Integrate with Assured OSS for code security

Assured Open Source Software (Assured OSS) lets you enhance your code security by using the OSS packages that Google uses for its own developer workflows. When you use Assured OSS, your developers can take advantage of the security expertise and experience that Google applies to securing its own open source dependencies.

When you integrate Assured OSS with Security Command Center, you can do the following:

  • Choose from over 3,700 curated, widely used Java and Python packages, including common machine learning and artificial intelligence projects such as TensorFlow, pandas, and scikit-learn.
  • Configure a secure proxy to download all Java, Python, and JavaScript packages with attestations from Assured OSS, making Google a known and trusted supplier.
  • Use the SBOMs and VEX statements that Assured OSS provides in industry-standard formats such as SPDX and CycloneDX to understand exactly what is in your dependencies.
  • Increase confidence in the integrity of the packages that you use through signed, tamper-evident provenance from Google.
  • Reduce security risk, because Google actively scans for, finds, and fixes new vulnerabilities in the curated packages.

Before you begin

Complete the following tasks before you continue with the rest of this page.

Activate Security Command Center Enterprise tier

Verify that the Security Command Center Enterprise tier is activated at the organization level and that you completed the first six steps in the setup guide.

Set up permissions at the organization level

You must set up permissions at the organization level and the project level.

  1. Make sure that you have the following role or roles on the organization: Security Center Admin, Organization Admin

    Check for the roles

    1. In the Google Cloud console, go to the IAM page.

      Go to IAM
    2. Select the organization.
    3. In the Principal column, find the row that has your email address.

      If your email address isn't in that column, then you do not have any roles.

    4. In the Role column for the row with your email address, check whether the list of roles includes the required roles.

    Grant the roles

    1. In the Google Cloud console, go to the IAM page.

      Go to IAM
    2. Select the organization.
    3. Click Grant access.
    4. In the New principals field, enter your email address.
    5. In the Select a role list, select a role.
    6. To grant additional roles, click Add another role and add each additional role.
    7. Click Save.

Set up permissions at the project level

  1. Make sure that you have the following role or roles on the project: Service Usage Admin, Service Account Admin, Project IAM Admin

    Check for the roles

    1. In the Google Cloud console, go to the IAM page.

      Go to IAM
    2. Select the project.
    3. In the Principal column, find the row that has your email address.

      If your email address isn't in that column, then you do not have any roles.

    4. In the Role column for the row with your email address, check whether the list of roles includes the required roles.

    Grant the roles

    1. In the Google Cloud console, go to the IAM page.

      Go to IAM
    2. Select the project.
    3. Click Grant access.
    4. In the New principals field, enter your email address.
    5. In the Select a role list, select a role.
    6. To grant additional roles, click Add another role and add each additional role.
    7. Click Save.

Set up Google Cloud CLI

You can use the gcloud CLI samples on this page from either of the following development environments:

  • Cloud Shell: To use an online terminal with the gcloud CLI already set up, activate Cloud Shell.

    At the bottom of this page, a Cloud Shell session starts and displays a command-line prompt. It can take a few seconds for the session to initialize.

  • Local shell: To use the gcloud CLI in a local development environment, install and initialize the gcloud CLI.

Set up Assured OSS

Console

  1. In the Google Cloud console, go to the Security Command Center Risk Overview page.

    Go to Risk Overview

  2. Verify that you are viewing the organization that you activated the Security Command Center Enterprise tier on.

  3. Click View setup guide.

  4. Click Set up code security.

  5. Choose whether to create a new service account or to grant the Assured Open Source Software permissions to existing service accounts, and select the accounts.

  6. Select the Google Cloud project where you want to locate the Assured OSS resources.

  7. Click Set up Assured OSS.

    The setup process automatically completes the following:

    • If selected, creates the new service account assuredoss@PROJECT_ID.iam.gserviceaccount.com.
    • Assigns the Assured OSS User role to the designated service account to use with Assured OSS.
    • Assigns the Assured OSS Admin role to the logged in user account so that the account can configure the service.
    • Enables the Assured Open Source Software API and, if it isn't enabled already, the Artifact Registry API.
    • Sets up the Assured OSS proxy service in an Artifact Registry instance in the project that you selected. A repository is provisioned for each language (Java, Python, and JavaScript). These repositories can automatically pull packages from the curated portfolio. If a package isn't available as part of the curated portfolio, the repositories redirect the request to the canonical repositories. The proxy service supports the US region only.
    • Grants you and the service account permissions to access package metadata and notifications from Google owned projects.
  8. Create a service account key for each designated Assured OSS service account and download the key in JSON format. The key is a long-lived credential for that service account: store it only in the secret store of the repository manager that will use it, restrict who can read it, and rotate it if it is ever exposed.

  9. In the command line on your local machine, run the following command on the downloaded key file to get the base64-encoded string:

    base64 KEY_FILENAME.json
    

    Replace KEY_FILENAME.json with the name of the service account key that you downloaded.

    The string must be a single line. GNU base64 (the default on Linux) wraps its output every 76 characters; pass -w 0, or pipe the output through tr -d '\n', to suppress the wrapping. You need the base64-encoded string when you set up a remote repository for Assured OSS.

  10. To download the packages, use the endpoints that Assured OSS provisions for each language. Make a note of these endpoints for later use.

    • Java:
      https://us-maven.pkg.dev/PROJECT_ID/assuredoss-java
    • Python:
      https://us-python.pkg.dev/PROJECT_ID/assuredoss-python
    • JavaScript:
      https://us-npm.pkg.dev/PROJECT_ID/assuredoss-javascript

    Replace PROJECT_ID with the ID of the project that you selected when you set up Assured OSS.

  11. Click Next. Configure Assured OSS with your organization's artifact repository manager such as JFrog Artifactory or Sonatype Nexus.
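Steps 8 to 10 above (and steps 9 to 11 of the gcloud procedure that follows) leave you with the same three artifacts: a key file, its base64 form, and the endpoint URLs. The following Python is an added example, not code from this page or from Google, that turns those artifacts into ready-to-use pip and npm client configuration while guarding against the two common mistakes at this step: encoding the key with a line-wrapping base64, and pasting a file that is not actually a service account key. It assumes the Artifact Registry basic-auth convention of username _json_key_base64 with the base64-encoded key file as the password, which this page does not itself describe, and the sample key it writes is a constructed placeholder, not a real credential.

```python
"""Build pip and npm client configuration for the Assured OSS endpoints from a
downloaded service account key, avoiding the base64 line-wrapping pitfall."""
import base64
import binascii
import json
import os
import tempfile

# Constructed sample key (not a real credential): same fields as a downloaded
# service account key file, with a placeholder in place of the private key.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "assuredoss@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
    "token_uri": "https://oauth2.googleapis.com/token",
}

# Repository endpoints that Assured OSS provisions, one per language (from the page).
ENDPOINTS = {
    "java": "https://us-maven.pkg.dev/{project}/assuredoss-java",
    "python": "https://us-python.pkg.dev/{project}/assuredoss-python",
    "javascript": "https://us-npm.pkg.dev/{project}/assuredoss-javascript",
}

# Artifact Registry basic-auth username for a base64-encoded key file.
# Assumed from Artifact Registry's conventions; the page does not state it.
B64_KEY_USER = "_json_key_base64"


def make_sample_key_file():
    """Write the constructed sample key to a temp file and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "assuredoss-key.json")
    with open(path, "w") as f:
        json.dump(SAMPLE_KEY, f)
    return path


def load_key(path):
    """Load the key file and reject anything that is not a service account key."""
    with open(path) as f:
        key = json.load(f)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key file")
    email = key.get("client_email", "")
    if not email.endswith(".iam.gserviceaccount.com"):
        raise ValueError("unexpected client_email: %r" % email)
    return key


def key_to_base64(path):
    """Base64-encode the whole key file as a single line. GNU base64 wraps at
    76 characters unless given -w 0, and a wrapped value breaks basic auth."""
    with open(path, "rb") as f:
        return base64.b64encode(f.read()).decode("ascii")


def verify_base64(path, encoded):
    """True only if encoded is strictly valid base64 of exactly the key file."""
    try:
        decoded = base64.b64decode(encoded, validate=True)
    except binascii.Error:  # e.g. an embedded newline from a wrapping encoder
        return False
    with open(path, "rb") as f:
        return decoded == f.read()


def endpoints_for(project_id):
    """The three proxy endpoints for a project, keyed by language."""
    return {lang: url.format(project=project_id) for lang, url in ENDPOINTS.items()}


def pip_conf(project_id, encoded):
    """pip.conf that resolves Python packages only through the Assured OSS proxy."""
    host_path = endpoints_for(project_id)["python"][len("https://"):]
    return "[global]\nindex-url = https://%s:%s@%s/simple/\n" % (B64_KEY_USER, encoded, host_path)


def npmrc(project_id, encoded):
    """.npmrc that points the default registry at the Assured OSS proxy."""
    url = endpoints_for(project_id)["javascript"]
    scope = "//" + url[len("https://"):] + "/"
    return ("registry=%s/\n" % url
            + "%s:_password=%s\n" % (scope, encoded)
            + "%s:username=%s\n" % (scope, B64_KEY_USER)
            + "%s:always-auth=true\n" % scope)


if __name__ == "__main__":
    key_path = make_sample_key_file()
    key = load_key(key_path)
    encoded = key_to_base64(key_path)
    assert verify_base64(key_path, encoded)
    print(pip_conf(key["project_id"], encoded))
    print(npmrc(key["project_id"], encoded))
```

For a real key, point make_sample_key_file's caller at the downloaded file instead; the generated files contain the credential, so write them into the build agent's protected home directory, not into the repository. Maven follows the same convention with username _json_key_base64 and the encoded key as the password in the server entry of settings.xml.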

gcloud

  1. Authenticate to Google Cloud with the user account that you want to use to enable Assured OSS. The two revoke commands remove any credentials that gcloud has already cached, so that the login that follows is the only active account:

    gcloud auth revoke
    gcloud auth application-default revoke
    gcloud auth login
    
  2. Search for the project where you want to locate the Assured OSS resources:

    gcloud alpha projects search --query="displayName=PROJECT_NAME"
    

    Replace PROJECT_NAME with the project name.

  3. Set the project where you want to locate the Assured OSS resources:

    gcloud config set project PROJECT_ID
    

    Replace PROJECT_ID with the project identifier.

  4. Grant roles to the user account to set up Assured OSS:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member=user:email@domain.com \
      --role=roles/assuredoss.admin
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member=user:email@domain.com \
      --role=roles/serviceusage.serviceUsageAdmin
    
    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member=user:email@domain.com \
      --role=roles/iam.serviceAccountAdmin
    

    Replace email@domain.com with the email address of your user account.

  5. Enable Assured OSS in the project. Enabling Assured OSS also enables the Artifact Registry API.

    gcloud services enable assuredoss.googleapis.com
    
  6. To create a new service account for Assured OSS instead of using existing service accounts, run the following:

    gcloud iam service-accounts create SERVICE_ACCOUNT_NAME \
      --description="Service account for using Assured OSS" \
      --display-name="Assured OSS service account"
    

    Replace SERVICE_ACCOUNT_NAME with the name of the service account (for example, assuredoss).

  7. Grant the Assured OSS User role to each service account that will download packages:

    gcloud projects add-iam-policy-binding PROJECT_ID \
      --member=serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \
      --role=roles/assuredoss.user
    

    Replace the following:

    • SERVICE_ACCOUNT_NAME: the name of the service account (for example, assuredoss).
    • PROJECT_ID: the project identifier.
  8. Set up the Assured OSS proxy service in an Artifact Registry instance by creating Assured OSS repositories. You must create repositories for all languages. The Assured OSS proxy service that provisions the repositories supports the US region only.

    alias gcurlj='curl -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json" -X'
    
    gcurlj POST "https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories?repositoryId=assuredoss-java" -d '{"format": "MAVEN", "mode": "AOSS_REPOSITORY"}'
    
    gcurlj POST "https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories?repositoryId=assuredoss-javascript" -d '{"format": "NPM", "mode": "AOSS_REPOSITORY"}'
    
    gcurlj POST "https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories?repositoryId=assuredoss-python" -d '{"format": "PYTHON", "mode": "AOSS_REPOSITORY"}'
    

    Replace PROJECT_ID with the ID of the project that you selected when you set up Assured OSS.

    The mode value AOSS_REPOSITORY is what makes these repositories Assured OSS proxies rather than ordinary Artifact Registry repositories. If a repository with the same ID already exists, the create call fails with an ALREADY_EXISTS error; in that case, confirm that the existing repository has mode AOSS_REPOSITORY and the expected format before you use it.

    These repositories can automatically pull packages from the curated portfolio. If a package isn't available as part of the curated portfolio, the repositories redirect the request to the canonical repositories.

  9. Create a service account key for each Assured OSS service account and download the key in JSON format. The key is a long-lived credential for that service account: store it only in the secret store of the repository manager that will use it, restrict who can read it, and rotate it if it is ever exposed.

  10. In the command line, run the following command on the downloaded key file to get the base64-encoded string:

    base64 KEY_FILENAME.json
    

    Replace KEY_FILENAME.json with the name of the service account key that you downloaded.

    The string must be a single line. GNU base64 (the default on Linux) wraps its output every 76 characters; pass -w 0, or pipe the output through tr -d '\n', to suppress the wrapping. You need the base64-encoded string when you set up a remote repository for Assured OSS.

  11. To download the packages, use the endpoints provisioned by Assured OSS for each language. Make a note of these endpoints:

    • Java:
      https://us-maven.pkg.dev/PROJECT_ID/assuredoss-java
    • Python:
      https://us-python.pkg.dev/PROJECT_ID/assuredoss-python
    • JavaScript:
      https://us-npm.pkg.dev/PROJECT_ID/assuredoss-javascript

    Replace PROJECT_ID with the ID of the project that you selected when you set up Assured OSS.

  12. Configure Assured OSS to download packages with your organization's artifact repository manager such as JFrog Artifactory or Sonatype Nexus.

  13. Optionally, list the Java, Python, and JavaScript packages that are available through the repositories. Authenticate as the Assured OSS service account by using its key:

    gcloud auth revoke
    gcloud auth application-default revoke
    gcloud auth login --cred-file=KEY_FILENAME.json
    
    export GOOGLE_APPLICATION_CREDENTIALS=KEY_FILENAME.json
    

    Replace KEY_FILENAME.json with the name of the service account key that you downloaded. The GOOGLE_APPLICATION_CREDENTIALS variable is needed only by tools that use Application Default Credentials; the gcurlj alias from step 8 takes its token from the active gcloud account.

    gcurlj GET "https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories/assuredoss-java/packages"
    gcurlj GET "https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories/assuredoss-python/packages"
    gcurlj GET "https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories/assuredoss-javascript/packages"
    

    Replace PROJECT_ID with the ID of the project that you selected when you set up Assured OSS. The gcurlj alias must be defined in the shell that you run these commands in. Because gcloud auth login --cred-file makes the service account the active gcloud account, run gcloud auth login again with your own user account when you are done.
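The gcloud procedure above creates the three proxy repositories with one POST each, which fails on a re-run and says nothing about a repository that already exists under the same ID. The following Python is an added example, not code from this page or from Google, that performs step 8 idempotently against the same Artifact Registry REST API the page calls with curl: for each repository it first GETs the resource and, if one exists, checks that its format and mode are what an Assured OSS proxy must have before trusting it, and only otherwise issues the create call. A same-named repository in a different mode would serve whatever has been pushed to it rather than Google's curated builds, so this check is worth running every time the provisioning is repeated. The FakeClient and the project ID example-project are constructed for running offline; given a project ID on the command line, the script instead uses the token from gcloud auth print-access-token.

```python
"""Create the three Assured OSS proxy repositories idempotently through the
Artifact Registry REST API and refuse to reuse a same-named repository that
is not an AOSS_REPOSITORY proxy of the expected format."""
import json
import urllib.error
import urllib.request

AR_BASE = "https://artifactregistry.googleapis.com/v1"
LOCATION = "us"  # the Assured OSS proxy service supports the US region only

# repositoryId -> Artifact Registry format, exactly as on the page.
AOSS_REPOS = {
    "assuredoss-java": "MAVEN",
    "assuredoss-python": "PYTHON",
    "assuredoss-javascript": "NPM",
}


def repo_name(project_id, repo_id):
    """Full resource name of a repository."""
    return "projects/%s/locations/%s/repositories/%s" % (project_id, LOCATION, repo_id)


def audit_repository(repo, fmt):
    """Problems that make an existing repository unfit to serve as the AOSS proxy."""
    problems = []
    if repo.get("mode") != "AOSS_REPOSITORY":
        problems.append("mode is %s, expected AOSS_REPOSITORY" % repo.get("mode"))
    if repo.get("format") != fmt:
        problems.append("format is %s, expected %s" % (repo.get("format"), fmt))
    return problems


class HttpClient:
    """Minimal JSON-over-HTTPS client; the same role the gcurlj alias plays."""
    def __init__(self, token):
        self.token = token

    def request(self, method, url, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(url, data=data, method=method, headers={
            "Authorization": "Bearer " + self.token,
            "Content-Type": "application/json",
        })
        try:
            with urllib.request.urlopen(req) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")


def ensure_aoss_repository(client, project_id, repo_id, fmt):
    """Return 'exists' or 'created'; raise if a same-named repo is not an AOSS proxy."""
    name = repo_name(project_id, repo_id)
    status, repo = client.request("GET", "%s/%s" % (AR_BASE, name))
    if status == 200:
        problems = audit_repository(repo, fmt)
        if problems:
            raise RuntimeError("%s already exists but %s" % (name, "; ".join(problems)))
        return "exists"
    if status != 404:
        raise RuntimeError("GET %s failed: %s %s" % (name, status, repo))
    url = "%s/projects/%s/locations/%s/repositories?repositoryId=%s" % (
        AR_BASE, project_id, LOCATION, repo_id)
    status, result = client.request("POST", url, {"format": fmt, "mode": "AOSS_REPOSITORY"})
    if status != 200:
        raise RuntimeError("POST %s failed: %s %s" % (url, status, result))
    return "created"


def ensure_all(client, project_id):
    """Provision every Assured OSS repository; returns repo_id -> outcome."""
    return {repo_id: ensure_aoss_repository(client, project_id, repo_id, fmt)
            for repo_id, fmt in AOSS_REPOS.items()}


class FakeClient:
    """Constructed in-memory stand-in for the API so the example runs offline."""
    def __init__(self, existing=None):
        self.repos = dict(existing or {})  # resource name -> resource

    def request(self, method, url, body=None):
        path = url[len(AR_BASE) + 1:]
        if method == "GET":
            repo = self.repos.get(path)
            return (200, repo) if repo else (404, {"error": {"status": "NOT_FOUND"}})
        parent, repo_id = path.split("?repositoryId=")
        name = parent + "/" + repo_id
        if name in self.repos:
            return 409, {"error": {"status": "ALREADY_EXISTS"}}
        self.repos[name] = dict(body, name=name)
        return 200, {"name": "operations/example", "done": False}


if __name__ == "__main__":
    import subprocess
    import sys
    if len(sys.argv) > 1:  # real run: python3 aoss_repos.py PROJECT_ID
        token = subprocess.check_output(["gcloud", "auth", "print-access-token"], text=True).strip()
        print(ensure_all(HttpClient(token), sys.argv[1]))
    else:  # offline demo against the constructed fake
        print(ensure_all(FakeClient(), "example-project"))
```

The create call returns a long-running operation; the script treats an HTTP 200 as accepted and leaves polling to the caller, since the GET on the next run is the real confirmation that the repository exists with the right mode.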

What's next