diff --git a/modules/artifact-registry/README.md b/modules/artifact-registry/README.md
index f38217a25..90853ab19 100644
--- a/modules/artifact-registry/README.md
+++ b/modules/artifact-registry/README.md
@@ -300,18 +300,19 @@ module "additive_iam" {
| name | description | type | required | default |
|---|---|:---:|:---:|:---:|
| [cleanup_policies](variables.tf#L17) | Object containing details about the cleanup policies for an Artifact Registry repository. | map(object({…default = null | ✓ | |
-| [format](variables.tf#L56) | Repository format. | object({…}) | ✓ | |
-| [location](variables.tf#L206) | Registry location. Use `gcloud beta artifacts locations list' to get valid values. | string | ✓ | |
-| [name](variables.tf#L211) | Registry name. | string | ✓ | |
-| [project_id](variables.tf#L216) | Registry project id. | string | ✓ | |
+| [format](variables.tf#L63) | Repository format. | object({…}) | ✓ | |
+| [location](variables.tf#L213) | Registry location. Use `gcloud beta artifacts locations list' to get valid values. | string | ✓ | |
+| [name](variables.tf#L218) | Registry name. | string | ✓ | |
+| [project_id](variables.tf#L223) | Registry project id. | string | ✓ | |
| [cleanup_policy_dry_run](variables.tf#L38) | If true, the cleanup pipeline is prevented from deleting versions in this repository. | bool | | null |
| [description](variables.tf#L44) | An optional description for the repository. | string | | "Terraform-managed registry" |
-| [encryption_key](variables.tf#L50) | The KMS key name to use for encryption at rest. | string | | null |
+| [enable_vulnerability_scanning](variables.tf#L50) | Whether vulnerability scanning should be enabled in the repository. | bool | | true |
+| [encryption_key](variables.tf#L57) | The KMS key name to use for encryption at rest. | string | | null |
| [iam](variables-iam.tf#L36) | IAM bindings in {ROLE => [MEMBERS]} format. | map(list(string)) | | {} |
| [iam_bindings](variables-iam.tf#L43) | Authoritative IAM bindings in {KEY => {role = ROLE, members = [], condition = {}}}. Keys are arbitrary. | map(object({…})) | | {} |
| [iam_bindings_additive](variables-iam.tf#L58) | Individual additive IAM bindings. Keys are arbitrary. | map(object({…})) | | {} |
| [iam_by_principals](variables-iam.tf#L73) | Authoritative IAM binding in {PRINCIPAL => [ROLES]} format. Principals need to be statically defined to avoid cycle errors. Merged internally with the `iam` variable. | map(list(string)) | | {} |
-| [labels](variables.tf#L200) | Labels to be attached to the registry. | map(string) | | {} |
+| [labels](variables.tf#L207) | Labels to be attached to the registry. | map(string) | | {} |
## Outputs
diff --git a/modules/artifact-registry/main.tf b/modules/artifact-registry/main.tf
index a9ac681e3..665b85602 100644
--- a/modules/artifact-registry/main.tf
+++ b/modules/artifact-registry/main.tf
@@ -21,17 +21,21 @@ locals {
}
resource "google_artifact_registry_repository" "registry" {
- provider = google-beta
- project = var.project_id
- location = var.location
- description = var.description
- format = upper(local.format_string)
- labels = var.labels
- repository_id = var.name
- mode = "${upper(local.mode_string)}_REPOSITORY"
- kms_key_name = var.encryption_key
-
+ provider = google-beta
+ project = var.project_id
+ location = var.location
+ description = var.description
+ format = upper(local.format_string)
+ labels = var.labels
+ repository_id = var.name
+ mode = "${upper(local.mode_string)}_REPOSITORY"
+ kms_key_name = var.encryption_key
cleanup_policy_dry_run = var.cleanup_policy_dry_run
+
+ vulnerability_scanning_config {
+ enablement_config = var.enable_vulnerability_scanning ? "INHERITED" : "DISABLED"
+ }
+
dynamic "cleanup_policies" {
for_each = var.cleanup_policies == null ? {} : var.cleanup_policies
content {
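Review bot: The new line `enablement_config = var.enable_vulnerability_scanning ? "INHERITED" : "DISABLED"` maps `true` to `INHERITED`, which defers to the project-level Artifact Analysis setting rather than switching scanning on for this repository; with the default of `true`, a project where scanning is off at project level still gets no scanning, while the variable name and its description in the variables.tf hunk read as if scanning is guaranteed. As far as I know the API only offers `INHERITED` and `DISABLED`, so an unconditional "enabled" cannot be expressed here, and the caveat should be made explicit instead: add `# INHERITED follows the project-level Artifact Analysis setting; scanning only runs if it is enabled there.` above the `vulnerability_scanning_config` block, and reword the variable description to something like `"Whether vulnerability scanning follows the project-level Artifact Analysis setting (INHERITED); false disables it for this repository."`. The resource block continues outside the hunk.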
diff --git a/modules/artifact-registry/variables.tf b/modules/artifact-registry/variables.tf
index 23b194a39..88c47215d 100644
--- a/modules/artifact-registry/variables.tf
+++ b/modules/artifact-registry/variables.tf
@@ -47,6 +47,13 @@ variable "description" {
default = "Terraform-managed registry"
}
+variable "enable_vulnerability_scanning" {
+ description = "Whether vulnerability scanning should be enabled in the repository."
+ type = bool
+ default = true
+ nullable = false
+}
+
variable "encryption_key" {
description = "The KMS key name to use for encryption at rest."
type = string