Integrate with Assured OSS for code security
The Assured Open Source Software (Assured OSS) premium tier lets you enhance your code security by using the OSS packages that Google uses for its own developer workflows. When you use Assured OSS, your developers can take advantage of the security expertise and experience that Google applies to securing its own open source dependencies.
When you integrate Assured OSS with Security Command Center, you can do the following:
- Choose from thousands of curated and most popular Java, Python, and Go packages, including common machine learning and artificial intelligence projects like TensorFlow, Pandas, and Scikit-learn.
- Configure a secure proxy to download all Java, Python, Go, and JavaScript packages with attestations from Assured OSS, making Google a known and trusted supplier.
- Use the SBOMs and VEX in Assured OSS that are provided in industry-standard formats like SPDX and CycloneDX to know more about your ingredients.
- Increase confidence in the integrity of the packages that you are using through signed, tamper-evident provenance from Google.
- Reduce security risk as Google is actively scanning, finding, and fixing new vulnerabilities in curated packages.
Before you begin
Complete these tasks before you complete the remaining tasks on this page.
Activate Security Command Center Enterprise tier
Verify that the Security Command Center Enterprise tier is activated at the organization level.
Set up permissions at the organization level
You must set up permissions at the organization level and the project level.
Make sure that you have the following role or roles on the organization: Security Center Admin, Organization Admin
Check for the roles
- In the Google Cloud console, go to the IAM page.
- Select the organization.
- In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
- For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.
Grant the roles
- In the Google Cloud console, go to the IAM page.
- Select the organization.
- Click Grant access.
- In the New principals field, enter your user identifier. This is typically the email address for a Google Account.
- In the Select a role list, select a role.
- To grant additional roles, click Add another role and add each additional role.
- Click Save.
Set up permissions at the project level
Make sure that you have the following role or roles on the project: Service Usage Admin, Service Account Admin, Project IAM Admin
Check for the roles
- In the Google Cloud console, go to the IAM page.
- Select the project.
- In the Principal column, find all rows that identify you or a group that you're included in. To learn which groups you're included in, contact your administrator.
- For all rows that specify or include you, check the Role column to see whether the list of roles includes the required roles.
Grant the roles
- In the Google Cloud console, go to the IAM page.
- Select the project.
- Click Grant access.
- In the New principals field, enter your user identifier. This is typically the email address for a Google Account.
- In the Select a role list, select a role.
- To grant additional roles, click Add another role and add each additional role.
- Click Save.
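The project-level role check above can also be run against an exported policy. The following Python is an added example, not part of the original page: it takes the JSON printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`, matches the bindings against you and your groups, and reports which required roles are missing or granted only through a conditional binding. The role IDs are this example's mapping of the three display names listed above; the sample policy and principals are constructed.

```python
import json

# Role IDs for the project-level roles listed above (this example's mapping).
REQUIRED_PROJECT_ROLES = {
    "roles/serviceusage.serviceUsageAdmin",   # Service Usage Admin
    "roles/iam.serviceAccountAdmin",          # Service Account Admin
    "roles/resourcemanager.projectIamAdmin",  # Project IAM Admin
}

def missing_roles(policy, principals, required=REQUIRED_PROJECT_ROLES):
    """Return (missing, conditional_only) for the given principals.

    missing: required roles that no binding grants to any principal.
    conditional_only: required roles granted only by bindings that carry an
    IAM condition, so they may not apply to every request.
    """
    principals = {p.lower() for p in principals}
    plain, conditional = set(), set()
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        members = {m.lower() for m in binding.get("members", [])}
        if role not in required or not (members & principals):
            continue
        (conditional if "condition" in binding else plain).add(role)
    missing = set(required) - plain - conditional
    return sorted(missing), sorted(conditional - plain)

# Constructed sample, shaped like `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{"version": 3, "bindings": [
  {"role": "roles/serviceusage.serviceUsageAdmin",
   "members": ["user:alice@example.com"]},
  {"role": "roles/iam.serviceAccountAdmin",
   "members": ["group:platform-admins@example.com"],
   "condition": {"title": "temporary",
                 "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}},
  {"role": "roles/viewer", "members": ["user:alice@example.com"]}
]}
""")

if __name__ == "__main__":
    # Constructed principals: the user plus one group the user belongs to.
    me = ["user:alice@example.com", "group:platform-admins@example.com"]
    missing, conditional_only = missing_roles(SAMPLE_POLICY, me)
    print("missing:", missing)
    print("conditional only:", conditional_only)
```

Roles inherited from the folder or organization do not appear in the project's own policy, so a role reported as missing here can still be held through inheritance.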
Set up Google Cloud CLI
In the Google Cloud console, activate Cloud Shell.
At the bottom of the Google Cloud console, a Cloud Shell session starts and displays a command-line prompt. Cloud Shell is a shell environment with the Google Cloud CLI already installed and with values already set for your current project. It can take a few seconds for the session to initialize.
Set up Assured OSS
Console
In the Google Cloud console, go to the Security Command Center Setup guide.
Verify that you are viewing the organization that you activated the Security Command Center Enterprise tier on.
Expand the Review security capabilities summary panel.
Click Code security > Set up.
In the Set up code security panel, click AOSS Setup.
Select a new service account or select the existing service accounts that you want to add the Assured Open Source Software permissions to.
Select the Google Cloud project where you want to locate the Assured OSS resources.
Click Set up Assured OSS.
The setup process automatically completes the following:
- If selected, creates the new service account assuredoss@PROJECT_ID.iam.gserviceaccount.com.
- Assigns the Assured OSS User role to the designated service account to use with Assured OSS.
- Assigns the Assured OSS Admin role to the logged-in user account so that the account can configure the service.
- Enables the Assured Open Source Software API and, if it isn't enabled already, the Artifact Registry API.
- Sets up the Assured OSS proxy service in an Artifact Registry instance in the project that you selected. A repository is provisioned for each language (Java, Python, Go, and JavaScript). These repositories can automatically pull packages from the curated portfolio. If a package isn't available as part of the curated portfolio, the repositories redirect the request to the canonical repositories. The proxy service supports the US region only. For more information, see Assured OSS repository options.
- Grants you and the service account permissions to access package metadata and notifications from Google-owned projects.
Create a service account key for each designated Assured OSS service account and download the key in JSON format.
Note: Service account keys are a security risk if not managed correctly. You should choose a more secure alternative to service account keys whenever possible. If you must authenticate with a service account key, you are responsible for the security of the private key and for other operations described by Best practices for managing service account keys. If you are prevented from creating a service account key, service account key creation might be disabled for your organization. For more information, see Managing secure-by-default organization resources. If you acquired the service account key from an external source, you must validate it before use. For more information, see Security requirements for externally sourced credentials.
In the command line on your local machine, run the following command on the downloaded key file to get the base64-encoded string:
base64 KEY_FILENAME.json
Replace KEY_FILENAME.json with the name of the service account key that you downloaded.
You need the base64-encoded string when you set up a remote repository for Assured OSS.
To download the packages, use the endpoints that Assured OSS provisions for each language. Make a note of these endpoints for later use.
- Java: https://us-maven.pkg.dev/PROJECT_ID/assuredoss-java
- Python: https://us-python.pkg.dev/PROJECT_ID/assuredoss-python
- JavaScript: https://us-npm.pkg.dev/PROJECT_ID/assuredoss-javascript
- Go: https://us-go.pkg.dev/PROJECT_ID/assuredoss-go
Replace PROJECT_ID with the ID of the project that you selected when you set up Assured OSS.
Click Next.
Configure Assured OSS with your organization's artifact repository manager, such as JFrog Artifactory or Sonatype Nexus.
gcloud
Authenticate to Google Cloud with a user account that you want to use to enable Assured OSS:
gcloud auth revoke
gcloud auth application-default revoke
gcloud auth login
Search for the project where you want to locate the Assured OSS resources:
gcloud alpha projects search --query="displayName=PROJECT_NAME"
Replace PROJECT_NAME with the project name.
Set the project where you want to locate the Assured OSS resources:
gcloud config set project PROJECT_ID
Replace PROJECT_ID with the project identifier.
Grant roles to the user account to set up Assured OSS:
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=user:email@domain.com \
  --role=roles/assuredoss.admin
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=user:email@domain.com \
  --role=roles/serviceusage.serviceUsageAdmin
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=user:email@domain.com \
  --role=roles/iam.serviceAccountAdmin
Where email@domain.com is the email address for your user account.
Enable Assured OSS in the project. Enabling Assured OSS also enables the Artifact Registry API.
gcloud services enable assuredoss.googleapis.com
To create a new service account for Assured OSS instead of using existing service accounts, complete the following:
gcloud iam service-accounts create SERVICE_ACCOUNT_NAME \
  --description="Service account for using Assured OSS" \
  --display-name="Assured OSS service account"
Replace SERVICE_ACCOUNT_NAME with the name of the service account (for example, assuredoss).
Configure the service accounts for Assured OSS:
gcloud projects add-iam-policy-binding PROJECT_ID \
  --member=serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com \
  --role roles/assuredoss.user
Replace the following:
- SERVICE_ACCOUNT_NAME: the name of the service account (for example, assuredoss).
- PROJECT_ID: the project identifier.
To access the security metadata repository after setting up Assured OSS premium using gcloud, send an email to customer-support-aoss@google.com with the service accounts that you enabled for Assured OSS.
Set up the Assured OSS proxy service in an Artifact Registry instance by creating Assured OSS repositories. You must create repositories for all languages. The Assured OSS proxy service that provisions the repositories supports the US region only.
alias gcurlj='curl -H "Authorization: Bearer $(gcloud auth print-access-token)" -H "Content-Type: application/json" -X'
gcurlj POST https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories\?repositoryId\=assuredoss-java -d '{"format": "MAVEN", "mode": "AOSS_REPOSITORY"}'
gcurlj POST https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories\?repositoryId\=assuredoss-javascript -d '{"format": "NPM", "mode": "AOSS_REPOSITORY"}'
gcurlj POST https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories\?repositoryId\=assuredoss-python -d '{"format": "PYTHON", "mode": "AOSS_REPOSITORY"}'
gcurlj POST https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories\?repositoryId\=assuredoss-go -d '{"format": "GO", "mode": "AOSS_REPOSITORY"}'
Replace PROJECT_ID with the ID of the project that you selected when you set up Assured OSS.
These repositories can automatically pull packages from the curated portfolio. If a package isn't available as part of the curated portfolio, the repositories redirect the request to the canonical repositories.
Create a service account key for each Assured OSS service account and download the key in JSON format.
Note: Service account keys are a security risk if not managed correctly. You should choose a more secure alternative to service account keys whenever possible. If you must authenticate with a service account key, you are responsible for the security of the private key and for other operations described by Best practices for managing service account keys. If you are prevented from creating a service account key, service account key creation might be disabled for your organization. For more information, see Managing secure-by-default organization resources. If you acquired the service account key from an external source, you must validate it before use. For more information, see Security requirements for externally sourced credentials.
In the command line, run the following command on the downloaded key file to get the base64-encoded string:
base64 KEY_FILENAME.json
Replace KEY_FILENAME.json with the name of the service account key that you downloaded.
You need the base64-encoded string when you set up a remote repository for Assured OSS.
To download the packages, use the endpoints provisioned by Assured OSS for each language. Make a note of these endpoints:
- Java: https://us-maven.pkg.dev/PROJECT_ID/assuredoss-java
- Python: https://us-python.pkg.dev/PROJECT_ID/assuredoss-python
- JavaScript: https://us-npm.pkg.dev/PROJECT_ID/assuredoss-javascript
- Go: https://us-go.pkg.dev/PROJECT_ID/assuredoss-go
Replace PROJECT_ID with the ID of the project that you selected when you set up Assured OSS.
Configure Assured OSS to download packages with your organization's artifact repository manager, such as JFrog Artifactory or Sonatype Nexus.
Optionally, view the available Java, Python, Go, and JavaScript packages:
gcloud auth revoke
gcloud auth application-default revoke
gcloud auth login --cred-file=KEY_FILENAME.json
Replace KEY_FILENAME.json with the name of the service account key that you downloaded.
export GOOGLE_APPLICATION_CREDENTIALS=KEY_FILENAME.json
Replace KEY_FILENAME.json with the name of the service account key that you downloaded.
gcurlj GET "https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories/assuredoss-java/packages"
gcurlj GET "https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories/assuredoss-python/packages"
gcurlj GET "https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories/assuredoss-javascript/packages"
gcurlj GET "https://artifactregistry.googleapis.com/v1/projects/PROJECT_ID/locations/us/repositories/assuredoss-go/packages"
Replace PROJECT_ID with the ID of the project that you selected when you set up Assured OSS.
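For the service account key step in both the console and gcloud procedures above, the following Python is an added example, not part of the original page: it checks a downloaded key file before it is encoded (file permissions, key type, and that the key belongs to the expected service account and project) and returns the base64 string as a single line. The field names are those of a Google service account key file; the function names, sample key, project ID and account name are constructed for the example.

```python
import base64, json, os, stat, tempfile

FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")

def check_key_file(path, project_id, account_name):
    """Return a list of problems found in a downloaded service account key."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        problems.append(f"mode {mode:o}: key is accessible to group/others")
    try:
        with open(path, "rb") as f:
            key = json.load(f)
    except ValueError as exc:
        return problems + [f"not valid JSON: {exc}"]
    if not isinstance(key, dict):
        return problems + ["top-level JSON value is not an object"]
    problems += [f"missing field: {name}" for name in FIELDS if not key.get(name)]
    if key.get("type") != "service_account":
        problems.append("type is not service_account")
    expected = f"{account_name}@{project_id}.iam.gserviceaccount.com"
    if key.get("client_email") != expected:
        problems.append(f"client_email is not {expected}")
    return problems

def encode_key_file(path):
    """Base64-encode the key file as one line and confirm it round-trips."""
    with open(path, "rb") as f:
        raw = f.read()
    encoded = base64.b64encode(raw).decode("ascii")  # no line wrapping
    if base64.b64decode(encoded, validate=True) != raw:
        raise ValueError("base64 round trip failed")
    return encoded

if __name__ == "__main__":
    # Constructed key with placeholder values; not a real credential.
    sample = {"type": "service_account", "project_id": "example-project",
              "private_key_id": "0000", "private_key": "PLACEHOLDER",
              "client_email":
                  "assuredoss@example-project.iam.gserviceaccount.com"}
    fd, path = tempfile.mkstemp(suffix=".json")  # mkstemp creates mode 600
    with os.fdopen(fd, "w") as f:
        json.dump(sample, f)
    print(check_key_file(path, "example-project", "assuredoss"))
    print(len(encode_key_file(path)), "base64 characters")
    os.remove(path)
```

GNU `base64` wraps its output at 76 columns unless run with `-w 0`; the string returned here is unwrapped.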
What's next
- Configure support for VPC Service Controls
- Validate your connection
- Download Go packages
- Download Java packages
- Download Python packages
- Configure a remote repository
- Verify security metadata
- Configure notifications for package updates
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-17 UTC.