Configure Endor Labs to integrate with Google Artifact Registry (GAR) to resolve private npm, Maven, Gradle, and PyPI packages during agentless scans. GAR authenticates with short-lived OAuth2 access tokens rather than static credentials. When you configure a GAR integration, Endor Labs stores your service account key in encrypted form. At scan start, it mints a short-lived OAuth2 access token from the stored key and injects the registry URL and token into the package manager resolver. The token is valid for approximately one hour.

Supported ecosystems

Endor Labs resolves npm, Maven, Gradle, and PyPI packages from GAR. NuGet, Cargo, RubyGems, CocoaPods, and Swift are not supported because Google Artifact Registry does not offer these formats.

Set up a GCP service account

To create a GCP service account with read access to your Artifact Registry repositories:
  1. In Google Cloud Console, go to IAM & Admin > Service Accounts.
  2. Select Create Service Account and enter a name such as endor-gar-reader.
  3. Grant the service account the roles/artifactregistry.reader role on the target project or repository.
  4. Open the service account and select Keys.
  5. Select Add Key > Create new key.
  6. Choose JSON as the key type and select Create.
  7. Save the downloaded JSON key file and use it when you add the integration.

Configure a GAR package manager integration

To connect Endor Labs to your Artifact Registry repositories:
  1. Select User menu > Integrations from the left sidebar.
  2. Select Add next to the package manager type you want to configure.
  3. Select Add Package Manager.
  4. Enter a Name for the integration.
  5. Choose Google Artifact Registry as the authentication type.
  6. Enter your GCP Project ID: the ID of the GCP project that hosts the Artifact Registry repository.
  7. Enter the Location: the GCP region where your repository is hosted, for example us-central1.
  8. Enter the Repository: the name of your GAR repository.
  9. Enter the full contents of the downloaded JSON key file in Service Account Key.
  10. Optionally, under Advanced, select Propagate this package manager to all child namespaces to share this integration with child namespaces.
  11. Optionally, under Advanced, select Use this package manager as a plugin repository if this registry hosts build plugins rather than library dependencies.
  12. Select Add Package Manager.
Endor Labs tests the connection immediately. If the status indicates a failure, verify that the service account key is valid and that the service account has the roles/artifactregistry.reader role on the target repository.
After the integration is saved, the service account key is redacted from all API responses. Store a copy of the JSON key file in a secure location before submitting it.

Configure a GAR package manager integration using the API

Use endorctl to create a GAR package manager resource through the API. The following table lists the parameters required to create the integration.

Known limitations

  • Token lifetime: GAR access tokens expire approximately one hour after they are minted. A token is minted at the start of the scan and used for package resolution. If package resolution begins more than one hour after the scan starts, authentication fails with a 401 Unauthorized error. Re-run the scan to generate a new access token and start a fresh one-hour window.
  • Long-lived service account key: The JSON key you provide remains valid until you revoke it in GCP. Rotate the key periodically following your organization’s credential management practices and update the integration in Endor Labs after rotation.
  • Workload Identity Federation: Keyless authentication through Workload Identity Federation is not supported in this release.
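A pre-flight check for the configuration steps above and for the token-lifetime limitation, written as an added example in Python (not Endor Labs or Google code): it validates the shape of a pasted service account key, builds the registry URL that GAR publishes for each supported format, and reports whether a token minted at scan start is still inside its one-hour window. The key field names are those of a GCP service account JSON key; the sample key, its project and repository names, and its PEM body are constructed placeholders.

```python
import json
from datetime import datetime, timedelta, timezone

TOKEN_LIFETIME = timedelta(hours=1)  # GAR OAuth2 access tokens live about one hour
REQUIRED_KEY_FIELDS = ("type", "project_id", "client_email", "private_key")
# Registry URL formats that GAR publishes per format; Gradle resolves via the Maven URL
REGISTRY_URL = {
    "npm": "https://{location}-npm.pkg.dev/{project}/{repo}/",
    "maven": "https://{location}-maven.pkg.dev/{project}/{repo}",
    "pypi": "https://{location}-python.pkg.dev/{project}/{repo}/simple/",
}

def check_service_account_key(key_json: str, project_id: str) -> list:
    """Return problems found in a pasted JSON key; an empty list means it looks usable."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return ["not valid JSON: " + exc.msg]
    if not isinstance(key, dict):
        return ["key must be a JSON object"]
    problems = [f"missing field: {f}" for f in REQUIRED_KEY_FIELDS if not key.get(f)]
    if key.get("type") and key["type"] != "service_account":
        problems.append(f"unexpected key type: {key['type']}")
    pem = key.get("private_key", "")
    if pem and not pem.startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM-encoded key")
    if key.get("project_id") and key["project_id"] != project_id:
        # A key from another project can still work if the reader role is granted there
        problems.append("note: key belongs to a different project; grant it "
                        "roles/artifactregistry.reader on the repository project")
    return problems

def registry_url(ecosystem: str, location: str, project: str, repo: str) -> str:
    """URL the resolver is pointed at for the given ecosystem."""
    fmt = "maven" if ecosystem == "gradle" else ecosystem
    return REGISTRY_URL[fmt].format(location=location, project=project, repo=repo)

def token_still_valid(minted_at: datetime, resolve_at: datetime) -> bool:
    """False once resolution starts outside the window (GAR answers 401 Unauthorized)."""
    return timedelta(0) <= resolve_at - minted_at < TOKEN_LIFETIME

# Constructed sample key: the PEM body is a placeholder, not a real private key.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "endor-gar-reader@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
})

if __name__ == "__main__":
    print(check_service_account_key(SAMPLE_KEY, "example-project"))
    print(registry_url("npm", "us-central1", "example-project", "npm-repo"))
    start = datetime.now(timezone.utc)
    print(token_still_valid(start, start + timedelta(minutes=90)))
```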