Configure artifact guard policies

This document describes how to create and manage artifact guard policies. For an overview of the service, features, and benefits, see the Artifact guard overview.

Before you begin

Before you can create an artifact guard policy, you must enable artifact guard in Security Command Center and obtain the required Identity and Access Management (IAM) roles and permissions.

Then, you can create a policy in the Google Cloud console or using Google Cloud CLI.

Enable artifact guard

Follow the steps in Configure Security Command Center services to enable artifact guard.

Required role

To get the permissions that you need to use artifact guard, ask your administrator to grant you the following Identity and Access Management (IAM) role on your project or organization:

  • Artifact Scan Guard Evaluation Admin (roles/artifactscanguard.policyEvaluator)

This role can be granted using the Google Cloud console or by running the following Google Cloud CLI command:

project

  gcloud projects add-iam-policy-binding PROJECT_ID \
        --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
        --role="roles/artifactscanguard.policyEvaluator"

Replace the following:

  • PROJECT_ID
  • YOUR_SERVICE_ACCOUNT_EMAIL

organization

  gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
        --member="serviceAccount:YOUR_SERVICE_ACCOUNT_EMAIL" \
        --role="roles/artifactscanguard.policyEvaluator"

Replace the following:

  • ORGANIZATION_ID
  • YOUR_SERVICE_ACCOUNT_EMAIL

For more information about granting roles, see Manage access to projects, folders, and organizations.

For more artifact guard roles, see Artifact guard roles and permissions.

Create a policy in the Google Cloud console

To create an artifact guard policy in the Google Cloud console, follow these steps:

  1. In the Google Cloud console, go to Security > Rules, and click Create artifact guard policy or Create policy.

  2. Enter a Policy ID and Description for the policy, then click Continue.

  3. Select policy scopes and actions:

    • CI/CD platform

      • Select connector(s): The connectors this policy should be associated with. For every CI/CD build associated with the selected connectors, this policy will be evaluated.
      • Policy action: Select the action to take when the policy is violated.
        • Block builds failing the policy
        • Pass builds with alerts: CI/CD scanner policy evaluation results are displayed in the connected build pipelines.
    • Registry

      • Container Analysis Projects: This is only applicable to organizations, not projects. Add the Google Cloud projects you want this policy to be applied to.
      • Artifact Registry repositories: Select the repositories you want this policy to be applied to. These must be valid Artifact Registry repositories. If left blank, the policy will be applied to all repositories.
      • Policy Action: Select the action to take when the policy is violated.
        • Audit only: The policy is evaluated and any violations are logged for auditing purposes without blocking the resource. To see any violations, you must call the API using ListArtifactPoliciesEvaluations and GetArtifactPoliciesEvaluation.
        • Admission control: If a violation occurs while the policy is evaluated, the resource is blocked from proceeding.
          • Set Binary Authorization policies to dry run mode: See Enable dry-run mode for more information.
          • Binary Authorization Projects: This is only applicable to organizations, not projects. Add the Google Cloud projects you want admission control to be applied to.
          • GKE clusters: If left blank, admission control is applied to all GKE clusters.
          • Override Binary Authorization policies: This checkbox must be selected to update the Binary Authorization policy for admission control.
    • Runtime

      • Runtime projects: This is only applicable to organizations, not projects. Add runtime projects that contain GKE clusters.
      • GKE clusters: Select the GKE clusters you want this policy to be applied to. If left blank, the policy will be applied to all GKE clusters in the selected projects.
  4. Define the policy rule. A policy rule is a set of criteria that determines which vulnerabilities and packages are allowed in your environment. A policy rule includes the following:

    • Severity threshold: Set the minimum severity level for a vulnerability to be included in policy evaluation. Vulnerabilities must meet or exceed this threshold to be included.

      For example, configuring the rule to Medium includes all Medium, High, and Critical vulnerabilities in the assessment.

    • Vulnerability count threshold: Sets the maximum number of allowed vulnerabilities after other policy filters are applied. The policy is violated only if the count of these specific, filtered vulnerabilities exceeds the limit.

      For example, if you set a Severity threshold of High, exclude vulnerabilities with unavailable fixes, and set a count threshold of five, a build fails if it contains more than five fixable vulnerabilities that are rated High or Critical.

    • Vulnerability status: Specify whether to include only vulnerabilities for which a fix is available. This allows prioritized remediation by targeting all vulnerabilities or only fixable ones.

    • Exceptions and Restrictions: These sections let you create specific allowances or blocks that override the general policy.

      • Exempted CVEs: Specify CVEs that are deemed acceptable in your environment for a specified duration. This is helpful for implementing temporary workarounds. You can set an expiration date for these exceptions. After this date, the vulnerability is no longer permitted and causes the policy to fail.
      • Restricted CVEs: Specify CVEs to always block, regardless of their severity rating. This is particularly useful for denoting vulnerabilities that present a unique risk to your specific application or infrastructure.
      • Allowed packages: List packages considered secure. Package version can be defined; otherwise, all versions are allowed.
      • Restricted packages: List packages to restrict. Restricted packages cause the policy to fail. Package version can be defined; otherwise, all versions are restricted.
  5. Click Create.

Available artifact guard policies are listed in the table on the Rules page.
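
The following added example (not part of the original page, and not the service's implementation) models how the rule settings in step 4 combine, using the page's own case of a High severity threshold, fixable-only status and a count threshold of five. The field names, finding structure, dates and CVE IDs are constructed for illustration; package lists are left out, and an expired exemption is assumed to make the CVE count like any other.

```python
from datetime import datetime, timezone

RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def evaluate(rule, findings, now):
    """Apply the rule to a list of findings; return (violated, reasons)."""
    reasons, counted = [], []
    exempted = rule.get("exempted_cves", {})
    for f in findings:
        # Restricted CVEs block regardless of severity, so check them first.
        if f["cve"] in rule.get("restricted_cves", set()):
            reasons.append(f"restricted CVE {f['cve']} present")
            continue
        # Severity threshold: keep findings that meet or exceed it.
        if RANK[f["severity"]] < RANK[rule["severity_threshold"]]:
            continue
        # Vulnerability status: optionally keep only fixable findings.
        if rule.get("fixable_only") and not f["fix_available"]:
            continue
        # Exemptions apply until their expiration; None means no expiration.
        # Assumption: once expired, the CVE is evaluated like any other.
        if f["cve"] in exempted:
            expires = exempted[f["cve"]]
            if expires is None or now < expires:
                continue
        counted.append(f["cve"])
    # The count threshold applies to what is left after the filters, and the
    # rule is violated only when the count exceeds it (an equal count passes).
    if len(counted) > rule["max_count"]:
        reasons.append(f"{len(counted)} counted vulnerabilities exceed limit {rule['max_count']}")
    return bool(reasons), reasons


def finding(cve, severity, fix_available=True):
    return {"cve": cve, "severity": severity, "fix_available": fix_available}


# Constructed inputs: the CVE IDs and dates are placeholders, not real advisories.
NOW = datetime(2026, 1, 1, tzinfo=timezone.utc)
RULE = {
    "severity_threshold": "HIGH", "fixable_only": True, "max_count": 5,
    "exempted_cves": {"CVE-2099-1001": datetime(2026, 6, 1, tzinfo=timezone.utc),   # in force
                      "CVE-2099-1002": datetime(2025, 6, 1, tzinfo=timezone.utc)},  # expired
    "restricted_cves": {"CVE-2099-1003"},
}
FIVE_FIXABLE = [finding(f"CVE-2099-000{i}", "HIGH") for i in range(1, 6)]
NOISE = [finding("CVE-2099-0100", "CRITICAL", fix_available=False),
         finding("CVE-2099-0101", "MEDIUM")]


def scenarios():
    """Return the verdict (True = policy violated) for each constructed build."""
    builds = {
        "five fixable HIGH plus filtered noise": FIVE_FIXABLE + NOISE,
        "sixth fixable CRITICAL": FIVE_FIXABLE + [finding("CVE-2099-0006", "CRITICAL")],
        "exemption in force": FIVE_FIXABLE + [finding("CVE-2099-1001", "HIGH")],
        "exemption expired": FIVE_FIXABLE + [finding("CVE-2099-1002", "HIGH")],
        "restricted CVE rated LOW": [finding("CVE-2099-1003", "LOW")],
    }
    return {name: evaluate(RULE, fs, NOW)[0] for name, fs in builds.items()}


if __name__ == "__main__":
    for name, violated in scenarios().items():
        print(f"{'FAIL' if violated else 'pass'}  {name}")
```
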

Create a policy using Google Cloud CLI

This section outlines the gcloud CLI commands available for artifact guard and how to use them.

Google Cloud CLI prerequisites

  • Ensure your gcloud CLI version is 559.0.0 or higher.
  • Set your project as the config project.

To do this, run the following gcloud CLI commands:

   gcloud components update --version=559.0.0
   gcloud config set project PROJECT_ID

Google Cloud CLI commands

create

gcloud alpha scc artifact-guard policies create \
    (POLICY --location=LOCATION (--organization=ORGANIZATION_ID | --project=PROJECT_NUMBER)) \
    --policy-file-path=PATH_TO_FILE
  • POLICY: The complete identifier for the policy, in one of the following formats:
    • {organizations/ORGANIZATION_ID/locations/LOCATION/policies/POLICY_ID}
    • {projects/PROJECT_NUMBER/locations/LOCATION/policies/POLICY_ID}
    • {policy_id --location=LOCATION (--organization=ORGANIZATION_ID | --project=PROJECT_NUMBER)}
  • PATH_TO_FILE: The local path to the YAML document containing the policy definition. See the YAML file section of this document for details on the YAML file structure.

get

gcloud alpha scc artifact-guard policies describe \
    (POLICY --location=LOCATION (--organization=ORGANIZATION_ID | --project=PROJECT_NUMBER))
  • POLICY: The complete identifier for the policy, in one of the following formats:
    • {organizations/ORGANIZATION_ID/locations/LOCATION/policies/POLICY_ID}
    • {projects/PROJECT_NUMBER/locations/LOCATION/policies/POLICY_ID}
    • {policy_id --location=LOCATION (--organization=ORGANIZATION_ID | --project=PROJECT_NUMBER)}

list

gcloud alpha scc artifact-guard policies list PARENT
  • PARENT: An organization or project. Acceptable formats for the parent resource include:
    • {organizations/ORGANIZATION_ID/locations/LOCATION}
    • {projects/PROJECT_NUMBER/locations/LOCATION}

delete

gcloud alpha scc artifact-guard policies delete \
    (POLICY --location=LOCATION (--organization=ORGANIZATION_ID | --project=PROJECT_NUMBER)) \
    [--etag=ETAG]
  • POLICY: The complete identifier for the policy, in one of the following formats:
    • {organizations/ORGANIZATION_ID/locations/LOCATION/policies/POLICY_ID}
    • {projects/PROJECT_NUMBER/locations/LOCATION/policies/POLICY_ID}
    • {policy_id --location=LOCATION (--organization=ORGANIZATION_ID | --project=PROJECT_NUMBER)}
  • --etag: Optional. Used for concurrency control. The request proceeds only if the value matches the resource's current etag.

update

gcloud alpha scc artifact-guard policies update \
    (POLICY --location=LOCATION (--organization=ORGANIZATION_ID | --project=PROJECT_NUMBER)) \
    --policy-file-path=PATH_TO_FILE [--allow-missing] \
    [--update-mask=UPDATE_MASK]
  • POLICY: The complete identifier for the policy, in one of the following formats:
    • {organizations/ORGANIZATION_ID/locations/LOCATION/policies/POLICY_ID}
    • {projects/PROJECT_NUMBER/locations/LOCATION/policies/POLICY_ID}
    • {policy_id --location=LOCATION (--organization=ORGANIZATION_ID | --project=PROJECT_NUMBER)}
  • PATH_TO_FILE: The local path to the YAML document containing the definition of fields to be updated.
  • --allow-missing: Optional boolean. If true, creates a new policy if the specified policy doesn't exist.
  • --update-mask: Comma-separated list of fields to update. An empty string or "*" means a full policy update. Valid fields for the update mask include:
    • display_name
    • description
    • scope
    • enablement_state
    • vulnerability_policy
    • annotations

YAML file

A YAML file for an artifact guard policy definition must follow this template:

  displayName: <Human readable display name for the policy>
  description: <Description of the policy>

  vulnerabilityPolicy: # (at least one of these rules must be defined)
    exemptedCves:
      - id: <cve-id-1>
        gracePeriodExpirationTime: <optional-grace-period-expiration-time>
      - id: <cve-id-2>
        gracePeriodExpirationTime: <optional-grace-period-expiration-time>

    maxAllowedSeverity: <The maximum severity allowed in the detected
    vulnerabilities. The severity values can be LOW, MEDIUM, HIGH, CRITICAL>

    maximumAllowedVulnerabilities: <The maximum number of vulnerabilities that
    can be detected>

    excludeUnfixable: <Whether to exclude the vulnerabilities without an
    available fix from the purview of the policy evaluation>

    restrictedCves:
      - <restricted-cve-id-1>
      - <restricted-cve-id-2>

    allowedPackages:
      - name: <allowed_package_name_1>
        version: <optional_version_of_allowed_package_1. If unspecified, all the
        versions of the package are allowed>
      - name: <allowed_package_name_2>
        version: <optional_version_of_allowed_package_2>

    restrictedPackages:
      - name: <restricted_package_name_1>
        version: <optional_version_of_restricted_package_1. If unspecified, all
        the versions of the package are restricted>
      - name: <restricted_package_name_2>
        version: <optional_version_of_restricted_package_2>

  scope:
    pipeline:
      connectorIds:
        - <connector_id_1>
        - <connector_id_2>
      enforcementAction: <action to take in case the policy evaluation fails.
      The supported values are AUDIT_ONLY or BLOCK_BUILD>

    registry:
      projectIds:
        - <project_id_1>
      garRepositoryNamePatterns:
        - <repository_name_pattern_1>
      imageNamePatterns:
        - <image_name_pattern_1>
      enforcementAction: <AUDIT_ONLY or ADMISSION_CONTROL>
      admissionControl:
        deploymentProjectIds:
          - <project_id_1>
        gkeClusterNames:
          - <cluster_name_1>
        dryRun: <bool>
        overrideBinauthzPolicy: <bool>

    runtime:
        deploymentProjectIds:
          - <project_id_1>
        gkeClusterNames:
          - <cluster_name_1>
        dryRun: <bool>
        overrideBinauthzPolicy: <bool>
        enforcementAction: <AUDIT_ONLY or BLOCK_DEPLOYMENT>

  enablementState: <The enablement state of the policy. The supported values are
  ACTIVE, INACTIVE>

The following is a sample artifact guard policy file:

  displayName: 'A sample policy'
  description: Vulnerability Policy
  vulnerabilityPolicy:
    exemptedCves:
      - id: CVE-2022-40897
        gracePeriodExpirationTime: '2026-09-10T18:58:08Z'
      - id: CVE-2024-6345
    maxAllowedSeverity: MEDIUM
    maximumAllowedVulnerabilities: 5
    excludeUnfixable: true
    restrictedCves:
      - CVE-2013-4392
      - CVE-2024-4143
    allowedPackages:
      - name: systemd
        version: '257.7'
      - name: util-linux
    restrictedPackages:
      - name: ncurses
        version: 6.5+20250216
      - name: setuptools
  scope:
    pipeline:
      connectorIds:
        - organizations/123/locations/global/connectors/demoConnector
      enforcementAction: BLOCK_BUILD
    registry:
      projectIds:
        - projects/my-registry-project-id
        - projects/another-registry-project
      garRepositoryNamePatterns:
        - us-west1-docker.pkg.dev/my-registry-project-id/my-repo
        - gcr.io/team-a/internal-artifacts
      imageNamePatterns:
        - my-repo/service-a:.*
        - my-repo/service-b:v1\..*
      enforcementAction: ADMISSION_CONTROL
      admissionControl:
        deploymentProjectIds:
          - projects/my-deployment-project
        gkeClusterNames:
          - //container.googleapis.com/projects/my-deployment-project/locations/us-central1/clusters/gke-cluster-a
          - //container.googleapis.com/projects/my-deployment-project/locations/us-central1/clusters/gke-cluster-b
        dryRun: true
        overrideBinauthzPolicy: true
    runtime:
      deploymentProjectIds:
        - projects/my-deployment-project
      gkeClusterNames:
        - //container.googleapis.com/projects/my-deployment-project/locations/us-central1/clusters/gke-cluster-a
        - //container.googleapis.com/projects/my-deployment-project/locations/us-central1/clusters/gke-cluster-b
      dryRun: false
      overrideBinauthzPolicy: false
      enforcementAction: BLOCK_DEPLOYMENT
  enablementState: ACTIVE

Performance and limitations

  • Maximum policies per parent resource: A parent resource (organization or project) can define a maximum of 1,000 policies. This includes all types of security policies configured within artifact guard.
  • Maximum vulnerability policies per parent resource: Within the overall policy limit, there's a limit on the number of policies focused on vulnerability findings. A parent resource (organization or project) can have a maximum of 500 policies that target vulnerabilities.
  • Maximum policies per pipeline: For each individual CI/CD pipeline where artifact guard policies are integrated for build time enforcement, a maximum of 100 policies is allowed.
  • Maximum updates per policy per week: For each policy, a maximum of 100 updates can be made every week.
  • Maximum pipeline connectors per policy: Each policy can have a maximum of 100 pipeline connectors associated with it.
  • Maximum Exempted and Restricted CVEs per policy: Each policy can exempt and restrict a maximum of 100 CVEs.
  • Maximum Allowed and Restricted packages per policy: Each policy can allow and restrict a maximum of 100 packages.

For additional constraints, see Troubleshooting.

Troubleshooting

This section outlines artifact guard policy fields and common errors with their resolutions.

Policy validation

Artifact guard validates policy definitions when you create or update policies. If validation fails, artifact guard rejects the request and provides a detailed error message.

General policy fields

| Name | Description | Required | Constraints | Sample Values |
|---|---|---|---|---|
| Parent | Defines the policy's application scope. | Yes | Only policies in the global location are supported. | organizations/123/locations/global, projects/123/locations/global |
| Policy ID | A unique identifier for the policy. | Yes | Up to 100 characters. Must start with a letter, end with an alphanumeric character, and only contain letters, numbers, hyphens, or underscores. | my-policy-1 |
| Display Name | A human-readable name for the policy. | No | Up to 63 characters. Recommended to be unique. | My vulnerability policy |
| Description | A description of the policy. | No | Up to 2048 characters. | Checks for critical vulnerabilities. |
| Policy Type | The type of policy being defined. | Yes | Only vulnerability_policy is supported. | vulnerability_policy |
| Enablement State | The enablement state of the policy. | Yes | Must be ACTIVE or INACTIVE. | ACTIVE |

Vulnerability Policy

| Name | Description | Multi-valued | Constraints | Sample Values |
|---|---|---|---|---|
| maximumAllowedVulnerabilities | Maximum number of vulnerabilities allowed before the policy is violated. | No | Must be a non-negative number if set. | 10 |
| maxAllowedSeverity | Maximum severity of vulnerabilities that are allowed by the policy. | No | Must be either LOW, MEDIUM, HIGH or CRITICAL. | |
| exemptedCves | List of CVEs that are exempt from this policy. | Yes | Up to 100 entries. Each ID must be in CVE-YYYY-NNNN format. Grace period expiration, if provided, must be a valid timestamp. Cannot overlap with restrictedCves. | [{id: CVE-2024-12345, gracePeriodExpirationTime: 2027-01-01T00:00:00Z}, {id: CVE-2025-4000}] |
| restrictedCves | List of CVEs that are explicitly disallowed by this policy. | Yes | Up to 100 entries. Each ID must be in CVE-YYYY-NNNN format. Cannot overlap with exemptedCves. | [CVE-2024-54321, CVE-2025-5001] |
| allowedPackages | List of packages that are allowed, potentially overriding other rules. | Yes | Up to 100 entries. Package names cannot be empty. Cannot conflict with restrictedPackages. | [{name: nginx, version: 1.0}, {name: python, version: 3.12.4}] |
| restrictedPackages | List of packages that are explicitly disallowed. | Yes | Up to 100 entries. Package names cannot be empty. Cannot conflict with allowedPackages. | [{name: npm, version: 9.0.0}] |
| excludeUnfixable | Whether to exclude vulnerabilities that have no available fix. | No | Boolean. Default is false. | true |
| exemptionDaysPostDisclosure | Number of days to exempt vulnerabilities after their disclosure date. | No | Must be a non-negative number, if set. Default is 0. | 30 |

Policy scope

Pipeline scope

| Name | Description | Required | Constraints | Sample Values |
|---|---|---|---|---|
| connectorIds | List of Connector IDs that the policy applies to during CI/CD pipeline scanning. | Yes | Minimum 1 entry, maximum 100 entries. Your organization or project must be onboarded to CI/CD scanning. Each ID must follow the correct format, belong to your organization or project, and point to an existing connector. | organizations/123/locations/global/connectors/connector-1, projects/123/locations/global/connectors/connector-1 |
| enforcementAction | Action to take when the policy is violated. | Yes | Must be either AUDIT_ONLY or BLOCK_BUILD. | BLOCK_BUILD |

Registry scope

| Name | Description | Required | Constraints | Sample Values |
|---|---|---|---|---|
| projectIds | List of project IDs where the policy applies. | No | Min 1 entry. Each ID must be a valid Google Cloud project ID. | projects/123, projects/456 |
| garRepositoryNamePatterns | List of Google Cloud Artifact Registry repository name patterns. | No | Max 100 entries. Must be a valid Google Cloud Artifact Registry repository pattern. | us-west1-docker.pkg.dev/my-project/my-repo, gcr.io/team-a/* |
| imageNamePatterns | Regular expression patterns for fully qualified image names. | No | Max 100 entries. Must be a valid regular expression. | 'my-repo/service-a:.*', 'my-repo/service-b:v1\..*' |
| enforcementAction | The action to take when the policy is violated. | Yes | Must be either AUDIT_ONLY or ADMISSION_CONTROL. | ADMISSION_CONTROL |
| admissionControl | Configuration details for admission control. | No | Must be present if enforcementAction is ADMISSION_CONTROL. | |

Runtime scope

The runtime scope allows artifact guard to monitor container images actively running within your GKE environment. When a policy is applied to this scope, Security Command Center vulnerability findings are automatically enhanced with policy metadata for images deployed in the specified projects or clusters.

| Name | Description | Required | Constraints | Sample Values |
|---|---|---|---|---|
| projectIds | List of project IDs where GKE clusters are deployed and vulnerability assessment is enabled. | Yes | Must be selected at the organization level. | projects/my-gke-deployment-123 |
| gkeClusterNames | Specific GKE clusters for which the policy needs to be evaluated. | No | Can be selected at the organization or project level. | projects/prod-env/locations/us-central1/clusters/main-cluster |

If a container image running in a monitored GKE cluster violates a policy, the ArtifactGuardPolicies metadata is added to the Security Command Center vulnerability finding message, as follows:

// Added to the SCC 'message Finding'
ArtifactGuardPolicies artifact_guard_policies = X;

message ArtifactGuardPolicies {
  string resource_id = 1;     // e.g., //us-docker.pkg.dev/google-samples/containers/gke/security/...
  repeated Policy failing_policies = 2;
}

message Policy {
  enum Type {
    TYPE_UNSPECIFIED = 0;
    VULNERABILITY = 1;
  }
  Type type = 1;
  string policy_id = 2;     // e.g., organizations/3392779/locations/global/policies/prod-policy
  string failure_reason = 3;     // e.g., severity=HIGH AND max_vuln_count=2
}

Enforcement action

For BLOCK_BUILD and BLOCK_DEPLOYMENT actions, the policy evaluation returns a recommended enforcement action. However, you must configure the actual enforcement in the pipeline configuration using this recommendation.

Policy deletion

Active policies cannot be deleted; a delete request for an active policy fails with a FAILED_PRECONDITION error. To delete a policy, first set its state to Inactive.

Common errors

The following table outlines some common errors and how to resolve them.

| Error Message Hint | Cause | Resolution |
|---|---|---|
| parent is required | The parent field is missing from the request. | Provide a valid parent in one of the following formats: organizations/{org_id}/locations/global or projects/{project_number}/locations/global. |
| policy definition is required | The policy object is missing from the request. | Provide a valid policy object in the request. |
| display name has a maximum length of... | The display name exceeds 63 characters. | Shorten the display name to 63 characters or less. |
| description has a maximum length of... | The description exceeds 2048 characters. | Shorten the description to 2048 characters or less. |
| policy type is required | Policy type (for example, vulnerabilityPolicy) is missing from the request. | Add a vulnerabilityPolicy or other policy type to your policy. |
| enablement state is invalid | An invalid or deprecated enablement state was used. | Use ACTIVE or INACTIVE. |
| scope is required | No scope (Pipeline, Registry, or Runtime) was defined. | Add at least one valid scope to your policy. |
| CVE name must be in the format... | A CVE ID in exemptedCves or restrictedCves is invalid. | Ensure all CVE IDs follow the CVE-YYYY-NNNN format. |
| CVE ... cannot be exempted and restricted | The same CVE ID exists in both exemptedCves and restrictedCves. | Remove the CVE from one of the lists. |
| package name cannot be empty | A package in allowedPackages or restrictedPackages has an empty name. | Provide a name for all packages. |
| package ... cannot be allowed and restricted | The same package is listed in both allowedPackages and restrictedPackages. | Remove the package from one of the lists. |
| connector IDs are required | The connectorIds field is missing in a Pipeline scope. | Provide at least one Connector ID. |
| connector ID must be in the format... | A Connector ID is malformed. | Ensure IDs are in one of the following formats: organizations/{org_id}/locations/global/connectors/{connector_id} or projects/{project_number}/locations/{location}/connectors/{connector_id}. |
| connector ID ... does not exist | A specified connector ID does not exist. | Verify that the connector exists or remove it from the list. |
| GAR repository name pattern must be... | An invalid repository pattern was provided in a Registry scope. | Ensure patterns match valid Google Cloud Artifact Registry repository formats. |
| project ID must be a valid GCP project ID... | An invalid project ID was provided in a Registry or Runtime scope. | Provide valid Google Cloud project IDs. |
| enforcement action should be specified | The enforcementAction is missing in a Pipeline or Runtime scope. | Set the enforcement action (for example, AUDIT_ONLY, BLOCK_BUILD (Pipeline only), or BLOCK_DEPLOYMENT (Runtime only)). |
| number of policies per organization exceeds the limit... | You have reached the maximum number of policies (1000) for your organization. | Delete unused policies before creating new ones. |
| number of vulnerability policies ... exceeds the limit... | You have reached the maximum number of vulnerability policies (500). | Delete unused vulnerability policies before creating new ones. |
| number of policies per pipeline exceeds the limit... | A connector is associated with more than 100 policies. | Reduce the number of policies associated with the connector. |
| number of policy revisions ... exceeds the limit... | You have updated a policy more than 100 times in 7 days. | Wait or reduce update frequency. |
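
A pre-flight check for a policy definition, written against the constraints in the validation tables above so that mistakes surface before the create or update request is sent. This is an added example, not part of the original page or of artifact guard: lint_policy, its messages and BAD_POLICY are constructed here, the policy is passed as an already-parsed dictionary, and the package-conflict rule and CVE digit count are assumptions marked in the comments.

```python
import re
from datetime import datetime

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")  # assumption: NNNN means four or more digits
CONNECTOR_RE = re.compile(r"^(organizations|projects)/[^/]+/locations/[^/]+/connectors/[^/]+$")
SEVERITIES = {"LOW", "MEDIUM", "HIGH", "CRITICAL"}
ACTIONS = {"pipeline": {"AUDIT_ONLY", "BLOCK_BUILD"},
           "registry": {"AUDIT_ONLY", "ADMISSION_CONTROL"},
           "runtime": {"AUDIT_ONLY", "BLOCK_DEPLOYMENT"}}


def _valid_timestamp(value):
    try:
        datetime.fromisoformat(str(value).replace("Z", "+00:00"))
        return True
    except ValueError:
        return False


def _package_conflicts(allowed, restricted):
    # Assumption: same name, and versions equal or either one unset (= all versions).
    return sorted({a["name"] for a in allowed for r in restricted
                   if a.get("name") and a.get("name") == r.get("name")
                   and (not a.get("version") or not r.get("version")
                        or str(a["version"]) == str(r["version"]))})


def lint_policy(policy):
    """Return a list of problems; an empty list means every check passed."""
    errs = []
    if policy.get("enablementState") not in {"ACTIVE", "INACTIVE"}:
        errs.append("enablementState must be ACTIVE or INACTIVE")
    vp = policy.get("vulnerabilityPolicy") or {}
    if not vp:
        errs.append("vulnerabilityPolicy is required")
    if vp.get("maxAllowedSeverity", "LOW") not in SEVERITIES:
        errs.append("maxAllowedSeverity must be LOW, MEDIUM, HIGH or CRITICAL")
    exempted, restricted = vp.get("exemptedCves", []), vp.get("restrictedCves", [])
    for cve in [e.get("id", "") for e in exempted] + restricted:
        if not CVE_RE.match(cve):
            errs.append(f"CVE {cve!r} is not in CVE-YYYY-NNNN format")
    for e in exempted:
        if "gracePeriodExpirationTime" in e and not _valid_timestamp(e["gracePeriodExpirationTime"]):
            errs.append(f"{e.get('id')}: invalid gracePeriodExpirationTime")
    for cve in sorted({e.get("id", "") for e in exempted} & set(restricted)):
        errs.append(f"CVE {cve} cannot be exempted and restricted")
    allowed_p, restricted_p = vp.get("allowedPackages", []), vp.get("restrictedPackages", [])
    if any(not p.get("name") for p in allowed_p + restricted_p):
        errs.append("package name cannot be empty")
    errs += [f"package {n} cannot be allowed and restricted"
             for n in _package_conflicts(allowed_p, restricted_p)]
    scope = policy.get("scope") or {}
    if not any(kind in scope for kind in ACTIONS):
        errs.append("scope is required")
    for kind in ACTIONS:
        if kind in scope and scope[kind].get("enforcementAction") not in ACTIONS[kind]:
            errs.append(f"{kind}: enforcementAction must be one of {sorted(ACTIONS[kind])}")
    if "pipeline" in scope:
        ids = scope["pipeline"].get("connectorIds", [])
        if not 1 <= len(ids) <= 100:
            errs.append("pipeline: between 1 and 100 connectorIds are required")
        errs += [f"connector ID {c!r} is malformed" for c in ids if not CONNECTOR_RE.match(c)]
    registry = scope.get("registry", {})
    if registry.get("enforcementAction") == "ADMISSION_CONTROL" and "admissionControl" not in registry:
        errs.append("registry: admissionControl is required for ADMISSION_CONTROL")
    return errs


# Constructed policy with deliberate mistakes (not the page's sample policy).
BAD_POLICY = {
    "enablementState": "ACTIVE",
    "vulnerabilityPolicy": {
        "exemptedCves": [{"id": "CVE-2024-12345", "gracePeriodExpirationTime": "2027-01-01T00:00:00Z"}],
        "restrictedCves": ["CVE-2024-12345", "CVE-24-1"],
        "allowedPackages": [{"name": "nginx"}],
        "restrictedPackages": [{"name": "nginx", "version": "1.0"}],
    },
    "scope": {"pipeline": {"connectorIds": [], "enforcementAction": "BLOCK_DEPLOYMENT"},
              "registry": {"enforcementAction": "ADMISSION_CONTROL"}},
}


if __name__ == "__main__":
    print("\n".join(lint_policy(BAD_POLICY)))
```
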

Common operational issues

Besides policy content validation failures, issues can arise with the underlying Google Cloud control plane. These issues can affect API requests, long-running operations, and resource states, typically appearing as specific error codes or unusual behavior.

| Issue | Symptom(s) | How to Troubleshoot |
|---|---|---|
| Concurrent Modification | UpdatePolicy or DeletePolicy fails with an ABORTED error code and "Provided etag is out of date" message. | Troubleshooting: This happens when the etag in your request doesn't match the policy's current server version, indicating a modification by another request. Resolution: Read the policy again to get the latest etag, then retry the request with the new etag. |
| Request Validated but Not Executed | A CreatePolicy, UpdatePolicy, or DeletePolicy request returns successfully, but you observe no change to the resource. | Troubleshooting: This typically occurs when validate_only: true is set in the request. This flag instructs the service to perform all validations without committing any changes. Resolution: Set validate_only to false or omit the field in your request. |
| Update Creates a New Policy | An UpdatePolicy request creates a policy instead of returning a "not found" error when the policy doesn't exist. | Troubleshooting: This is the intended behavior when allow_missing: true is included in an UpdatePolicyRequest. Resolution: If you only want to update an existing policy, set allow_missing to false or omit the field. |
| Permission Denied or API Not Enabled | Requests fail with PERMISSION_DENIED or an error message like "Artifact Guard API has not been used in the project before or it is disabled." | Troubleshooting: The API might be disabled, or the caller may not have sufficient permissions. Resolution: In your Google Cloud project, enable the Artifact Guard API (artifactscanguard.googleapis.com). Confirm that the user or service account performing the operation has the necessary IAM roles. |
| Operation Timeout | A request that returns a long-running operation (LRO) takes too long to complete or fails with DEADLINE_EXCEEDED. | Troubleshooting: This may indicate a temporary slowdown or issue in the backend service. Resolution: Poll the LRO status. If it fails or times out, retry the operation after a few moments. If the issue persists, check the Google Cloud Status Dashboard for any ongoing incidents or contact Google Cloud Support. |