Vulnerability Scanning


Last updated 4 years ago


Cloud Container Analysis can scan your container images stored in Container Registry for vulnerabilities. See the Vulnerability Scanning documentation for more detail.

Container images are scanned upon push to Container Registry, and then continuously monitored/scanned if the image was pulled in the last 30 days.

Enable API

gcloud services enable containeranalysis.googleapis.com
gcloud services enable containerscanning.googleapis.com

Push an Image

Container images are scanned when they are pushed to Container Registry. To force a scan of an existing image, you have to re-push the image. For example, follow the Container Image section and re-push the Hello World container image.

PROJECT_ID=$(gcloud config get-value project)

./mvnw compile com.google.cloud.tools:jib-maven-plugin:2.4.0:build \
  -Dimage=gcr.io/${PROJECT_ID}/helloworld

Vulnerabilities

Once the image is scanned, you can see the status of Vulnerability Scanning in Container Registry.

PROJECT_ID=$(gcloud config get-value project)

open https://gcr.io/$PROJECT_ID/helloworld

On the right hand side, see the Vulnerabilities column:

Click into View vulnerabilities to see the details:

You can list the vulnerabilities found in a specific container image from the command line. The output is raw YAML:

PROJECT_ID=$(gcloud config get-value project)

gcloud beta container images describe gcr.io/$PROJECT_ID/helloworld \
  --show-package-vulnerability
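As an added example (not code from the original guide), the following shell gate counts findings by severity in the YAML that the describe command above prints and fails when the configured limits are exceeded, which is how a CI pipeline would block a deployment on the scan result. The sample output is constructed, and the `effectiveSeverity` field name is an assumption about the YAML shape; adjust the pattern if the real output differs.

```shell
#!/usr/bin/env bash
# Gate a deployment on the vulnerability scan of an image in Container Registry.
# Constructed sample: a trimmed excerpt shaped like the YAML that
# `gcloud beta container images describe --show-package-vulnerability` prints.
# The field names are assumptions; adjust them to the real output if they differ.
SAMPLE_SCAN='package_vulnerability_summary:
  vulnerabilities:
    CRITICAL:
    - vulnerability:
        cvssScore: 9.8
        effectiveSeverity: CRITICAL
    HIGH:
    - vulnerability:
        cvssScore: 7.5
        effectiveSeverity: HIGH
    - vulnerability:
        cvssScore: 8.1
        effectiveSeverity: HIGH
    MEDIUM:
    - vulnerability:
        cvssScore: 5.3
        effectiveSeverity: MEDIUM'

# count_severity SEVERITY  (scan YAML on stdin): prints the number of findings
# at that severity; grep -c exits 1 when the count is 0, so keep going anyway.
count_severity() {
  grep -c "effectiveSeverity: $1\$" || true
}

# check_image SCAN_YAML MAX_CRITICAL MAX_HIGH: returns 0 when the image is
# within both limits, 1 when it should be blocked.
check_image() {
  local scan="$1" max_crit="$2" max_high="$3" crit high
  crit=$(printf '%s\n' "$scan" | count_severity CRITICAL)
  high=$(printf '%s\n' "$scan" | count_severity HIGH)
  echo "critical=$crit high=$high (limits: $max_crit critical, $max_high high)"
  if [ "$crit" -le "$max_crit" ] && [ "$high" -le "$max_high" ]; then
    return 0
  fi
  return 1
}

# Live usage (needs gcloud and an already scanned image):
# scan=$(gcloud beta container images describe "gcr.io/$PROJECT_ID/helloworld" \
#          --show-package-vulnerability)
# check_image "$scan" 0 0 || exit 1
```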

Continuous Scan

Container images are scanned upon push to Container Registry, and then continuously monitored and rescanned as long as the image was pulled in the last 30 days, so the findings for an image can change without a new push as the vulnerability database is updated.

See the Vulnerability Scanning documentation for more information, including the vulnerability database sources.
