Container scanning overview

Artifact Analysis provides two ways to scan images: automatic scanning and on-demand scanning. This document outlines feature details for both types of scanning.

Artifact Analysis also provides metadata management. To learn more about how you can use scanning and metadata storage together to secure your CI/CD pipeline from end to end, see the Artifact Analysis overview.

See pricing to learn more about the costs associated with scanning container images.

This overview assumes you are already familiar with using Docker repositories in Artifact Registry or Container Registry (Deprecated).

Automatic scanning

Artifact Analysis performs vulnerability scans on your artifacts in Artifact Registry or Container Registry (Deprecated). Artifact Analysis also identifies dependencies and licenses to help you understand your software composition.

Automatic scanning comprises two main tasks: on-push scanning and continuous analysis.

On-push scanning

Artifact Analysis scans new images when they're uploaded to Artifact Registry or Container Registry. This scan extracts information about the packages in the container. The images are scanned only once, based on the image's digest. This means that adding or modifying tags won't trigger new scans.

Artifact Analysis only detects vulnerabilities in packages that are publicly monitored for security vulnerabilities.

When the scan of an image is completed, the produced vulnerability result is the collection of vulnerability occurrences for that image.

Artifact Analysis does not automatically scan existing images. To scan an existing image, you must push it again.

Continuous analysis

Artifact Analysis creates occurrences for vulnerabilities found when you upload the image. After the initial scan, it continuously monitors the metadata for scanned images in Artifact Registry and Container Registry for new vulnerabilities.

Artifact Analysis receives new and updated vulnerability information from vulnerability sources multiple times each day. When new vulnerability data arrives, Artifact Analysis updates the metadata of the scanned images to keep it up-to-date. Artifact Analysis updates existing vulnerability occurrences, creates new vulnerability occurrences for new notes, and deletes vulnerability occurrences that are no longer valid.

Artifact Analysis only updates the metadata for images that were pushed or pulled in the last 30 days. Artifact Analysis archives metadata that is older than 30 days. To re-scan an image with archived metadata, pull that image. Refreshing metadata can take up to 24 hours.

Manifest lists

You can also use vulnerability scanning with manifest lists. A manifest list is a list of pointers to manifests for several platforms. They allow a single image to work with multiple architectures or variations of an operating system.

Artifact Analysis vulnerability scanning only supports Linux amd64 images. If your manifest list points to more than one Linux amd64 image, only the first one will be scanned; if there are no pointers to Linux amd64 images, you won't get any scanning results.
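The manifest-list rule above is easy to get wrong in a multi-architecture build: the image you think was scanned may not be the one Artifact Analysis picked. The following added example (not code from the Artifact Analysis documentation) parses an OCI image index / Docker manifest list, the JSON that `docker manifest inspect` or a registry GET returns, and applies the stated rule: the first linux/amd64 manifest is the one scanned, a list with several linux/amd64 entries gets only its first one scanned, and a list with none produces no results. The index below is constructed for the example and its digests are placeholders.

```python
"""Which manifest in a manifest list will Artifact Analysis scan?

Added example, not code from the Artifact Analysis documentation.
Applies the documented rule: only Linux amd64 images are scanned, and
only the first linux/amd64 entry of a manifest list.
"""
import json

# Constructed sample manifest list (OCI image index). Digests are placeholders.
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.index.v1+json",
    "manifests": [
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "a" * 64, "size": 1234,
         "platform": {"architecture": "arm64", "os": "linux"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "b" * 64, "size": 1234,
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"mediaType": "application/vnd.oci.image.manifest.v1+json",
         "digest": "sha256:" + "c" * 64, "size": 1234,
         "platform": {"architecture": "amd64", "os": "windows"}},
    ],
})


def is_linux_amd64(manifest):
    """True for the one platform Artifact Analysis vulnerability scanning supports."""
    platform = manifest.get("platform", {})
    return platform.get("os") == "linux" and platform.get("architecture") == "amd64"


def scanned_manifest(index_json):
    """Return (digest, warnings).

    digest is the platform manifest Artifact Analysis will scan, or None when
    the list contains no linux/amd64 entry (no scan results in that case).
    warnings lists every entry that will not get results, so a CI step can
    surface them instead of silently trusting a partial scan.
    """
    index = json.loads(index_json)
    if "manifests" not in index:
        # A plain image manifest, not a list: the image itself is scanned
        # only if it is linux/amd64; nothing to select here.
        return None, ["not a manifest list"]

    manifests = index["manifests"]
    candidates = [m for m in manifests if is_linux_amd64(m)]
    warnings = []
    if not candidates:
        warnings.append("no linux/amd64 manifest: Artifact Analysis returns no results")
        return None, warnings

    chosen = candidates[0]
    if len(candidates) > 1:
        warnings.append(f"{len(candidates)} linux/amd64 manifests; "
                        f"only the first ({chosen['digest']}) is scanned")
    for m in manifests:
        if m is chosen:
            continue
        platform = m.get("platform", {})
        warnings.append(f"{platform.get('os')}/{platform.get('architecture')} "
                        f"{m.get('digest')} is not scanned")
    return chosen["digest"], warnings


if __name__ == "__main__":
    digest, notes = scanned_manifest(SAMPLE_INDEX)
    print("scanned:", digest)
    for note in notes:
        print("warning:", note)
```

Because scans are keyed by digest rather than tag, run this against the index you actually pushed and use the returned digest when you look up results; the arm64 and Windows entries in the sample will never have occurrences, and that is expected, not a scanner failure.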

On-demand scanning

On-demand scanning lets you scan container images locally on your computer or in your registry, using the gcloud CLI. This gives you the flexibility to customize your CI/CD pipeline, depending on when you need to access the vulnerability results.

Supported package types

The most comprehensive features of Artifact Analysis are available for automatic scanning in Artifact Registry.

When you push container images to Docker repositories in Artifact Registry, Artifact Analysis can scan for vulnerabilities in several types of OS packages and application language packages. On-demand scanning can identify vulnerabilities in a subset of these package types.

Container Registry is Deprecated. With Container Registry, automatic scanning only scans OS packages. If you're using Container Registry, learn how to transition to Artifact Registry.

The following table compares the types of packages that Artifact Analysis can scan with each scanning service:

Package type      | Automatic scanning with Artifact Registry | Automatic scanning with Container Registry (Deprecated) | On-demand scanning
OS packages       | Yes                                       | Yes                                                     | Yes
Go packages       | Yes                                       | No                                                      | See note*
Java packages     | Yes                                       | No                                                      | See note*
Python packages   | Yes                                       | No                                                      | See note*
Node.js packages  | Yes                                       | No                                                      | See note*
Ruby packages     | Yes                                       | No                                                      | See note*
Rust packages     | Yes                                       | No                                                      | See note*
.NET packages     | Yes                                       | No                                                      | See note*
PHP packages      | Yes                                       | No                                                      | See note*

* On-demand scanning identifies vulnerabilities in a subset of these language package types; see the on-demand scanning documentation for the current list.

Artifact Analysis only scans application language packages in Artifact Registry when the packages are containerized and stored in a Docker format repository. The other Artifact Registry repository formats aren't supported.

For more information on the features available for each registry product, view the comparison chart.

Artifact Analysis is not supported on Windows Server containers.

Artifact Analysis interfaces

In the Google Cloud console, you can view image vulnerabilities and image metadata for containers in Artifact Registry.

You can use the gcloud CLI to view vulnerabilities and image metadata.

You can also use the Artifact Analysis REST API to perform any of these actions. As with other Google Cloud APIs, you must authenticate access using OAuth2. After you have authenticated, you can also use the API to create custom notes and occurrences and to view vulnerability occurrences.

The Artifact Analysis API supports both gRPC and REST/JSON. You can make calls to the API either using the client libraries or using cURL for REST/JSON.

Control deployment of vulnerable images

You can use Binary Authorization to create a vulnerability allowlist based on the vulnerability information provided by Artifact Analysis as part of your Cloud Build pipeline. If the vulnerabilities violate the policy in the allowlist, the build fails.

You can also integrate Artifact Analysis with Binary Authorization to create attestations, which can prevent container images with known security issues from running in your deployment environment.
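The sections above describe the data a pipeline gate works from: one vulnerability occurrence per finding, keyed by a CVE or GHSA ID in the note name, carrying a distro-assigned effective severity alongside the base severity and a per-package fix-available flag. The following added example (not code from the Artifact Analysis documentation, Cloud Build or Binary Authorization) implements a simple policy over a list of such occurrences: fail when any vulnerability above an allowed severity has a fix available, unless its ID is allowlisted. Field names follow the Artifact Analysis v1 occurrence schema (`noteName`, `vulnerability.effectiveSeverity`, `vulnerability.severity`, `vulnerability.packageIssue[].fixAvailable`, `packageIssue[].affectedPackage`); the occurrences, package names and IDs below are constructed placeholders. To feed it real data, export occurrences as JSON, for example with `gcloud artifacts docker images list-vulnerabilities SCAN_ID --format=json` after an on-demand scan, or from the `projects.occurrences.list` API filtered on `kind = "VULNERABILITY"` and the image's `resourceUrl` for automatic scans.

```python
"""Gate a CI/CD step on Artifact Analysis vulnerability occurrences.

Added example, not code from Artifact Analysis, Cloud Build or Binary
Authorization. Occurrence field names follow the v1 API schema; the sample
occurrences are constructed and their IDs and package names are placeholders.
"""

# Severity values Artifact Analysis uses, ordered for threshold comparison.
SEVERITY_RANK = {"MINIMAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample: four occurrences for one image digest.
SAMPLE_OCCURRENCES = [
    {"noteName": "projects/goog-vulnz/notes/CVE-2099-0001", "kind": "VULNERABILITY",
     "vulnerability": {"severity": "CRITICAL", "effectiveSeverity": "CRITICAL",
                       "packageIssue": [{"affectedPackage": "libexample",
                                         "fixAvailable": True}]}},
    # Base severity CRITICAL, but the distro rates it HIGH and ships no fix yet.
    {"noteName": "projects/goog-vulnz/notes/CVE-2099-0002", "kind": "VULNERABILITY",
     "vulnerability": {"severity": "CRITICAL", "effectiveSeverity": "HIGH",
                       "packageIssue": [{"affectedPackage": "libother",
                                         "fixAvailable": False}]}},
    # Language package finding that has no CVE yet, so the note carries a GHSA ID.
    {"noteName": "projects/goog-vulnz/notes/GHSA-xxxx-yyyy-zzzz", "kind": "VULNERABILITY",
     "vulnerability": {"severity": "HIGH", "effectiveSeverity": "HIGH",
                       "packageIssue": [{"affectedPackage": "example-lang-pkg",
                                         "fixAvailable": True}]}},
    # Distro downgraded this one to LOW; it should not block by default.
    {"noteName": "projects/goog-vulnz/notes/CVE-2099-0003", "kind": "VULNERABILITY",
     "vulnerability": {"severity": "HIGH", "effectiveSeverity": "LOW",
                       "packageIssue": [{"affectedPackage": "libthird",
                                         "fixAvailable": True}]}},
]


def vuln_id(occurrence):
    """CVE or GHSA ID: the last segment of noteName (projects/.../notes/ID)."""
    return occurrence["noteName"].rsplit("/", 1)[-1]


def effective_severity(occurrence):
    """Prefer the distro-assigned effective severity, fall back to base severity."""
    vuln = occurrence["vulnerability"]
    return vuln.get("effectiveSeverity") or vuln.get("severity") or "MINIMAL"


def evaluate(occurrences, max_severity="MEDIUM", allowlist=(), require_fix=True):
    """Return (passed, findings).

    max_severity is the highest severity that is still allowed; anything
    above it blocks. With require_fix=True, unfixable findings are reported
    only when a fix exists (continuous analysis updates the occurrence, and
    therefore the gate result, when the distro ships one). allowlist holds
    CVE/GHSA IDs that have been risk-accepted.
    """
    threshold = SEVERITY_RANK[max_severity]
    allowed = {entry.upper() for entry in allowlist}
    findings = []
    for occ in occurrences:
        if occ.get("kind") != "VULNERABILITY":
            continue
        severity = effective_severity(occ)
        if SEVERITY_RANK.get(severity, 0) <= threshold:
            continue
        issues = occ["vulnerability"].get("packageIssue", [])
        fixable = any(issue.get("fixAvailable") for issue in issues)
        if require_fix and not fixable:
            continue
        ident = vuln_id(occ)
        if ident.upper() in allowed:
            continue
        packages = sorted({issue.get("affectedPackage", "?") for issue in issues})
        findings.append(f"{ident} {severity} fix_available={fixable} "
                        f"packages={','.join(packages)}")
    return (not findings), findings


if __name__ == "__main__":
    passed, findings = evaluate(SAMPLE_OCCURRENCES)
    print("PASS" if passed else "FAIL")
    for line in findings:
        print(" ", line)
```

Two caveats follow from the text above. Because an occurrence's ID changes from a GHSA ID to a CVE ID once one is assigned, an allowlist entry keyed on the GHSA ID stops matching at that point and the gate starts failing again; treat that as a prompt to re-review rather than a bug. And because occurrences are keyed by digest and refreshed by continuous analysis only for images pushed or pulled in the last 30 days, evaluate the exact digest you deploy and make sure it has been pulled recently enough for its metadata to be current.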

Vulnerability sources

The following section lists the vulnerability sources that Artifact Analysis uses to obtain CVE data.

OS package scans

Both automated and on-demand scanning support OS package vulnerability scanning for Linux distributions. Artifact Analysis uses the following sources:

Language package scans

Artifact Analysis supports vulnerability scanning for language packages within a container image. The vulnerability data is obtained from the GitHub Advisory Database.

In most cases, each vulnerability is assigned a CVE ID and this ID becomes the main identifier for that vulnerability. In cases where there is no CVE ID assigned to a vulnerability, a GHSA ID is assigned as identifier instead. If later on that vulnerability gets a CVE ID, then the vulnerability ID is updated to match the CVE. See Check for a specific vulnerability in a project for more information.

Supported versions

Artifact Analysis supports vulnerability scanning for the following versions:

  • Debian GNU/Linux - Versions: 9, 10, 11, 12
  • Ubuntu - Versions: 12.04, 12.10, 13.04, 14.04, 14.10, 15.04, 15.10, 16.04, 16.10, 17.04, 17.10, 18.04, 18.10, 20.04, 20.10, 21.04, 21.10, 22.04, 22.10, 23.04, 23.10, 24.04
  • Alpine Linux - Versions: 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20
  • CentOS - Versions: 6, 7, 8 and minor versions
  • Red Hat Enterprise Linux (RHEL) - Versions: 6, 7, 8, 9 and minor versions are supported for automatic registry scans.
  • Go - Artifact Analysis reports vulnerabilities for packages in the Go standard library, and external Go packages not included in the standard library. The vulnerabilities are reported with a different label for each type of package.
  • Java - Artifact Analysis supports Maven packages that follow the Maven naming conventions. If the package version includes spaces, it won't be scanned.
  • Python - Python version matching follows PEP 440 semantics.
  • Node.js - Package version matching follows the semantic versioning specification.
  • Ruby - Artifact Analysis scans RubyGems packages. See RubyGems semantic versioning.
  • Rust - Artifact Analysis scans Cargo packages. See Rust semantic versioning.
  • .NET - Artifact Analysis scans NuGet packages. See NuGet semantic versioning.
  • PHP - Artifact Analysis scans Composer packages. See Composer semantic versioning.

Limitations

  • Artifact Analysis delivers vulnerability scanning results for RHEL based on the latest minor version for each major version released. There may be inaccuracies in scanning results for older minor versions of RHEL.
  • RHEL Version 9 isn't supported for on-demand scanning.

What's next