Scan images in Google Artifact Registry

Although Artifact Registry stores a number of artifact formats (for example, Java, Node.js, and Python language packages), Prisma Cloud discovers and scans only Docker (container) images in it.
Prisma Cloud doesn’t support scanning Helm charts stored as OCI artifacts in Artifact Registry. A Helm chart pushed as an OCI artifact has a single layer that contains the packaged chart. The OCI format is only used as a way to store the chart; the artifact is not a container image and has no root filesystem, so Prisma Cloud can’t scan it.
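The difference described above is visible in the artifact's manifest, which is a practical way to check why a given repository entry is not being scanned. The following is an added example (not Prisma Cloud's own code): it classifies an OCI/Docker image manifest by the media types of its config and layers. The media-type strings are the published Helm, OCI and Docker values; the two sample manifests are constructed for this example.

```python
"""Tell a scannable container image apart from a Helm chart stored as an OCI artifact.

Added example, not Prisma Cloud code. It inspects the media types in an OCI/Docker
image manifest (the body a registry returns for a tag), which is how the two cases
can be told apart before a scan is queued. The media-type constants are the published
Helm and OCI/Docker values; the two sample manifests below are constructed.
"""
import json

# Config media type Helm writes when a chart is pushed with `helm push` to an OCI registry.
HELM_CONFIG_TYPE = "application/vnd.cncf.helm.config.v1+json"
# The single layer of such an artifact: the packaged chart (.tgz).
HELM_CHART_LAYER_TYPE = "application/vnd.cncf.helm.chart.content.v1.tar+gzip"
# Config media types of real container images (OCI image spec and Docker schema 2).
IMAGE_CONFIG_TYPES = {
    "application/vnd.oci.image.config.v1+json",
    "application/vnd.docker.container.image.v1+json",
}


def classify_manifest(manifest: dict) -> str:
    """Return 'helm-chart', 'container-image' or 'unknown' for one (non-index) manifest."""
    config_type = manifest.get("config", {}).get("mediaType", "")
    layer_types = [layer.get("mediaType", "") for layer in manifest.get("layers", [])]
    if config_type == HELM_CONFIG_TYPE or HELM_CHART_LAYER_TYPE in layer_types:
        return "helm-chart"
    if config_type in IMAGE_CONFIG_TYPES:
        return "container-image"
    return "unknown"


def classify_manifest_json(text: str) -> str:
    """Same check on the raw manifest body as returned by the registry API."""
    return classify_manifest(json.loads(text))


def is_scannable_image(manifest: dict) -> bool:
    """Only container images have a root filesystem to scan; a chart artifact does not."""
    return classify_manifest(manifest) == "container-image"


# Constructed sample: a Helm chart pushed as an OCI artifact (Helm config, one chart layer).
HELM_CHART_MANIFEST = {
    "schemaVersion": 2,
    "config": {"mediaType": HELM_CONFIG_TYPE, "digest": "sha256:" + "11" * 32, "size": 150},
    "layers": [
        {"mediaType": HELM_CHART_LAYER_TYPE, "digest": "sha256:" + "22" * 32, "size": 4096},
    ],
}

# Constructed sample: an ordinary two-layer Docker image.
IMAGE_MANIFEST = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {
        "mediaType": "application/vnd.docker.container.image.v1+json",
        "digest": "sha256:" + "33" * 32,
        "size": 1500,
    },
    "layers": [
        {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "digest": "sha256:" + "44" * 32, "size": 2_800_000},
        {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "digest": "sha256:" + "55" * 32, "size": 900_000},
    ],
}

if __name__ == "__main__":
    for name, manifest in (("chart", HELM_CHART_MANIFEST), ("image", IMAGE_MANIFEST)):
        print(f"{name}: {classify_manifest(manifest)} scannable={is_scannable_image(manifest)}")
```

Manifest lists (image indexes) carry no config of their own; resolve each platform entry to its manifest first and classify those.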

Create a new registry scan

  • Deploy a Defender somewhere in your environment.
  • Create GCP credentials (a service account) with, at minimum, the Artifact Registry Reader role (roles/artifactregistry.reader), and generate a JSON key for it.
  • Add the service account credentials to the Prisma Cloud Compute Console credentials store under
    Manage > Cloud accounts
  1. Open Console, then go to
    Defend > Vulnerabilities > Images > Registry settings
  2. Select
    Add registry
  3. Select Google Artifact Registry as the registry type.
  4. Enter the registry address.
    The format for the address is <GCP-region>-docker.pkg.dev.
    For example, europe-north1-docker.pkg.dev
    Multi-region registry addresses are also supported, <GCP-multi-region>-docker.pkg.dev. For example, us-docker.pkg.dev, europe-docker.pkg.dev, and asia-docker.pkg.dev.
  5. Select the service account credential you created in
    Manage > Cloud accounts
    If the credentials haven’t been created already, use the link next to the credential field to create them now. If creating credentials:
    1. In
      Cloud accounts onboarding
      , select GCP as the cloud provider.
    2. Enter a credential name.
    3. Select the credential level.
    4. Paste the JSON key blob from your service account into the
      Service Account
      field. Leave the
      API Token
      field blank.
    5. Continue to the next page.
    6. Disable agentless scanning, then continue to the next page.
    7. Disable cloud discovery, then select
      Add account
  6. (Optional) Refine which images Prisma Cloud should scan with the repository and tag filters, including
    Repositories to exclude
    and
    Tags to exclude
    Pattern matching is supported.
  7. In
    OS type
    , specify whether the repo holds Linux or Windows images.
  8. In
    Scanners scope
    , select the Defenders to use for the scan.
    Console selects the available Defenders from this scope to execute the scan job. For more information, see deployment patterns.
  9. In
    Number of scanners
    , enter the number of Defenders across which scan jobs can be distributed.
  10. Set the cap to the number of most recent images to scan.
    A cap of 5 scans the 5 most recent images. Setting the cap to 0 scans all images.
  11. Select
    Add and scan
    Verify that the images in the repository are being scanned under
    Monitor > Vulnerabilities > Images > Registries
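Two of the values entered above are easy to get wrong: the registry address (which is the host only, not the full image path, and must be a docker.pkg.dev host) and the service-account JSON blob. The following is an added example, not Prisma Cloud's or Google's code: it derives the registry address and repository from a full Artifact Registry image reference, rejects hosts that are not Artifact Registry Docker endpoints, and sanity-checks the pasted key blob for the fields a GCP service-account key file carries. The function names are this example's own, and the sample key is a constructed stand-in with a dummy PEM body.

```python
"""Checks for the Google Artifact Registry registry-scan form (added example, not Prisma Cloud code).

  1. parse_image_ref: derive <location>-docker.pkg.dev, project and repository from a
     full image reference, rejecting hosts that are not Artifact Registry Docker hosts;
  2. validate_service_account_key: sanity-check the JSON key blob before it is pasted
     into the credential's Service Account field.
"""
import json
import re

# <region>-docker.pkg.dev (e.g. europe-north1) or <multi-region>-docker.pkg.dev (us, europe, asia).
_AR_HOST = re.compile(r"^(?P<location>[a-z]+(?:-[a-z]+[0-9]+)?)-docker\.pkg\.dev$")

# Fields present in every GCP service-account key file.
_REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email", "token_uri")


def is_artifact_registry_host(host: str) -> bool:
    """True for Artifact Registry Docker hosts only (not gcr.io, not -maven.pkg.dev etc.)."""
    return _AR_HOST.match(host) is not None


def parse_image_ref(ref: str) -> dict:
    """Split HOST/PROJECT/REPO/IMAGE[:TAG][@DIGEST] into the values the form asks for."""
    path, _, digest = ref.partition("@")
    parts = path.split("/")
    if len(parts) < 4:
        raise ValueError(f"not a full Artifact Registry image reference: {ref}")
    host, project, repository = parts[0], parts[1], parts[2]
    match = _AR_HOST.match(host)
    if match is None:
        raise ValueError(f"not an Artifact Registry Docker host: {host}")
    image_path = "/".join(parts[3:])
    name, sep, tag = image_path.rpartition(":")
    if not sep:
        name, tag = image_path, ""
    return {
        "registry": host,            # value for the registry address field
        "location": match.group("location"),
        "project": project,
        "repository": repository,
        "image": name,
        "tag": tag or None,
        "digest": digest or None,
    }


def validate_service_account_key(blob: str) -> list:
    """Return a list of problems with a pasted JSON key blob; an empty list means it looks usable."""
    try:
        key = json.loads(blob)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["JSON blob is not an object"]
    problems = [f"missing field: {field}" for field in _REQUIRED_KEY_FIELDS if not key.get(field)]
    if key.get("type") and key["type"] != "service_account":
        problems.append(f"type is {key['type']!r}, expected 'service_account'")
    email = key.get("client_email", "")
    if email and not email.endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service-account address")
    private_key = key.get("private_key", "")
    if private_key and not private_key.startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM PKCS#8 private key block")
    return problems


# Constructed sample: the shape of a GCP service-account key file with a dummy PEM body (not a real key).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "my-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nNOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "prisma-registry-scanner@my-project.iam.gserviceaccount.com",
    "client_id": "1234567890",
    "token_uri": "https://oauth2.googleapis.com/token",
})

if __name__ == "__main__":
    print(parse_image_ref("europe-north1-docker.pkg.dev/my-project/my-repo/team/app:1.2.3"))
    print("key problems:", validate_service_account_key(SAMPLE_KEY))
```

The registry field takes only the `registry` value; the project and repository path can then be used to build the repository filters in the form.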

