Vulnerability Scanning
​Cloud Container Analysis can scan your container images stored in Container Registry for vulnerabilities. See Vulnerability Scanning documentation for more detail.
Container images are scanned upon push to Container Registry, and then continuously monitored/scanned if the image was pulled in the last 30 days.
gcloud services enable containeranalysis.googleapis.comgcloud services enable containerscanning.googleapis.com
Container images are scanned when they are pushed to Container Registry. To force a scan on an existing image, you have to re-push it the image. For example, follow the Container Image section, and re-push the Hello World container image.
PROJECT_ID=$(gcloud config get-value project)​./mvnw compile com.google.cloud.tools:jib-maven-plugin:2.4.0:build \-Dimage=gcr.io/${PROJECT_ID}/helloworld
Once the image is scanned, you can see the status of Vulnerability Scanning in Container Registry.
PROJECT_ID=$(gcloud config get-value project)​open https://gcr.io/$PROJECT_ID/helloworld
On the right hand side, see the Vulnerabilities column:
Click into View vulnerabilities to see the details:
You can list vulnerabilities for a specific container image. It'll be outputted in the raw YAML format:
PROJECT_ID=$(gcloud config get-value project)​gcloud beta container images describe gcr.io/$PROJECT_ID/helloworld \--show-package-vulnerability
See Vulnerability Scanning documentation for more information on vulnerability database sources.
Container images are scanned upon push to Container Registry, and then continuously monitored/scanned if the image was pulled in the last 30 days.
See Vulnerability Scanning documentation for more information.
