Subscribe to notifications
Assured Open Source Software (Assured OSS) publishes two types of notifications:
Package availability: These notifications contain information about newpackages and package versions that are added to Assured OSS andupdates regarding the package onboarding status.
Vulnerability notifications: These notifications contain information aboutnew vulnerabilities detected in the packages that are curated byAssured OSS or updates to existing vulnerabilities.
Programmatic notifications about updates on security metadata and new packagesare published onPub/Sub topics. Thesenotifications are available in JSON format. You can create a pull subscriptionor push subscription to theAssured OSS topic to receive notifications.
To create these subscriptions, use the same service accountor workload identity credentials that you use to access artifacts or metadata.When your access to Assured OSS is enabled, the service accountsare granted permission to create subscriptions on these topics.
The following sections describe the Pub/Sub topics.
This document applies to both the premium tier and free tier.
Before you begin
For the Assured OSS premium tier, if you enabledVPC Service Controls,configure the egressrule.
Package onboarding topic
- Topic Name:
projects/cloud-aoss/topics/package_onboarding - Message: this topic contains information about new package versions thatare added to Assured OSS and updates regarding its onboarding status.
Message Data Schema:
{"package_name" string"package_version" string"language" string"onboarding_status" string"notification_status" string}Message Data Attributes:
"PackageName" string"PackageVersion" string"PackageLanguage" string"SchemaVersion" string"GenerateTime" string
Vulnerability information topic
- Topic Name:
projects/cloud-aoss/topics/vulnerability_information - Message: this topic contains information about new vulnerabilities detectedin the system or if the metadata of any vulnerability is updated.
Message Data Schema:
{"vulnerabilityId" string"notificationStatus" string}Message Data Attributes:
"PackageName" string"PackageVersion" string"PackageLanguage" string"SchemaVersion" string"GenerateTime" string
Consolidated package onboarding and vulnerability information topic for premium tier
You can access all Assured OSS notifications from the followingPub/Sub topic:
projects/assuredoss-blue/topics/assuredoss-notificationsNotification attributes
The following notificationattributesare part of the published Pub/Sub message. You can use theseattributes to filter the message.
{"Type":"string",// Indicates the type of notification, can be 'PackageVersion' or 'Vulnerability'"PackageName":"string",// Package ID"PackageVersion":"string",// Version of the package"Language":"string",// Language of the package"SchemaVersion":int,// Schema version of the data in message"GenerateTime":"string"// Time at which the event occurred}TheGenerateTime attribute is inRFC 3339format.
Package-related notifications
When theType attribute isPackageVersion, themessage datahas the following fields:
{"PackageName":"string",// Package ID"PackageVersion":"string",// Version of the package"Language":"string",// Language of the package"NotificationStatus":"string"// Status of package-version,'New' indicates available to download from Assured OSS}Vulnerability-related notifications
When theType attribute isVulnerability, themessage datahas the following fields:
{"ID":"string",// Vulnerability ID affecting the package"Severity":"string",// Severity of the vulnerability"Sources":[{"Name":"string",// Source of vulnerability information"Link":"string"// URL of vulnerability details}],"Summary":"string",// Summary of vulnerability"Description":"string",// Detailed description of vulnerability"PackageName":"string",// Package ID"PackageVersion":"string",// Version of the package"Language":"string",// Language of the package"NotificationStatus":"string"// Status of package-version}The value of theNotificationStatus field indicates the status of thevulnerability. If the vulnerability is new for a package, the valueisNew. If there is an update to an existing vulnerability, thevalue isUpdate.
Create a pull subscription
To create a pull subscription, complete the following:
Create apull subscription. You can use theGoogle Cloud console, Google Cloud CLI, or Pub/Sub API.
Note: If using the Pub/Sub API, enable the API first for the parentproject of the service account you are using for Assured OSS.After you have created the pull subscription, start polling for messagesby usingclient libraries or theGoogle Cloud CLI.
Create a push subscription
Note: Push subscriptions cannot be created by premium tier customers.To create a push subscription, set up an HTTPS server with a certificate thatisn't self-signed and that is accessible on the internet. Use the pushsubscription model in one of the following ways:
If you have a Google Cloud project and service account (for example, youintegrated Assured OSS with Security Command Center):
Because Assured OSS provides permission to create subscriptions,you can create your own push subscriptions and associate them with theendpoint of your choice. For more information, seePush subscriptions.
If you are using the free tier and you don't have a Google Cloud project andservice account, enter the HTTPS endpoint in theEnable Access or UpdateNotification Preferences form. The Assured OSSteam will create a push subscription and attach the endpoint with thatsubscription.
What's next
- Artifact signature overview
- Verify signatures
- Verify the build provenance
- Learn about protecting your software supply chain
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.