This document describes how to enable APIs for products and features that help to protect your software supply chain.
To collect and view software supply chain insights, you must enable the following APIs:
- Artifact Analysis API to store metadata that other Google Cloud services generate and use.
- Container Scanning API to scan container images stored in Artifact Registry for vulnerabilities and other metadata. Enabling this API automatically enables the Artifact Analysis API.
- Artifact Registry to store your build artifacts.
- Cloud Build to generate build provenance metadata.
- (GKE only) Container Security API to scan running workloads for OS vulnerabilities.
You must run the Container Scanning API in the same Google Cloud project as Artifact Registry. You can run other Google Cloud services that use the registry in separate projects.
Enable APIs required for insights
To enable APIs required to generate and view insights:
Console
Use all services in the same project
Enable the required APIs together.
Use separate projects
Enable Container Scanning and Artifact Registry in the project where you want to run Artifact Registry.
Enable the Cloud Build API in projects where you are running Cloud Build.
Enable the Container Security API in projects where you are running GKE.
Google Cloud CLI
Use all services in the same project
Enable the required APIs together.
gcloud services enable containerscanning.googleapis.com \
cloudbuild.googleapis.com \
artifactregistry.googleapis.com \
containersecurity.googleapis.com
Use separate projects
Enable Container Scanning and Artifact Registry in the project where you want to run Artifact Registry. Replace
AR_PROJECT
with the appropriate Google Cloud project ID.gcloud services enable containerscanning.googleapis.com \ artifactregistry.googleapis.com \ --project=AR_PROJECT
Enable the Cloud Build API in projects where you are running Cloud Build. Replace
BUILD_PROJECT
with the appropriate Google Cloud project ID.gcloud services enable cloudbuild.googleapis.com \ --project=BUILD_PROJECT
Enable the Container Security API in projects where you are running GKE. Replace
GKE_PROJECT
with the appropriate Google Cloud project ID.gcloud services enable containersecurity.googleapis.com \ --project=GKE_PROJECT
You have enabled the minimum required APIs to generate and view insights in Google Cloud console panels and in the GKE security posture dashboard.
You can enable APIs for other services from the API library or with the gcloud services enable command.
What's next
- Learn about the IAM permissions that are required to view security insights.
- Learn more about Software Delivery Shield services in the overview
- Learn about software supply chain security practices and how Software Delivery Shield can help you to implement them.