Enable services

This document describes how to enable APIs for products and features that help to protect your software supply chain.

To collect and view software supply chain insights, you must enable the following APIs:

  • Artifact Analysis API to store metadata that other Google Cloud services generate and use.
  • Container Scanning API to scan container images stored in Artifact Registry for vulnerabilities and other metadata. Enabling this API automatically enables the Artifact Analysis API.
  • Artifact Registry to store your build artifacts.
  • Cloud Build to generate build provenance metadata.
  • (GKE only) Container Security API to scan running workloads for OS vulnerabilities.

You must run the Container Scanning API in the same Google Cloud project as Artifact Registry. You can run other Google Cloud services that use the registry in separate projects.

Enable APIs required for insights

To enable APIs required to generate and view insights:

Console

Use all services in the same project

Enable the required APIs together.

Enable the APIs

Use separate projects

  1. Enable Container Scanning and Artifact Registry in the project where you want to run Artifact Registry.

    Enable the APIs

  2. Enable the Cloud Build API in projects where you are running Cloud Build.

    Enable Cloud Build

  3. Enable the Container Security API in projects where you are running GKE.

    Enable Container Security

Google Cloud CLI

Use all services in the same project

Enable the required APIs together.

gcloud services enable containerscanning.googleapis.com \
    cloudbuild.googleapis.com \
    artifactregistry.googleapis.com \
    containersecurity.googleapis.com

Use separate projects

  1. Enable Container Scanning and Artifact Registry in the project where you want to run Artifact Registry. Replace AR_PROJECT with the appropriate Google Cloud project ID.

    gcloud services enable containerscanning.googleapis.com \
        artifactregistry.googleapis.com \
        --project=AR_PROJECT
    
  2. Enable the Cloud Build API in projects where you are running Cloud Build. Replace BUILD_PROJECT with the appropriate Google Cloud project ID.

    gcloud services enable cloudbuild.googleapis.com \
        --project=BUILD_PROJECT
    
  3. Enable the Container Security API in projects where you are running GKE. Replace GKE_PROJECT with the appropriate Google Cloud project ID.

    gcloud services enable containersecurity.googleapis.com \
         --project=GKE_PROJECT
    

You have enabled the minimum required APIs to generate and view insights in Google Cloud console panels and in the GKE security posture dashboard.

You can enable APIs for other services from the API library or with the gcloud services enable command.

What's next