# Vulnerability Scanning

[Cloud Container Analysis](https://cloud.google.com/container-registry/docs/container-analysis) can scan your container images stored in Container Registry for vulnerabilities. See [Vulnerability Scanning documentation](https://cloud.google.com/container-registry/docs/vulnerability-scanning) for more detail.

Container images are scanned when they are pushed to Container Registry, and are then continuously monitored and re-scanned as long as the image has been pulled within the last 30 days.

## Enable API

```bash
gcloud services enable containeranalysis.googleapis.com
gcloud services enable containerscanning.googleapis.com
```

## Push an Image

Container images are scanned when they are pushed to Container Registry. To force a scan of an existing image, you have to re-push the image. For example, follow the [Container Image section](https://spring-gcp.saturnism.me/deployment/docker/container-image) and re-push the Hello World container image.

```bash
PROJECT_ID=$(gcloud config get-value project)

./mvnw compile com.google.cloud.tools:jib-maven-plugin:2.4.0:build \
  -Dimage=gcr.io/${PROJECT_ID}/helloworld
```

## Vulnerabilities

Once the image is scanned, you can see the status of Vulnerability Scanning in Container Registry.

```bash
PROJECT_ID=$(gcloud config get-value project)

# `open` is the macOS launcher; on Linux use `xdg-open` instead.
open https://gcr.io/$PROJECT_ID/helloworld
```

On the right hand side, see the **Vulnerabilities** column:

![](https://3412348858-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-L_Laqs9uSAihPmRemDj%2F-MFkXF7r6uabbeIWv9n3%2F-MFkXpYhboNg6DsA6zuK%2Fimage.png?alt=media\&token=74ec3ac4-98af-427f-96e4-acfe0cdfe2fc)

Click into **View vulnerabilities** to see the details:

![](https://3412348858-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-L_Laqs9uSAihPmRemDj%2F-MFkXF7r6uabbeIWv9n3%2F-MFkY-Dvxwgr9QYHKbMG%2Fimage.png?alt=media\&token=bfc8c3f6-e9a8-4e08-b823-3489a161a82e)

You can also list the vulnerabilities for a specific container image from the command line; the output is raw YAML:

```bash
PROJECT_ID=$(gcloud config get-value project)

gcloud beta container images describe gcr.io/$PROJECT_ID/helloworld \
  --show-package-vulnerability
```
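The raw listing is most useful when a build pipeline turns it into a pass/fail decision before the image is deployed. The following Python script is an added example, not part of this page or of Google's tooling: it consumes the same `gcloud container images describe ... --show-package-vulnerability` output requested as JSON (`--format=json`) and gates on a severity threshold. The field names (`package_vulnerability_summary`, `vulnerabilities` keyed by severity, `effectiveSeverity`, `fixAvailable`, `packageIssue`) are an assumption about that output's shape that you should verify against your own `gcloud` version; the embedded sample scan is constructed, and its digest, package names and CVE ids are placeholders.

```python
import json

# Order used when comparing a finding's severity against a policy threshold.
SEVERITY_RANK = {"MINIMAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample shaped like the JSON form of
# `gcloud container images describe IMAGE --show-package-vulnerability --format=json`.
# The field names are an assumption about that output (verify against your gcloud
# version); every value, including the digest, package names and CVE ids, is a placeholder.
SAMPLE_SCAN = json.loads("""
{
  "image_summary": {
    "digest": "sha256:0000000000000000000000000000000000000000000000000000000000000000",
    "registry": "gcr.io",
    "repository": "example-project/helloworld"
  },
  "package_vulnerability_summary": {
    "not_fixed_vulnerability_count": "1",
    "total_vulnerability_found": "3",
    "vulnerabilities": {
      "CRITICAL": [
        {"noteName": "projects/goog-vulnz/notes/CVE-0000-00001",
         "vulnerability": {"cvssScore": 9.8, "effectiveSeverity": "CRITICAL", "fixAvailable": false,
                           "packageIssue": [{"affectedPackage": "libplaceholder-a"}]}}
      ],
      "HIGH": [
        {"noteName": "projects/goog-vulnz/notes/CVE-0000-00002",
         "vulnerability": {"cvssScore": 7.5, "effectiveSeverity": "HIGH", "fixAvailable": true,
                           "packageIssue": [{"affectedPackage": "libplaceholder-b"}]}}
      ],
      "MEDIUM": [
        {"noteName": "projects/goog-vulnz/notes/CVE-0000-00003",
         "vulnerability": {"cvssScore": 5.3, "effectiveSeverity": "MEDIUM", "fixAvailable": true,
                           "packageIssue": [{"affectedPackage": "libplaceholder-c"}]}}
      ]
    }
  }
}
""")


def findings_at_or_above(scan, threshold):
    """Return findings whose severity is at least `threshold`, most severe first.

    Raises ValueError when the scan summary is absent, which is what you get
    right after a push while the scan is still pending.
    """
    summary = scan.get("package_vulnerability_summary")
    if summary is None:
        raise ValueError("no package_vulnerability_summary: scan pending or image not scanned")
    min_rank = SEVERITY_RANK[threshold.upper()]
    findings = []
    for bucket, occurrences in summary.get("vulnerabilities", {}).items():
        for occ in occurrences:
            vuln = occ.get("vulnerability", {})
            # Prefer the effective (distro-adjusted) severity; fall back to the bucket key.
            severity = vuln.get("effectiveSeverity", bucket).upper()
            if SEVERITY_RANK.get(severity, 0) < min_rank:
                continue
            findings.append({
                "cve": occ.get("noteName", "").rsplit("/", 1)[-1],
                "severity": severity,
                "cvss": vuln.get("cvssScore"),
                "packages": [p.get("affectedPackage") for p in vuln.get("packageIssue", [])],
                "fix_available": bool(vuln.get("fixAvailable", False)),
            })
    findings.sort(key=lambda f: (-SEVERITY_RANK.get(f["severity"], 0), -(f["cvss"] or 0)))
    return findings


def image_passes_policy(scan, threshold, ignore_unfixed=False):
    """Gate decision: True only when no blocking finding exists.

    Fails closed: a missing or pending scan never passes. With `ignore_unfixed`,
    findings that have no fixed package version yet are reported but do not block.
    """
    try:
        findings = findings_at_or_above(scan, threshold)
    except ValueError:
        return False
    blocking = [f for f in findings if f["fix_available"] or not ignore_unfixed]
    return not blocking


if __name__ == "__main__":
    import sys
    # Usage: gcloud ... --show-package-vulnerability --format=json | python3 gate.py HIGH
    # With no piped input the constructed sample above is evaluated instead.
    scan = SAMPLE_SCAN if sys.stdin.isatty() else json.load(sys.stdin)
    threshold = sys.argv[1] if len(sys.argv) > 1 else "HIGH"
    for f in findings_at_or_above(scan, threshold):
        print(f"{f['severity']:<8} {f['cve']:<16} cvss={f['cvss']} fix={f['fix_available']} "
              f"{','.join(p for p in f['packages'] if p)}")
    sys.exit(0 if image_passes_policy(scan, threshold) else 1)
```

Two design points matter for a gate like this. First, it fails closed: an image whose scan has not completed yet (no `package_vulnerability_summary`) is rejected rather than waved through, so a pipeline that deploys immediately after a push cannot race the scanner. Second, `ignore_unfixed` lets you separate "known, no patch exists yet" from "known and fixable", which keeps the gate actionable without hiding the unfixed findings from the report.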

{% hint style="info" %}
See [Vulnerability Scanning documentation](https://cloud.google.com/container-registry/docs/vulnerability-scanning) for more information on vulnerability database sources.
{% endhint %}

## Continuous Scan

Container images are scanned when they are pushed to Container Registry, and are then continuously monitored and re-scanned as long as the image has been pulled within the last 30 days.

{% hint style="info" %}
See [Vulnerability Scanning documentation](https://cloud.google.com/container-registry/docs/vulnerability-scanning) for more information.
{% endhint %}
