This document describes how to enable APIs for Software Delivery Shield. Software Delivery Shield is a fully-managed software supply chain security solution on Google Cloud.
To collect and view software supply chain insights, you must enable the following APIs:
- Artifact Analysis API to store metadata that other Google Cloud services generate and use.
- Container Scanning API to scan container images stored in Artifact Registry for vulnerabilities and other metadata. Enabling this API automatically enables the Artifact Analysis API.
- Artifact Registry to store your build artifacts. [1]
- Cloud Build to generate build provenance metadata.
- (GKE only) Container Security API to scan running workloads for OS vulnerabilities.
You must run the Container Scanning API in the same Google Cloud project as Artifact Registry. You can run other Google Cloud services that use the registry in separate projects.
[1] Container Registry is also enabled automatically by the Container Scanning API. For Container Registry, Software Delivery Shield provides limited data for existing features and does not support some features that are in private preview. If you are currently using Container Registry, consider transitioning to Artifact Registry.
Enable APIs required for insights
To enable APIs required to generate and view insights:
Console
Use all services in the same project
Enable the required APIs together.
Use separate projects
Enable Container Scanning and Artifact Registry in the project where you want to run Artifact Registry.
Enable the Cloud Build API in projects where you are running Cloud Build.
Enable the Container Security API in projects where you are running GKE.
Google Cloud CLI
Use all services in the same project
Enable the required APIs together.
gcloud services enable containerscanning.googleapis.com \
cloudbuild.googleapis.com \
artifactregistry.googleapis.com \
containersecurity.googleapis.com
Use separate projects
Enable Container Scanning and Artifact Registry in the project where you want to run Artifact Registry. Replace AR_PROJECT with the appropriate Google Cloud project ID.
gcloud services enable containerscanning.googleapis.com \
artifactregistry.googleapis.com \
--project=AR_PROJECT
Enable the Cloud Build API in projects where you are running Cloud Build. Replace BUILD_PROJECT with the appropriate Google Cloud project ID.
gcloud services enable cloudbuild.googleapis.com \
--project=BUILD_PROJECT
Enable the Container Security API in projects where you are running GKE. Replace GKE_PROJECT with the appropriate Google Cloud project ID.
gcloud services enable containersecurity.googleapis.com \
--project=GKE_PROJECT
You have enabled the minimum required APIs to generate and view insights in Software Delivery Shield panels and in the GKE security posture dashboard in Google Cloud console.
You can enable APIs for other services from the API library or with the gcloud services enable command.
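As an added example (not part of the Google Cloud documentation or of any Google tooling), the following shell script checks that a project has the APIs this page lists for its role (Artifact Registry, Cloud Build, or GKE) and prints any that are still missing. The role names `ar`, `build`, `gke` and `all` are this example's own convention; the live check at the bottom assumes `gcloud` is installed and authenticated.

```shell
#!/usr/bin/env sh
# Added example: verify that the APIs required for Software Delivery Shield
# insights are enabled in a project, per the project's role.

# Print the required service names for a role (role names are this script's own).
# Container Scanning also enables Artifact Analysis (containeranalysis) implicitly,
# so that one is not listed separately.
required_apis() {
  case "$1" in
    ar)    printf '%s\n' containerscanning.googleapis.com artifactregistry.googleapis.com ;;
    build) printf '%s\n' cloudbuild.googleapis.com ;;
    gke)   printf '%s\n' containersecurity.googleapis.com ;;
    all)   required_apis ar; required_apis build; required_apis gke ;;
    *)     echo "unknown role: $1" >&2; return 2 ;;
  esac
}

# missing_apis ROLE ENABLED_LIST
# ENABLED_LIST is a newline-separated list of enabled service names, e.g. the output of
#   gcloud services list --enabled --project="$PROJECT" --format='value(config.name)'
# Prints each required service absent from ENABLED_LIST; returns 1 if any is missing.
missing_apis() {
  role="$1"; enabled="$2"; status=0
  required_apis "$role" >/dev/null || return 2
  for api in $(required_apis "$role"); do
    if ! printf '%s\n' "$enabled" | grep -qx "$api"; then
      echo "$api"
      status=1
    fi
  done
  return $status
}

# Live check (needs gcloud): sh check_apis.sh ROLE PROJECT_ID
if [ $# -eq 2 ]; then
  missing_apis "$1" "$(gcloud services list --enabled --project="$2" --format='value(config.name)')" \
    && echo "all required APIs enabled in $2"
fi
```

An Artifact Registry project whose enabled list lacks `containerscanning.googleapis.com` fails the check, which is exactly the cross-project mistake the note above warns about.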
What's next
- Learn about the IAM permissions that are required to view Software Delivery Shield security insights.
- Learn more about Software Delivery Shield services in the overview.
- Learn about software supply chain security practices and how Software Delivery Shield can help you to implement them.