Cloud Container Analysis can scan your container images stored in Container Registry for vulnerabilities. See the Vulnerability Scanning documentation for more detail.
Enable the Container Analysis and Container Scanning APIs in your project:

```bash
gcloud services enable containeranalysis.googleapis.com
gcloud services enable containerscanning.googleapis.com
```

Container images are scanned when they are pushed to Container Registry. To force a scan on an existing image, you have to re-push the image. For example, follow the Container Image section and re-push the Hello World container image.
```bash
PROJECT_ID=$(gcloud config get-value project)
./mvnw compile com.google.cloud.tools:jib-maven-plugin:2.4.0:build \
  -Dimage=gcr.io/${PROJECT_ID}/helloworld
```

Vulnerabilities
Once the image is scanned, you can see the status of Vulnerability Scanning in Container Registry.
```bash
PROJECT_ID=$(gcloud config get-value project)
open https://gcr.io/$PROJECT_ID/helloworld
```

On the right-hand side, see the Vulnerabilities column:
Click into View vulnerabilities to see the details:
You can also list the vulnerabilities for a specific container image from the command line. The output is in raw YAML format:
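As an added example that is not part of the original page, the script below turns that YAML report into a CI gate: it counts findings per severity and fails the build when a CRITICAL finding is present or HIGH findings exceed a threshold. The `effectiveSeverity` key it matches, the constructed sample report and the thresholds are assumptions, not page content.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: a CI gate over the raw YAML that
# `gcloud container images describe --show-package-vulnerability` prints.
# Assumes each finding carries an `effectiveSeverity:` key (Container Analysis
# API field name); the thresholds are illustrative.
set -u

# Count findings at one severity in a saved report. Only `effectiveSeverity:`
# is matched, so a finding's upstream `severity:` line is not double counted.
vuln_count() {  # usage: vuln_count REPORT_FILE SEVERITY
  grep -cE "^[[:space:]]*effectiveSeverity:[[:space:]]*$2[[:space:]]*$" "$1" || true
}

# Return 1 on any CRITICAL finding, or when HIGH findings exceed MAX_HIGH.
gate_report() {  # usage: gate_report REPORT_FILE [MAX_HIGH]
  local report=$1 max_high=${2:-0} critical high
  critical=$(vuln_count "$report" CRITICAL)
  high=$(vuln_count "$report" HIGH)
  echo "CRITICAL=$critical HIGH=$high (HIGH allowed: $max_high)"
  if [ "$critical" -gt 0 ] || [ "$high" -gt "$max_high" ]; then
    echo "FAIL: vulnerability threshold exceeded"; return 1
  fi
  echo "PASS"
}

# Fetch the report for a Container Registry image and gate it (needs gcloud
# and an already scanned image; not exercised offline).
gate_image() {  # usage: gate_image gcr.io/PROJECT/IMAGE[:TAG] [MAX_HIGH]
  local tmp rc; tmp=$(mktemp)
  gcloud container images describe "$1" --show-package-vulnerability \
    --format=yaml > "$tmp" || { rm -f "$tmp"; return 2; }
  gate_report "$tmp" "${2:-0}"; rc=$?
  rm -f "$tmp"; return "$rc"
}

# Constructed sample report in the shape of the describe output (trimmed to
# the keys the gate reads; no real findings).
SAMPLE_REPORT=$(mktemp)
cat > "$SAMPLE_REPORT" <<'EOF'
package_vulnerability_summary:
  vulnerabilities:
    CRITICAL:
    - vulnerability:
        effectiveSeverity: CRITICAL
        severity: HIGH
    HIGH:
    - vulnerability:
        effectiveSeverity: HIGH
EOF
gate_report "$SAMPLE_REPORT" 1 || echo "gate exit status: $?"   # 1: one CRITICAL
```

Run `gate_image gcr.io/$PROJECT_ID/helloworld` after the image has been scanned to gate a real report; a non-zero exit status fails the pipeline step.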
Continuous Scan
Container images are scanned upon push to Container Registry, and then continuously monitored/scanned if the image was pulled in the last 30 days.