Skip to content

Instantly share code, notes, and snippets.

@deepansharya1111

deepansharya1111/Inspect Code from Artifact Registry.md

Created December 27, 2025 19:11
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save deepansharya1111/53dce5e96874c8b4f6d47a550509e7b4 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save deepansharya1111/53dce5e96874c8b4f6d47a550509e7b4 to your computer and use it in GitHub Desktop.
Download ZIP
Pull a container image from Artifact Registry, and inspect the application code if available
Raw
Inspect Code from Artifact Registry.md

Retrieve and Inspect Cloud Run Artifact Images (Generalized Guide)

This guide helps you pull a container image from Artifact Registry, extract files (e.g., app source under /app), and capture environment details. Use the parameter placeholders to adapt to any project.

Prerequisites

  • Artifact Registry read access: roles/artifactregistry.reader on the repository (or project).
  • Cloud Shell or any environment with Docker and gcloud installed.

Parameters

  • PROJECT_ID: Your GCP project ID
  • REGION: Artifact Registry region (e.g., us-central1)
  • REPO_NAME: Artifact Registry repository name
  • IMAGE_NAME: Container image name
  • TAG: Image tag (e.g., latest) or digest (e.g., sha256:...)

1) Set project and grant read access (if needed)

Generalized:

gcloud config set project PROJECT_ID
# From a privileged account, grant Artifact Registry read access:
# Project-level:
# gcloud projects add-iam-policy-binding PROJECT_ID \
#   --member="user:OTHER_EMAIL" \
#   --role="roles/artifactregistry.reader"
# Repository-level:
# gcloud artifacts repositories add-iam-policy-binding REPO_NAME \
#   --location=REGION \
#   --member="user:OTHER_EMAIL" \
#   --role="roles/artifactregistry.reader"

Example used:

gcloud config set project gen-ai-data-poc
# gcloud artifacts repositories add-iam-policy-binding cloud-run-source-deploy \
#   --location=us-central1 \
#   --member="user:OTHER_EMAIL" \
#   --role="roles/artifactregistry.reader"

2) Configure Docker auth and pull the image

Generalized:

gcloud auth configure-docker REGION-docker.pkg.dev

# Pull by tag
docker pull REGION-docker.pkg.dev/PROJECT_ID/REPO_NAME/IMAGE_NAME:TAG

# Or pin by digest
# docker pull REGION-docker.pkg.dev/PROJECT_ID/REPO_NAME/IMAGE_NAME@sha256:DIGEST

Example used:

gcloud auth configure-docker us-central1-docker.pkg.dev

docker pull us-central1-docker.pkg.dev/gen-ai-data-poc/cloud-run-source-deploy/generative-sketch-animator-long:latest
# docker pull us-central1-docker.pkg.dev/gen-ai-data-poc/cloud-run-source-deploy/generative-sketch-animator-long@sha256:ee3b7def97402f8d36d790a726bd5133ea88ef3c18db68009a17c0f40b0b3a1a

3) Extract files from the image

Generalized:

CID=$(docker create REGION-docker.pkg.dev/PROJECT_ID/REPO_NAME/IMAGE_NAME:TAG)

# Option A: Copy entire filesystem (large)
docker cp "$CID":/ ./fs

# Option B: Copy common app directories
# docker cp "$CID":/app ./app
# docker cp "$CID":/usr/src/app ./usr-src-app

docker rm "$CID"

Example used:

CID=$(docker create us-central1-docker.pkg.dev/gen-ai-data-poc/cloud-run-source-deploy/generative-sketch-animator-long:latest)
docker cp "$CID":/app ./app
docker rm "$CID"

4) Capture environment details (if source isn’t present)

Generalized:

# Python dependencies
docker run --rm REGION-docker.pkg.dev/PROJECT_ID/REPO_NAME/IMAGE_NAME:TAG python -m pip freeze > requirements.txt

# Debian/Ubuntu packages
docker run --rm REGION-docker.pkg.dev/PROJECT_ID/REPO_NAME/IMAGE_NAME:TAG dpkg -l > packages.txt

# Alpine packages
docker run --rm REGION-docker.pkg.dev/PROJECT_ID/REPO_NAME/IMAGE_NAME:TAG sh -c "apk info -vv" > apk-packages.txt

Example used:

docker run --rm us-central1-docker.pkg.dev/gen-ai-data-poc/cloud-run-source-deploy/generative-sketch-animator-long:latest python -m pip freeze > requirements.txt
docker run --rm us-central1-docker.pkg.dev/gen-ai-data-poc/cloud-run-source-deploy/generative-sketch-animator-long:latest dpkg -l > packages.txt
# docker run --rm us-central1-docker.pkg.dev/gen-ai-data-poc/cloud-run-source-deploy/generative-sketch-animator-long:latest sh -c "apk info -vv" > apk-packages.txt

5) Optional: Find the image reference from Cloud Run

Generalized:

gcloud run services describe SERVICE_NAME --region REGION --format='value(spec.template.spec.containers[0].image)'

Example used:

gcloud run services describe GENERATIVE_SERVICE --region us-central1 --format='value(spec.template.spec.containers[0].image)'

Notes

  • Final production images often don’t include original source—multi-stage builds copy only build artifacts. If /app or /usr/src/app is present, you can recover code there.
  • If you plan ongoing collaboration, push recovered code into a shared Git repo (Cloud Source Repositories or GitHub) and deploy Cloud Run from that repo.
  • Ensure secrets are not embedded in images or code. Use Secret Manager for sensitive values.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment