
Google Registries Scanning with Container Inspection


Purpose

This document describes how to set up access to the Google Cloud Platform portal from a HIAB.

Introduction

The Google Cloud Platform portal can be configured in HIAB to discover and scan container images that reside in a Google Container Registry.

Requirements

To use the Google API, you need to ensure that the Cloud APIs are enabled.

  1. Log in to your Google Cloud account, open the left menu, and select the APIs & Services > Library entry.


    Library


  2. Enter Cloud Resource Manager API in the search bar.

    Cloud Resource Manager API


  3. Select the Cloud Resource Manager API to ensure it is enabled.

    Cloud Resource Manager API


Configuring Google Container Registry

To run Container Inspection on a Google container registry, the registry must be configured to provide access, which is later configured on the Outpost24 HIAB.

  1. Open the Google Cloud Platform console and go to IAM & Admin > Service Accounts by clicking the entry in the top-left menu.



  2. Create a service account with access to the Google Container Registry by clicking the CREATE SERVICE ACCOUNT button at the top.

    Create Service Account


  3. Fill in the settings for the service account and then click the CREATE button.

    Create


  4. Grant Container Registry access and then click the DONE button.

    Container Registry


  5. Once the service account is created, create a key as follows.

    Key


  6. Choose JSON format to generate the credentials and save them locally (they will be needed later on while configuring GCP credentials in OUTPOST24 software).

    Key Type JSON


  7. Once you have created the service account with the JSON key type, create an authentication token as described in the Google documentation here: https://cloud.google.com/container-registry/docs/advanced-authentication#token
  8. Install the gcloud client and then run the following commands, replacing:
     • <ACCOUNT> with your account name in the format [USERNAME]@[PROJECT-ID].iam.gserviceaccount.com (this is the email parameter in the JSON key file)
     • <KEY_FILE> with the JSON key file you created in the previous step

Google gcloud command to generate an access token

BASH
gcloud auth activate-service-account <ACCOUNT> --key-file=<KEY_FILE>
gcloud auth print-access-token


NB

Later on you will need to use the following parameters in OUTPOST24 software to configure Google Container Registry:

  • oauth2accesstoken as Username
  • https://eu.gcr.io as Docker Registry
  • the access token as Password
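
The two gcloud commands above wrapped in a shell helper, as an added example that is not part of the original Outpost24 document: it reads <ACCOUNT> from the key file (assumed to be the `client_email` field of a standard service account key), checks that it has the [USERNAME]@[PROJECT-ID].iam.gserviceaccount.com form, and restricts the key file's permissions before requesting the token. The function names and the sample key are constructed for illustration.

```bash
#!/bin/sh
# Added example: helper functions around the two gcloud commands.
# Function names and the sample key below are constructed for illustration.

# Print the service account e-mail from a JSON key file, after checking
# that the file is a service account key and the e-mail has the expected form.
key_account() (
    key_file=$1
    grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' "$key_file" || {
        echo "not a service account key: $key_file" >&2; return 1; }
    email=$(sed -nE 's/.*"client_email"[[:space:]]*:[[:space:]]*"([^"]+)".*/\1/p' \
        "$key_file" | head -n 1)
    # Expected shape: [USERNAME]@[PROJECT-ID].iam.gserviceaccount.com
    printf '%s\n' "$email" |
        grep -Eq '^[a-z0-9-]+@[a-z0-9.-]+\.iam\.gserviceaccount\.com$' || {
        echo "unexpected client_email: '$email'" >&2; return 1; }
    printf '%s\n' "$email"
)

# Activate the account and print the token to paste as Password.
# Needs the gcloud client; nothing is contacted until this is called.
registry_token() (
    key_file=$1
    account=$(key_account "$key_file") || return 1
    chmod 600 "$key_file"    # the key is a long-lived secret: owner-only
    gcloud auth activate-service-account "$account" \
        --key-file="$key_file" >&2 || return 1
    gcloud auth print-access-token
)

# Write a constructed (fake, unusable) key file for the offline demo.
write_constructed_key() {
    cat > "$1" <<'EOF'
{
  "type": "service_account",
  "project_id": "example-project",
  "client_email": "hiab-scanner@example-project.iam.gserviceaccount.com"
}
EOF
}

# Offline demo: only the parsing and validation step is exercised here.
demo_key=$(mktemp)
write_constructed_key "$demo_key"
key_account "$demo_key"
rm -f "$demo_key"
# Real use: registry_token /path/to/key.json
```

Access tokens printed by gcloud are short-lived (one hour by default), so the Password configured in the OUTPOST24 software has to be regenerated once it expires.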

Examples

Example of the gcloud command output:

gcloud command output


Example of the OUTPOST24 software configuration.

Docker

Example of a Docker Discovery scan.

Docker Discovery scan

Copyright

© 2024 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® and its affiliated companies. All other brand names, product names or trademarks belong to their respective owners.

