# Vulnerability Scanning

[Cloud Container Analysis](https://cloud.google.com/container-registry/docs/container-analysis) can scan your container images stored in Container Registry for vulnerabilities. See [Vulnerability Scanning documentation](https://cloud.google.com/container-registry/docs/vulnerability-scanning) for more detail.

Container images are scanned when they are pushed to Container Registry, and any image that has been pulled within the last 30 days is continuously monitored and re-scanned.

## Enable API

```bash
gcloud services enable containeranalysis.googleapis.com
gcloud services enable containerscanning.googleapis.com
```

## Push an Image

Container images are scanned when they are pushed to Container Registry. To force a scan of an existing image, re-push it. For example, follow the [Container Image section](/deployment/docker/container-image.md) and re-push the Hello World container image.

```bash
PROJECT_ID=$(gcloud config get-value project)

./mvnw compile com.google.cloud.tools:jib-maven-plugin:2.4.0:build \
  -Dimage=gcr.io/${PROJECT_ID}/helloworld
```

## Vulnerabilities

Once the image has been scanned, you can see the vulnerability scanning status in Container Registry.

```bash
PROJECT_ID=$(gcloud config get-value project)

open https://gcr.io/$PROJECT_ID/helloworld
```

On the right hand side, see the **Vulnerabilities** column:

![](/files/-MFkXpYhboNg6DsA6zuK)

Click into **View vulnerabilities** to see the details:

![](/files/-MFkY-Dvxwgr9QYHKbMG)

You can also list the vulnerabilities for a specific container image from the command line. The output is raw YAML:

```bash
PROJECT_ID=$(gcloud config get-value project)

gcloud beta container images describe gcr.io/$PROJECT_ID/helloworld \
  --show-package-vulnerability
```

{% hint style="info" %}
See [Vulnerability Scanning documentation](https://cloud.google.com/container-registry/docs/vulnerability-scanning) for more information on vulnerability database sources.
{% endhint %}
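The YAML above is convenient to read, but in a build pipeline you usually want to turn the same report into a pass/fail decision. The script below is an added example, not part of this page or of Google's tooling: it reads the JSON form of the report (`gcloud beta container images describe ... --show-package-vulnerability --format=json`), counts findings per severity, and exits non-zero when anything at or above a chosen severity is present. The field names it relies on (`package_vulnerability_summary`, a `vulnerabilities` map keyed by severity, `vulnerability.packageIssue[].fixedVersion`) are this example's assumption about the report's shape, and the embedded sample report, including its `CVE-EXAMPLE-*` ids and package names, is constructed for illustration only.

```python
"""Policy gate over a Container Analysis vulnerability report (added example).

Usage in a pipeline (hypothetical; field names are assumed, verify against a real report):
    gcloud beta container images describe gcr.io/$PROJECT_ID/helloworld \
        --show-package-vulnerability --format=json | python3 vuln_gate.py HIGH
Run with no stdin attached, it evaluates the constructed SAMPLE_REPORT below.
"""
import json
import sys

# Severity labels as Container Analysis reports them, most to least severe.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "MINIMAL"]

# Constructed sample report. CVE ids, packages and versions are placeholders.
SAMPLE_REPORT = {
    "image_summary": {
        "fully_qualified_digest": "gcr.io/example-project/helloworld@sha256:PLACEHOLDER",
    },
    "package_vulnerability_summary": {
        "total_vulnerability_found": 2,
        "not_fixed_vulnerability_count": 1,
        "vulnerabilities": {
            "HIGH": [{
                "noteName": "projects/goog-vulnz/notes/CVE-EXAMPLE-0001",
                "vulnerability": {
                    "severity": "HIGH", "effectiveSeverity": "HIGH", "cvssScore": 7.5,
                    "packageIssue": [{
                        "affectedPackage": "libexample",
                        "affectedVersion": {"name": "1.0-1"},
                        "fixedVersion": {"name": "1.0-2"},   # distro fix is available
                    }],
                },
            }],
            "MEDIUM": [{
                "noteName": "projects/goog-vulnz/notes/CVE-EXAMPLE-0002",
                "vulnerability": {
                    "severity": "MEDIUM", "effectiveSeverity": "MEDIUM", "cvssScore": 5.0,
                    "packageIssue": [{
                        "affectedPackage": "libother",
                        "affectedVersion": {"name": "2.3"},
                        # no fixedVersion key: no fix has shipped yet
                    }],
                },
            }],
        },
    },
}


def _rank(severity):
    """Lower rank means more severe; unknown labels sort after MINIMAL."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else len(SEVERITY_ORDER)


def _severity(occurrence):
    """Prefer the distro-adjusted effectiveSeverity over the generic severity."""
    vuln = occurrence.get("vulnerability", {})
    return vuln.get("effectiveSeverity") or vuln.get("severity", "MINIMAL")


def occurrences(report):
    """Flatten the per-severity map into one iterable of occurrences."""
    summary = report.get("package_vulnerability_summary", {})
    for occ_list in summary.get("vulnerabilities", {}).values():
        yield from occ_list


def findings(report):
    """One record per affected package: CVE, severity, installed and fixed versions."""
    out = []
    for occ in occurrences(report):
        cve = occ.get("noteName", "").rsplit("/", 1)[-1]
        for issue in occ.get("vulnerability", {}).get("packageIssue", []):
            out.append({
                "cve": cve,
                "severity": _severity(occ),
                "package": issue.get("affectedPackage"),
                "installed": issue.get("affectedVersion", {}).get("name"),
                "fixed": issue.get("fixedVersion", {}).get("name"),  # None when unfixed
            })
    return out


def count_by_severity(report):
    """Number of vulnerability occurrences per severity label."""
    counts = {s: 0 for s in SEVERITY_ORDER}
    for occ in occurrences(report):
        sev = _severity(occ)
        counts[sev] = counts.get(sev, 0) + 1
    return counts


def gate(report, fail_on="HIGH"):
    """Return (passed, offending): passed is False if any finding is at or above fail_on."""
    offending = [f for f in findings(report) if _rank(f["severity"]) <= _rank(fail_on)]
    return not offending, offending


def main(argv):
    fail_on = argv[1] if len(argv) > 1 else "HIGH"
    report = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_REPORT
    print("findings by severity:", {s: n for s, n in count_by_severity(report).items() if n})
    passed, offending = gate(report, fail_on)
    for f in offending:
        fix = f"fix available: {f['fixed']}" if f["fixed"] else "no fix available yet"
        print(f"  {f['severity']:8} {f['cve']} in {f['package']} {f['installed']} ({fix})")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Distinguishing fixable from unfixed findings matters for the policy you choose: failing the build on a HIGH with an available fix is actionable (rebuild on a newer base image), whereas an unfixed finding can only be accepted with a documented exception or mitigated elsewhere.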

## Continuous Scan

Container images are scanned when they are pushed to Container Registry, and any image that has been pulled within the last 30 days is continuously monitored and re-scanned.

{% hint style="info" %}
See [Vulnerability Scanning documentation](https://cloud.google.com/container-registry/docs/vulnerability-scanning) for more information.
{% endhint %}

