手动扫描操作系统软件包
本快速入门介绍了如何拉取容器映像,使用 On-Demand Scanning API 手动扫描该映像以查找操作系统漏洞,以及检索已识别的漏洞。如需按照本快速入门中的说明操作,您需要使用 Cloud Shell 和 Ubuntu 示例映像。
准备工作
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
Enable the On-Demand Scanning API.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
Enable the On-Demand Scanning API.
下载并扫描图片
在项目中打开 Cloud Shell。
这会打开一个终端,其中包含按照本指南操作所需的所有工具。
使用 docker 拉取最新的 Ubuntu 映像。
docker pull ubuntu:latest运行扫描。
gcloud artifacts docker images scan ubuntu:latest这会触发该扫描流程,并在完成后返回扫描名称:
✓ Scanning container image ✓ Locally extracting packages and versions from local container image ✓ Remotely initiating analysis of packages and versions ✓ Waiting for analysis operation to complete [projects/my-project/locations/us/operations/1a6fd941-b997-4e5f-ba4f-6351f30e7dad] Done. done: true metadata: '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata createTime: '2021-01-26T13:43:53.112123Z' resourceUri: ubuntu:latest name: projects/my-project/locations/us/operations/1a6fd941-b99f-4eaf-ba4f-6e5af30e7dad response: '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse scan: projects/my-project/locations/us/scans/893c91ce-7fe6-4f1a-a69a-d6ca1b465160
使用扫描名称(输出中的
scan值)提取扫描结果。gcloud artifacts docker images list-vulnerabilities \ projects/my-project/locations/us/scans/893c91ce-7fe6-4f1a-a69a-d6ca1b465160
清理
为避免因本页中使用的资源导致您的 Google Cloud 账号产生费用,请按照以下步骤操作。
如果您为本指南创建了一个新项目,现在可以删除该项目了。