>: the Service Account JSON key, base64 encoded on a single line.

    To encode the key file, use the following command. GNU base64 wraps its output at 76 columns, which corrupts the value; -w0 disables wrapping (macOS base64 never wraps and has no -w option, so pipe through tr -d '\n' there instead):

    --set config.registryPassword="$(base64 -w0 < <GAR_SA_FILE_NAME>.json)"

    The key is stored in the Helm release values, so protect the release secret as you would the key file itself, and create the key on a dedicated Service Account that holds only the Artifact Registry Reader role and the Custom Role described below.

  • <GAR_REGISTRY_URL>: Google Artifact Registry host for the region or multi-region that holds your repositories.

    For example, us-docker.pkg.dev

Create a Custom Role

Create a Custom Role with the resourcemanager.projects.get permission. This permission allows the Service Account to list repositories on the Docker v2 _catalog endpoint.

Create a Custom Role at Project Level

gcloud iam roles create sysdig.repositorylist --project=<YOUR_PROJECT_ID> \
    --title="Sysdig - Artifact Registry - List Repositories" \
    --description="Sysdig - Artifact Registry - List Repositories on dockerv2 _catalog API endpoint" \
    --permissions="resourcemanager.projects.get" --stage=GA
gcloud projects add-iam-policy-binding <YOUR_PROJECT_ID> \
  --member='serviceAccount:<SERVICE_ACCOUNT_NAME>@<YOUR_PROJECT_ID>.iam.gserviceaccount.com' \
  --role='projects/<YOUR_PROJECT_ID>/roles/sysdig.repositorylist'

Create a Custom Role at Organization Level

gcloud iam roles create sysdig.repositorylist --organization=<YOUR_ORGANIZATION_ID> \
    --title="Sysdig - Artifact Registry - List Repositories" \
    --description="Sysdig - Artifact Registry - List Repositories on dockerv2 _catalog API endpoint" \
    --permissions="resourcemanager.projects.get" --stage=GA
gcloud organizations add-iam-policy-binding <YOUR_ORGANIZATION_ID> \
  --member='serviceAccount:<SERVICE_ACCOUNT_NAME>@<YOUR_PROJECT_ID>.iam.gserviceaccount.com' \
  --role='organizations/<YOUR_ORGANIZATION_ID>/roles/sysdig.repositorylist'

Note that an organization-level role is bound with gcloud organizations add-iam-policy-binding, not gcloud projects add-iam-policy-binding; the Service Account itself still lives in a project, which is why its e-mail address carries <YOUR_PROJECT_ID>.
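The following script is an added example, not Sysdig's or Google's code, that ties the prerequisites, the Custom Role procedure (project or organization scope) and the Helm installation above into one reviewable run. It assumes a Service Account name and display name you choose, a DRY_RUN wrapper that prints each gcloud and helm command instead of executing it, and a constructed, fictitious key file for the demo; all project, organization, URL and token values are placeholders. The encode_sa_key function also refuses key files that are not Service Account keys before they reach helm.

```shell
#!/usr/bin/env bash
# Added example (not Sysdig's or Google's code). Provisions the Service Account,
# the Artifact Registry Reader grant, the sysdig.repositorylist Custom Role at
# project or organization scope, then renders the helm install from this page.
# Every ID, URL and token is a placeholder supplied by the caller.
set -eu

# DRY_RUN=1 prints each gcloud/helm command instead of running it, so the IAM
# changes can be reviewed before they are applied. Default: execute for real.
DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Validate a Service Account JSON key and print it base64-encoded on one line.
# GNU base64 wraps at 76 columns, macOS base64 does not; stripping newlines
# with tr makes the value safe for helm --set on both.
encode_sa_key() {
  key_file="$1"
  [ -r "$key_file" ] || { echo "key file not readable: $key_file" >&2; return 1; }
  grep -q '"type" *: *"service_account"' "$key_file" \
    || { echo "$key_file is not a service account key" >&2; return 1; }
  grep -q '"private_key"' "$key_file" \
    || { echo "$key_file has no private_key field" >&2; return 1; }
  base64 < "$key_file" | tr -d '\n'
}

# grant_access <project_id> <sa_name> <project|organization> [org_id]
# Creates the Service Account, grants roles/artifactregistry.reader on the
# project, then creates and binds the Custom Role at the requested scope.
grant_access() {
  project="$1"; sa="$2"; scope="$3"; org="${4:-}"
  member="serviceAccount:${sa}@${project}.iam.gserviceaccount.com"

  run gcloud iam service-accounts create "$sa" --project="$project" \
    --display-name="Sysdig Registry Scanner"
  run gcloud projects add-iam-policy-binding "$project" \
    --member="$member" --role="roles/artifactregistry.reader"

  case "$scope" in
    project)
      run gcloud iam roles create sysdig.repositorylist --project="$project" \
        --title="Sysdig - Artifact Registry - List Repositories" \
        --permissions="resourcemanager.projects.get" --stage=GA
      run gcloud projects add-iam-policy-binding "$project" \
        --member="$member" --role="projects/${project}/roles/sysdig.repositorylist"
      ;;
    organization)
      [ -n "$org" ] || { echo "organization scope needs an organization id" >&2; return 1; }
      run gcloud iam roles create sysdig.repositorylist --organization="$org" \
        --title="Sysdig - Artifact Registry - List Repositories" \
        --permissions="resourcemanager.projects.get" --stage=GA
      # Organization-level roles are bound with the organizations command.
      run gcloud organizations add-iam-policy-binding "$org" \
        --member="$member" --role="organizations/${org}/roles/sysdig.repositorylist"
      ;;
    *) echo "scope must be project or organization" >&2; return 1 ;;
  esac
}

# install_scanner <secure_url> <secure_api_token> <gar_host> <key_file>
install_scanner() {
  encoded="$(encode_sa_key "$4")"
  run helm repo add sysdig https://charts.sysdig.com
  run helm repo update
  run helm upgrade --install registry-scanner sysdig/registry-scanner --version=1 \
    --set config.secureBaseURL="$1" \
    --set config.secureAPIToken="$2" \
    --set config.registryType=gar \
    --set config.registryURL="$3" \
    --set config.registryPassword="$encoded"
}

# Stand-alone demo: `bash provision-gar-scanner.sh demo` prints the commands
# for a fictitious project using a constructed key file (no real credentials).
if [ "${1:-}" = "demo" ]; then
  demo_key="$(mktemp)"
  printf '{"type": "service_account", "project_id": "demo-project", "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIB\\n-----END PRIVATE KEY-----\\n", "client_email": "sysdig-scanner@demo-project.iam.gserviceaccount.com"}' > "$demo_key"
  DRY_RUN=1
  grant_access demo-project sysdig-scanner organization 123456789012
  install_scanner https://secure.example.com SECURE_TOKEN us-docker.pkg.dev "$demo_key"
  rm -f "$demo_key"
fi
```

Run it once with DRY_RUN=1 and review the printed IAM commands (in particular that the organization binding targets the organization, not a project), then run it again without DRY_RUN as an identity that can create Service Accounts and roles at the chosen scope.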