Safeguard Documentation Center

GCP Cloud Source

Connect Google Cloud container sources to generate SBOMs

GCP Cloud Source Integration

Connect your Google Cloud Container Registry (GCR) or Artifact Registry to Safeguard for container image SBOM generation and vulnerability scanning.

Prerequisites

  • A Google Cloud account with container images
  • A service account with appropriate permissions

Public Images

Google Cloud public images can be scanned without authentication.

Step 1: Navigate to Integrations

Go to Integrations from the sidebar and click Connect on the GCP Cloud Source card.

Step 2: Enter Image Reference

  1. Select the Public tab
  2. Enter a Name for this configuration
  3. Optionally add a Description
  4. Enter the GCR/Artifact Registry image URI:
    • GCR: gcr.io/project-id/image:tag
    • Artifact Registry: us-docker.pkg.dev/project-id/repo/image:tag
  5. Click Add

Step 3: Review & Connect

  1. Configure Project Name and Version
  2. Click Connect to complete

Private Images

Step 1: Navigate to Integrations

Go to Integrations from the sidebar and click Connect on the GCP Cloud Source card.

Step 2: Enter Service Account Credentials

  1. Select the Private tab
  2. Enter a Name for this configuration
  3. Optionally add a Description
  4. Upload or paste your Service Account JSON Key
  5. Click Verify Credentials

Step 3: Select Images

  1. Once verified, select the GCP project
  2. Browse available repositories and images
  3. Select the images you want to scan

Step 4: Configure & Connect

  1. Set Project Name and Version for each image
  2. Click Connect to complete

Creating a Service Account

Step 1: Create Service Account

  1. Go to Google Cloud Console then IAM & Admin then Service Accounts
  2. Click Create Service Account
  3. Enter a name (e.g., "safeguard-gcr-reader")
  4. Click Create and Continue

Step 2: Assign Roles

Add the following roles:

  • Artifact Registry Reader (for Artifact Registry)
  • Storage Object Viewer (for Container Registry)

Step 3: Create Key

  1. Click on the service account
  2. Go to the Keys tab
  3. Click Add Key then Create new key
  4. Select JSON format
  5. Click Create
  6. Save the downloaded JSON file securely

Required IAM Roles

For Container Registry (GCR)

| Role | Description |
|------|-------------|
| roles/storage.objectViewer | Read access to container images |

For Artifact Registry

| Role | Description |
|------|-------------|
| roles/artifactregistry.reader | Read access to artifacts |

Image Reference Formats

| Registry | Format |
|----------|--------|
| Container Registry | gcr.io/PROJECT_ID/IMAGE:TAG |
| Container Registry (regional) | us.gcr.io/PROJECT_ID/IMAGE:TAG |
| Artifact Registry | REGION-docker.pkg.dev/PROJECT_ID/REPO/IMAGE:TAG |
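
A pre-submission check for the reference formats above that also names the read role each registry needs, so a mismatch shows up before a "Permission denied" or "Image not found" error. This is an added example, not Safeguard's code; `parse_image_ref`, the regional GCR host list (us, eu, asia) and the simplified segment, tag and digest patterns are assumptions.

```python
import re

# Role per registry kind, from the "Required IAM Roles" tables on this page.
ROLE = {"gcr": "roles/storage.objectViewer",
        "artifact-registry": "roles/artifactregistry.reader"}
# Assumed patterns (not from Safeguard): GCR multi-region hosts us/eu/asia,
# and simplified Docker-style rules for path segments, tags and digests.
GCR_HOST = re.compile(r"^(?:(?:us|eu|asia)\.)?gcr\.io$")
AR_HOST = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*-docker\.pkg\.dev$")
SEGMENT = re.compile(r"^[a-z0-9]+(?:[._-]+[a-z0-9]+)*$")
TAG = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")
DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image_ref(ref):
    """Split an image reference and name the read role; ValueError if malformed."""
    if "://" in ref or ref != ref.strip():
        raise ValueError("expected HOST/PATH:TAG with no scheme or whitespace")
    name, at, digest = ref.partition("@")
    if at and not DIGEST.match(digest):
        raise ValueError("digest must be sha256:<64 lowercase hex chars>")
    host, _, path = name.partition("/")
    tag = None
    if ":" in path.rsplit("/", 1)[-1]:      # a colon in the last segment is a tag
        path, _, tag = path.rpartition(":")
        if not TAG.match(tag):
            raise ValueError(f"invalid tag {tag!r}")
    if GCR_HOST.match(host):
        kind, need = "gcr", 2                # PROJECT_ID/IMAGE
    elif AR_HOST.match(host):
        kind, need = "artifact-registry", 3  # PROJECT_ID/REPO/IMAGE
    else:
        raise ValueError(f"{host!r} is not a GCR or Artifact Registry host")
    parts = path.split("/")
    if len(parts) < need or not all(SEGMENT.match(p) for p in parts):
        raise ValueError(f"{kind} path needs at least {need} lowercase segments")
    return {"kind": kind, "host": host, "project": parts[0],
            "repo": parts[1] if need == 3 else None,
            "image": "/".join(parts[need - 1:]),
            "tag": tag, "digest": digest or None, "role": ROLE[kind]}


if __name__ == "__main__":
    # Constructed inputs: the page's Artifact Registry example, then a bad host.
    for ref in ("us-docker.pkg.dev/project-id/repo/image:tag", "docker.io/a/b:1"):
        try:
            print(ref, "->", parse_image_ref(ref))
        except ValueError as err:
            print(ref, "-> rejected:", err)
```

An un-substituted placeholder such as `PROJECT_ID` is rejected because path segments must be lowercase.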

Troubleshooting

"Credentials verification failed"

  • Verify the JSON key is valid and complete
  • Check that the service account exists and is active
  • Ensure the key hasn't been deleted or revoked

"Permission denied"

  • Verify the service account has the required roles
  • Check that the roles are assigned at the correct level (project/repository)
  • Ensure the project ID is correct

"Image not found"

  • Verify the image URI format is correct
  • Check that the image exists in the specified registry
  • Ensure the tag or digest is valid
