{"results":[{"id":"ar-access-scopes-can-restrict-beyond-iam","text":"Compute Engine VM access scopes can further restrict Artifact Registry access beyond IAM roles — the default `read-only` scope blocks writes even if the SA has Writer role; `cloud-platform` scope is needed for push.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ar-auth-configure-docker-per-hostname","text":"The `gcloud auth configure-docker HOSTNAME` command configures the Docker credential helper for a specific Artifact Registry hostname (e.g., `us-west1-docker.pkg.dev`).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ar-cloud-build-default-read-write","text":"Cloud Build's default service account has read/write access to Artifact Registry.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ar-cloudrun-cross-project-service-agent","text":"Cloud Run cross-project Artifact Registry access requires granting roles to the Cloud Run Service Agent (`service-PROJECT-NUMBER@serverless-robot-prod.iam.gserviceaccount.com`), not just the runtime service account.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ar-cmek-encryption-supported","text":"Artifact Registry supports CMEK encryption via Cloud KMS (Google-managed encryption by default), and organization policy can enforce CMEK.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ar-default-compute-sa-read-only","text":"Compute Engine, GKE, and Cloud Run default service accounts get read-only access to Artifact Registry by default.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ar-no-egress-charge-same-region","text":"No egress charge from Artifact Registry to Google Cloud services in the same region.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"ar-replaces-container-registry","text":"Artifact Registry is Google Cloud's recommended registry, replacing Container Registry, with support for both container images and language packages (Go, Java, Node.js, Python, Ruby, Helm).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"binary-authorization-build-to-runtime-security-chain","text":"Binary Authorization forms a continuous supply chain security chain: Cloud Build creates attestations at build time and can block unauthorized deployments, while GKE continuous validation (CV) monitors running containers against policies — covering both deployment-time gating and runtime drift detection.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-armor-adaptive-protection-requires-enterprise","text":"Adaptive Protection requires a Cloud Armor Enterprise subscription and is enabled per-security policy.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-armor-auto-ddos-global-external-alb","text":"DDoS protection is automatic (no configuration needed) for global external Application Load Balancers, classic Application Load Balancers, and external proxy Network Load Balancers.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-armor-compensates-vpc-ingress-visibility-gap","text":"Cloud Armor's edge-first defense compensates for VPC-level ingress visibility gaps by filtering and logging malicious traffic at the Google Cloud edge before it reaches the VPC boundary where flow logs have systematic blind spots for denied ingress packets.","truth_value":"OUT","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-armor-edge-first-layered-defense","text":"Cloud Armor provides edge-first layered defense with four independent mechanisms: automatic DDoS protection at the Google Cloud edge for global external ALBs, prioritized rule evaluation ensuring highest-priority matches win, OWASP CRS 3.3.2-based WAF rules for application-layer filtering, and Enterprise-tier protection covering HTTP/HTTPS/HTTP2/QUIC protocols.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-armor-enterprise-ddos-protocols","text":"Cloud Armor Enterprise DDoS protection supports HTTP, HTTPS, HTTP/2, and QUIC protocols.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-armor-operates-at-edge","text":"Cloud Armor operates at the Google Cloud edge, filtering traffic before it reaches backend resources or enters VPC networks.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-armor-prioritized-rules","text":"Cloud Armor security policies use prioritized rules — the highest-priority matching rule wins.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-armor-supports-hybrid-multicloud","text":"Cloud Armor supports hybrid and multi-cloud deployments — it is not limited to GCP-hosted backends.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-armor-waf-owasp-crs-332","text":"Cloud Armor preconfigured WAF rules are based on OWASP Core Rule Set 3.3.2 (CRS) and do not support XML body parsing.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-dns-admin-cannot-set-iam-policy","text":"`roles/dns.admin` can manage DNS records but cannot set IAM policies on zones (lacks `setIamPolicy` permission).","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"cloud-dns-alias-records-skipped-bind-export","text":"ALIAS records are skipped when exporting Cloud DNS zones to BIND format.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":344,"limit":20,"offset":0}
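The `cloud-armor-prioritized-rules` entry above (highest-priority matching rule wins, where a lower priority number means higher priority) is the kind of claim that is easy to state and easy to get wrong in a real policy: a broad allow at priority 1000 silently shadows a narrower deny at priority 2000. The following is an added example, not code from the page or from Google. It models a Cloud Armor-style policy with the evaluation order reduced to two conditions (source CIDR ranges and a hypothetical path prefix; real Cloud Armor rules are CEL match expressions with more actions), keeps the default rule at the documented maximum priority value 2147483647, and adds a shadow check that flags rules which can never fire. The policy, IPs and paths are constructed for the example.

```python
"""Toy evaluator for Cloud Armor-style prioritized security-policy rules.

Assumptions (example code, not Google's implementation): a rule matches on
source CIDR ranges and a hypothetical path prefix only; an empty condition is
a wildcard; rules are evaluated in ascending priority number and the first
match decides the request.
"""
from dataclasses import dataclass
import ipaddress

DEFAULT_RULE_PRIORITY = 2147483647  # Cloud Armor's default rule sits at the maximum priority value


@dataclass(frozen=True)
class Rule:
    priority: int              # lower number = evaluated earlier = higher priority
    action: str                # e.g. "allow", "deny(403)", "deny(404)"
    src_ip_ranges: tuple = ()  # CIDR strings; empty tuple means "any source"
    path_prefix: str = ""      # hypothetical path condition; "" means "any path"
    description: str = ""


def _covers_ip(rule, ip):
    if not rule.src_ip_ranges:
        return True
    return any(ip in ipaddress.ip_network(c, strict=False) for c in rule.src_ip_ranges)


def rule_matches(rule, src_ip, path):
    """True when every condition on the rule holds for the request."""
    ip = ipaddress.ip_address(src_ip)
    return _covers_ip(rule, ip) and (not rule.path_prefix or path.startswith(rule.path_prefix))


def validate(rules):
    """Reject duplicate priorities and a missing default rule; return rules in evaluation order."""
    priorities = [r.priority for r in rules]
    if len(priorities) != len(set(priorities)):
        raise ValueError("rule priorities must be unique")
    if DEFAULT_RULE_PRIORITY not in priorities:
        raise ValueError("policy needs a default rule at priority %d" % DEFAULT_RULE_PRIORITY)
    return sorted(rules, key=lambda r: r.priority)


def evaluate(rules, src_ip, path="/"):
    """Return the rule that decides the request: the first match in ascending priority order."""
    for rule in validate(rules):
        if rule_matches(rule, src_ip, path):
            return rule
    raise AssertionError("unreachable: the default rule matches every request")


def _ranges_covered(inner_cidrs, outer_cidrs):
    """True when every inner CIDR lies inside some outer CIDR (empty outer = everything)."""
    if not outer_cidrs:
        return True
    if not inner_cidrs:
        return False
    outers = [ipaddress.ip_network(c, strict=False) for c in outer_cidrs]
    return all(
        any(o.version == n.version and n.subnet_of(o) for o in outers)
        for n in (ipaddress.ip_network(c, strict=False) for c in inner_cidrs)
    )


def _path_covered(inner_prefix, outer_prefix):
    return not outer_prefix or inner_prefix.startswith(outer_prefix)


def shadowed_rules(rules):
    """(shadowed_priority, shadowing_priority) pairs.

    A rule whose whole match set is already claimed by a higher-priority rule
    can never decide a request, which is how a deny gets silently disabled.
    """
    ordered = validate(rules)
    found = []
    for i, low in enumerate(ordered):
        for high in ordered[:i]:
            if _ranges_covered(low.src_ip_ranges, high.src_ip_ranges) and _path_covered(low.path_prefix, high.path_prefix):
                found.append((low.priority, high.priority))
                break
    return found


# Constructed sample policy: the deny at 2000 is fully inside the allow at 1000.
POLICY = [
    Rule(1000, "allow", ("10.0.0.0/8",), description="corporate egress"),
    Rule(2000, "deny(403)", ("10.1.0.0/16",), description="quarantined subnet (never fires!)"),
    Rule(3000, "deny(404)", (), "/admin", description="hide admin from the internet"),
    Rule(DEFAULT_RULE_PRIORITY, "allow", description="default rule"),
]

if __name__ == "__main__":
    for ip, path in [("10.1.2.3", "/admin"), ("203.0.113.9", "/admin"), ("203.0.113.9", "/")]:
        r = evaluate(POLICY, ip, path)
        print(f"{ip} {path:8} -> priority {r.priority} {r.action} ({r.description})")
    for low, high in shadowed_rules(POLICY):
        print(f"WARNING: rule {low} is shadowed by rule {high}")
```

Run it and the quarantined subnet 10.1.2.3 is allowed into `/admin` by rule 1000 even though rules 2000 and 3000 would both deny it; the shadow check reports `(2000, 1000)`. The practical fix is the one the ordering implies: give the deny a lower priority number than the allow it must override.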