diff --git a/deployment/live/witness/dev/terragrunt.hcl b/deployment/live/witness/dev/terragrunt.hcl index 33c4800..a04326b 100644 --- a/deployment/live/witness/dev/terragrunt.hcl +++ b/deployment/live/witness/dev/terragrunt.hcl @@ -7,7 +7,8 @@ inputs = merge( include.root.locals, { public_witness_config_urls = ["https://raw.githubusercontent.com/transparency-dev/witness-network/refs/heads/main/lists/testing/log-list.1"] - witness_docker_image = "us-central1-docker.pkg.dev/checkpoint-distributor/distributor-docker-dev/witness:latest" + witness_docker_repo = "https://ghcr.io" + witness_docker_image = "transparency-dev/witness/omniwitness_gcp:latest" witness_secret_name = "witness_secret_dev" witness_service_account = "cloudrun-witness-dev-sa@checkpoint-distributor.iam.gserviceaccount.com" diff --git a/deployment/modules/witness/main.tf b/deployment/modules/witness/main.tf index bb81485..7339648 100644 --- a/deployment/modules/witness/main.tf +++ b/deployment/modules/witness/main.tf @@ -29,11 +29,11 @@ terraform { required_providers { google = { source = "hashicorp/google" - version = "6.0.1" + version = "7.18.0" } google-beta = { source = "hashicorp/google-beta" - version = "6.0.1" + version = "7.18.0" } } } 
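Review bot: The new `witness_docker_image` value in the terragrunt.hcl hunk still references the mutable `:latest` tag, so the image that ends up deployed is whatever ghcr.io serves when the registry cache resolves the tag, and two applies of the same configuration can run different code. Pinning an immutable reference, `witness_docker_image = "transparency-dev/witness/omniwitness_gcp@sha256:<digest-of-validated-release>"`, makes the deployment reproducible and turns the pull-through cache introduced in main.tf into a guarantee that the cached copy is the one that was reviewed. The `inputs = merge(` block this value lives in starts and ends outside the hunk. The provider version bump in the second hunk needs no comment.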
@@ -103,6 +103,23 @@ locals {
 spanner_db_full = "projects/${var.project_id}/instances/${google_spanner_instance.witness_spanner.name}/databases/${google_spanner_database.witness_db.name}"
 }
+# Set up an artifact registry to cache remote images we depend on via Cloud Run, below.
+#
+# This is intended to guard against the upstream image being unavailable for some reason.
+resource "google_artifact_registry_repository" "witness" {
+ location = var.region
+ repository_id = "witness-remote-${var.env}"
+ description = "Remote repository with witness docker images upstream"
+ format = "DOCKER"
+ mode = "REMOTE_REPOSITORY"
+ remote_repository_config {
+ description = "Pull-through cache of witness repository"
+ common_repository {
+ uri = var.witness_docker_repo
+ }
+ }
+}
+
 ###
 ### Set up Cloud Run service
 ###
@@ -134,7 +151,8 @@ resource "google_cloud_run_v2_service" "default" {
 }
 max_instance_request_concurrency = 1000
 containers {
- image = var.witness_docker_image
+ # Access the witness docker image via our "pull-through" cache artifcat registry.
+ image = "${google_artifact_registry_repository.witness.registry_uri}/${var.witness_docker_image}"
 name = "witness"
 args = concat([
 "--logtostderr",
diff --git a/deployment/modules/witness/variables.tf b/deployment/modules/witness/variables.tf
index d00fe56..362abd6 100644
--- a/deployment/modules/witness/variables.tf
+++ b/deployment/modules/witness/variables.tf
@@ -29,8 +29,13 @@ variable "env" {
 type = string
 }
+variable "witness_docker_repo" {
+ description = "The full URL of the docker registry where the witness docker image can be found"
+ type = string
+}
+
 variable "witness_docker_image" {
- description = "The full image URL (path & tag) for the witness docker image to deploy"
+ description = "The image name and tag of the witness docker image to deploy, as found on the witness_docker_repo."
 type = string
 }
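Review bot: The header comment over `resource "google_artifact_registry_repository" "witness"` promises protection against the upstream image being unavailable, but a remote repository can only serve content it has already pulled through; a tag that was never fetched via this cache, or whose cached copy has presumably been evicted, still depends on ghcr.io being reachable, and a mutable tag may be re-resolved upstream to a different image than the one previously cached. I'd state that scope in the comment, `# Note: only images already pulled through this cache are served when upstream is down; reference images by digest so the cached copy is the one that was validated.` The `locals { ... }` block that precedes the resource ends inside the hunk; the new resource itself is complete.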
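Review bot: The new comment above `image = ...` in the Cloud Run hunk misspells "artifact" (`artifcat`); `# Access the witness docker image via our "pull-through" cache artifact registry.` Because the image reference is now composed as `registry_uri` + `/` + `var.witness_docker_image`, a variable value with a leading slash or an embedded registry host produces a malformed reference that only fails at deploy time rather than at plan time; that shape constraint belongs on the variable as a `validation` block rather than in this comment. The enclosing `resource "google_cloud_run_v2_service" "default"` starts and ends outside the hunk.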
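Review bot: The description of the new `witness_docker_repo` variable says "full URL", but the only value the module is shown to use is a registry origin, `https://ghcr.io` in the dev config, passed straight into `common_repository.uri`; I'd make the expected form explicit, `description = "Origin URL of the docker registry hosting the witness image, e.g. https://ghcr.io (scheme included, no trailing slash)"`. Likewise `witness_docker_image` is concatenated after a `/` in main.tf, so its description should say it must not start with `/` or include a registry host, and that a digest-pinned form (`name@sha256:<digest>`) is preferred over a tag. A `validation` block enforcing those shapes at plan time would be better still, but the description fix is the minimum. Both variable blocks are complete within the hunk.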