Google Registry

Integrate Sysdig Secure with Google Artifact Registry to add a layer of defense between Pipeline and Runtime.

Google Container Registry

Google Container Registry (GCR) is undergoing deprecation:

After May 15, 2024, Google Artifact Registry (GAR) will host images for the gcr.io domain in Google Cloud projects without previous Container Registry usage
After March 18, 2025, Container registry will be shut down.

If you are a new user, see Google Artifact Registry.

To update an existing GCR integration, see Migrate from GCR to GAR.

Prerequisites

A Service Account created within one of the projects. See Create a service account.
The role of Project Viewer assigned to the service account. For details, see Grant or revoke multiple roles using the Google Cloud console.

Install Registry Scanner

Run the Registry Scanner as follows:

$ helm repo add sysdig https://charts.sysdig.com
$ helm repo update
$ helm upgrade --install registry-scanner sysdig/registry-scanner --version=1 \
--set config.secureBaseURL=<SYSDIG_SECURE_URL> \
--set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
--set config.registryType=gcr \
--set config.registryURL=<GCR_REGISTRY_URL> \
--set-file config.registryPassword=<GCR_SERVICE_ACCOUNT_KEY>

<GCR_SERVICE_ACCOUNT_KEY>: Enter the path to an unencoded Service Account JSON access key for your Google Artifact Registry. For example, sa-3b0c7dec5ea0.json.
<GCR_REGISTRY_URL>: Enter your Google Artifact Registry URL. For example, gcr.io or us.gcr.io

Migrate from GCR to GAR

If you have an existing integrations between GCR and Sysdig Registry Scanner, follow these steps to update it:

Migrate from GCR to Google Artifact Registry (GAR) with Google’s automation migration tool.
Once you have migrated, replace the old GCR values in your configuration with the new GAR values through Helm:

--set config.registryType=gcr \
--set config.registryURL=<GCR_REGISTRY_URL> \
--set-file config.registryPassword=<GCR_SERVICE_ACCOUNT_KEY>

<GCR_SERVICE_ACCOUNT_KEY>: The path to an unencoded Service Account JSON access key.
<GCR_REGISTRY_URL>: Your Google Artifact Registry URL. For example, gcr.io.

Google Artifact Registry

Prerequisites

A Service Account within one of the projects is created.
The required role Artifact Registry Reader is assigned to that service account.

Install Registry Scanner

You can set up the Registry Scanner either at the project level or the organization level.

$ helm repo add sysdig https://charts.sysdig.com
$ helm repo update
$ helm upgrade --install registry-scanner sysdig/registry-scanner --version=1 \
--set config.secureBaseURL=<SYSDIG_SECURE_URL> \
--set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
--set config.registryType=gar \
--set config.registryURL=<GAR_REGISTRY_URL> \
--set config.registryPassword=<GAR_REGISTRY_PASSWORD>

<GAR_REGISTRY_PASSWORD>: Base64 encoded Service Account JSON access key.
To encode JSON key file to base64, use the following command: --set config.registryPassword="$(cat <GAR_SA_FILE_NAME>.json | base64)"
<GAR_REGISTRY_URL>: Google Artifact Registry URL.
For example, us-docker.pkg.dev

Create a Custom Role

If you prefer not to assign the Project Viewer role to the Service Account, you can create a custom role with restricted permissions. The Custom Role should include only the necessary permission, such as resourcemanager.projects.get. This permission allows the Service Account to list repositories on the Docker v2 _catalog endpoint.

Create a Custom Role at Project Level

gcloud iam roles create sysdig.repositorylist --project==<YOUR_PROJECT_ID> \
    --title="Sysdig - Artifact Registry - List Repositories" \
    --description="Sysdig - Artifact Registry - List Repositories on dockerv2 _catalog API endpoint" \
    --permissions="resourcemanager.projects.get" --stage=GA
gcloud projects add-iam-policy-binding <YOUR_PROJECT_ID> \
  --member='serviceAccount:my-iam-account@<YOUR_PROJECT_ID>.iam.gserviceaccount.com' \
  --role='projects/<YOUR_PROJECT_ID>/roles/sysdig.repositorylist'

Create a Custom Role at Organization Level


gcloud iam roles create sysdig.repositorylist --organization=<YOUR_ORGANIZATION_ID> \
    --title="Sysdig - Artifact Registry - List Repositories" \
    --description="Sysdig - Artifact Registry - List Repositories on dockerv2 _catalog API endpoint" \
    --permissions="resourcemanager.projects.get" --stage=GA
gcloud projects add-iam-policy-binding <YOUR_ORGANIZATION_ID> \
  --member='serviceAccount:my-iam-account@<YOUR_PROJECT_ID>.iam.gserviceaccount.com' \
  --role='organizations/<YOUR_ORGANIZATION_ID>/roles/sysdig.repositorylist'

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.