{"id":792,"date":"2026-04-16T04:23:07","date_gmt":"2026-04-16T04:23:07","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/google-cloud-assured-open-source-software-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security\/"},"modified":"2026-04-16T04:23:07","modified_gmt":"2026-04-16T04:23:07","slug":"google-cloud-assured-open-source-software-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/google-cloud-assured-open-source-software-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-security\/","title":{"rendered":"Google Cloud Assured Open Source Software Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Security"},"content":{"rendered":"\n

Category<\/h2>\n\n\n\n

Security<\/p>\n\n\n\n

1. Introduction<\/h2>\n\n\n\n

Assured Open Source Software is a Google Cloud Security service that helps you consume open source packages with stronger supply-chain assurances than \u201cdownload from the internet and hope for the best.\u201d It focuses on providing vetted, monitored, and verifiable open source artifacts that can be used in your build and deployment pipelines.<\/p>\n\n\n\n

In simple terms: Assured Open Source Software gives you a trusted source of common open source dependencies<\/strong> (such as container base images and\/or language packages, depending on what Google currently offers), so your teams can reduce exposure to malicious or compromised upstreams, typosquatting, and unpatched vulnerabilities.<\/p>\n\n\n\n

Technically, Assured Open Source Software is best understood as a curated, Google-managed distribution channel for selected open source artifacts<\/strong> paired with supply-chain security metadata and practices (for example, vulnerability monitoring and provenance-related signals). It is designed to integrate with Google Cloud\u2019s artifact and deployment ecosystem (most commonly Artifact Registry<\/strong>, and then build\/deploy services like Cloud Build<\/strong>, Cloud Run<\/strong>, and GKE<\/strong>).<\/p>\n\n\n\n

The problem it solves is the modern software supply-chain risk: most applications are mostly dependencies, and dependency compromise (malicious packages, poisoned upstreams, dependency confusion, and slow vulnerability patch adoption) is now a primary Security concern. Assured Open Source Software helps you standardize where dependencies come from<\/strong> and raise the assurance level<\/strong> of what enters your SDLC.<\/p>\n\n\n\n

\n

Naming note (important): Google\u2019s current documentation and console UI may shorten the name to \u201cAssured OSS\u201d<\/strong>. This tutorial uses Assured Open Source Software<\/strong> as the primary name, and treats \u201cAssured OSS\u201d as a common shorthand. Verify the latest naming and scope in the official docs.<\/p>\n<\/blockquote>\n\n\n\n

\n\n\n\n

2. What is Assured Open Source Software?<\/h2>\n\n\n\n

Official purpose<\/h3>\n\n\n\n

Assured Open Source Software is intended to provide more secure consumption of open source software<\/strong> by offering a trusted channel<\/strong> for selected open source packages\/artifacts, backed by Google\u2019s security and supply-chain practices.<\/p>\n\n\n\n

Because the exact artifact types and coverage can evolve, you should confirm the currently supported ecosystems (containers, language packages, OS packages, etc.) in the official documentation:\n– https:\/\/cloud.google.com\/assured-open-source-software (product page)\n– https:\/\/cloud.google.com\/assured-open-source-software\/docs (documentation hub)<\/p>\n\n\n\n

Core capabilities (conceptual)<\/h3>\n\n\n\n

Commonly documented capabilities and outcomes include:<\/p>\n\n\n\n

    \n
  • Curated availability<\/strong> of popular open source artifacts (not \u201ceverything on the internet\u201d).<\/li>\n
  • Security monitoring<\/strong> for vulnerabilities and updates in the supported artifact set.<\/li>\n
  • Supply-chain signals<\/strong> (for example provenance-related information), depending on artifact type and what Google publishes for that artifact.<\/li>\n
  • Integration with Google Cloud artifact and deployment tooling<\/strong>, so developers can adopt it without reinventing tooling.<\/li>\n<\/ul>\n\n\n\n

    Major components (typical in Google Cloud usage)<\/h3>\n\n\n\n

    Assured Open Source Software is usually consumed together with:<\/p>\n\n\n\n

      \n
    • Assured Open Source Software catalog\/repositories<\/strong> (Google-managed)<\/li>\n
    • Artifact Registry<\/strong> for artifact consumption and governance (repositories, IAM, audit logs)<\/li>\n
    • Optional but common:<\/li>\n
    • Cloud Build<\/strong> (build pipelines)<\/li>\n
    • Cloud Run<\/strong> \/ GKE<\/strong> (runtime)<\/li>\n
    • Binary Authorization<\/strong> (admission control for container images in GKE; applicability depends on your architecture)<\/li>\n
    • Container Analysis \/ vulnerability scanning<\/strong> capabilities (how results appear depends on artifact type and whether the artifact is stored in your project)<\/li>\n<\/ul>\n\n\n\n

      Service type<\/h3>\n\n\n\n
        \n
      • Primarily a software supply chain Security service<\/strong> and artifact source<\/strong> (distribution channel).<\/li>\n
      • Not a general-purpose vulnerability scanner by itself (although it may interoperate with scanning features elsewhere in Google Cloud).<\/li>\n<\/ul>\n\n\n\n

        Scope: regional\/global and tenancy model<\/h3>\n\n\n\n

        The service is consumed within the Google Cloud resource model:<\/p>\n\n\n\n

          \n
        • Project-scoped access control<\/strong>: You typically control who can access artifacts via IAM at the project\/repository level (often via Artifact Registry permissions).<\/li>\n
        • Location-dependent endpoints<\/strong>: Artifact repositories in Google Cloud are created in specific locations (regions or multi-regions), so consumption endpoints may be tied to a location.<\/li>\n
        • Organization policy and network controls<\/strong>: In enterprises, you can use organization policies and restricted endpoints (for example, restricted Google APIs) to enforce dependency sourcing rules.<\/li>\n<\/ul>\n\n\n\n

          Because exact availability (locations, artifact formats) can change, verify current supported locations and formats in the official docs<\/strong>.<\/p>\n\n\n\n

          How it fits into the Google Cloud ecosystem<\/h3>\n\n\n\n

          Assured Open Source Software fits as an upstream dependency source in a broader Google Cloud Security posture:<\/p>\n\n\n\n

            \n
          • Developer workstation \/ CI<\/strong> pulls dependencies from Assured Open Source Software.<\/li>\n
          • Dependencies are assembled into artifacts and stored in Artifact Registry<\/strong>.<\/li>\n
          • Builds run in Cloud Build<\/strong> (or external CI) and deployments go to Cloud Run<\/strong> or GKE<\/strong>.<\/li>\n
          • Operations teams use Cloud Logging<\/strong>, Cloud Monitoring<\/strong>, and Cloud Audit Logs<\/strong> for governance and visibility.<\/li>\n
          • Security teams enforce policies using IAM, organization policies, and (where applicable) admission controls.<\/li>\n<\/ul>\n\n\n\n
            \n\n\n\n

            3. Why use Assured Open Source Software?<\/h2>\n\n\n\n

            Business reasons<\/h3>\n\n\n\n
              \n
            • Reduce breach risk<\/strong> from compromised dependencies (a high-cost class of incidents).<\/li>\n
            • Improve audit readiness<\/strong> by standardizing and documenting dependency sourcing.<\/li>\n
            • Lower vendor and operational risk<\/strong> by making dependency sourcing repeatable across teams.<\/li>\n<\/ul>\n\n\n\n

              Technical reasons<\/h3>\n\n\n\n
                \n
              • Safer dependency ingestion<\/strong> than directly pulling from public upstreams.<\/li>\n
              • More consistent builds<\/strong> when teams use standardized repositories and artifacts.<\/li>\n
              • Easier pipeline integration<\/strong> in Google Cloud when paired with Artifact Registry and Cloud Build.<\/li>\n<\/ul>\n\n\n\n

                Operational reasons<\/h3>\n\n\n\n
                  \n
                • Central governance<\/strong>: one approach for multiple teams and projects.<\/li>\n
                • Fewer \u201csnowflake\u201d build setups<\/strong>: reduces operational load and troubleshooting complexity.<\/li>\n
                • Better visibility<\/strong>: central access control and audit logging for dependency pulls (depending on how you configure it).<\/li>\n<\/ul>\n\n\n\n

                  Security and compliance reasons<\/h3>\n\n\n\n
                    \n
                  • Helps address supply-chain risks such as:<\/li>\n
                  • typosquatting and dependency confusion<\/li>\n
                  • compromised upstream distributions<\/li>\n
                  • lag between vulnerability disclosure and patch adoption<\/li>\n
                  • Can support compliance programs by strengthening controls around third-party software sourcing.<\/li>\n
                  • Do not assume it automatically makes you compliant<\/strong>. Compliance depends on your overall controls and evidence. Verify compliance mapping in official docs and your GRC program.<\/li>\n<\/ul>\n\n\n\n

                    Scalability and performance reasons<\/h3>\n\n\n\n
                      \n
                    • Centralized dependency sources can improve reliability versus ad-hoc upstream fetching.<\/li>\n
                    • Teams can optimize caching and artifact access patterns (especially when combined with Artifact Registry strategies and CI design).<\/li>\n<\/ul>\n\n\n\n

                      When teams should choose it<\/h3>\n\n\n\n

                      Choose Assured Open Source Software when:<\/p>\n\n\n\n

                        \n
                      • You want a stronger trust model<\/strong> for OSS consumption.<\/li>\n
                      • You are standardizing an SDLC on Google Cloud and want to tighten supply-chain controls<\/strong>.<\/li>\n
                      • You support regulated workloads and need more controlled third-party dependency sourcing.<\/li>\n
                      • You have multiple teams and need consistent dependency policies.<\/li>\n<\/ul>\n\n\n\n

                        When teams should not choose it<\/h3>\n\n\n\n

                        Assured Open Source Software may not be the right fit when:<\/p>\n\n\n\n

                          \n
                        • You need full coverage of all OSS ecosystems<\/strong> or niche packages (Assured Open Source Software is curated, not exhaustive).<\/li>\n
                        • You run fully air-gapped environments without a plan for importing artifacts.<\/li>\n
                        • Your platform is not Google Cloud-centric and you cannot adopt the required integration points.<\/li>\n
                        • You require guarantees that are not documented (for example, \u201call packages are supported for 10 years\u201d). Only rely on what Google explicitly documents.<\/strong><\/li>\n<\/ul>\n\n\n\n
                          \n\n\n\n

                          4. Where is Assured Open Source Software used?<\/h2>\n\n\n\n

                          Industries<\/h3>\n\n\n\n

                          Common adoption patterns include:<\/p>\n\n\n\n

                            \n
                          • Financial services and fintech (high Security scrutiny)<\/li>\n
                          • Healthcare and life sciences (regulated environments)<\/li>\n
                          • Public sector and defense contractors (strict supply-chain controls)<\/li>\n
                          • SaaS and B2B platforms (multi-tenant Security requirements)<\/li>\n
                          • E-commerce and retail (large dependency graphs, frequent releases)<\/li>\n<\/ul>\n\n\n\n

                            Team types<\/h3>\n\n\n\n
                              \n
                            • Platform engineering teams building golden paths<\/li>\n
                            • Security engineering and AppSec teams setting standards<\/li>\n
                            • DevOps\/SRE teams operating CI\/CD and deployment guardrails<\/li>\n
                            • Developers working in polyglot stacks (containers + language deps)<\/li>\n<\/ul>\n\n\n\n

                              Workloads and architectures<\/h3>\n\n\n\n
                                \n
                              • Microservices using containers (Cloud Run, GKE)<\/li>\n
                              • CI\/CD pipelines with Cloud Build or third-party CI connected to Google Cloud<\/li>\n
                              • Artifact-centric governance architectures (Artifact Registry as the \u201csource of truth\u201d)<\/li>\n<\/ul>\n\n\n\n

                                Real-world deployment contexts<\/h3>\n\n\n\n
                                  \n
                                • Organizations that want to prevent direct internet dependency downloads<\/strong> from CI<\/li>\n
                                • Enterprises using VPC Service Controls, org policies<\/strong>, and central networking controls<\/li>\n
                                • Teams adopting policy-as-code<\/strong> and admission policies<\/li>\n<\/ul>\n\n\n\n

                                  Production vs dev\/test usage<\/h3>\n\n\n\n
                                    \n
                                  • Production<\/strong>: Most valuable where Security controls and auditability matter.<\/li>\n
                                  • Dev\/test<\/strong>: Useful to prevent \u201cit works on my machine\u201d drift and to keep dev dependencies aligned with production policies.<\/li>\n<\/ul>\n\n\n\n
                                    \n\n\n\n

                                    5. Top Use Cases and Scenarios<\/h2>\n\n\n\n

                                    Below are realistic use cases for Assured Open Source Software in Google Cloud Security programs. Coverage depends on what artifact types are supported at the time you implement\u2014verify supported ecosystems in official docs.<\/p>\n\n\n\n

                                    1) Standardize container base images for all teams<\/h3>\n\n\n\n
                                      \n
                                    • Problem:<\/strong> Teams pull arbitrary base images (unknown provenance, inconsistent patching).<\/li>\n
                                    • Why this service fits:<\/strong> Assured Open Source Software provides a more controlled source of base images (where supported) and reduces reliance on random upstreams.<\/li>\n
                                    • Example:<\/strong> A platform team mandates that all Dockerfiles use approved Assured Open Source Software base images.<\/li>\n<\/ul>\n\n\n\n

                                      2) Reduce dependency confusion risk in CI builds<\/h3>\n\n\n\n
                                        \n
                                      • Problem:<\/strong> CI pulls packages directly from public registries; namespace collisions can lead to dependency confusion.<\/li>\n
                                      • Why it fits:<\/strong> You can centralize dependency sources and constrain what CI can access.<\/li>\n
                                      • Example:<\/strong> Build jobs are locked down to fetch dependencies only from approved sources.<\/li>\n<\/ul>\n\n\n\n

                                        3) Create an \u201capproved OSS\u201d policy for regulated workloads<\/h3>\n\n\n\n
                                          \n
                                        • Problem:<\/strong> Regulated workloads require stronger third-party software controls and evidence.<\/li>\n
                                        • Why it fits:<\/strong> A curated, documented source supports governance and audit narratives.<\/li>\n
                                        • Example:<\/strong> A healthcare organization documents Assured Open Source Software as its approved dependency source for production builds.<\/li>\n<\/ul>\n\n\n\n

                                          4) Improve patch adoption for critical dependencies<\/h3>\n\n\n\n
                                            \n
                                          • Problem:<\/strong> Teams lag behind on upgrading vulnerable dependencies.<\/li>\n
                                          • Why it fits:<\/strong> Assured Open Source Software is designed around secure consumption and vulnerability awareness for supported artifacts.<\/li>\n
                                          • Example:<\/strong> A security team prefers vetted builds and uses vulnerability signals to prioritize upgrades.<\/li>\n<\/ul>\n\n\n\n

                                            5) Build \u201cgolden pipelines\u201d for Cloud Build + Artifact Registry<\/h3>\n\n\n\n
                                              \n
                                            • Problem:<\/strong> Every team invents its own build pipeline; controls are inconsistent.<\/li>\n
                                            • Why it fits:<\/strong> Assured Open Source Software aligns with centralized artifacts and supply-chain governance.<\/li>\n
                                            • Example:<\/strong> A shared Cloud Build template fetches dependencies from approved repositories and outputs to Artifact Registry.<\/li>\n<\/ul>\n\n\n\n

                                              6) Establish a controlled source for third-party runtime images in Cloud Run<\/h3>\n\n\n\n
                                                \n
                                              • Problem:<\/strong> Cloud Run services use images built on unknown upstream layers.<\/li>\n
                                              • Why it fits:<\/strong> A vetted upstream reduces surprises and supports Security baselines.<\/li>\n
                                              • Example:<\/strong> Cloud Run services are built from approved base images and stored in Artifact Registry.<\/li>\n<\/ul>\n\n\n\n

                                                7) Prepare for software supply-chain audits (SBOM\/provenance discussions)<\/h3>\n\n\n\n
                                                  \n
                                                • Problem:<\/strong> Auditors ask where dependencies come from and how you verify them.<\/li>\n
                                                • Why it fits:<\/strong> Assured Open Source Software supports a stronger sourcing story.<\/li>\n
                                                • Example:<\/strong> The organization demonstrates standardized dependency sourcing, repository permissions, and audit logs.<\/li>\n<\/ul>\n\n\n\n

                                                  8) Minimize direct internet access from build environments<\/h3>\n\n\n\n
                                                    \n
                                                  • Problem:<\/strong> Builds require broad egress, increasing risk of exfiltration and supply-chain attacks.<\/li>\n
                                                  • Why it fits:<\/strong> Centralized repositories support egress restrictions and allowlisting.<\/li>\n
                                                  • Example:<\/strong> CI runs in a restricted network; only Google APIs and approved repositories are reachable.<\/li>\n<\/ul>\n\n\n\n

                                                    9) Support multi-team monorepos with consistent dependency policy<\/h3>\n\n\n\n
                                                      \n
                                                    • Problem:<\/strong> Monorepos with many services drift across dependencies and build patterns.<\/li>\n
                                                    • Why it fits:<\/strong> A unified upstream reduces fragmentation.<\/li>\n
                                                    • Example:<\/strong> All services in a monorepo consume dependencies from the same approved sources.<\/li>\n<\/ul>\n\n\n\n

                                                      10) Enforce \u201conly approved artifacts deploy to production\u201d<\/h3>\n\n\n\n
                                                        \n
                                                      • Problem:<\/strong> Teams can deploy images built from unknown dependencies.<\/li>\n
                                                      • Why it fits:<\/strong> Assured Open Source Software is one layer in an end-to-end chain of custody (source \u2192 build \u2192 registry \u2192 deploy).<\/li>\n
                                                      • Example:<\/strong> Production deployment policies require images to originate from approved registries and build processes.<\/li>\n<\/ul>\n\n\n\n

                                                        11) Build a secure internal developer platform (IDP)<\/h3>\n\n\n\n
                                                          \n
                                                        • Problem:<\/strong> Developer experience and Security often conflict.<\/li>\n
                                                        • Why it fits:<\/strong> Developers get a simple, stable way to pull dependencies that meets Security requirements.<\/li>\n
                                                        • Example:<\/strong> The IDP provides starter templates that reference approved artifact sources.<\/li>\n<\/ul>\n\n\n\n

                                                          12) Reduce exposure to compromised upstream registries<\/h3>\n\n\n\n
                                                            \n
                                                          • Problem:<\/strong> Public registries can have outages or malicious content.<\/li>\n
                                                          • Why it fits:<\/strong> A curated alternative reduces blast radius for supply-chain events.<\/li>\n
                                                          • Example:<\/strong> A company shifts critical dependencies to a controlled source.<\/li>\n<\/ul>\n\n\n\n
                                                            \n\n\n\n

                                                            6. Core Features<\/h2>\n\n\n\n

                                                            Because Google may evolve the feature set and supported ecosystems, treat the items below as core patterns<\/strong> and confirm exact implementation details in the official docs.<\/p>\n\n\n\n

                                                            Feature 1: Curated set of open source artifacts<\/h3>\n\n\n\n
                                                              \n
                                                            • What it does:<\/strong> Provides access to a selected set of popular OSS artifacts rather than the entire universe of packages.<\/li>\n
                                                            • Why it matters:<\/strong> Reduces the attack surface and makes security review and maintenance more feasible.<\/li>\n
                                                            • Practical benefit:<\/strong> Teams avoid random upstreams and focus on a vetted set.<\/li>\n
                                                            • Limitations\/caveats:<\/strong> Not all packages are included; you may still need a separate process for unsupported dependencies.<\/li>\n<\/ul>\n\n\n\n

                                                              Feature 2: Google-managed distribution channel<\/h3>\n\n\n\n
                                                                \n
                                                              • What it does:<\/strong> Artifacts are distributed through Google-managed infrastructure and workflows.<\/li>\n
                                                              • Why it matters:<\/strong> Centralization and consistent controls improve trust compared to ad-hoc mirrors.<\/li>\n
                                                              • Practical benefit:<\/strong> Better operational stability and standardized access patterns.<\/li>\n
                                                              • Limitations\/caveats:<\/strong> You must follow Google\u2019s supported access methods and locations.<\/li>\n<\/ul>\n\n\n\n

                                                                Feature 3: Security monitoring signals (vulnerability awareness)<\/h3>\n\n\n\n
                                                                  \n
                                                                • What it does:<\/strong> Assists with vulnerability awareness and update practices for the supported artifacts.<\/li>\n
                                                                • Why it matters:<\/strong> Vulnerability disclosure velocity is high; you need a managed way to keep up.<\/li>\n
                                                                • Practical benefit:<\/strong> Helps teams make faster, safer upgrade decisions.<\/li>\n
                                                                • Limitations\/caveats:<\/strong> How vulnerability data is surfaced depends on artifact type and how you store\/consume artifacts (for example, whether you mirror into your own Artifact Registry repositories).<\/li>\n<\/ul>\n\n\n\n

                                                                  Feature 4: Supply-chain assurance signals (provenance-related)<\/h3>\n\n\n\n
                                                                    \n
                                                                  • What it does:<\/strong> For supported artifacts, provides stronger supply-chain assurance than typical upstream consumption (for example, provenance or build-related verifiability).<\/li>\n
                                                                  • Why it matters:<\/strong> Provenance and integrity are central to modern Security (SLSA-style approaches).<\/li>\n
                                                                  • Practical benefit:<\/strong> You can build policies around \u201cwhere did this artifact come from?\u201d<\/li>\n
                                                                  • Limitations\/caveats:<\/strong> The exact form of provenance\/attestations varies by artifact and may require specific tooling to verify. Verify in official docs<\/strong> what is provided and how to validate it.<\/li>\n<\/ul>\n\n\n\n

                                                                    Feature 5: Designed to integrate with Artifact Registry and IAM<\/h3>\n\n\n\n
                                                                      \n
                                                                    • What it does:<\/strong> Encourages dependency access patterns that use Google Cloud IAM and repository controls.<\/li>\n
                                                                    • Why it matters:<\/strong> Security and governance require least privilege and audit logs.<\/li>\n
                                                                    • Practical benefit:<\/strong> Central permission management, easier offboarding, and auditability.<\/li>\n
                                                                    • Limitations\/caveats:<\/strong> You must design repository structure and IAM carefully to avoid overbroad access.<\/li>\n<\/ul>\n\n\n\n

                                                                      Feature 6: Aligns with secure CI\/CD patterns<\/h3>\n\n\n\n
                                                                        \n
                                                                      • What it does:<\/strong> Works well with Cloud Build and artifact-first pipelines.<\/li>\n
                                                                      • Why it matters:<\/strong> The strongest supply-chain control is end-to-end: source \u2192 build \u2192 artifact storage \u2192 deploy.<\/li>\n
                                                                      • Practical benefit:<\/strong> Better traceability and fewer \u201cunknown builds.\u201d<\/li>\n
                                                                      • Limitations\/caveats:<\/strong> If you use third-party CI, you must still implement equivalent controls and identity federation.<\/li>\n<\/ul>\n\n\n\n
                                                                        \n\n\n\n

                                                                        7. Architecture and How It Works<\/h2>\n\n\n\n

                                                                        High-level architecture<\/h3>\n\n\n\n

                                                                        Assured Open Source Software typically sits at the \u201cdependency ingestion\u201d stage:<\/p>\n\n\n\n

                                                                          \n
                                                                        1. Developers\/CI pull dependencies from Assured Open Source Software.<\/li>\n
                                                                        2. Your build system (often Cloud Build) compiles\/builds your application.<\/li>\n
                                                                        3. Built artifacts are stored in Artifact Registry (your project).<\/li>\n
                                                                        4. Deployment systems (Cloud Run \/ GKE) deploy artifacts from Artifact Registry.<\/li>\n
                                                                        5. Security teams enforce controls with IAM, policies, and monitoring.<\/li>\n<\/ol>\n\n\n\n

                                                                          Request\/data\/control flow (conceptual)<\/h3>\n\n\n\n
                                                                            \n
                                                                          • Control plane:<\/strong> IAM policies, repository settings, org policies, audit logs.<\/li>\n
                                                                          • Data plane:<\/strong> Artifact download (dependency pulls), artifact uploads (build outputs), runtime image pulls by Cloud Run\/GKE.<\/li>\n<\/ul>\n\n\n\n

                                                                            Integrations with related Google Cloud services<\/h3>\n\n\n\n

                                                                            Common integrations include:<\/p>\n\n\n\n

                                                                              \n
                                                                            • Artifact Registry<\/strong>: repository management and access control<\/li>\n
                                                                            • Cloud Build<\/strong>: building images\/binaries in a controlled environment<\/li>\n
                                                                            • Cloud Logging \/ Cloud Monitoring<\/strong>: observability for build and deploy<\/li>\n
                                                                            • Cloud Audit Logs<\/strong>: access trails for repository and admin actions<\/li>\n
                                                                            • Security Command Center (SCC)<\/strong>: organizational Security posture (how Assured Open Source Software signals show up depends on configuration; verify in docs)<\/li>\n
                                                                            • Binary Authorization<\/strong> (primarily for GKE): enforce admission policies based on attestation and trusted images (verify applicability for your environment)<\/li>\n<\/ul>\n\n\n\n

                                                                              Dependency services<\/h3>\n\n\n\n
                                                                                \n
                                                                              • Google Cloud APIs for Artifact Registry and builds<\/li>\n
                                                                              • Identity and Access Management (IAM)<\/li>\n
                                                                              • Networking: Google APIs access (public or restricted endpoints)<\/li>\n<\/ul>\n\n\n\n

                                                                                Security\/authentication model<\/h3>\n\n\n\n
                                                                                  \n
                                                                                • Identity:<\/strong> Google Cloud IAM identities (users, groups, service accounts)<\/li>\n
                                                                                • AuthN:<\/strong> OAuth2 tokens issued by Google; Docker credential helper via gcloud auth configure-docker<\/code><\/li>\n
                                                                                • AuthZ:<\/strong> IAM roles on projects and Artifact Registry repositories<\/li>\n
                                                                                • Auditability:<\/strong> Admin and data access logs (depending on your Cloud Audit Logs configuration)<\/li>\n<\/ul>\n\n\n\n

                                                                                  Networking model<\/h3>\n\n\n\n
                                                                                    \n
                                                                                  • Dependency pulls and artifact operations go through Google APIs.<\/li>\n
                                                                                  • Enterprises can:<\/li>\n
                                                                                  • restrict egress at the VPC layer<\/li>\n
                                                                                  • use private access patterns (for example, Private Google Access and\/or restricted.googleapis.com) depending on architecture<\/li>\n
                                                                                  • enforce \u201conly approved endpoints\u201d for builds<\/li>\n<\/ul>\n\n\n\n

                                                                                    Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n
                                                                                      \n
                                                                                    • Track:<\/li>\n
                                                                                    • repository access events (who pulled what and when)<\/li>\n
                                                                                    • build provenance (which pipeline produced what)<\/li>\n
                                                                                    • vulnerability management workflows for produced images<\/li>\n
                                                                                    • Use:<\/li>\n
                                                                                    • Cloud Audit Logs for repository and API actions<\/li>\n
                                                                                    • Cloud Logging for Cloud Build logs<\/li>\n
                                                                                    • Artifact Registry UI\/metadata for artifact inspection<\/li>\n<\/ul>\n\n\n\n

                                                                                      Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n
                                                                                      flowchart LR\n  Dev[Developer \/ CI] -->|Pull vetted deps| AOSS[Assured Open Source Software]\n  Dev -->|Build app| CB[Cloud Build]\n  CB -->|Push image| AR[Artifact Registry (project repo)]\n  AR -->|Deploy image| CR[Cloud Run or GKE]\n  AR --> AL[Cloud Audit Logs]\n  CB --> CL[Cloud Logging]\n<\/code><\/pre>\n\n\n\n
                                                                                      Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n
                                                                                      flowchart TB\n  subgraph Org[Google Cloud Organization]\n    OP[Org Policies \/ Governance]\n    IAM[IAM: Groups, SAs, Least Privilege]\n    VPCSC[VPC Service Controls (optional)]\n  end\n\n  subgraph Build[CI\/CD]\n    Dev[Dev Workstations]\n    CI[CI System: Cloud Build or External CI]\n    WIF[Workload Identity Federation (optional)]\n  end\n\n  subgraph SupplyChain[Dependency & Artifact Layer]\n    AOSS[Assured Open Source Software]\n    AR[Artifact Registry]\n    CA[Container Analysis \/ Vulnerability Signals\\n(availability depends on artifact type)]\n  end\n\n  subgraph Runtime[Runtime]\n    CR[Cloud Run]\n    GKE[GKE]\n    BA[Binary Authorization (GKE)]\n  end\n\n  subgraph Observability[Operations & Security Ops]\n    LOG[Cloud Logging]\n    MON[Cloud Monitoring]\n    AUD[Cloud Audit Logs]\n    SCC[Security Command Center\\n(verify integrations)]\n  end\n\n  OP --> IAM\n  IAM --> CI\n  VPCSC -. restrict .-> CI\n\n  Dev --> CI\n  WIF -. identity .-> CI\n\n  CI -->|Pull approved deps| AOSS\n  CI -->|Publish build outputs| AR\n  AR --> CA\n\n  AR -->|Deploy| CR\n  AR -->|Deploy| GKE\n  BA -. enforce .-> GKE\n\n  CI --> LOG\n  AR --> AUD\n  CI --> AUD\n  CA --> SCC\n  LOG --> SCC\n<\/code><\/pre>\n\n\n\n
                                                                                      \n\n\n\n
                                                                                      8. Prerequisites<\/h2>\n\n\n\n
                                                                                      Because Assured Open Source Software access and supported artifact types can vary, confirm prerequisites in the official documentation before you begin.<\/p>\n\n\n\n
                                                                                      Google Cloud account and project<\/h3>\n\n\n\n
                                                                                        \n
                                                                                      • A Google Cloud account with a billing-enabled project.<\/li>\n
                                                                                      • Ability to enable required APIs.<\/li>\n<\/ul>\n\n\n\n
                                                                                        Permissions \/ IAM roles<\/h3>\n\n\n\n
                                                                                        You typically need:<\/p>\n\n\n\n
                                                                                          \n
                                                                                        • To manage APIs and project config:<\/li>\n
                                                                                        • roles\/serviceusage.serviceUsageAdmin<\/code> (or equivalent)<\/li>\n
                                                                                        • \n
                                                                                          roles\/resourcemanager.projectIamAdmin<\/code> (if you manage IAM)<\/p>\n<\/li>\n
                                                                                        • \n
                                                                                          For Artifact Registry:<\/p>\n<\/li>\n
                                                                                        • Admin tasks: roles\/artifactregistry.admin<\/code><\/li>\n
                                                                                        • Read-only tasks: roles\/artifactregistry.reader<\/code><\/li>\n
                                                                                        • \n
                                                                                          Writing\/pushing: roles\/artifactregistry.writer<\/code><\/p>\n<\/li>\n
                                                                                        • \n
                                                                                          For Cloud Build and Cloud Run (if you use them in the lab):<\/p>\n<\/li>\n
                                                                                        • roles\/cloudbuild.builds.editor<\/code> (or finer-grained)<\/li>\n
                                                                                        • roles\/run.admin<\/code> and roles\/iam.serviceAccountUser<\/code> (for deploying)<\/li>\n
                                                                                        • Service account permissions used by Cloud Build and Cloud Run<\/li>\n<\/ul>\n\n\n\n
                                                                                          Use least privilege in production and prefer group-based assignment.<\/p>\n\n\n\n
                                                                                          Billing requirements<\/h3>\n\n\n\n
                                                                                            \n
                                                                                          • Assured Open Source Software itself may not have a direct usage fee, but you will incur costs for:<\/li>\n
                                                                                          • Artifact Registry storage and egress<\/li>\n
                                                                                          • Cloud Build build minutes<\/li>\n
                                                                                          • Cloud Run\/GKE runtime<\/li>\n
                                                                                          • Logging and monitoring volumes\nVerify pricing in official docs and pricing pages.<\/strong><\/li>\n<\/ul>\n\n\n\n
                                                                                            CLI\/SDK\/tools needed<\/h3>\n\n\n\n
                                                                                              \n
                                                                                            • Cloud Shell (recommended) or local installation:<\/li>\n
                                                                                            • gcloud<\/code> CLI<\/li>\n
                                                                                            • Docker (Cloud Shell includes Docker; local setups vary)<\/li>\n
                                                                                            • Optional:<\/li>\n
                                                                                            • cosign<\/code> or other tooling if you plan to verify signatures\/attestations (only if officially supported for your artifact type; verify in docs)<\/li>\n<\/ul>\n\n\n\n
                                                                                              Region availability<\/h3>\n\n\n\n
                                                                                                \n
                                                                                              • Artifact Registry repositories are location-specific (region or multi-region).<\/li>\n
                                                                                              • Assured Open Source Software artifact endpoints may be available only in certain locations.<\/li>\n
                                                                                              • Verify current supported locations<\/strong> in official docs.<\/li>\n<\/ul>\n\n\n\n
                                                                                                Quotas\/limits<\/h3>\n\n\n\n
                                                                                                  \n
                                                                                                • Artifact Registry quotas (requests, storage)<\/li>\n
                                                                                                • Cloud Build quotas (concurrent builds, build minutes)<\/li>\n
                                                                                                • Cloud Run quotas (instances, requests)\nCheck quotas in the Google Cloud console and plan for scale.<\/li>\n<\/ul>\n\n\n\n
                                                                                                  Prerequisite services (APIs)<\/h3>\n\n\n\n
                                                                                                  For the lab in this tutorial:<\/p>\n\n\n\n
                                                                                                    \n
                                                                                                  • Artifact Registry API<\/li>\n
                                                                                                  • Cloud Build API<\/li>\n
                                                                                                  • Cloud Run API (optional, if deploying)<\/li>\n
                                                                                                  • Container Scanning\/Analysis APIs may be involved depending on your use and current Google Cloud behavior; verify in docs.<\/li>\n<\/ul>\n\n\n\n
                                                                                                    \n\n\n\n
                                                                                                    9. Pricing \/ Cost<\/h2>\n\n\n\n
                                                                                                    Assured Open Source Software should be analyzed from a cost perspective as part of an end-to-end supply-chain setup. The costs you pay are usually not for \u201cAssured Open Source Software\u201d directly<\/strong>, but for the services you use to store, build, scan, and run artifacts.<\/p>\n\n\n\n
                                                                                                    Pricing dimensions (typical)<\/h3>\n\n\n\n
                                                                                                    Verify current pricing and SKUs in official sources. Common pricing dimensions you\u2019ll encounter:<\/p>\n\n\n\n
                                                                                                      \n
                                                                                                    1. \n
                                                                                                      Artifact Registry<\/strong>\n   – Storage (GB-month)\n   – Data egress (network transfer out, if applicable)\n   – Requests\/operations (some services price by operations; verify Artifact Registry\u2019s current model)\n   – Official pricing: https:\/\/cloud.google.com\/artifact-registry\/pricing<\/p>\n<\/li>\n
                                                                                                    2. \n
                                                                                                      Cloud Build<\/strong>\n   – Build minutes\/compute used (with free tier and paid tiers depending on current pricing)\n   – Official pricing: https:\/\/cloud.google.com\/build\/pricing<\/p>\n<\/li>\n
                                                                                                    3. \n
                                                                                                      Cloud Run<\/strong> (if you deploy)\n   – vCPU, memory, requests, and networking\n   – Official pricing: https:\/\/cloud.google.com\/run\/pricing<\/p>\n<\/li>\n
                                                                                                    4. \n
                                                                                                      Logging\/Monitoring<\/strong>\n   – Log ingestion and retention beyond free allocations\n   – Official pricing: https:\/\/cloud.google.com\/stackdriver\/pricing (Cloud Operations pricing page; verify current URL if it changes)<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                                      Free tier<\/h3>\n\n\n\n
                                                                                                        \n
                                                                                                      • Many Google Cloud services include free tiers (Cloud Build, Cloud Run, Logging allocations).<\/li>\n
                                                                                                      • Assured Open Source Software may not have a \u201cfree tier\u201d concept if it is not billed directly.<\/li>\n
                                                                                                      • Always confirm current free tier limits and whether they apply to your region and account type.<\/strong><\/li>\n<\/ul>\n\n\n\n
                                                                                                        Cost drivers<\/h3>\n\n\n\n
                                                                                                          \n
                                                                                                        • Number and size of images\/packages you pull and store<\/li>\n
                                                                                                        • Frequency of builds (CI volume)<\/li>\n
                                                                                                        • How many environments you deploy to (dev\/stage\/prod)<\/li>\n
                                                                                                        • Network egress to on-prem or other clouds<\/li>\n
                                                                                                        • Retention policies for artifacts and logs<\/li>\n<\/ul>\n\n\n\n
                                                                                                          Hidden or indirect costs<\/h3>\n\n\n\n
                                                                                                            \n
                                                                                                          • Artifact sprawl<\/strong>: storing many image versions can quietly grow storage bills.<\/li>\n
                                                                                                          • Verbose build logs<\/strong>: high-volume logs can exceed free ingestion.<\/li>\n
                                                                                                          • Cross-region traffic<\/strong>: pulling artifacts across regions can incur network costs.<\/li>\n
                                                                                                          • Duplicated dependencies<\/strong>: if each project mirrors its own set, you may pay repeatedly.<\/li>\n<\/ul>\n\n\n\n
                                                                                                            Network\/data transfer implications<\/h3>\n\n\n\n
                                                                                                              \n
                                                                                                            • Pulling artifacts into a runtime environment in a different region or outside Google Cloud can incur egress.<\/li>\n
                                                                                                            • Prefer colocating:<\/li>\n
                                                                                                            • Artifact Registry location<\/li>\n
                                                                                                            • Cloud Build region (where applicable)<\/li>\n
                                                                                                            • Cloud Run\/GKE region\n  to reduce latency and egress.<\/li>\n<\/ul>\n\n\n\n
                                                                                                              How to optimize cost<\/h3>\n\n\n\n
                                                                                                                \n
                                                                                                              • Use lifecycle policies and retention limits for Artifact Registry (where supported) to delete old versions.<\/li>\n
                                                                                                              • Centralize common base images in shared projects (with careful IAM).<\/li>\n
                                                                                                              • Avoid rebuilding unchanged dependencies; use build caching where appropriate.<\/li>\n
                                                                                                              • Control log verbosity and set retention policies appropriately.<\/li>\n
                                                                                                              • Use the Google Cloud Pricing Calculator:<\/li>\n
                                                                                                              • https:\/\/cloud.google.com\/products\/calculator<\/li>\n<\/ul>\n\n\n\n
                                                                                                                Example low-cost starter estimate (conceptual)<\/h3>\n\n\n\n
                                                                                                                A minimal learning setup might include:\n– 1 Artifact Registry Docker repository\n– A few pulled and pushed images totaling a few GB\n– A handful of Cloud Build runs\n– Optional: a single Cloud Run service with low traffic<\/p>\n\n\n\n
                                                                                                                You would typically see costs primarily from:\n– Artifact Registry storage (small)\n– Cloud Build minutes (often within free tier for light usage)\n– Cloud Run compute (often within free tier for light usage)\nDo not assume $0<\/strong>; use the calculator and confirm your account\u2019s free tier eligibility.<\/p>\n\n\n\n
                                                                                                                Example production cost considerations<\/h3>\n\n\n\n
                                                                                                                In production, consider:\n– Hundreds\/thousands of builds per day (Cloud Build compute cost)\n– Many image versions retained (Artifact Registry storage cost)\n– Multi-region deployments (replication, egress, operations overhead)\n– Logging volume from CI\/CD and runtime\n– Additional Security tooling (SCC tiers, third-party scanners) if used<\/p>\n\n\n\n
                                                                                                                \n\n\n\n
                                                                                                                10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n
                                                                                                                This lab focuses on a practical and low-cost pattern: select an Assured Open Source Software container image, mirror it into your own Artifact Registry repository for governance, build a small app using it, and optionally deploy to Cloud Run<\/strong>.<\/p>\n\n\n\n
                                                                                                                Because the exact catalog entries and pull commands can change, the lab uses a safe approach:\n– You will copy the official pull reference<\/strong> from the Assured Open Source Software catalog\/documentation in your Google Cloud console.\n– You will not rely on hard-coded image paths that might become outdated.<\/p>\n\n\n\n
                                                                                                                Objective<\/h3>\n\n\n\n
                                                                                                                  \n
                                                                                                                • Locate an Assured Open Source Software container image reference.<\/li>\n
                                                                                                                • Pull it in Cloud Shell.<\/li>\n
                                                                                                                • Push (mirror) it into your own Artifact Registry repo for traceability and access control.<\/li>\n
                                                                                                                • Build a small container image using Cloud Build.<\/li>\n
                                                                                                                • (Optional) Deploy to Cloud Run.<\/li>\n
                                                                                                                • Validate outcomes and clean up.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                  Lab Overview<\/h3>\n\n\n\n
                                                                                                                  You will create:<\/p>\n\n\n\n
                                                                                                                    \n
                                                                                                                  • One Artifact Registry Docker repository in your project<\/li>\n
                                                                                                                  • One app container image built in Cloud Build<\/li>\n
                                                                                                                  • Optionally one Cloud Run service<\/li>\n<\/ul>\n\n\n\n
                                                                                                                    You will also:\n– Authenticate Docker to Artifact Registry\n– Use Cloud Audit Logs \/ console views for verification<\/p>\n\n\n\n
                                                                                                                    Expected cost<\/h4>\n\n\n\n
                                                                                                                    Low, but not guaranteed free. Main cost drivers: Artifact Registry storage, Cloud Build minutes, Cloud Run usage (if deployed).<\/p>\n\n\n\n
                                                                                                                    \n\n\n\n
                                                                                                                    Step 1: Set up project, region, and APIs<\/h3>\n\n\n\n
                                                                                                                    1) Open Cloud Shell<\/strong> in the Google Cloud Console.<\/p>\n\n\n\n
                                                                                                                    2) Set variables:<\/p>\n\n\n\n
                                                                                                                    export PROJECT_ID=\"$(gcloud config get-value project)\"\nexport REGION=\"us-central1\"\nexport REPO=\"aoss-lab\"\nexport SERVICE_NAME=\"aoss-demo\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                    If PROJECT_ID<\/code> is empty, set it:<\/p>\n\n\n\n
                                                                                                                    gcloud config set project YOUR_PROJECT_ID\nexport PROJECT_ID=\"YOUR_PROJECT_ID\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                    3) Enable required APIs:<\/p>\n\n\n\n
                                                                                                                    gcloud services enable \\\n  artifactregistry.googleapis.com \\\n  cloudbuild.googleapis.com \\\n  run.googleapis.com\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Expected outcome:<\/strong> APIs enable successfully.\nVerification:<\/strong> In the console, go to APIs & Services \u2192 Enabled APIs & services<\/strong> and confirm.<\/p>\n\n\n\n
                                                                                                                    \n\n\n\n
                                                                                                                    Step 2: Identify an Assured Open Source Software image to use<\/h3>\n\n\n\n
                                                                                                                    You need a container image reference published via Assured Open Source Software.<\/p>\n\n\n\n
                                                                                                                    1) In the Google Cloud Console, search for \u201cAssured Open Source Software\u201d<\/strong> (sometimes shown as Assured OSS<\/strong>).<\/p>\n\n\n\n
                                                                                                                    2) Browse the catalog and select an image you want to use as a base (for example, a common OS\/base image or runtime image offered by Assured Open Source Software).<\/p>\n\n\n\n
                                                                                                                    3) Copy the exact pull reference<\/strong> (including registry host\/path and tag or digest).<\/p>\n\n\n\n
                                                                                                                    4) Set it as an environment variable in Cloud Shell:<\/p>\n\n\n\n
                                                                                                                    export AOSS_BASE_IMAGE=\"PASTE_THE_EXACT_ASSURED_OSS_IMAGE_REFERENCE_HERE\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Example format (do not copy this as-is; use the value from the console\/docs):\n– LOCATION-docker.pkg.dev\/...\/IMAGE:TAG<\/code>\n– or ...@sha256:DIGEST<\/code><\/p>\n\n\n\n
                                                                                                                    Expected outcome:<\/strong> You have a valid Assured Open Source Software image reference in AOSS_BASE_IMAGE<\/code>.\nVerification:<\/strong> Print it:<\/p>\n\n\n\n
                                                                                                                    echo \"$AOSS_BASE_IMAGE\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                    If you cannot find the catalog or don\u2019t have access, stop here and review prerequisites. Access may depend on your organization setup. Verify in official docs<\/strong> how to enable the service for your org\/project.<\/p>\n\n\n\n
                                                                                                                    \n\n\n\n
                                                                                                                    Step 3: Create an Artifact Registry repository for mirroring<\/h3>\n\n\n\n
                                                                                                                    Create a Docker repository in Artifact Registry:<\/p>\n\n\n\n
                                                                                                                    gcloud artifacts repositories create \"$REPO\" \\\n  --repository-format=docker \\\n  --location=\"$REGION\" \\\n  --description=\"Lab repo for mirroring Assured Open Source Software images\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Expected outcome:<\/strong> Repository is created.\nVerification:<\/strong><\/p>\n\n\n\n
                                                                                                                    gcloud artifacts repositories describe \"$REPO\" --location=\"$REGION\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                    \n\n\n\n
                                                                                                                    Step 4: Authenticate Docker to Artifact Registry<\/h3>\n\n\n\n
                                                                                                                    Configure Docker credential helper for Artifact Registry:<\/p>\n\n\n\n
                                                                                                                    gcloud auth configure-docker \"${REGION}-docker.pkg.dev\" --quiet\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Expected outcome:<\/strong> Docker is configured to authenticate to Artifact Registry in the selected region.\nVerification:<\/strong> You should see a message indicating Docker config has been updated.<\/p>\n\n\n\n
                                                                                                                    \n\n\n\n
                                                                                                                    Step 5: Pull the Assured Open Source Software image and mirror it into your repo<\/h3>\n\n\n\n
                                                                                                                    1) Pull the selected Assured Open Source Software image:<\/p>\n\n\n\n
                                                                                                                    docker pull \"$AOSS_BASE_IMAGE\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Expected outcome:<\/strong> Image downloads successfully.\nVerification:<\/strong><\/p>\n\n\n\n
                                                                                                                    docker images | head\n<\/code><\/pre>\n\n\n\n
                                                                                                                    2) Tag it for your Artifact Registry repo:<\/p>\n\n\n\n
                                                                                                                    export MIRROR_IMAGE=\"${REGION}-docker.pkg.dev\/${PROJECT_ID}\/${REPO}\/aoss-base:lab\"\ndocker tag \"$AOSS_BASE_IMAGE\" \"$MIRROR_IMAGE\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                    3) Push to your repository:<\/p>\n\n\n\n
                                                                                                                    docker push \"$MIRROR_IMAGE\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Expected outcome:<\/strong> The mirrored image is stored in your project\u2019s Artifact Registry repository.\nVerification (CLI):<\/strong><\/p>\n\n\n\n
                                                                                                                    gcloud artifacts docker images list \"${REGION}-docker.pkg.dev\/${PROJECT_ID}\/${REPO}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Verification (Console):<\/strong>\n– Go to Artifact Registry \u2192 Repositories \u2192 aoss-lab \u2192 Images<\/strong> and confirm aoss-base<\/code> exists.<\/p>\n\n\n\n
                                                                                                                    \n\n\n\n
                                                                                                                    Step 6: Build a small demo image using Cloud Build<\/h3>\n\n\n\n
                                                                                                                    Create a simple web server using the mirrored base image.<\/p>\n\n\n\n
                                                                                                                    1) Create a working directory:<\/p>\n\n\n\n
                                                                                                                    mkdir -p ~\/aoss-demo && cd ~\/aoss-demo\n<\/code><\/pre>\n\n\n\n
                                                                                                                    2) Create a minimal app (using a tiny HTTP server in Python as an example).\nIf your selected base image does not include Python, adjust the example accordingly. The point of the lab is the workflow (consume Assured Open Source Software \u2192 mirror \u2192 build).<\/p>\n\n\n\n
                                                                                                                    Create app.py<\/code>:<\/p>\n\n\n\n
                                                                                                                    from http.server import BaseHTTPRequestHandler, HTTPServer\n\nclass Handler(BaseHTTPRequestHandler):\n    def do_GET(self):\n        self.send_response(200)\n        self.send_header(\"Content-Type\", \"text\/plain; charset=utf-8\")\n        self.end_headers()\n        self.wfile.write(b\"Hello from a container built with an Assured Open Source Software base image.\\n\")\n\nif __name__ == \"__main__\":\n    HTTPServer((\"0.0.0.0\", 8080), Handler).serve_forever()\n<\/code><\/pre>\n\n\n\n
                                                                                                                    3) Create a Dockerfile<\/code> that uses your mirrored base image:<\/p>\n\n\n\n
                                                                                                                    FROM us-central1-docker.pkg.dev\/PROJECT\/REPO\/aoss-base:lab\nWORKDIR \/app\nCOPY app.py \/app\/app.py\nEXPOSE 8080\nCMD [\"python3\", \"\/app\/app.py\"]\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Now replace the FROM<\/code> line with your mirrored image reference:<\/p>\n\n\n\n
                                                                                                                    sed -i \"s|FROM .*|FROM ${MIRROR_IMAGE}|\" Dockerfile\n<\/code><\/pre>\n\n\n\n
                                                                                                                    4) Build and push with Cloud Build:<\/p>\n\n\n\n
                                                                                                                    export APP_IMAGE=\"${REGION}-docker.pkg.dev\/${PROJECT_ID}\/${REPO}\/aoss-demo-app:v1\"\ngcloud builds submit --tag \"$APP_IMAGE\" .\n<\/code><\/pre>\n\n\n\n
                                                                                                                    Expected outcome:<\/strong> Cloud Build builds the container and pushes it to Artifact Registry.\nVerification:<\/strong>\n– In Cloud Shell:<\/p>\n\n\n\n
                                                                                                                    gcloud artifacts docker images list \"${REGION}-docker.pkg.dev\/${PROJECT_ID}\/${REPO}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                      \n
                                                                                                                    • In the console:<\/li>\n
                                                                                                                    • Cloud Build \u2192 History<\/strong> shows a successful build.<\/li>\n
                                                                                                                    • Artifact Registry \u2192 aoss-lab<\/strong> shows aoss-demo-app<\/code>.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                      \n\n\n\n
                                                                                                                      Step 7 (Optional): Deploy to Cloud Run<\/h3>\n\n\n\n
                                                                                                                      Deploy the image:<\/p>\n\n\n\n
                                                                                                                      gcloud run deploy \"$SERVICE_NAME\" \\\n  --image \"$APP_IMAGE\" \\\n  --region \"$REGION\" \\\n  --allow-unauthenticated\n<\/code><\/pre>\n\n\n\n
                                                                                                                      Expected outcome:<\/strong> Cloud Run deploys the service and prints a URL.\nVerification:<\/strong>\n– Visit the URL in your browser; you should see:<\/p>\n\n\n\n
                                                                                                                      Hello from a container built with an Assured Open Source Software base image.\n<\/code><\/pre>\n\n\n\n
                                                                                                                      \n\n\n\n
                                                                                                                      Validation<\/h3>\n\n\n\n
                                                                                                                      Use this checklist:<\/p>\n\n\n\n
                                                                                                                      1) Artifact Registry contains mirrored base image<\/strong>\n– Repo list shows aoss-base:lab<\/code>:<\/p>\n\n\n\n
                                                                                                                      gcloud artifacts docker images list \"${REGION}-docker.pkg.dev\/${PROJECT_ID}\/${REPO}\"\n<\/code><\/pre>\n\n\n\n
                                                                                                                      2) Cloud Build succeeded<\/strong>\n– Cloud Build History shows a successful run.<\/p>\n\n\n\n
                                                                                                                      3) Cloud Run (if deployed) serves traffic<\/strong>\n– The service URL returns expected text.<\/p>\n\n\n\n
                                                                                                                      4) Auditability<\/strong>\n– In the console:\n  – Logging \u2192 Logs Explorer<\/strong>\n  – Filter Cloud Build logs by build ID, or Artifact Registry access logs (availability depends on your Audit Logs configuration).<\/p>\n\n\n\n
                                                                                                                      If you want to explore vulnerability-related views:\n– In Artifact Registry, select your image and look for vulnerability\/metadata tabs.\nHow vulnerabilities are displayed depends on current Google Cloud scanning behavior and your configuration. Verify in official docs<\/strong> if you need a guaranteed scanning workflow for your artifact type.<\/p>\n\n\n\n
                                                                                                                      \n\n\n\n
                                                                                                                      Troubleshooting<\/h3>\n\n\n\n
                                                                                                                      Issue: docker pull<\/code> fails with permission denied<\/strong>\n– Confirm you have access to the Assured Open Source Software artifact reference you copied.\n– If the artifact requires authentication, ensure you are logged in:\n  – gcloud auth login<\/code>\n  – gcloud auth application-default login<\/code> (sometimes needed for certain tools)\n– Re-run:\n  – gcloud auth configure-docker \"${REGION}-docker.pkg.dev\" --quiet<\/code><\/p>\n\n\n\n
                                                                                                                      Issue: Cannot find Assured Open Source Software in the console<\/strong>\n– It may require org enablement, allowlisting, or a specific entitlement.\n– Check:\n  – official docs: https:\/\/cloud.google.com\/assured-open-source-software\/docs\n  – your organization\u2019s Security\/admin team for enablement steps<\/p>\n\n\n\n
                                                                                                                      Issue: Cloud Build fails because python3<\/code> is missing<\/strong>\n– Your selected base image may not include Python.\n– Options:\n  – Pick an Assured Open Source Software base image that contains the runtime you need.\n  – Modify the lab to use a different runtime (e.g., Node, Java) based on what your base image supports.\n  – Use a multi-stage Docker build (advanced) to add only what you need.<\/p>\n\n\n\n
                                                                                                                      Issue: Cloud Run deploy fails due to permissions<\/strong>\n– Ensure your user has roles\/run.admin<\/code> and roles\/iam.serviceAccountUser<\/code>.\n– If using a custom service account, grant it permissions to pull from Artifact Registry:\n  – roles\/artifactregistry.reader<\/code> on the repo\/project.<\/p>\n\n\n\n
                                                                                                                      \n\n\n\n
                                                                                                                      Cleanup<\/h3>\n\n\n\n
                                                                                                                      To avoid ongoing costs, delete resources created in this lab.<\/p>\n\n\n\n
                                                                                                                      1) Delete Cloud Run service (if created):<\/p>\n\n\n\n
                                                                                                                      gcloud run services delete \"$SERVICE_NAME\" --region \"$REGION\" --quiet\n<\/code><\/pre>\n\n\n\n
                                                                                                                      2) Delete Artifact Registry repository (deletes images too):<\/p>\n\n\n\n
                                                                                                                      gcloud artifacts repositories delete \"$REPO\" --location=\"$REGION\" --quiet\n<\/code><\/pre>\n\n\n\n
                                                                                                                      3) (Optional) Disable APIs if this was a temporary project:<\/p>\n\n\n\n
                                                                                                                      gcloud services disable run.googleapis.com cloudbuild.googleapis.com artifactregistry.googleapis.com --quiet\n<\/code><\/pre>\n\n\n\n
                                                                                                                      \n\n\n\n
                                                                                                                      11. Best Practices<\/h2>\n\n\n\n
                                                                                                                      Architecture best practices<\/h3>\n\n\n\n
                                                                                                                        \n
                                                                                                                      • Centralize dependency sourcing<\/strong>: define a standard way for all teams to consume approved OSS (Assured Open Source Software where supported).<\/li>\n
                                                                                                                      • Separate concerns by project<\/strong>:<\/li>\n
                                                                                                                      • shared \u201cplatform\u201d project for base images and shared artifacts (with strict IAM)<\/li>\n
                                                                                                                      • per-team projects for application artifacts<\/li>\n
                                                                                                                      • Prefer immutable references<\/strong> (digests) for production build inputs when supported, to avoid \u201cmoving tags\u201d risk.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                        IAM \/ Security best practices<\/h3>\n\n\n\n
                                                                                                                          \n
                                                                                                                        • Use least privilege<\/strong>:<\/li>\n
                                                                                                                        • CI service account: reader access to dependency repos, writer access to output repos<\/li>\n
                                                                                                                        • Developers: reader access, limited writer access where necessary<\/li>\n
                                                                                                                        • Use group-based IAM<\/strong> (Google Groups \/ Cloud Identity) rather than user-by-user grants.<\/li>\n
                                                                                                                        • Use separate service accounts per pipeline<\/strong> to isolate blast radius.<\/li>\n
                                                                                                                        • Protect admin roles (artifactregistry.admin<\/code>, project IAM admins) with strong controls (MFA, approvals).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                          Cost best practices<\/h3>\n\n\n\n
                                                                                                                            \n
                                                                                                                          • Create artifact retention and cleanup policies:<\/li>\n
                                                                                                                          • keep only N versions per service<\/li>\n
                                                                                                                          • delete old build artifacts that are not deployed<\/li>\n
                                                                                                                          • Avoid cross-region pulls and pushes.<\/li>\n
                                                                                                                          • Monitor:<\/li>\n
                                                                                                                          • Artifact Registry storage growth<\/li>\n
                                                                                                                          • Cloud Build minutes and concurrency<\/li>\n
                                                                                                                          • Logging ingestion<\/li>\n<\/ul>\n\n\n\n
                                                                                                                            Performance best practices<\/h3>\n\n\n\n
                                                                                                                              \n
                                                                                                                            • Co-locate build, registry, and runtime in the same region when possible.<\/li>\n
                                                                                                                            • Use caching patterns (where supported) in CI to avoid repeated downloads and rebuilds.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                              Reliability best practices<\/h3>\n\n\n\n
                                                                                                                                \n
                                                                                                                              • Treat your artifact strategy as critical infrastructure:<\/li>\n
                                                                                                                              • define repository naming conventions and access patterns<\/li>\n
                                                                                                                              • have a rollback plan using previous artifact versions<\/li>\n
                                                                                                                              • Keep base image upgrades controlled and tested; roll out via staged environments.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                Operations best practices<\/h3>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                • Turn on and retain relevant Cloud Audit Logs<\/strong> for artifact access and admin changes.<\/li>\n
                                                                                                                                • Standardize:<\/li>\n
                                                                                                                                • repo naming (platform-base<\/code>, team-apps<\/code>, prod-images<\/code>)<\/li>\n
                                                                                                                                • tagging strategy (v1.2.3<\/code>, gitsha-...<\/code>, environment tags)<\/li>\n
                                                                                                                                • Use dashboards\/alerts for:<\/li>\n
                                                                                                                                • build failures<\/li>\n
                                                                                                                                • deploy failures<\/li>\n
                                                                                                                                • unusual artifact pull patterns<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                  Governance\/tagging\/naming best practices<\/h3>\n\n\n\n
                                                                                                                                    \n
                                                                                                                                  • Use labels\/tags to record:<\/li>\n
                                                                                                                                  • owning team<\/li>\n
                                                                                                                                  • environment<\/li>\n
                                                                                                                                  • application name<\/li>\n
                                                                                                                                  • data classification (if applicable)<\/li>\n
                                                                                                                                  • If you mirror artifacts, record metadata (in documentation or tagging conventions) about source and verification steps.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                    \n\n\n\n
                                                                                                                                    12. Security Considerations<\/h2>\n\n\n\n
                                                                                                                                    Assured Open Source Software is a Security control, but it must be part of a larger secure SDLC.<\/p>\n\n\n\n
                                                                                                                                    Identity and access model<\/h3>\n\n\n\n
                                                                                                                                      \n
                                                                                                                                    • Control access through IAM:<\/li>\n
                                                                                                                                    • Who can pull approved dependencies?<\/li>\n
                                                                                                                                    • Who can publish artifacts?<\/li>\n
                                                                                                                                    • Who can administer repositories?<\/li>\n
                                                                                                                                    • Prefer service accounts for automation; avoid long-lived user credentials in CI.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                      Encryption<\/h3>\n\n\n\n
                                                                                                                                        \n
                                                                                                                                      • In transit: TLS to Google APIs.<\/li>\n
                                                                                                                                      • At rest: Google-managed encryption by default in supported services (Artifact Registry, Cloud Build logs).<\/li>\n
                                                                                                                                      • For stronger control, evaluate CMEK where supported by the underlying services (Artifact Registry supports CMEK in some contexts; verify in official docs for your location and repo type).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                        Network exposure<\/h3>\n\n\n\n
                                                                                                                                          \n
                                                                                                                                        • Reduce dependency on open internet:<\/li>\n
                                                                                                                                        • restrict egress from CI environments<\/li>\n
                                                                                                                                        • use approved endpoints for pulling dependencies<\/li>\n
                                                                                                                                        • Consider restricted Google APIs endpoints for regulated environments (implementation depends on your networking model).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                          Secrets handling<\/h3>\n\n\n\n
                                                                                                                                            \n
                                                                                                                                          • Do not store registry credentials in plaintext.<\/li>\n
                                                                                                                                          • Use:<\/li>\n
                                                                                                                                          • service account identities<\/li>\n
                                                                                                                                          • short-lived tokens<\/li>\n
                                                                                                                                          • Secret Manager for any required secrets (if applicable)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                            Audit\/logging<\/h3>\n\n\n\n
                                                                                                                                              \n
                                                                                                                                            • Enable and retain:<\/li>\n
                                                                                                                                            • Cloud Audit Logs for Artifact Registry and Cloud Build<\/li>\n
                                                                                                                                            • Cloud Build logs and deployment logs<\/li>\n
                                                                                                                                            • Regularly review:<\/li>\n
                                                                                                                                            • who accessed which repositories<\/li>\n
                                                                                                                                            • unusual pull patterns (potential data exfil or compromised credentials)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                              Compliance considerations<\/h3>\n\n\n\n
                                                                                                                                                \n
                                                                                                                                              • Assured Open Source Software can support compliance goals by strengthening third-party software controls.<\/li>\n
                                                                                                                                              • You still need:<\/li>\n
                                                                                                                                              • documented processes<\/li>\n
                                                                                                                                              • evidence collection<\/li>\n
                                                                                                                                              • separation of duties<\/li>\n
                                                                                                                                              • change management\n  Do not treat any single service as \u201ccompliance done.\u201d<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                Common security mistakes<\/h3>\n\n\n\n
                                                                                                                                                  \n
                                                                                                                                                • Allowing direct dependency pulls from the internet in CI alongside Assured Open Source Software (defeats the point).<\/li>\n
                                                                                                                                                • Using broad IAM roles (e.g., granting admin to many users).<\/li>\n
                                                                                                                                                • Not pinning dependencies (tags that move, unbounded semver ranges).<\/li>\n
                                                                                                                                                • No retention strategy: old vulnerable images remain available and get reused.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                  Secure deployment recommendations<\/h3>\n\n\n\n
                                                                                                                                                    \n
                                                                                                                                                  • Use artifact immutability practices:<\/li>\n
                                                                                                                                                  • pin by digest for production deployments where possible<\/li>\n
                                                                                                                                                  • keep a promotion pipeline (dev \u2192 stage \u2192 prod) that promotes the same artifact<\/li>\n
                                                                                                                                                  • Combine with policy:<\/li>\n
                                                                                                                                                  • allowlist registries<\/li>\n
                                                                                                                                                  • enforce that production deploys only from approved Artifact Registry projects<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                    \n\n\n\n
                                                                                                                                                    13. Limitations and Gotchas<\/h2>\n\n\n\n
                                                                                                                                                    Because Assured Open Source Software is curated and may be entitlement-based, the biggest \u201cgotchas\u201d are often around scope and availability.<\/p>\n\n\n\n
                                                                                                                                                      \n
                                                                                                                                                    • Coverage is not universal:<\/strong> Not every OSS dependency will be available.<\/li>\n
                                                                                                                                                    • Artifact types may vary:<\/strong> Containers vs language packages vs OS packages\u2014verify what is supported now.<\/li>\n
                                                                                                                                                    • Location constraints:<\/strong> Endpoints may be available only in certain Artifact Registry locations.<\/li>\n
                                                                                                                                                    • Access constraints:<\/strong> You may need org\/project enablement to see the catalog or access certain repositories.<\/li>\n
                                                                                                                                                    • Scanning expectations:<\/strong> Vulnerability data display depends on whether artifacts are stored in your project and on current scanning behavior. Don\u2019t assume \u201ceverything is scanned and visible everywhere.\u201d<\/li>\n
                                                                                                                                                    • Mirroring changes semantics:<\/strong> If you copy an image into your own repo, you improve governance, but you may not automatically preserve all upstream metadata in the way you expect. Validate how provenance\/signatures apply in your workflow.<\/li>\n
                                                                                                                                                    • Build reproducibility isn\u2019t automatic:<\/strong> Using a better upstream helps, but you still need pinned versions, deterministic builds, and controlled build environments.<\/li>\n
                                                                                                                                                    • Cost surprises:<\/strong> Artifact storage growth and cross-region egress can be non-obvious.<\/li>\n
                                                                                                                                                    • Migration challenges:<\/strong> Moving from \u201cpublic registry everywhere\u201d to controlled sources can break builds; plan phased adoption and developer enablement.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                      \n\n\n\n
                                                                                                                                                      14. Comparison with Alternatives<\/h2>\n\n\n\n
                                                                                                                                                      Assured Open Source Software is one approach to supply-chain Security. In practice, teams combine multiple controls.<\/p>\n\n\n\n
                                                                                                                                                      Comparison table<\/h3>\n\n\n\n
                                                                                                                                                      \n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                      Option<\/th>\nBest For<\/th>\nStrengths<\/th>\nWeaknesses<\/th>\nWhen to Choose<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                      Assured Open Source Software (Google Cloud)<\/strong><\/td>\nTeams wanting a curated, more trusted OSS source in Google Cloud<\/td>\nStronger sourcing model; integrates with Google Cloud artifact + IAM patterns<\/td>\nCurated coverage; may require enablement; exact supported ecosystems vary<\/td>\nWhen standardizing OSS consumption in Google Cloud with stronger assurances<\/td>\n<\/tr>\n
                                                                                                                                                      Artifact Registry alone<\/strong><\/td>\nGeneral artifact storage and governance<\/td>\nStrong IAM, audit logs, lifecycle management, regional control<\/td>\nDoesn\u2019t automatically solve upstream trust; you still need a trusted source<\/td>\nWhen you already have secure upstreams or you mirror and govern carefully<\/td>\n<\/tr>\n
                                                                                                                                                      Binary Authorization (GKE)<\/strong><\/td>\nEnforcing deploy-time policy for containers in GKE<\/td>\nStrong admission control; enforces attestations and trusted images<\/td>\nGKE-specific; doesn\u2019t source dependencies by itself<\/td>\nWhen you need strict \u201conly verified images run\u201d enforcement on GKE<\/td>\n<\/tr>\n
                                                                                                                                                      Container Analysis \/ scanning features<\/strong><\/td>\nDetecting known vulnerabilities<\/td>\nHelps identify CVEs and prioritize fixes<\/td>\nDetection is not prevention; depends on scanning coverage<\/td>\nWhen you need vulnerability visibility on stored artifacts<\/td>\n<\/tr>\n
                                                                                                                                                      Self-managed internal mirror (e.g., Nexus\/Artifactory)<\/strong><\/td>\nMulti-cloud or on-prem heavy environments<\/td>\nFull control, can mirror everything, mature enterprise features<\/td>\nYou operate it; patching\/availability is on you; trust model is still yours<\/td>\nWhen you need portability and broad ecosystem coverage with internal ops capacity<\/td>\n<\/tr>\n
                                                                                                                                                      GitHub Dependabot \/ Renovate<\/strong><\/td>\nDependency update automation<\/td>\nGreat developer workflow; PR-based upgrades<\/td>\nDoesn\u2019t provide a trusted artifact source; relies on upstream registries<\/td>\nWhen your main gap is upgrade automation rather than artifact sourcing<\/td>\n<\/tr>\n
                                                                                                                                                      AWS CodeArtifact<\/strong><\/td>\nAWS-native artifact management<\/td>\nGood AWS integration, IAM-based access<\/td>\nDifferent ecosystem; not Google Cloud<\/td>\nWhen your platform is primarily AWS<\/td>\n<\/tr>\n
                                                                                                                                                      Azure Artifacts<\/strong><\/td>\nAzure DevOps-centric teams<\/td>\nIntegrated with Azure DevOps pipelines<\/td>\nDifferent ecosystem; not Google Cloud<\/td>\nWhen you are standardized on Azure DevOps<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                      \n\n\n\n
                                                                                                                                                      15. Real-World Example<\/h2>\n\n\n\n
                                                                                                                                                      Enterprise example (regulated multi-team platform)<\/h3>\n\n\n\n
                                                                                                                                                        \n
                                                                                                                                                      • Problem:<\/strong> A regulated enterprise has 50+ teams deploying microservices to GKE and Cloud Run. Builds pull dependencies directly from public registries, and Security audits repeatedly flag weak supply-chain controls.<\/li>\n
                                                                                                                                                      • Proposed architecture:<\/strong><\/li>\n
                                                                                                                                                      • Assured Open Source Software as an approved upstream for selected OSS artifacts<\/li>\n
                                                                                                                                                      • Artifact Registry as the centralized artifact store<\/li>\n
                                                                                                                                                      • Cloud Build as the standard build platform (or integrated external CI with federated identity)<\/li>\n
                                                                                                                                                      • Policies:
                                                                                                                                                          \n
                                                                                                                                                        • CI egress restrictions so builds can\u2019t fetch arbitrary internet dependencies<\/li>\n
                                                                                                                                                        • IAM least privilege on repositories<\/li>\n
                                                                                                                                                        • Binary Authorization on GKE to ensure only artifacts from approved repos deploy (where applicable)<\/li>\n<\/ul>\n<\/li>\n
                                                                                                                                                        • Observability:
                                                                                                                                                            \n
                                                                                                                                                          • Cloud Audit Logs retained for repository access and admin actions<\/li>\n
                                                                                                                                                          • Logging and Monitoring dashboards for build\/deploy failures and unusual access<\/li>\n<\/ul>\n<\/li>\n
                                                                                                                                                          • Why Assured Open Source Software was chosen:<\/strong><\/li>\n
                                                                                                                                                          • Provides a clearer and more defensible dependency sourcing story for audits<\/li>\n
                                                                                                                                                          • Aligns with Google Cloud native artifact and identity controls<\/li>\n
                                                                                                                                                          • Expected outcomes:<\/strong><\/li>\n
                                                                                                                                                          • Reduced dependency-source risk<\/li>\n
                                                                                                                                                          • Standardized build patterns<\/li>\n
                                                                                                                                                          • Improved audit evidence and faster Security reviews<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                            Startup \/ small-team example (fast shipping, limited Security headcount)<\/h3>\n\n\n\n
                                                                                                                                                              \n
                                                                                                                                                            • Problem:<\/strong> A startup ships weekly and uses many OSS dependencies. They had a scare with a compromised dependency and want better controls without building a full Security program from scratch.<\/li>\n
                                                                                                                                                            • Proposed architecture:<\/strong><\/li>\n
                                                                                                                                                            • Use Assured Open Source Software for the most important base images\/dependencies (where supported)<\/li>\n
                                                                                                                                                            • Store application images in Artifact Registry<\/li>\n
                                                                                                                                                            • Use Cloud Build triggers for builds and Cloud Run for deployment<\/li>\n
                                                                                                                                                            • Keep a simple policy: production services must deploy only from the team\u2019s Artifact Registry repo<\/li>\n
                                                                                                                                                            • Why Assured Open Source Software was chosen:<\/strong><\/li>\n
                                                                                                                                                            • Faster to adopt than building an internal mirror and vetting program<\/li>\n
                                                                                                                                                            • Good fit for Google Cloud-native workflow<\/li>\n
                                                                                                                                                            • Expected outcomes:<\/strong><\/li>\n
                                                                                                                                                            • Lower risk from upstream dependency compromise<\/li>\n
                                                                                                                                                            • Better consistency across builds<\/li>\n
                                                                                                                                                            • Minimal operational overhead<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                              \n\n\n\n
                                                                                                                                                              16. FAQ<\/h2>\n\n\n\n
                                                                                                                                                              1) Is Assured Open Source Software the same as Artifact Registry?<\/strong>\nNo. Artifact Registry is a repository service for storing and managing artifacts. Assured Open Source Software is about trusted sourcing of selected OSS artifacts<\/strong>, often consumed through Google Cloud artifact workflows.<\/p>\n\n\n\n
                                                                                                                                                              2) Does Assured Open Source Software include every open source package?<\/strong>\nNo. It is typically a curated set. Verify the supported packages\/ecosystems in the official docs.<\/p>\n\n\n\n
                                                                                                                                                              3) Do I still need vulnerability scanning if I use Assured Open Source Software?<\/strong>\nOften yes. Better sourcing reduces risk, but you still need vulnerability management, patching, and runtime controls.<\/p>\n\n\n\n
                                                                                                                                                              4) Is Assured Open Source Software free?<\/strong>\nAssured Open Source Software may not be billed as a standalone SKU, but you will pay for related services you use (Artifact Registry, Cloud Build, Cloud Run, networking). Verify current pricing details in official docs.<\/p>\n\n\n\n
                                                                                                                                                              5) Can I use it outside Google Cloud?<\/strong>\nPossibly, depending on how artifacts are accessed and licensing\/entitlements, but the best integration story is within Google Cloud. Verify supported access patterns in official docs.<\/p>\n\n\n\n
                                                                                                                                                              6) Does it solve dependency confusion?<\/strong>\nIt can help by standardizing and controlling dependency sources, but you must also configure package managers, repository priorities, and CI network controls correctly.<\/p>\n\n\n\n
                                                                                                                                                              7) Should I pin by tag or digest?<\/strong>\nFor production, pinning by digest is often preferred for immutability where supported. Use tags for human readability but ensure your deployment process is deterministic.<\/p>\n\n\n\n
                                                                                                                                                              8) How do I prove developers used Assured Open Source Software?<\/strong>\nUse:\n– repository access logs (Cloud Audit Logs)\n– build configuration reviews (Cloud Build configs)\n– policy enforcement (restrict egress; allowlist registries)<\/p>\n\n\n\n
                                                                                                                                                              9) Does mirroring an Assured Open Source Software image into my repo reduce its assurance?<\/strong>\nMirroring improves governance and access control, but you must validate how provenance\/signatures apply post-copy. Test your verification workflow and consult official guidance.<\/p>\n\n\n\n
                                                                                                                                                              10) Can I enforce that builds only pull from approved sources?<\/strong>\nYes, typically via:\n– CI egress restrictions\n– using only internal\/approved repositories\n– organization policies and guardrails\nExact implementation depends on your network and CI design.<\/p>\n\n\n\n
                                                                                                                                                              11) Is Assured Open Source Software a replacement for SBOM tooling?<\/strong>\nNot necessarily. It\u2019s a sourcing control. SBOM generation\/management may still be required for your compliance and Security workflows.<\/p>\n\n\n\n
                                                                                                                                                              12) What\u2019s the main operational effort?<\/strong>\nDesigning:\n– repository structure and IAM\n– build templates and guardrails\n– update and patching workflows for base images\/dependencies<\/p>\n\n\n\n
                                                                                                                                                              13) Can I use it with external CI like GitHub Actions?<\/strong>\nUsually yes, using secure identity federation or service account keys (keys are not recommended). Prefer Workload Identity Federation where possible; verify patterns in official docs.<\/p>\n\n\n\n
                                                                                                                                                              14) How do I roll out across many teams?<\/strong>\nStart with:\n– a platform \u201cgolden path\u201d\n– templates and example repos\n– staged enforcement (warn \u2192 block)\n– training and developer enablement<\/p>\n\n\n\n
                                                                                                                                                              15) What\u2019s the fastest way to get started?<\/strong>\nUse the lab approach in this tutorial:\n– pick one Assured Open Source Software artifact\n– mirror it into your repo\n– build one service from it\n– then standardize via templates<\/p>\n\n\n\n
                                                                                                                                                              \n\n\n\n
                                                                                                                                                              17. Top Online Resources to Learn Assured Open Source Software<\/h2>\n\n\n\n
                                                                                                                                                              \n\n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                              Resource Type<\/th>\nName<\/th>\nWhy It Is Useful<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                              Official product page<\/td>\nhttps:\/\/cloud.google.com\/assured-open-source-software<\/td>\nHigh-level overview and positioning within Google Cloud Security<\/td>\n<\/tr>\n
                                                                                                                                                              Official documentation<\/td>\nhttps:\/\/cloud.google.com\/assured-open-source-software\/docs<\/td>\nAuthoritative configuration, supported ecosystems, and current workflows<\/td>\n<\/tr>\n
                                                                                                                                                              Artifact management docs<\/td>\nhttps:\/\/cloud.google.com\/artifact-registry\/docs<\/td>\nPractical repository setup, IAM patterns, and artifact operations used with Assured Open Source Software<\/td>\n<\/tr>\n
                                                                                                                                                              Official pricing<\/td>\nhttps:\/\/cloud.google.com\/artifact-registry\/pricing<\/td>\nCore cost driver for storing\/mirroring artifacts<\/td>\n<\/tr>\n
                                                                                                                                                              Official pricing<\/td>\nhttps:\/\/cloud.google.com\/build\/pricing<\/td>\nCloud Build cost model for CI pipelines<\/td>\n<\/tr>\n
                                                                                                                                                              Official pricing<\/td>\nhttps:\/\/cloud.google.com\/run\/pricing<\/td>\nCloud Run cost model if you deploy workloads<\/td>\n<\/tr>\n
                                                                                                                                                              Supply-chain guidance<\/td>\nhttps:\/\/cloud.google.com\/docs\/security<\/td>\nEntry point for Google Cloud Security concepts and related services<\/td>\n<\/tr>\n
                                                                                                                                                              SLSA reference<\/td>\nhttps:\/\/slsa.dev\/<\/td>\nBackground on provenance and supply-chain levels (conceptual grounding)<\/td>\n<\/tr>\n
                                                                                                                                                              OSV database<\/td>\nhttps:\/\/osv.dev\/<\/td>\nUnderstand vulnerability identifiers and ecosystem vulnerability data (commonly referenced in OSS security workflows)<\/td>\n<\/tr>\n
                                                                                                                                                              Google Cloud Tech (videos)<\/td>\nhttps:\/\/www.youtube.com\/@googlecloudtech<\/td>\nTalks and demos; search within channel for \u201cAssured OSS\u201d and \u201csoftware supply chain\u201d<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                              \n\n\n\n
                                                                                                                                                              18. Training and Certification Providers<\/h2>\n\n\n\n
                                                                                                                                                              \n\n\n\n\n\n\n\n\n
                                                                                                                                                              Institute<\/th>\nSuitable Audience<\/th>\nLikely Learning Focus<\/th>\nMode<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                              DevOpsSchool.com<\/td>\nDevOps engineers, SREs, platform teams<\/td>\nDevOps, CI\/CD, Cloud, Security fundamentals<\/td>\nCheck website<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                              ScmGalaxy.com<\/td>\nBeginners to intermediate DevOps learners<\/td>\nSCM, DevOps foundations, tooling<\/td>\nCheck website<\/td>\nhttps:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n
                                                                                                                                                              CLoudOpsNow.in<\/td>\nCloud operations and platform roles<\/td>\nCloud ops, SRE-style operations<\/td>\nCheck website<\/td>\nhttps:\/\/cloudopsnow.in\/<\/td>\n<\/tr>\n
                                                                                                                                                              SreSchool.com<\/td>\nSREs, production operations teams<\/td>\nSRE practices, reliability, incident response<\/td>\nCheck website<\/td>\nhttps:\/\/sreschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                              AiOpsSchool.com<\/td>\nOps teams exploring AIOps<\/td>\nAIOps concepts, operations automation<\/td>\nCheck website<\/td>\nhttps:\/\/aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                              \n\n\n\n
                                                                                                                                                              19. Top Trainers<\/h2>\n\n\n\n
                                                                                                                                                              \n\n\n\n\n\n\n\n
                                                                                                                                                              Platform\/Site<\/th>\nLikely Specialization<\/th>\nSuitable Audience<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                              RajeshKumar.xyz<\/td>\nDevOps \/ Cloud training content<\/td>\nBeginners to advanced practitioners<\/td>\nhttps:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n
                                                                                                                                                              devopstrainer.in<\/td>\nDevOps tooling and CI\/CD training<\/td>\nDevOps engineers, students<\/td>\nhttps:\/\/devopstrainer.in\/<\/td>\n<\/tr>\n
                                                                                                                                                              devopsfreelancer.com<\/td>\nPractical DevOps help and enablement<\/td>\nSmall teams needing hands-on guidance<\/td>\nhttps:\/\/devopsfreelancer.com\/<\/td>\n<\/tr>\n
                                                                                                                                                              devopssupport.in<\/td>\nDevOps support and operational training<\/td>\nOps teams and engineers<\/td>\nhttps:\/\/devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                              \n\n\n\n
                                                                                                                                                              20. Top Consulting Companies<\/h2>\n\n\n\n
                                                                                                                                                              \n\n\n\n\n\n\n
                                                                                                                                                              Company<\/th>\nLikely Service Area<\/th>\nWhere They May Help<\/th>\nConsulting Use Case Examples<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                              cotocus.com<\/td>\nCloud\/DevOps consulting<\/td>\nArchitecture, CI\/CD, cloud migrations<\/td>\nStandardizing Artifact Registry and CI pipelines; operationalizing secure SDLC patterns<\/td>\nhttps:\/\/cotocus.com\/<\/td>\n<\/tr>\n
                                                                                                                                                              DevOpsSchool.com<\/td>\nDevOps and cloud consulting\/training<\/td>\nPlatform engineering, pipeline design, skills enablement<\/td>\nDesigning golden pipelines; rolling out org-wide build standards; training teams on secure artifact practices<\/td>\nhttps:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n
                                                                                                                                                              DEVOPSCONSULTING.IN<\/td>\nDevOps consulting services<\/td>\nCI\/CD, automation, operational improvements<\/td>\nCI hardening, repository governance, build\/deploy standardization<\/td>\nhttps:\/\/devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                              \n\n\n\n
                                                                                                                                                              21. Career and Learning Roadmap<\/h2>\n\n\n\n
                                                                                                                                                              What to learn before this service<\/h3>\n\n\n\n
                                                                                                                                                              To use Assured Open Source Software effectively, you should understand:<\/p>\n\n\n\n
                                                                                                                                                                \n
                                                                                                                                                              • Basics of Google Cloud projects, IAM, and service accounts<\/li>\n
                                                                                                                                                              • Artifact concepts: container registries, package repositories, versioning<\/li>\n
                                                                                                                                                              • CI\/CD fundamentals (build, test, artifact, deploy)<\/li>\n
                                                                                                                                                              • Basic container knowledge (Dockerfile, image tags\/digests)<\/li>\n
                                                                                                                                                              • Security basics: least privilege, audit logs, supply-chain threats<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                What to learn after this service<\/h3>\n\n\n\n
                                                                                                                                                                To build a mature supply-chain Security program on Google Cloud:<\/p>\n\n\n\n
                                                                                                                                                                  \n
                                                                                                                                                                • Artifact Registry governance at scale (multi-project strategies)<\/li>\n
                                                                                                                                                                • Cloud Build secure builds, build isolation, and provenance concepts<\/li>\n
                                                                                                                                                                • Policy enforcement:<\/li>\n
                                                                                                                                                                • Binary Authorization (for GKE)<\/li>\n
                                                                                                                                                                • org policy constraints<\/li>\n
                                                                                                                                                                • Vulnerability management workflows and patch SLAs<\/li>\n
                                                                                                                                                                • SBOM and provenance verification tooling (only what\u2019s officially supported for your artifact types)<\/li>\n
                                                                                                                                                                • Network security for CI (egress restriction patterns)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                  Job roles that use it<\/h3>\n\n\n\n
                                                                                                                                                                    \n
                                                                                                                                                                  • Cloud security engineer<\/li>\n
                                                                                                                                                                  • Platform engineer \/ internal developer platform engineer<\/li>\n
                                                                                                                                                                  • DevSecOps engineer<\/li>\n
                                                                                                                                                                  • SRE (especially CI\/CD and release engineering)<\/li>\n
                                                                                                                                                                  • Cloud solution architect<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                    Certification path (if available)<\/h3>\n\n\n\n
                                                                                                                                                                    Assured Open Source Software itself is not typically a standalone certification topic, but it aligns with:<\/p>\n\n\n\n
                                                                                                                                                                      \n
                                                                                                                                                                    • Google Cloud Security Engineer learning paths<\/li>\n
                                                                                                                                                                    • Professional Cloud DevOps Engineer learning paths\nVerify current Google Cloud certification tracks: https:\/\/cloud.google.com\/learn\/certification<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                      Project ideas for practice<\/h3>\n\n\n\n
                                                                                                                                                                        \n
                                                                                                                                                                      • Build a \u201csecure base image pipeline\u201d:<\/li>\n
                                                                                                                                                                      • consume an Assured Open Source Software base image<\/li>\n
                                                                                                                                                                      • mirror it internally<\/li>\n
                                                                                                                                                                      • build sample apps from it<\/li>\n
                                                                                                                                                                      • enforce usage via templates<\/li>\n
                                                                                                                                                                      • Create a multi-team Artifact Registry layout with least-privilege IAM.<\/li>\n
                                                                                                                                                                      • Implement CI egress controls so builds can only reach approved artifact sources.<\/li>\n
                                                                                                                                                                      • Track and rotate base images across services with staged rollouts.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                        \n\n\n\n
                                                                                                                                                                        22. Glossary<\/h2>\n\n\n\n
                                                                                                                                                                          \n
                                                                                                                                                                        • Assured Open Source Software:<\/strong> A Google Cloud Security offering providing a more trusted channel for consuming selected open source artifacts (often abbreviated \u201cAssured OSS\u201d).<\/li>\n
                                                                                                                                                                        • Artifact Registry:<\/strong> Google Cloud service for storing and managing container images and packages with IAM-based access control.<\/li>\n
                                                                                                                                                                        • Supply chain security:<\/strong> Controls that reduce risk from third-party components across source, build, storage, and deployment.<\/li>\n
                                                                                                                                                                        • Dependency confusion:<\/strong> A class of attacks where a build system fetches a malicious package from an unexpected registry due to naming\/priority issues.<\/li>\n
                                                                                                                                                                        • Typosquatting:<\/strong> Malicious packages published with names similar to popular dependencies.<\/li>\n
                                                                                                                                                                        • Provenance:<\/strong> Metadata describing how an artifact was built and from what sources (conceptual; exact availability depends on artifact type and tooling).<\/li>\n
                                                                                                                                                                        • Digest:<\/strong> Immutable hash reference for a container image (@sha256:...<\/code>), safer than mutable tags.<\/li>\n
                                                                                                                                                                        • CI\/CD:<\/strong> Continuous integration and continuous delivery\/deployment pipelines.<\/li>\n
                                                                                                                                                                        • IAM:<\/strong> Identity and Access Management; controls who can do what in Google Cloud.<\/li>\n
                                                                                                                                                                        • Cloud Audit Logs:<\/strong> Logs that record admin activity and data access for Google Cloud services (subject to configuration and log type).<\/li>\n
                                                                                                                                                                        • Least privilege:<\/strong> Granting only the minimum access needed to perform a task.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                                          \n\n\n\n
                                                                                                                                                                          23. Summary<\/h2>\n\n\n\n
                                                                                                                                                                          Assured Open Source Software is a Google Cloud Security service focused on safer consumption of open source software<\/strong> through a more trusted, curated artifact source and supply-chain assurance patterns. It fits best when you want to reduce upstream dependency risk and standardize dependency sourcing across teams using Google Cloud-native tooling like Artifact Registry and Cloud Build.<\/p>\n\n\n\n
                                                                                                                                                                          Cost-wise, the biggest drivers are usually Artifact Registry storage\/egress<\/strong>, Cloud Build minutes<\/strong>, and runtime costs (Cloud Run\/GKE) rather than a direct Assured Open Source Software line item\u2014confirm the current pricing model in official docs. Security-wise, it improves your posture only when combined with least-privilege IAM, controlled CI egress, pinned dependencies, audit logging, and policy enforcement<\/strong>.<\/p>\n\n\n\n
                                                                                                                                                                          Use Assured Open Source Software when you need a practical, scalable way to strengthen OSS supply-chain controls in Google Cloud. Next, deepen your implementation by standardizing repository layout, CI templates, and enforcement policies, and by validating provenance\/vulnerability workflows using the official documentation: https:\/\/cloud.google.com\/assured-open-source-software\/docs<\/p>\n","protected":false},"excerpt":{"rendered":"
                                                                                                                                                                          Security<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[51,10],"tags":[],"class_list":["post-792","post","type-post","status-publish","format-standard","hentry","category-google-cloud","category-security"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/792","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=792"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/792\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=792"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=792"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=792"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}