RetroSearch Browse

Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from http://cloud.google.com/security-command-center/docs/integrate-aoss-with-scc below:

Integrate with Assured OSS for code security | Security Command Center

Skip to main content Integrate with Assured OSS for code security

Stay organized with collections Save and categorize content based on your preferences.

The Assured Open Source Software (Assured OSS) premium tier lets you enhance your code security by using the OSS packages that Google uses for its own developer workflows. When you use Assured OSS, your developers can take advantage of the security expertise and experience that Google applies to securing its own open source dependencies.

When you integrate Assured OSS with Security Command Center, you can do the following:

Choose from thousands of curated and most popular Java and Python packages, including common machine learning and artificial intelligence projects like TensorFlow, Pandas, and Scikit-learn.
Configure a secure proxy to download all Java, Python, and JavaScript packages with attestations from Assured OSS, making Google a known and trusted supplier.
Use the SBOMs and VEX in Assured OSS that are provided in industry-standard formats like SPDX and CycloneDX to know more about your ingredients.
Increase confidence in the integrity of the packages that you are using through signed, tamper-evident provenance from Google.
Reduce security risk as Google is actively scanning, finding, and fixing new vulnerabilities in curated packages.

Before you begin

Complete these tasks before you complete the remaining tasks on this page.

Activate Security Command Center Enterprise tier

Verify that the Security Command Center Enterprise tier is activated at the organization level and that you completed the first six steps in the setup guide.

Set up permissions at the organization level

You must set up permissions at the organization level and the project level.

Make sure that you have the following role or roles on the organization: Security Center Admin, Organization Admin
Check for the roles
1. In the Google Cloud console, go to the IAM page.
  Go to IAM
2. Select the organization.
3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
4. For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.
Grant the roles
1. In the Google Cloud console, go to the IAM page.
  Go to IAM
2. Select the organization.
3. Click person_add Grant access.
4. In the New principals field, enter your user identifier. This is typically the email address for a Google Account.
5. In the Select a role list, select a role.
6. To grant additional roles, click add Add another role and add each additional role.
7. Click Save.

Set up permissions at the project level

Make sure that you have the following role or roles on the project: Service Usage Admin, Service Account Admin, Project IAM Admin
Check for the roles
1. In the Google Cloud console, go to the IAM page.
  Go to IAM
2. Select the project.
3. In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
4. For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.
Grant the roles
1. In the Google Cloud console, go to the IAM page.
  Go to IAM
2. Select the project.
3. Click person_add Grant access.
4. In the New principals field, enter your user identifier. This is typically the email address for a Google Account.
5. In the Select a role list, select a role.
6. To grant additional roles, click add Add another role and add each additional role.
7. Click Save.

Set up Google Cloud CLI

In the Google Cloud console, activate Cloud Shell.

Activate Cloud Shell

At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.

Set up Assured OSS Console

In the Google Cloud console, go to the Security Command Center Setup guide.

Go to Setup guide
Verify that you are viewing the organization that you activated the Security Command Center Enterprise tier on.
Expand the Review security capabilities summary panel.
Click Code security > Set up.
In the Set up code security panel, click AOSS Set up.
Select a new service account or select the existing service accounts that you want to add the Assured Open Source Software permissions to.
Select the Google Cloud project where you want to locate the Assured OSS resources.
Click Set up Assured OSS.

The setup process automatically completes the following:
- If selected, creates the new service account assuredoss@PROJECT_ID.gservicesaccount.com.
- Assigns the Assured OSS User role to the designated service account to use with Assured OSS.
- Assigns the Assured OSS Admin role to the logged in user account so that the account can configure the service.
- Enables the Assured Open Source Software API and, if it isn't enabled already, the Artifact Registry API.
- Sets up the Assured OSS proxy service in an Artifact Registry instance in the project that you selected. A repository is provisioned for each language (Java, Python, and JavaScript). These repositories can automatically pull packages from the curated portfolio. If a package isn't available as part of the curated portfolio, the repositories redirect the request to the canonical repositories. The proxy service supports the US region only.
- Grants you and the service account permissions to access package metadata and notifications from Google owned projects.
Create a service account key for each designated Assured OSS service account and download the key in JSON format.
Note:Service account keys are a security risk if not managed correctly. You should choose a more secure alternative to service account keys whenever possible. If you must authenticate with a service account key, you are responsible for the security of the private key and for other operations described by Best practices for managing service account keys. If you are prevented from creating a service account key, service account key creation might be disabled for your organization. For more information, see Managing secure-by-default organization resources. If you acquired the service account key from an external source, you must validate it before use. For more information, see Security requirements for externally sourced credentials.
In the command line on your local machine, run the following command on the downloaded key file to get the base64-encoded string:
```
base64 KEY_FILENAME.json
```
Replace KEY_FILENAME.json with the name of the service account key that you downloaded.

You need the base64-encoded string when you set up a remote repository for Assured OSS.
To download the packages, use the endpoints that Assured OSS provisions for each language. Make a note of these endpoints for later use.
- Java:
```
https://us-maven.pkg.dev/PROJECT_ID/assuredoss-java
```
- Python:
```
https://us-python.pkg.dev/PROJECT_ID/assuredoss-python
```
- JavaScript:
```
https://us-npm.pkg.dev/PROJECT_ID/assuredoss-javascript
```
Replace PROJECT_ID with the ID of the project that you selected when you set up Assured OSS.
Click Next. Configure Assured OSS with your organization's artifact repository manager such as JFrog Artifactory or Sonatype Nexus.

gcloud

Authenticate to Google Cloud with a user account that you want to use to enable Assured OSS:
```
gcloud auth revoke
gcloud auth application-default revoke
gcloud auth login
```
Search for the project where you want to locate the Assured OSS resources:
```
gcloud alpha projects search --query="displayName=PROJECT_NAME"
```
Replace PROJECT_NAME with the project name.
Set the project where you want to locate the Assured OSS resources:
```
gcloud config set project PROJECT_ID
```
Replace PROJECT_ID with the project identifier.

Grant roles to the user account to set up Assured OSS:

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=user:email@domain.com \
  --role=roles/assuredoss.admin

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=user:email@domain.com \
  --role=roles/serviceusage.serviceUsageAdmin

gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=user:email@domain.com \
  --role=roles/iam.serviceAccountAdmin

Where email@domain.com is the email address for your user account.

Enable Assured OSS in the project. Enabling Assured OSS also enables the Artifact Registry API.
```
gcloud services enable assuredoss.googleapis.com
```
To create a new service account for Assured OSS instead of using existing service accounts, complete the following:
```
gcloud iam service-accounts create SERVICE_ACCOUNT_NAME \
  --description="Service account for using Assured OSS"
  --display-name="Assured OSS service account"
```
Replace SERVICE_ACCOUNT_NAME with the name of the service account (for example, assuredoss).
Configure the service accounts for Assured OSS:
```
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \
  --role roles/assuredoss.user
```
Replace the following:
- SERVICE_ACCOUNT_NAME: the name of the service account (for example, assuredoss).
- PROJECT_ID: the project identifier.

Set up the Assured OSS proxy service in an Artifact Registry instance by creating Assured OSS repositories. You must create repositories for all languages. The Assured OSS proxy service that provisions the repositories supports the US region only.

alias gcurlj='curl -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json" -X'

gcurlj POST https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories\?repositoryId\=assuredoss-java   -d '{"format": "MAVEN", "mode": "AOSS_REPOSITORY"}'

gcurlj POST https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories\?repositoryId\=assuredoss-javascript   -d '{"format": "NPM", "mode": "AOSS_REPOSITORY"}'

gcurlj POST https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories\?repositoryId\=assuredoss-python   -d '{"format": "PYTHON", "mode": "AOSS_REPOSITORY"}'

Replace PROJECT_ID with the ID of the project that you selected when you set up Assured OSS.

These repositories can automatically pull packages from the curated portfolio. If a package isn't available as part of the curated portfolio, the repositories redirect the request to the canonical repositories.

Create a service account key for each Assured OSS service account and download the key in JSON format.
Note:Service account keys are a security risk if not managed correctly. You should choose a more secure alternative to service account keys whenever possible. If you must authenticate with a service account key, you are responsible for the security of the private key and for other operations described by Best practices for managing service account keys. If you are prevented from creating a service account key, service account key creation might be disabled for your organization. For more information, see Managing secure-by-default organization resources. If you acquired the service account key from an external source, you must validate it before use. For more information, see Security requirements for externally sourced credentials.
In the command line, run the following command on the downloaded key file to get the base64-encoded string:
```
base64 KEY_FILENAME.json
```
Replace KEY_FILENAME.json with the name of the service account key that you downloaded.

You need the base64-encoded string when you set up a remote repository for Assured OSS.
To download the packages, use the endpoints provisioned by Assured OSS for each language. Make a note of these endpoints:
- Java:
```
https://us-maven.pkg.dev/PROJECT_ID/assuredoss-java
```
- Python:
```
https://us-python.pkg.dev/PROJECT_ID/assuredoss-python
```
- JavaScript:
```
https://us-npm.pkg.dev/PROJECT_ID/assuredoss-javascript
```
Replace PROJECT_ID with the ID of the project that you selected when you set up Assured OSS.
Configure Assured OSS to download packages with your organization's artifact repository manager such as JFrog Artifactory or Sonatype Nexus.

Optionally, view the available Java, Python, and JavaScript packages:

gcloud auth revoke
gcloud auth application-default revoke
gcloud auth login --cred-file=KEY_FILENAME.json

Replace KEY_FILENAME.json with the name of the service account key that you downloaded.

export GOOGLE_APPLICATION_CREDENTIALS=KEY_FILENAME.json

Replace KEY_FILENAME.json with the name of the service account key that you downloaded.

gcurlj GET "https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories/assuredoss-java/packages"
gcurlj GET "https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories/assuredoss-python/packages"
gcurlj GET "https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories/assuredoss-javascript/packages"

Replace PROJECT_ID with the ID of the project that you selected when you set up Assured OSS.

What's next

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-08-14 UTC.

[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-14 UTC."],[],[]]

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4