Cannot use more granular roles for the Google-managed Container Registry service account - service-[PROJECT_NUMBER]@containerregistry.iam.gserviceaccount.com. Not sure if anyone can shed some light on this.
It seems this service account is assigned the primitive role "editor" by default when you enable the Google Container Registry API, and you cannot change it to something more granular like cloudbuild.gserviceaccount.com.
Google's doc on cloudbuild https://cloud.google.com/cloud-build/docs/securing-builds/set-service-account-permissions
But not much info on container registry https://cloud.google.com/container-registry/docs/overview
Our compliance tool picked up that the editor role is used by the GCR service account. This is too much permission for just GCR access.
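The compliance finding described in the question can be reproduced offline with a small check over an exported IAM policy. The example below is added here and is not part of the original post or of any Google tooling: it takes a policy in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` produces (`bindings` with `role` and `members`), and reports any binding where the Google-managed Container Registry service account (`service-<PROJECT_NUMBER>@containerregistry.iam.gserviceaccount.com`) holds one of the basic roles `roles/owner`, `roles/editor` or `roles/viewer`. The sample policy, the project number and the extra members in it are constructed for the example; `find_basic_role_grants` and `GCR_SA_RE` are names chosen here.

```python
import json
import re

# The three basic ("primitive") roles that a compliance check normally flags.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Matches the Google-managed Container Registry service account member string
# as it appears in an IAM policy (prefixed with "serviceAccount:").
GCR_SA_RE = re.compile(
    r"^serviceAccount:service-\d+@containerregistry\.iam\.gserviceaccount\.com$"
)


def find_basic_role_grants(policy, member_re=GCR_SA_RE):
    """Return (member, role) pairs where a member matching member_re holds a basic role.

    `policy` is a dict in the shape exported by `gcloud projects get-iam-policy`.
    """
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in BASIC_ROLES:
            continue
        for member in binding.get("members", []):
            if member_re.match(member):
                findings.append((member, role))
    return findings


# Constructed sample policy (not real project data). It contains:
#  - the GCR service account with roles/editor (the finding from the question),
#  - the Cloud Build service account with a granular role (not flagged),
#  - a human user with roles/editor (matches a basic role but not the GCR regex).
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {
      "role": "roles/editor",
      "members": [
        "serviceAccount:service-123456789012@containerregistry.iam.gserviceaccount.com",
        "user:someone@example.com"
      ]
    },
    {
      "role": "roles/cloudbuild.builds.builder",
      "members": [
        "serviceAccount:123456789012@cloudbuild.gserviceaccount.com"
      ]
    }
  ],
  "etag": "BwXexampleEtag=",
  "version": 1
}
""")


if __name__ == "__main__":
    for member, role in find_basic_role_grants(SAMPLE_POLICY):
        print(f"FINDING: {member} holds basic role {role}")
```

Running it against a real export only requires loading the file produced by `gcloud projects get-iam-policy PROJECT --format=json` into `policy` instead of `SAMPLE_POLICY`; the check is detection only and does not say which role should replace `roles/editor`, which is exactly the open question in the post.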