Vulnerability Scanning

Cloud Container Analysis can scan your container images stored in Container Registry for vulnerabilities. See Vulnerability Scanning documentation for more detail.

Container images are scanned upon push to Container Registry, and then continuously monitored/scanned if the image was pulled in the last 30 days.

Enable API

gcloud services enable containeranalysis.googleapis.com
gcloud services enable containerscanning.googleapis.com

Push an Image

Container images are scanned when they are pushed to Container Registry. To force a scan on an existing image, you have to re-push it the image. For example, follow the Container Image section, and re-push the Hello World container image.

PROJECT_ID=$(gcloud config get-value project)
./mvnw compile com.google.cloud.tools:jib-maven-plugin:2.4.0:build \
-Dimage=gcr.io/${PROJECT_ID}/helloworld

Vulnerabilities

Once the image is scanned, you can see the status of Vulnerability Scanning in Container Registry.

PROJECT_ID=$(gcloud config get-value project)
open https://gcr.io/$PROJECT_ID/helloworld

On the right hand side, see the Vulnerabilities column:

Click into View vulnerabilities to see the details:

You can list vulnerabilities for a specific container image. It'll be outputted in the raw YAML format:

PROJECT_ID=$(gcloud config get-value project)
gcloud beta container images describe gcr.io/$PROJECT_ID/helloworld \
--show-package-vulnerability

See Vulnerability Scanning documentation for more information on vulnerability database sources.

Continuous Scan

Container images are scanned upon push to Container Registry, and then continuously monitored/scanned if the image was pulled in the last 30 days.

See Vulnerability Scanning documentation for more information.