Google Artifact Registry

Integrate Sysdig Secure with Google Artifact Registry to add a layer of defense between Pipeline and Runtime.

Prerequisites

  • A Service Account has been created in one of the projects.

  • The required Artifact Registry Reader role is assigned to that service account.

  • A Custom Role with the resourcemanager.projects.get permission is created and bound to that Service Account (see Create a Custom Role below).

    This permission allows the Service Account to list repositories on the Docker v2 _catalog endpoint.

Install Registry Scanner

You can set up the Registry Scanner either at the project level or the organization level.

$ helm repo add sysdig https://charts.sysdig.com
$ helm repo update
$ helm upgrade --install registry-scanner sysdig/registry-scanner --version=1 \
--set config.secureBaseURL=<SYSDIG_SECURE_URL> \
--set config.secureAPIToken=<SYSDIG_SECURE_API_TOKEN> \
--set config.registryType=gar \
--set config.registryURL=<GAR_REGISTRY_URL> \
--set config.registryPassword=<GAR_REGISTRY_PASSWORD>
  • <GAR_REGISTRY_PASSWORD>: Base64 encoded Service Account JSON access key.

    To encode the JSON key file to base64 as a single line, use the following command. GNU base64 wraps its output at 76 characters by default, and an embedded newline would corrupt the value, so the newlines are stripped:

    --set config.registryPassword="$(base64 < <GAR_SA_FILE_NAME>.json | tr -d '\n')"

  • <GAR_REGISTRY_URL>: Google Artifact Registry URL.

    For example, us-docker.pkg.dev.

Create a Custom Role

Create a Custom Role with the resourcemanager.projects.get permission. This permission allows the Service Account to list repositories on the Docker v2 _catalog endpoint.

Create a Custom Role at Project Level

gcloud iam roles create sysdig.repositorylist --project=<YOUR_PROJECT_ID> \
    --title="Sysdig - Artifact Registry - List Repositories" \
    --description="Sysdig - Artifact Registry - List Repositories on dockerv2 _catalog API endpoint" \
    --permissions="resourcemanager.projects.get" --stage=GA
gcloud projects add-iam-policy-binding <YOUR_PROJECT_ID> \
  --member='serviceAccount:<SERVICE_ACCOUNT_NAME>@<YOUR_PROJECT_ID>.iam.gserviceaccount.com' \
  --role='projects/<YOUR_PROJECT_ID>/roles/sysdig.repositorylist'

Create a Custom Role at Organization Level


gcloud iam roles create sysdig.repositorylist --organization=<YOUR_ORGANIZATION_ID> \
    --title="Sysdig - Artifact Registry - List Repositories" \
    --description="Sysdig - Artifact Registry - List Repositories on dockerv2 _catalog API endpoint" \
    --permissions="resourcemanager.projects.get" --stage=GA
gcloud projects add-iam-policy-binding <YOUR_ORGANIZATION_ID> \
  --member='serviceAccount:<SERVICE_ACCOUNT_NAME>@<YOUR_PROJECT_ID>.iam.gserviceaccount.com' \
  --role='organizations/<YOUR_ORGANIZATION_ID>/roles/sysdig.repositorylist'
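The scanner's Service Account should hold only the two grants described above (Artifact Registry Reader plus the custom sysdig.repositorylist role) and its key must reach the Helm chart as single-line base64. The following is an added example, not Sysdig's own tooling: it audits a project IAM policy in the JSON shape `gcloud projects get-iam-policy --format=json` returns, and encodes a key file without line wrapping. The project id example-project, the account name sysdig-scanner and the key contents are constructed placeholders.

```python
import base64
import json

# Constructed placeholders; replace with your project and Service Account.
PROJECT_ID = "example-project"
SA = f"serviceAccount:sysdig-scanner@{PROJECT_ID}.iam.gserviceaccount.com"

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
# roles/editor is deliberately present to show what the audit flags.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/artifactregistry.reader",
         "members": [SA, "user:alice@example.com"]},
        {"role": f"projects/{PROJECT_ID}/roles/sysdig.repositorylist", "members": [SA]},
        {"role": "roles/editor", "members": [SA]},
    ],
    "etag": "BwXconstructed=",
    "version": 1,
}

# Constructed stand-in for a downloaded Service Account key file (not a real key).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": PROJECT_ID,
    "client_email": SA.split(":", 1)[1],
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
}).encode()


def expected_roles(project_id: str) -> set:
    """The only two grants the registry scanner needs (see the steps above)."""
    return {"roles/artifactregistry.reader",
            f"projects/{project_id}/roles/sysdig.repositorylist"}


def roles_bound_to(policy: dict, member: str) -> set:
    """Every role in the policy whose binding lists `member`."""
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def surplus_roles(policy: dict, member: str, project_id: str) -> set:
    """Roles beyond least privilege for a read-only scanner (e.g. roles/editor)."""
    return roles_bound_to(policy, member) - expected_roles(project_id)


def missing_roles(policy: dict, member: str, project_id: str) -> set:
    """Required roles the scanner account still lacks."""
    return expected_roles(project_id) - roles_bound_to(policy, member)


def encode_sa_key(key_json: bytes) -> str:
    """Single-line base64 for config.registryPassword; rejects files that are not SA keys."""
    key = json.loads(key_json)
    if key.get("type") != "service_account" or "private_key" not in key:
        raise ValueError("not a service-account key file")
    return base64.b64encode(key_json).decode("ascii")  # b64encode never wraps lines
```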