Google Cloud Platform (GCP) is a cloud computing platform that provides access to technology services, such as infrastructure as a service and emerging technology services, on an as-needed basis.

Aptible integrates with GCP to give you governance over and visibility into the security of your containers.


Up-to-date asset inventory
Once you integrate your GCP project with Comply, Comply will display the Google Container Registry (GCR) assets such as repositories and images within that GCP project. Comply gives you visibility into your GCR assets by automatically updating and tagging repositories and images in the “Container Registry” asset groups in Comply.

Automatic evidence collection
Comply will scan your GCP project settings and container registry contents to ensure that a wide range of security measures are correctly implemented (see the Automations table below for the full scope of what evidence is automatically collected).

Automated issue detection
When a Comply scan identifies something that goes against common security practices, the Automation creates an issue. These issues are tracked automatically and carry reminders to help expedite remediation.


Comply's GCP integration relies on utilizing a Comply-generated service account with specified read-only permissions. This service account requests read-only access to GCP APIs and services. Comply leverages a narrow set of read-only API calls and does not write back any information into your GCP project.


Automation: Container Vulnerability Scanning
  Service: GCR
  Description: Checks whether Container Scanning is enabled on a GCP project.
  Returns: Comply creates an issue if Container Scanning is not enabled on a GCP project.
  Framework Mappings:
    ISO 27001:2013: A.12.6.1
    SOC 2: CC7.1
    PCI: 11.2.1, 11.2.2, 11.2.3, 6.1
    NIST Cybersecurity V1.1: DE.CM-8, PR.IP-12
    FedRAMP: RA-5 (3), RA-5, RA-5 (5)

Automation: Container Image Vulnerability Scan
  Service: GCR
  Description: Checks whether the latest container image in each container repository has been discovered by a container scanner.
  Returns: Comply creates an issue if a container image was not discovered by a container scanner.
  Framework Mappings:
    ISO 27001:2013: A.12.6.1
    SOC 2: CC7.1
    PCI: 11.2.1, 11.2.2, 11.2.3, 6.1
    NIST Cybersecurity V1.1: DE.CM-8, PR.IP-12
    FedRAMP: RA-5 (3), RA-5, RA-5 (5)


  • Container Vuln Scan Enabled - Vulnerability scanning is enabled on the GCP project (Container Scanning API is enabled).
  • Container Vuln Scan Disabled - Vulnerability scanning is disabled on the GCP project (Container Scanning API is disabled).
  • Container Vuln Scan Discovered - The latest container image in container repo was discovered by the container scanner.
  • Container Vuln Scan Not Discovered - The latest container image in container repo was not discovered by the container scanner.
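The two automations in the table above, and the four tags just listed, can be reproduced with a small POSIX shell script. This is an added example and not Aptible Comply's code: both checks read captured gcloud output from stdin so they run offline, the service name containerscanning.googleapis.com is the Container Scanning API's service identifier, and the repositories, digests and discovery statuses in the sample are constructed values.

```shell
#!/bin/sh
# Added example, not Aptible Comply's code. Re-implements the two GCR
# automations described on this page and emits the asset tags listed above.
# Both functions read captured gcloud output from stdin so the logic can be
# exercised offline; the sample data below is constructed.

# Automation "Container Vulnerability Scanning".
# stdin: one enabled service per line, as printed by
#   gcloud services list --enabled --format='value(config.name)'
# Prints the project-level tag; returns 1 when an issue should be raised.
check_scanning_enabled() {
  if grep -qx 'containerscanning.googleapis.com'; then
    echo "Container Vuln Scan Enabled"
    return 0
  fi
  echo "Container Vuln Scan Disabled"
  return 1
}

# Automation "Container Image Vulnerability Scan".
# stdin: one tab-separated line per repository:
#   <repository> <digest of latest image> <analysisStatus of the Container
#   Analysis DISCOVERY occurrence for that digest, or NONE when no discovery
#   occurrence exists>
# Prints one tag per repository; returns the number of issues raised.
check_images_discovered() {
  issues=0
  tab=$(printf '\t')
  while IFS="$tab" read -r repo digest status; do
    case "$status" in
      ""|NONE)
        echo "$repo@$digest: Container Vuln Scan Not Discovered"
        issues=$((issues + 1)) ;;
      *)
        echo "$repo@$digest: Container Vuln Scan Discovered" ;;
    esac
  done
  return "$issues"
}

# Constructed sample input for the image check (not real project data).
sample_images() {
  printf 'gcr.io/example-project/api\tsha256:0000aaaa\tFINISHED_SUCCESS\n'
  printf 'gcr.io/example-project/worker\tsha256:0000bbbb\tSCANNING\n'
  printf 'gcr.io/example-project/legacy\tsha256:0000cccc\tNONE\n'
}

# Demo with constructed data: `sh check_gcr.sh demo`.
# With a real project, pipe the gcloud output listed above in instead.
if [ "${1:-}" = "demo" ]; then
  printf 'containerregistry.googleapis.com\ncontainerscanning.googleapis.com\n' \
    | check_scanning_enabled
  sample_images | check_images_discovered
  echo "issues raised for images: $?"
fi
```

The image check deliberately treats any discovery occurrence (including SCANNING or FINISHED_FAILED) as "discovered", matching the page's wording that the image was found by the scanner; whether the scan then succeeded is a separate question from the vulnerability data itself.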


  1. Navigate to the Integrations Configuration section: Automations > Integration Configuration
  2. Click Add Integration, and select GCP. Enter a unique name for the integration and the GCP project id.
  3. Follow the instructions in the Comply app to create a new IAM role in the GCP console for the project specified. This IAM role grants the Comply-generated Service Account read-only access to your GCP account.
    a. Log into the GCP IAM console and select the project id.
    b. APIs & Services > Verify and enable (as needed) the following APIs/Services on the project:
      Container Registry API
      Container Analysis API
      Resource Manager API
    c. Roles > Create a new custom IAM role. You can title the role something like “Comply GCP Viewer”. Select “Role launch stage” > “General Availability”. Add the following permissions (the same three listed in the IAM Policy summary below):
      containeranalysis.occurrences.list
      resourcemanager.projects.get
      storage.objects.list
    d. IAM > Add member. Use the Comply-generated service account email from the Comply integration page as the member. Add the custom “Comply GCP Viewer” role and the Google predefined role “Service Usage Viewer”.
  4. In the Comply App, continue clicking through the integration setup steps to test and sync the GCP integration.
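The console steps 3b to 3d above can also be done with the gcloud CLI, which makes the exact permission set reviewable before anything changes in the project. The script below is an added example and not Aptible's tooling: PROJECT_ID, the service account email SA_EMAIL (copied from the Comply integration page) and the custom role id COMPLY_ROLE_ID are placeholders, and with DRY_RUN=1 (the default) every command is printed rather than executed.

```shell
#!/bin/sh
# Added example, not Aptible's tooling: the GCP console steps as gcloud
# commands. PROJECT_ID, SA_EMAIL and COMPLY_ROLE_ID are placeholders; run with
# DRY_RUN=0 to actually apply the changes.
PROJECT_ID="${PROJECT_ID:-my-gcp-project}"                          # placeholder
SA_EMAIL="${SA_EMAIL:-comply-sa@example.iam.gserviceaccount.com}"   # placeholder
COMPLY_ROLE_ID="${COMPLY_ROLE_ID:-complyGcpViewer}"                 # placeholder
DRY_RUN="${DRY_RUN:-1}"

# Print each command; execute it only when DRY_RUN=0.
run() {
  printf '+ %s\n' "$*"
  if [ "$DRY_RUN" = 0 ]; then "$@"; fi
}

# Step b: enable the three APIs the page lists.
enable_apis() {
  run gcloud services enable \
    containerregistry.googleapis.com \
    containeranalysis.googleapis.com \
    cloudresourcemanager.googleapis.com \
    --project="$PROJECT_ID"
}

# Step c: a custom role carrying exactly the three read-only permissions from
# the IAM Policy summary, launched at the General Availability stage.
create_viewer_role() {
  run gcloud iam roles create "$COMPLY_ROLE_ID" \
    --project="$PROJECT_ID" \
    --title="Comply GCP Viewer" \
    --stage=GA \
    --permissions=containeranalysis.occurrences.list,resourcemanager.projects.get,storage.objects.list
}

# Step d: bind the Comply-generated service account to the custom role and to
# Google's predefined Service Usage Viewer role.
bind_service_account() {
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$SA_EMAIL" \
    --role="projects/$PROJECT_ID/roles/$COMPLY_ROLE_ID"
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$SA_EMAIL" \
    --role="roles/serviceusage.serviceUsageViewer"
}

# Check: list every role bound to the service account, so that nothing beyond
# the two roles above has crept in.
show_bindings() {
  run gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:serviceAccount:$SA_EMAIL" \
    --format="value(bindings.role)"
}

main() {
  enable_apis
  create_viewer_role
  bind_service_account
  show_bindings
}

main
```

Running the script once with the default DRY_RUN=1 prints the four gcloud invocations for review; the final get-iam-policy call is the check to repeat after setup to confirm the account holds only the custom viewer role and Service Usage Viewer.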

IAM Policy and APIs/Services

Summary of permissions required for the Comply-generated service account:

Role                   Permission                            Comply Usage
Custom Role            containeranalysis.occurrences.list    Get container image vulnerability data
Custom Role            resourcemanager.projects.get          Get metadata for the GCP project
Custom Role            storage.objects.list                  Get list of container repos and images
Service Usage Viewer   Pre-defined by Google                 Determine if specific GCP services are enabled

Note: The underlying permission we require is “serviceusage.services.list”; however, that permission is still marked as “testing” by Google, so it is more stable to attach the Google predefined “Service Usage Viewer” role to the Aptible service account.

Summary of APIs/Services enabled:

GCP API                 Comply Usage
Container Analysis API  Read container image vulnerability scan results
Container Registry API  Read metadata for your Google Container Registry
Resource Manager API    Read metadata describing your GCP project


Common integration setup issues include:

  1. Not granting all of the required permissions or not enabling all of the required APIs. [Fix: Verify that the Service Account is in the correct project, that all of the permissions and roles required are attached to the integration-specific Service Account, and that the APIs listed above are enabled in your GCP project.]

If you receive an error message when trying to sync your integration, please check the above items and contact [email protected] if the problem persists.