1. Overview

Google Cloud Registry requires the storage.admin permission in order to enumerate repositories in a registry. Wildcard scans rely on this enumeration. If the credentials you pass to the Defender have only read-only permissions, it can scan specific repositories in the registry as expected, but wildcard scans will fail.

2. Error messages

There are no error messages. Nothing shows up in the logs.

3. Steps to confirm the issue

  • Scan a repository in your registry

  • Add in a wildcard

    • At this step nothing should happen. No progress bar, no errors.

4. Troubleshooting steps

  • Update the registry credentials to have the storage.admin permission

  • Scan the same repository with the wildcard as before
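Because the wildcard failure produces no error, the credential's IAM roles can be checked directly before and after the update. The following is an added example, not Prisma Cloud code: it assumes the "storage.admin permission" above corresponds to the IAM role roles/storage.admin and that the policy JSON was exported with `gcloud projects get-iam-policy PROJECT_ID --format=json`; the service account names and the status labels are constructed for illustration.

```python
import json

# Assumption: the page's "storage.admin permission" is the IAM role below.
REQUIRED_ROLE = "roles/storage.admin"

# Constructed sample, shaped like `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/storage.objectViewer",
     "members": ["serviceAccount:scanner-ro@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:scanner-admin@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.admin",
     "members": ["serviceAccount:scanner-cond@example-project.iam.gserviceaccount.com"],
     "condition": {"title": "expires", "expression": "request.time < timestamp('2030-01-01T00:00:00Z')"}}
  ]
}
""")


def roles_for(policy, member):
    """Return {role: is_conditional} for bindings that name `member` directly.

    Roles inherited through group membership are not resolved here.
    """
    roles = {}
    for binding in policy.get("bindings", []):
        if member in binding.get("members", []):
            conditional = "condition" in binding
            # An unconditional grant wins over a conditional one for the same role.
            roles[binding["role"]] = roles.get(binding["role"], True) and conditional
    return roles


def wildcard_scan_status(policy, member):
    """Classify the credential as 'ok', 'conditional', or 'missing'."""
    roles = roles_for(policy, member)
    if REQUIRED_ROLE not in roles:
        return "missing"  # specific repositories may still scan; wildcards silently do nothing
    return "conditional" if roles[REQUIRED_ROLE] else "ok"
```

A "conditional" result means the role is granted only while an IAM condition holds, so a wildcard scan may stop working again without any error.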

4.1. Prisma Cloud version:

All versions are affected.

5. Cautionary notes

Wildcard scanning requires more resources and permissions than scanning specific repos, which may not fit your individual use case.