Vulnerability Scanning
Cloud Container Analysis can scan your container images stored in Container Registry for vulnerabilities. See Vulnerability Scanning documentation for more detail.
Container images are scanned upon push to Container Registry, and then continuously monitored/scanned if the image was pulled in the last 30 days.

Enable API

gcloud services enable containeranalysis.googleapis.com
gcloud services enable containerscanning.googleapis.com

Push an Image

Container images are scanned when they are pushed to Container Registry. To force a scan on an existing image, you have to re-push the image. For example, follow the Container Image section and re-push the Hello World container image.

PROJECT_ID=$(gcloud config get-value project)

./mvnw compile com.google.cloud.tools:jib-maven-plugin:2.4.0:build \
  -Dimage=gcr.io/${PROJECT_ID}/helloworld

Vulnerabilities

Once the image is scanned, you can see the status of Vulnerability Scanning in Container Registry.
PROJECT_ID=$(gcloud config get-value project)

# `open` is the macOS command; on Linux use `xdg-open` instead
open https://gcr.io/$PROJECT_ID/helloworld
On the right-hand side, see the Vulnerabilities column:
Click View vulnerabilities to see the details:
You can also list the vulnerabilities for a specific container image from the command line. The output is raw YAML:
PROJECT_ID=$(gcloud config get-value project)

gcloud beta container images describe gcr.io/$PROJECT_ID/helloworld \
  --show-package-vulnerability
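The raw YAML is fine for reading by hand, but the practical use of this command is gating a pipeline on the scan result. The following is an added example, not code from the page or from Google's tooling: it runs the same `describe` command with `--format=json` (a standard gcloud output flag), flattens the findings, and reports which ones exceed a severity threshold. The document shape it parses (`package_vulnerability_summary.vulnerabilities` keyed by severity, each occurrence carrying `noteName` and `vulnerability.packageIssue[].fixAvailable`) is an assumption about the command's output; the embedded `SAMPLE_REPORT` is constructed in that shape with placeholder note names and package names, so the script runs offline without `gcloud` when no image argument is given.

```python
"""Gate a deployment on Container Analysis vulnerability scanning results.

Added example (not part of the page or of Google's own tooling). Reads the JSON
form of:

    gcloud beta container images describe gcr.io/$PROJECT_ID/helloworld \
        --show-package-vulnerability --format=json

Assumed layout: `package_vulnerability_summary.vulnerabilities` maps a severity
(CRITICAL, HIGH, MEDIUM, LOW, MINIMAL) to a list of occurrences; each occurrence
has `noteName` and `vulnerability.packageIssue[]` with `fixAvailable`.
"""
import json
import subprocess
import sys
from collections import Counter

# Severity order used by Container Analysis; higher number = more severe.
SEVERITY_RANK = {"MINIMAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the assumed output shape. Note names, digests and
# package names are placeholders, not real findings.
SAMPLE_REPORT = {
    "image_summary": {
        "digest": "sha256:PLACEHOLDER_DIGEST",
        "fully_qualified_digest": "gcr.io/PROJECT_ID/helloworld@sha256:PLACEHOLDER_DIGEST",
    },
    "package_vulnerability_summary": {
        "total_vulnerability_found": 3,
        "not_fixed_vulnerability_count": 1,
        "vulnerabilities": {
            "CRITICAL": [
                {"noteName": "projects/PROVIDER_PLACEHOLDER/notes/CVE-PLACEHOLDER-1",
                 "vulnerability": {"severity": "CRITICAL", "cvssScore": 9.8,
                                   "packageIssue": [{"affectedPackage": "libplaceholder1",
                                                     "fixAvailable": True}]}},
            ],
            "HIGH": [
                {"noteName": "projects/PROVIDER_PLACEHOLDER/notes/CVE-PLACEHOLDER-2",
                 "vulnerability": {"severity": "HIGH", "cvssScore": 7.5,
                                   "packageIssue": [{"affectedPackage": "libplaceholder2",
                                                     "fixAvailable": False}]}},
            ],
            "LOW": [
                {"noteName": "projects/PROVIDER_PLACEHOLDER/notes/CVE-PLACEHOLDER-3",
                 "vulnerability": {"severity": "LOW", "cvssScore": 3.1,
                                   "packageIssue": [{"affectedPackage": "libplaceholder3",
                                                     "fixAvailable": True}]}},
            ],
        },
    },
}


def fetch_report(image):
    """Run the page's describe command with JSON output and parse it."""
    cmd = ["gcloud", "beta", "container", "images", "describe", image,
           "--show-package-vulnerability", "--format=json"]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def extract_findings(report):
    """Flatten the per-severity occurrence lists into simple records."""
    summary = report.get("package_vulnerability_summary") or {}
    findings = []
    for severity, occurrences in (summary.get("vulnerabilities") or {}).items():
        for occ in occurrences:
            vuln = occ.get("vulnerability") or {}
            issues = vuln.get("packageIssue") or []
            findings.append({
                "id": occ.get("noteName", "").rsplit("/", 1)[-1],
                "severity": (vuln.get("severity") or severity).upper(),
                "packages": [i.get("affectedPackage", "?") for i in issues],
                # A finding counts as fixable if any affected package has a fix.
                "fix_available": any(i.get("fixAvailable") for i in issues),
            })
    return findings


def count_by_severity(report):
    """Number of findings per severity label."""
    return Counter(f["severity"] for f in extract_findings(report))


def blocking_findings(report, fail_on="HIGH", fixable_only=False):
    """Findings at or above `fail_on`; optionally only those with a fix available."""
    threshold = SEVERITY_RANK[fail_on.upper()]
    return [f for f in extract_findings(report)
            if SEVERITY_RANK.get(f["severity"], -1) >= threshold
            and (f["fix_available"] or not fixable_only)]


def main(argv):
    """Exit 1 when the image has findings at HIGH or above; 0 otherwise."""
    report = fetch_report(argv[1]) if len(argv) > 1 else SAMPLE_REPORT
    print("findings by severity:", dict(count_by_severity(report)))
    blocking = blocking_findings(report, fail_on="HIGH")
    for f in blocking:
        print(f"BLOCK {f['severity']:8} {f['id']} {','.join(f['packages'])}"
              f" fix_available={f['fix_available']}")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 scan_gate.py gcr.io/$PROJECT_ID/helloworld` in a pipeline step after the push; with no argument it evaluates the constructed sample. The `fixable_only` switch is the knob most teams end up wanting: a CRITICAL finding with no upstream fix cannot be resolved by rebuilding, so blocking on it only stalls the pipeline, whereas a fixable HIGH is exactly the case a rebuild on a newer base image addresses.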
See Vulnerability Scanning documentation for more information on vulnerability database sources.

Continuous Scan

Container images are scanned upon push to Container Registry, and then continuously monitored/scanned if the image was pulled in the last 30 days.
See Vulnerability Scanning documentation for more information.