Scan images in Google Artifact Registry

End-of-Life (EoL)

Although Artifact Registry supports a number of content types (for example, Java, Node.js, and Python language packages), Prisma Cloud only supports discovering and scanning Docker images.
Prisma Cloud doesn’t support scanning Helm charts saved as OCI images and stored in Artifact Registry. A Helm chart saved as an OCI image has a single layer that contains the Helm package. The OCI format is only a way to store the chart; the artifact is not a container image, so Prisma Cloud can’t scan it.

Create a new registry scan

  • You’ve deployed a Defender somewhere in your environment.
  • You’ve created GCP credentials (service account) with, at minimum, the Artifact Registry Reader role (.
  • You’ve added the service account credentials to the Prisma Cloud Compute Console credentials store under Manage > Cloud accounts.
  1. Open Console, then go to Defend > Vulnerabilities > Images > Registry settings.
  2. Click Add registry.
  3. In
    , select
    Google Artifact Registry
  4. In
    , enter the registry address.
    The format for the address is <GCP-region>-docker.pkg.dev.
    For example, europe-north1-docker.pkg.dev.
    Multi-region registry addresses of the form <GCP-multi-region>-docker.pkg.dev are also supported. For example, us-docker.pkg.dev, europe-docker.pkg.dev, and asia-docker.pkg.dev.
  5. In the
    field, select the service account you created in
    Manage > Cloud accounts
    If the credentials haven’t been created already, click
    to create them now. If creating credentials:
    1. In the
      Cloud accounts onboarding
      dialog, select
      for the cloud provider.
    2. Enter a credential name.
    3. Select the credential level.
    4. Paste the JSON token blob from your service account into the Service Account field. Leave the API Token field blank.
    5. Click
    6. Disable agentless scanning, then click
    7. Disable cloud discovery, then click
      Add account
  6. (Optional) Refine which images Prisma Cloud should scan with the
    Repositories to exclude
    , and
    Tags to exclude
    Pattern matching is supported.
  7. In
    OS type
    , specify whether the repo holds
  8. In Scanners scope, select the Defenders to use for the scan.
    Console selects the available Defenders from this scope to execute the scan job. For more information, see deployment patterns.
  9. In Number of scanners, enter the number of Defenders across which scan jobs can be distributed.
  10. Set
    to the number of most recent images to scan.
    set to
    will scan the 5 most recent images. Setting this field to
    will scan all images.
  11. Click
  12. Click Save and scan.
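
The service-account prerequisite and the address format from step 4 can be prepared from a shell before opening Console. The script below is an added example, not part of the original page or of Prisma Cloud; the project ID, account name, key path and the REGISTRY variable are placeholders, and it only prints the gcloud commands unless DRY_RUN=0 is set.

```bash
#!/usr/bin/env bash
# Added example: least-privilege service account for registry scanning.
# Project, account and key-file names are placeholders (assumptions).
# DRY_RUN=1 (the default) prints each gcloud command instead of running it.
DRY_RUN="${DRY_RUN:-1}"
ROLE="roles/artifactregistry.reader"   # the Artifact Registry Reader role

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Email address GCP assigns to service account $1 in project $2.
sa_email() { printf '%s@%s.iam.gserviceaccount.com' "$1" "$2"; }

# Accept only a bare host of the form <GCP-region>-docker.pkg.dev or
# <GCP-multi-region>-docker.pkg.dev: no scheme, no port, no repository path.
valid_registry_address() {
  printf '%s' "$1" | grep -Eq '^[a-z]+(-[a-z]+[0-9]+)?-docker\.pkg\.dev$'
}

# Create the account, grant it the reader role only, and export a JSON key.
setup_scanner_account() {
  project="$1"; name="$2"; key_file="$3"
  email="$(sa_email "$name" "$project")"
  run gcloud iam service-accounts create "$name" --project="$project" \
    --display-name="Registry scan read-only" || return 1
  run gcloud projects add-iam-policy-binding "$project" \
    --member="serviceAccount:$email" --role="$ROLE" || return 1
  # umask 077 keeps the exported private key readable by its owner only.
  ( umask 077
    run gcloud iam service-accounts keys create "$key_file" \
      --iam-account="$email" )
}

# List every role bound to the account so extra grants stand out in review.
list_account_roles() {
  run gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$2" \
    --format="value(bindings.role)"
}

# Dry-run demo with placeholder values; export DRY_RUN=0 to execute for real.
if valid_registry_address "${REGISTRY:-europe-north1-docker.pkg.dev}"; then
  setup_scanner_account "${PROJECT_ID:-example-project}" \
    "${SA_NAME:-registry-scan-ro}" "${KEY_FILE:-./registry-scan-key.json}"
fi
```

The exported key file is the JSON blob pasted into the Service Account field; delete the local copy once it is stored in Console.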


Verify that the images in the repository are being scanned.
  1. Go to Monitor > Vulnerabilities > Images > Registries.
    A progress indicator at the top right of the window shows the status of the current scan. As the scan of each image is completed, the findings are added to the results table.
  2. To get details about the vulnerabilities in an image, click on it.
    To force a specific repository to be scanned again, click
    at the top right of the results table, and then click on the specific repository to rescan.
