Transition from Google Container Registry (GCR) to Google Artifact Registry (GAR)
Google Artifact Registry (GAR) is the evolution of Google Container Registry (GCR). As a fully managed service with support for both container images and non-container artifacts, GAR extends the capabilities of GCR.
For details on how to transition from GCR to GAR within Google Cloud Platform, see Transitioning from Container Registry.
Artifact Registry Support
GAR integrations support:
- Auto polling - polling occurs every 15 minutes
- On-demand scans via the API
Integrate GAR with Lacework
To integrate GAR with Lacework, follow these steps:
- Log in to the Lacework Console with an account with admin permissions.
- Navigate to Settings > Integrations > Container Registries.
- Click + Create New.
- From the Registry Type drop-down, select the appropriate registry type and click Next.
- Complete the required settings and click Next.
- Complete any optional settings and click Save. The integration status displays Integration Successful only after its first assessment completes.
Verify that assessments have started by viewing the table in Vulnerabilities > Containers.
After an image is assessed, Lacework reports its results in the table. Select the Last 24 hours option above the table to view the assessment results.
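A pre-flight check for the service account key and registry domain before they are entered in the settings below, as an added example that is not part of the Lacework documentation. It decodes the key file in Python and flags the conditions the notes below warn about: a private key without real line breaks, a service account outside the GAR project, and a domain prefixed with https://. The function name, project ID, account name and region are constructed sample values.

```python
import json

# Constructed sample only: the key body is filler, not real key material.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n",
    "client_email": "lw-scanner@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
})

REQUIRED = ("private_key_id", "client_email", "client_id", "private_key")


def preflight(key_json, gar_project, registry_domain):
    """Return (fields, problems): values for the form and a list of findings."""
    key = json.loads(key_json)  # decoding turns the escaped \n into real newlines
    problems = []
    if key.get("type") != "service_account":
        problems.append("not a service account key")
    for name in REQUIRED:
        if not key.get(name):
            problems.append(f"missing field: {name}")
    pem = key.get("private_key") or ""
    if "\\n" in pem:
        problems.append("private key contains literal \\n (copied from an editor?)")
    lines = pem.strip().splitlines()
    if (len(lines) < 3 or not lines[0].startswith("-----BEGIN ")
            or not lines[-1].startswith("-----END ")):
        problems.append("private key lacks BEGIN/END lines or line breaks")
    if key.get("project_id") != gar_project:
        problems.append("service account is not in the GAR project")
    if "://" in registry_domain:
        problems.append("registry domain must not include a scheme such as https://")
    return {name: key.get(name, "") for name in REQUIRED}, problems


if __name__ == "__main__":
    fields, problems = preflight(SAMPLE_KEY_JSON, "example-project",
                                 "us-west1-docker.pkg.dev")
    print(problems or "key and domain look usable")
```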
|Registry Type||Select the registry type from the drop-down; in this case, select Google Artifact Registry (GAR).|
|Name||Specify a unique name for the container registry in the Lacework Console.|
|Upload GCP Credential||Upload a JSON-formatted Service Account Key to use for the integration. This auto-populates the Private Key ID, Client Email, and Private Key fields.|
|Client ID||Specify a Client ID for the service account that has been granted the
IMPORTANT NOTE: The Service Account must currently reside within the Project that contains the GAR repositories being integrated
|Private Key ID||Specify the Private Key ID for the private key that should be used to authenticate the service account that was specified in the Client ID setting|
|Client Email||Specify the Client email associated with the service account that was specified in the Client ID setting|
|Private Key||Specify the Private Key that should be used to authenticate the service account that was specified in the Client ID setting
IMPORTANT NOTE: Do not copy the private key directly from an editor, because the newline characters are not copied correctly. You must copy a raw version of the key using the “jq” utility as described in the next steps:
1) To view the private key raw text, enter the following command, where
2) Copy all text displayed in the output including the BEGIN and END lines.
|Registry Domain||From the drop-down, select one of the supported GCP regions. For details, see Repository and Image Names
IMPORTANT NOTE: Do not prefix the URL with https://.
|Limit Number of Images per Repo||Select the maximum number of newest container images to discover/assess per repository.|
|Scan only these repositories||If you do not want to discover/assess all repositories in this registry, specify a comma-separated list of repositories to discover/assess (without spaces recommended). To change which repositories you want to assess, update this field so the change is captured during the next polling period.|
|Scan only these image tags||If you do not want to assess all images in this registry, specify text from an image tag so that only images with matching tag text will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. You can input multiple tags. If you specify tag and label limits, they function as an AND.|
|Scan only images with these labels||If you do not want to assess all images in this registry, specify key:value pairs so that only images with matching label key:value pairs will be assessed. To change which images you want to assess, update this field so the change is captured during the next polling period. Supported field input: