From 7beed3017042af21993eafa7842fa29debb74e60 Mon Sep 17 00:00:00 2001
From: nobletrout <nobletrout@gmail.com>
Date: Mon, 6 Dec 2021 20:28:46 -0500
Subject: [PATCH] docs: provide more information on scanning Google's GCR
 (#1426)

Co-authored-by: Teppei Fukuda <knqyf263@gmail.com>
---
 docs/advanced/private-registries/gcr.md | 37 +++++++++++++++++++++++--
 1 file changed, 35 insertions(+), 2 deletions(-)

diff --git a/docs/advanced/private-registries/gcr.md b/docs/advanced/private-registries/gcr.md
index 5c0371f2e1f6..ac87a4cc9429 100644
--- a/docs/advanced/private-registries/gcr.md
+++ b/docs/advanced/private-registries/gcr.md
@@ -1,7 +1,40 @@
-Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
+# Requirements
+None, Trivy uses Google Cloud SDK. You don't need to install `gcloud` command.
 
-If you want to use target project's repository, you can settle via `GOOGLE_APPLICATION_CREDENTIAL`.
+# Privileges
+Credential file must have the `roles/storage.objectViewer` permissions.
+More information can be found in [Google's documentation](https://cloud.google.com/container-registry/docs/access-control)
+
+## JSON File Format
+The JSON file specified should have the following format provided by google's service account mechanisms:
+
+```json
+{
+  "type": "service_account",
+  "project_id": "your_special_project",
+  "private_key_id": "XXXXXXXXXXXXXXXXXXXXxx",
+  "private_key": "-----BEGIN PRIVATE KEY-----\nNONONONO\n-----END PRIVATE KEY-----\n",
+  "client_email": "somedude@your_special_project.iam.gserviceaccount.com",
+  "client_id": "1234567890",
+  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+  "token_uri": "https://oauth2.googleapis.com/token",
+  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/somedude%40your_special_project.iam.gserviceaccount.com"
+}
+```
+
+# Usage
+If you want to use target project's repository, you can set them via `GOOGLE_APPLICATION_CREDENTIALS`.
 ```bash
 # must set TRIVY_USERNAME empty char
 export GOOGLE_APPLICATION_CREDENTIALS=/path/to/credential.json
 ```
+
+# Testing
+You can test credentials in the following manner (assuming they are in `/tmp` on host machine).
+
+```bash
+docker run -it --rm -v /tmp:/tmp\
+  -e GOOGLE_APPLICATION_CREDENTIALS=/tmp/service_account.json\
+  aquasec/trivy image gcr.io/your_special_project/your_special_image:your_special_tag
+```