The Assured Open Source Software (Assured OSS) premium tier lets you enhance your code security by using the OSS packages that Google uses for its own developer workflows. When you use Assured OSS, your developers can take advantage of the security expertise and experience that Google applies to securing its own open source dependencies.
When you integrate Assured OSS with Security Command Center, you can do the following:
- Choose from thousands of curated and most popular Java and Python packages, including common machine learning and artificial intelligence projects like TensorFlow, Pandas, and Scikit-learn.
- Configure a secure proxy to download all Java, Python, and JavaScript packages with attestations from Assured OSS, making Google a known and trusted supplier.
- Use the SBOMs and VEX in Assured OSS that are provided in industry-standard formats like SPDX and CycloneDX to know more about your ingredients.
- Increase confidence in the integrity of the packages that you are using through signed, tamper-evident provenance from Google.
- Reduce security risk as Google is actively scanning, finding, and fixing new vulnerabilities in curated packages.
Before you begin
Complete these tasks before you complete the remaining tasks on this page.
Activate Security Command Center Enterprise tier
Verify that the Security Command Center Enterprise tier is activated at the organization level and that you completed the first six steps in the setup guide.
Set up permissions at the organization level
You must set up permissions at the organization level and the project level.
Make sure that you have the following role or roles on the organization: Security Center Admin, Organization Admin
Check for the roles
- In the Google Cloud console, go to the IAM page.
- Select the organization.
- In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
- For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.
Grant the roles
- In the Google Cloud console, go to the IAM page.
- Select the organization.
- Click Grant access.
- In the New principals field, enter your user identifier. This is typically the email address for a Google Account.
- In the Select a role list, select a role.
- To grant additional roles, click Add another role and add each additional role.
- Click Save.
Set up permissions at the project level
Make sure that you have the following role or roles on the project: Service Usage Admin, Service Account Admin, Project IAM Admin
Check for the roles
- In the Google Cloud console, go to the IAM page.
- Select the project.
- In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
- For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.
Grant the roles
- In the Google Cloud console, go to the IAM page.
- Select the project.
- Click Grant access.
- In the New principals field, enter your user identifier. This is typically the email address for a Google Account.
- In the Select a role list, select a role.
- To grant additional roles, click Add another role and add each additional role.
- Click Save.
Set up Google Cloud CLI
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Set up Assured OSS
Console
In the Google Cloud console, go to the Security Command Center Risk Overview page.
Verify that you are viewing the organization that you activated the Security Command Center Enterprise tier on.
Click View setup guide.
Click Set up code security.
Select a new service account or select the existing service accounts that you want to add the Assured Open Source Software permissions to.
Select the Google Cloud project where you want to locate the Assured OSS resources.
Click Set up Assured OSS.
The setup process automatically completes the following:
- If selected, creates the new service account assuredoss@PROJECT_ID.iam.gserviceaccount.com.
- Assigns the Assured OSS User role to the designated service account to use with Assured OSS.
- Assigns the Assured OSS Admin role to the logged-in user account so that the account can configure the service.
- Enables the Assured Open Source Software API and, if it isn't enabled already, the Artifact Registry API.
- Sets up the Assured OSS proxy service in an Artifact Registry instance in the project that you selected. A repository is provisioned for each language (Java, Python, and JavaScript). These repositories can automatically pull packages from the curated portfolio. If a package isn't available as part of the curated portfolio, the repositories redirect the request to the canonical repositories. The proxy service supports the US region only.
- Grants you and the service account permissions to access package metadata and notifications from Google-owned projects.
Create a service account key for each designated Assured OSS service account and download the key in JSON format.
In the command line on your local machine, run the following command on the downloaded key file to get the base64-encoded string:
base64 KEY_FILENAME.json
Replace KEY_FILENAME.json with the name of the service account key that you downloaded. You need the base64-encoded string when you set up a remote repository for Assured OSS.
To download the packages, use the endpoints that Assured OSS provisions for each language. Make a note of these endpoints for later use.
- Java: https://us-maven.pkg.dev/PROJECT_ID/assuredoss-java
- Python: https://us-python.pkg.dev/PROJECT_ID/assuredoss-python
- JavaScript: https://us-npm.pkg.dev/PROJECT_ID/assuredoss-javascript
Replace PROJECT_ID with the ID of the project that you selected when you set up Assured OSS.
Click Next. Configure Assured OSS with your organization's artifact repository manager such as JFrog Artifactory or Sonatype Nexus.
gcloud
Authenticate to Google Cloud with a user account that you want to use to enable Assured OSS:
gcloud auth revoke
gcloud auth application-default revoke
gcloud auth login
Search for the project where you want to locate the Assured OSS resources:
gcloud alpha projects search --query="displayName=PROJECT_NAME"
Replace PROJECT_NAME with the project name.
Set the project where you want to locate the Assured OSS resources:
gcloud config set project PROJECT_ID
Replace PROJECT_ID with the project identifier.
Grant roles to the user account to set up Assured OSS:
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=user:email@domain.com \
    --role=roles/assuredoss.admin
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=user:email@domain.com \
    --role=roles/serviceusage.serviceUsageAdmin
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=user:email@domain.com \
    --role=roles/iam.serviceAccountAdmin
Where email@domain.com is the email address for your user account.
Enable Assured OSS in the project. Enabling Assured OSS also enables the Artifact Registry API.
gcloud services enable assuredoss.googleapis.com
To create a new service account for Assured OSS instead of using existing service accounts, complete the following:
gcloud iam service-accounts create SERVICE_ACCOUNT_NAME \
    --description="Service account for using Assured OSS" \
    --display-name="Assured OSS service account"
Replace SERVICE_ACCOUNT_NAME with the name of the service account (for example, assuredoss).
Configure the service accounts for Assured OSS:
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \
    --role roles/assuredoss.user
Replace the following:
- SERVICE_ACCOUNT_NAME: the name of the service account (for example, assuredoss).
- PROJECT_ID: the project identifier.
Set up the Assured OSS proxy service in an Artifact Registry instance by creating Assured OSS repositories. You must create repositories for all languages. The Assured OSS proxy service that provisions the repositories supports the US region only.
alias gcurlj='curl -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json" -X'
gcurlj POST https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories\?repositoryId\=assuredoss-java -d '{"format": "MAVEN", "mode": "AOSS_REPOSITORY"}'
gcurlj POST https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories\?repositoryId\=assuredoss-javascript -d '{"format": "NPM", "mode": "AOSS_REPOSITORY"}'
gcurlj POST https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories\?repositoryId\=assuredoss-python -d '{"format": "PYTHON", "mode": "AOSS_REPOSITORY"}'
Replace PROJECT_ID with the ID of the project that you selected when you set up Assured OSS.
These repositories can automatically pull packages from the curated portfolio. If a package isn't available as part of the curated portfolio, the repositories redirect the request to the canonical repositories.
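A post-creation check, added here as an example and not code from the page or from Google: it reads the JSON returned by listing the repositories in the us location (assumed to be a "repositories" array whose entries carry the same "name", "format" and "mode" fields that the create calls send) and reports any of the three proxy repositories that is missing, has the wrong format, or is not in AOSS_REPOSITORY mode, which is the case that silently turns the proxy into a plain repository.

```python
"""Verify the three Assured OSS proxy repositories after creating them.
Input: the JSON from listing repositories in the us location (assumed shape:
{"repositories": [...]} with the "name", "format" and "mode" fields that the
create calls on this page use). Added example, not Google's code."""
import json
import sys

# Repository ID -> format, matching the three POST bodies on this page.
EXPECTED = {
    "assuredoss-java": "MAVEN",
    "assuredoss-python": "PYTHON",
    "assuredoss-javascript": "NPM",
}
EXPECTED_MODE = "AOSS_REPOSITORY"

def check_aoss_repos(project_id: str, listing: dict) -> dict:
    """Return {repo_id: problem} for each expected repository that is missing,
    has the wrong format, or is not an Assured OSS proxy. Empty dict = all good."""
    prefix = f"projects/{project_id}/locations/us/repositories/"
    found = {}
    for repo in listing.get("repositories", []):
        name = repo.get("name", "")
        if name.startswith(prefix):            # ignore repos from other projects
            found[name[len(prefix):]] = repo
    problems = {}
    for repo_id, fmt in EXPECTED.items():
        repo = found.get(repo_id)
        if repo is None:
            problems[repo_id] = "missing"
        elif repo.get("format") != fmt:
            problems[repo_id] = f"format is {repo.get('format')}, expected {fmt}"
        elif repo.get("mode") != EXPECTED_MODE:
            problems[repo_id] = f"mode is {repo.get('mode')}, expected {EXPECTED_MODE}"
    return problems

# Constructed sample (not real API output): the Python repo was never created and
# the JavaScript repo was created without the AOSS mode, so it is a plain repo.
SAMPLE_LISTING = {"repositories": [
    {"name": "projects/my-proj/locations/us/repositories/assuredoss-java",
     "format": "MAVEN", "mode": "AOSS_REPOSITORY"},
    {"name": "projects/my-proj/locations/us/repositories/assuredoss-javascript",
     "format": "NPM", "mode": "STANDARD_REPOSITORY"},
]}

if __name__ == "__main__":   # usage: python check_aoss_repos.py PROJECT_ID < listing.json
    project = sys.argv[1] if len(sys.argv) > 1 else "my-proj"
    listing = SAMPLE_LISTING if sys.stdin.isatty() else json.load(sys.stdin)
    for repo_id, problem in sorted(check_aoss_repos(project, listing).items()):
        print(f"{repo_id}: {problem}")
```

Pipe the output of gcurlj GET https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories into the script; no output means all three proxy repositories are in place.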
Create a service account key for each Assured OSS service account and download the key in JSON format.
In the command line, run the following command on the downloaded key file to get the base64-encoded string:
base64 KEY_FILENAME.json
Replace KEY_FILENAME.json with the name of the service account key that you downloaded. You need the base64-encoded string when you set up a remote repository for Assured OSS.
To download the packages, use the endpoints provisioned by Assured OSS for each language. Make a note of these endpoints:
- Java: https://us-maven.pkg.dev/PROJECT_ID/assuredoss-java
- Python: https://us-python.pkg.dev/PROJECT_ID/assuredoss-python
- JavaScript: https://us-npm.pkg.dev/PROJECT_ID/assuredoss-javascript
Replace PROJECT_ID with the ID of the project that you selected when you set up Assured OSS.
Configure Assured OSS to download packages with your organization's artifact repository manager such as JFrog Artifactory or Sonatype Nexus.
Optionally, view the available Java, Python, and JavaScript packages:
gcloud auth revoke
gcloud auth application-default revoke
gcloud auth login --cred-file=KEY_FILENAME.json
Replace KEY_FILENAME.json with the name of the service account key that you downloaded.
export GOOGLE_APPLICATION_CREDENTIALS=KEY_FILENAME.json
Replace KEY_FILENAME.json with the name of the service account key that you downloaded.
gcurlj GET "https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories/assuredoss-java/packages"
gcurlj GET "https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories/assuredoss-python/packages"
gcurlj GET "https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories/assuredoss-javascript/packages"
Replace PROJECT_ID with the ID of the project that you selected when you set up Assured OSS.
What's next
- Validate your connection
- Download Java packages
- Download Python packages
- Configure a remote repository
- Verify security metadata
- Configure notifications for package updates