See the pricing page for more information.
Best practices for keeping your costs low
When you enable the Container Scanning API, every new image you push will be automatically scanned. To keep your costs low, separate the container images you want to scan into a different project.
Set up a new Google Cloud project and enable the Container Scanning API for that project. This project will incur normal billing charges for Artifact Registry and Container Registry (Deprecated). Push the images you want to scan to this project.
Add the following steps in your CI/CD pipeline:
Add a tag corresponding to the Artifact Registry or Container Registry project where Container Scanning is enabled.
Push the images to the project.
Estimate your scanning costs
To calculate the approximate cost for the images in a project, estimate the number of images you push in a timeframe and multiply that number by the price per scan. You can do this by running a shell script in Cloud Shell.
Open a Cloud Shell in your project.
Click the Open Editor icon and create a new file
cost-estimation.sh
with the following content:#!/bin/bash # Replace with price from https://cloud.google.com/artifact-analysis/pricing PRICE='PRICE' # Replace with your project data GC_PROJECT='PROJECT_REPOSITORY' START_DATE='START_DATE' END_DATE='END_DATE' REGION=$(echo $GC_PROJECT | sed -n 's/\/.*//p') if [ -z "$REGION" ]; then printf "'GC_PROJECT' value must be a valid GCR or AR repository (e.g. gcr.io/corp-staging or us-central1-docker.pkg.dev/myproj/myrepo" exit 1 fi IFS=$'\n' FILTER="timestamp.date('%Y-%m-%d', Z)>'$START_DATE' AND timestamp.date('%Y-%m-%d', Z)<'$END_DATE'" images=$( gcloud container images list --repository="$GC_PROJECT" | sed -n "/$REGION/p" | sed 's/NAME: //' ) num_images=$(echo $images | wc -w) printf "Using gcloud to filter $num_images images from $START_DATE to $END_DATE (takes about 1 second per image)\n\n" total_digests=0 for image in $images; do printf "querying $image\n" image_digests=$( gcloud container images list-tags --filter="$FILTER" "$image" 2> >(sed "s/Listed 0 items.//" | sed -n "/.\+/p" >&2) | wc -l) if [[ "$image_digests" -gt 1 ]]; then total_digests=$(( total_digests + $image_digests - 1 )) fi done total_price=$( python -c "print($total_digests * $PRICE)" ) echo '' echo "Number of images: $total_digests" echo "Estimated cost: $total_price"
Replace the following:
PRICE
: the price for automatic vulnerability scanning found in Pricing.PROJECT_REPOSITORY
: your project repository. For example,gcr.io/corp-staging
.START_DATE
: the starting date for the period to estimate, inY-m-d
format. For example,2020-03-01
.END_DATE
: the end date for the period to estimate, inY-m-d
format. For example,2020-03-31
.
Run the script:
bash cost-estimation.sh
It shows the total number of images and the total estimated cost:
Number of images: 53 Estimated cost: 13.78
This is only an estimation, the actual cost may change due to other factors, for example:
Pushing the same image to different multi-regions in the same project does not generate additional costs.
Pushing the same image to two different repositories within two different projects does not generate additional costs.
Check current vulnerability scanning costs
You can see this information in your billing report.
What's next
- Learn more about vulnerability scanning.