# Google Artifact Registry
Edition: Enterprise + Open Source

The Google Artifact Registry integration scans container images in Google Artifact Registry (GAR) for credentials and other sensitive data. It uses the Docker integration under the hood: GAR is a Docker-compatible registry, so images are referenced and scanned the same way as any other private registry image.

## Image references

GAR images use this format:

```
LOCATION-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE:TAG
```

| Segment | Description |
| --- | --- |
| `LOCATION` | Regional or multi-regional location (for example `us-central1`, or `us`) |
| `PROJECT-ID` | Your Google Cloud project ID |
| `REPOSITORY` | Artifact Registry repository name |
| `IMAGE` | Image name within the repository |
| `TAG` | Optional tag; defaults to `latest` if omitted |

Example: `us-central1-docker.pkg.dev/my-project/my-repo/api-server:v1.2.0`

:::hint{type="info"}
For domain-scoped projects, where the project ID contains a colon (`:`), replace the colon with a forward slash in the image reference (for example, `example.com:my-project` is written as `example.com/my-project`). See Google's image naming documentation.
:::

## Configuration

The Docker integration is configured via a local configuration file. Web configuration in TruffleHog is not available for this source.

### Local configuration

Local configuration supports four authentication methods:

- **Unauthenticated**: for public images that don't require authentication.
- **Docker keychain**: uses credentials from your local Docker login (`gcloud auth configure-docker`).
- **Basic authentication**: uses `oauth2accesstoken` as the username and a GCP access token as the password.
- **Bearer token**: uses a GCP OAuth access token.

Images can be specified with or without a tag. If no tag is provided, `latest` is assumed.

#### Unauthenticated

Use this for public images that don't require registry authentication.

```yaml
sources:
  - connection:
      "@type": type.googleapis.com/sources.Docker
      images:
        - us-docker.pkg.dev/public-project/public-repo/public-image:latest
      unauthenticated: {}
    name: google-artifact-registry
    scanPeriod: 12h
    type: SOURCE_TYPE_DOCKER
    verify: true
```

#### Docker keychain

Use this when you've already authenticated to Artifact Registry locally. Configure the gcloud credential helper for each registry host you will scan, then TruffleHog reads credentials from your Docker keychain:

```bash
gcloud auth login
gcloud auth configure-docker us-central1-docker.pkg.dev,us-docker.pkg.dev
```

```yaml
sources:
  - connection:
      "@type": type.googleapis.com/sources.Docker
      dockerKeychain: true
      images:
        - us-central1-docker.pkg.dev/my-project/my-repo/api-server:latest
        - us-central1-docker.pkg.dev/my-project/my-repo/worker:v2.1.0
    name: google-artifact-registry
    scanPeriod: 12h
    type: SOURCE_TYPE_DOCKER
    verify: true
```

#### Basic authentication

Use this for registries where you supply username and password credentials. For GAR, the username is always `oauth2accesstoken` and the password is a GCP access token. Generate a token:

```bash
gcloud auth print-access-token
```

```yaml
sources:
  - connection:
      "@type": type.googleapis.com/sources.Docker
      basicAuth:
        username: oauth2accesstoken
        password: ya29.xxxxxxxxxxxxxxxxxxxxxxxx
      images:
        - us-central1-docker.pkg.dev/my-project/my-repo/api-server:latest
    name: google-artifact-registry
    scanPeriod: 12h
    type: SOURCE_TYPE_DOCKER
    verify: true
```

#### Bearer token

Use this for registries that accept bearer tokens. Pass a GCP OAuth access token from `gcloud auth print-access-token`:

```yaml
sources:
  - connection:
      "@type": type.googleapis.com/sources.Docker
      bearerToken: ya29.xxxxxxxxxxxxxxxxxxxxxxxx
      images:
        - us-central1-docker.pkg.dev/my-project/my-repo/api-server:latest
    name: google-artifact-registry
    scanPeriod: 12h
    type: SOURCE_TYPE_DOCKER
    verify: true
```

:::hint{type="warning"}
GCP access tokens expire after about 60 minutes. A token pasted into the configuration is rejected on every scan after that, so for long `scanPeriod` intervals use Docker keychain authentication (the gcloud credential helper supplies credentials at scan time) or refresh the token before it expires. A configuration file that holds a live token grants the same registry access as the principal that minted it, so protect it like any other credential.
:::

### Configuration options

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `images` | list | Yes | Explicit list of GAR images to scan. Images without a tag default to `latest`. |
| `unauthenticated` | object | Conditional | Empty object indicating that no authentication is required. Required for unauthenticated mode. |
| `dockerKeychain` | boolean | Conditional | Use credentials from the local Docker keychain. Required for keychain mode. |
| `basicAuth.username` | string | Conditional | Registry username; use `oauth2accesstoken` for GAR. |
| `basicAuth.password` | string | Conditional | GCP OAuth access token. Required for basic auth mode. |
| `bearerToken` | string | Conditional | GCP OAuth access token. Required for bearer token mode. |

## Capabilities

| Feature | Supported |
| --- | --- |
| Scan archive files | ✅ |
| Scan base64-encoded data | ✅ |
| Scan binaries | ✅ |

## Notes

- Images must be listed explicitly in the `images` field. Image enumeration (for example, scanning all images in a project or repository) is not supported.
- Only images built for the `linux/amd64` platform are scanned. Images built for other architectures (such as `linux/arm64` or `windows/amd64`) are not supported.
- GAR hostnames are region-specific. Each image reference must include the correct `LOCATION-docker.pkg.dev` prefix.
- The scanning principal needs `roles/artifactregistry.reader` (or equivalent repository-level read access) to pull images.
- Legacy Google Container Registry (`gcr.io`) images can also be scanned with the same configuration. Authenticate with `gcloud auth configure-docker gcr.io`.

## Related

- Docker
- Configure authentication to Artifact Registry for Docker
- Repository and image names
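## Worked example: validating image references

The following parser is an added example, not TruffleHog's or Google's code. It applies the rules from the Image references section (the `LOCATION-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE:TAG` layout, the `latest` default and the domain-scoped colon-to-slash rule) so that a mistyped host or a reference missing its repository fails while the `images` list is being assembled rather than as a failed pull mid-scan. Two assumptions are made that the page does not state: a GCP project ID never contains a dot, so a dotted first path segment is taken to be the domain of a domain-scoped project, and digest references (`@sha256:...`) are rejected because the page describes tag-addressed images only.

```python
"""Parse and validate Google Artifact Registry image references.

Added example, not TruffleHog's or Google's code. Rules applied (from the
page): LOCATION-docker.pkg.dev/PROJECT-ID/REPOSITORY/IMAGE[:TAG], an omitted
tag means "latest", and a domain-scoped project ID written as
"example.com:my-project" is normalised to "example.com/my-project".
"""
import re
from dataclasses import dataclass

# Host must be <location>-docker.pkg.dev; a gcr.io or Docker Hub reference
# is rejected here, before it reaches a scan config.
GAR_HOST = re.compile(r"^(?P<location>[a-z][a-z0-9-]*)-docker\.pkg\.dev$")


@dataclass(frozen=True)
class GarImage:
    location: str
    project: str      # "my-project" or, if domain-scoped, "example.com/my-project"
    repository: str
    image: str
    tag: str

    def reference(self) -> str:
        """Canonical form: slash-normalised project and an explicit tag."""
        return (f"{self.location}-docker.pkg.dev/{self.project}/"
                f"{self.repository}/{self.image}:{self.tag}")


def parse_gar_reference(ref: str) -> GarImage:
    """Split a GAR reference into its segments, defaulting the tag to latest.

    Raises ValueError for anything that is not a tag-addressed GAR image.
    """
    if "@" in ref:
        # Assumption of this example: the page only describes tag references.
        raise ValueError(f"digest references are not handled here: {ref!r}")
    host, _, path = ref.partition("/")
    host_match = GAR_HOST.match(host)
    if not host_match or not path:
        raise ValueError(f"not an Artifact Registry Docker reference: {ref!r}")
    segments = path.split("/")
    # Domain-scoped project IDs may arrive as "example.com:my-project" or
    # already normalised as "example.com/my-project". A project ID itself
    # never contains a '.' (assumption of this example), so a dotted first
    # segment is treated as the domain half of a domain-scoped project.
    if ":" in segments[0]:
        domain, _, project_id = segments[0].partition(":")
        project, rest = f"{domain}/{project_id}", segments[1:]
    elif "." in segments[0] and len(segments) > 1:
        project, rest = f"{segments[0]}/{segments[1]}", segments[2:]
    else:
        project, rest = segments[0], segments[1:]
    if len(rest) < 2 or not all(rest):
        raise ValueError(f"expected REPOSITORY/IMAGE after the project: {ref!r}")
    repository, image = rest[0], "/".join(rest[1:])
    image, sep, tag = image.rpartition(":")
    if not sep:
        image, tag = tag, "latest"   # no tag given: GAR and TruffleHog assume latest
    if not image or not tag:
        raise ValueError(f"malformed IMAGE:TAG segment: {ref!r}")
    return GarImage(host_match["location"], project, repository, image, tag)
```

`GarImage.reference()` always emits the slash form with an explicit tag, so running each configured image through `parse_gar_reference(...).reference()` before writing the `images` list gives you one canonical spelling per image regardless of how it was typed.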
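## Worked example: generating the images list and source config

Because image enumeration is not supported (see Notes) and the `images` field must be explicit, a practical workflow is to enumerate with gcloud and generate the source configuration from that listing. The script below is an added example, not TruffleHog's or Google's code. It assumes the JSON printed by `gcloud artifacts docker images list LOCATION-docker.pkg.dev/PROJECT/REPO --include-tags --format=json` carries a `package` field with the full image path and a `tags` list; the listing embedded in the script is constructed to that shape. It emits the same YAML shape as the configuration examples above for whichever of the four authentication methods you pick, and refuses a `basicAuth` or `bearerToken` configuration whose `scanPeriod` outlives the roughly 60-minute access-token lifetime from the warning above, which is exactly the case where the second scan would fail.

```python
"""Build a TruffleHog Docker-source config from a gcloud image listing.

Added example, not TruffleHog's or Google's code. Assumed: gcloud's
`artifacts docker images list --include-tags --format=json` output has a
`package` (full image path) and `tags` (list) per entry. The listing below
is constructed to that shape.
"""
import json
import re

# Constructed sample of gcloud's JSON listing (field shape assumed).
SAMPLE_LISTING = """[
  {"package": "us-central1-docker.pkg.dev/my-project/my-repo/api-server",
   "tags": ["latest", "v1.2.0"], "version": "sha256:aaaa"},
  {"package": "us-central1-docker.pkg.dev/my-project/my-repo/worker",
   "tags": ["v2.1.0"], "version": "sha256:bbbb"},
  {"package": "us-central1-docker.pkg.dev/my-project/my-repo/scratch",
   "tags": [], "version": "sha256:cccc"}
]"""

AUTH_METHODS = {"unauthenticated", "dockerKeychain", "basicAuth", "bearerToken"}
STATIC_TOKEN_METHODS = {"basicAuth", "bearerToken"}   # carry a pasted ya29.* token
ACCESS_TOKEN_LIFETIME_S = 60 * 60                    # GCP access tokens: about 60 minutes
DURATION = re.compile(r"(\d+)([hms])")
UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def images_from_listing(listing_json: str) -> list[str]:
    """One IMAGE:TAG reference per tag; untagged versions are skipped because
    the `images` field is tag-addressed."""
    refs = []
    for entry in json.loads(listing_json):
        for tag in entry.get("tags") or []:
            refs.append(f"{entry['package']}:{tag}")
    return sorted(refs)


def duration_seconds(spec: str) -> int:
    """Parse a Go-style duration such as 12h, 45m or 1h30m."""
    parts = DURATION.findall(spec)
    if not parts or "".join(n + u for n, u in parts) != spec:
        raise ValueError(f"bad scanPeriod: {spec!r}")
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts)


def gar_source(name: str, images: list[str], auth: dict,
               scan_period: str = "12h", verify: bool = True) -> dict:
    """Assemble one Docker source. `auth` holds exactly one method, e.g.
    {"dockerKeychain": True}, {"unauthenticated": {}} or {"bearerToken": "ya29..."}."""
    if len(auth) != 1 or not AUTH_METHODS.issuperset(auth):
        raise ValueError(f"exactly one of {sorted(AUTH_METHODS)} is required")
    if not images:
        raise ValueError("images must be listed explicitly")
    (method,) = auth
    # A static token is only valid for about an hour, so a repeat scan further
    # out than that would fail to authenticate.
    if method in STATIC_TOKEN_METHODS and duration_seconds(scan_period) > ACCESS_TOKEN_LIFETIME_S:
        raise ValueError(f"{method} token expires before the next {scan_period} scan; "
                         "use dockerKeychain or refresh the token")
    return {"sources": [{
        "connection": {"@type": "type.googleapis.com/sources.Docker", **auth, "images": images},
        "name": name, "scanPeriod": scan_period, "type": "SOURCE_TYPE_DOCKER", "verify": verify,
    }]}


def to_yaml(value, indent: int = 0) -> str:
    """Minimal emitter for this config shape (no PyYAML dependency): nested
    dicts, lists of scalars or dicts, and bool/int/str scalars."""
    pad = "  " * indent
    if isinstance(value, dict):
        if not value:
            return "{}"
        lines = []
        for key, item in value.items():
            ykey = key if key.isidentifier() else json.dumps(key)   # "@type" needs quoting
            if isinstance(item, (dict, list)) and item:
                lines.append(f"{pad}{ykey}:")
                lines.append(to_yaml(item, indent + 1))
            else:
                lines.append(f"{pad}{ykey}: {to_yaml(item)}")
        return "\n".join(lines)
    if isinstance(value, list):
        lines = []
        for item in value:
            if isinstance(item, dict):
                block = to_yaml(item, indent + 1).split("\n")
                block[0] = f"{pad}- {block[0].lstrip()}"
                lines.extend(block)
            else:
                lines.append(f"{pad}- {to_yaml(item)}")
        return "\n".join(lines)
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return json.dumps(value)   # double-quoted YAML scalar, JSON-compatible


if __name__ == "__main__":
    refs = images_from_listing(SAMPLE_LISTING)
    print(to_yaml(gar_source("google-artifact-registry", refs, {"dockerKeychain": True})))
```

Pipe the real gcloud listing into `images_from_listing` and write the result of `to_yaml` to the file you pass to TruffleHog; with `dockerKeychain` selected the generated file contains no token, so it can be regenerated and committed as the repository's image inventory changes.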