> For the complete documentation index, see [llms.txt](https://spring-gcp.saturnism.me/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://spring-gcp.saturnism.me/deployment/docker/vulnerability-scanning.md).

# Vulnerability Scanning

[Cloud Container Analysis](https://cloud.google.com/container-registry/docs/container-analysis) can scan your container images stored in Container Registry for vulnerabilities. See [Vulnerability Scanning documentation](https://cloud.google.com/container-registry/docs/vulnerability-scanning) for more detail.

Container images are scanned upon push to Container Registry, and then continuously monitored/scanned if the image was pulled in the last 30 days.

## Enable API

```bash
gcloud services enable containeranalysis.googleapis.com
gcloud services enable containerscanning.googleapis.com
```

## Push an Image

Container images are scanned when they are pushed to Container Registry. To force a scan on an existing image, you  have to re-push it the image. For example, follow the [Container Image section](/deployment/docker/container-image.md), and re-push the Hello World container image.

```bash
PROJECT_ID=$(gcloud config get-value project)

./mvnw compile com.google.cloud.tools:jib-maven-plugin:2.4.0:build \
  -Dimage=gcr.io/${PROJECT_ID}/helloworld
```

## Vulnerabilities

Once the image is scanned, you can see the status of Vulnerability Scanning in Container Registry.

```bash
PROJECT_ID=$(gcloud config get-value project)

open https://gcr.io/$PROJECT_ID/helloworld
```

On the right hand side, see the **Vulnerabilities** column:

![](/files/-MFkXpYhboNg6DsA6zuK)

Click into **View vulnerabilities** to see the details:

![](/files/-MFkY-Dvxwgr9QYHKbMG)

You can list vulnerabilities for a specific container image. It'll be outputted in the raw YAML format:

```bash
PROJECT_ID=$(gcloud config get-value project)

gcloud beta container images describe gcr.io/$PROJECT_ID/helloworld \
  --show-package-vulnerability
```

{% hint style="info" %}
See [Vulnerability Scanning documentation](https://cloud.google.com/container-registry/docs/vulnerability-scanning) for more information on vulnerability database sources.
{% endhint %}

## Continuous Scan

Container images are scanned upon push to Container Registry, and then continuously monitored/scanned if the image was pulled in the last 30 days.

{% hint style="info" %}
See [Vulnerability Scanning documentation](https://cloud.google.com/container-registry/docs/vulnerability-scanning) for more information.
{% endhint %}
