This document tells you how to enable and disable automatic scanning.
Artifact Analysis provides automated vulnerability scanning for container images in both Artifact Registry and Container Registry (Deprecated) through the Container Scanning API. Platform administrators and application developers can use the scan results to identify and mitigate risks to their software supply chain.
By default, Artifact Analysis scans all supported package types in your project when you enable the Container Scanning API. To lower costs and reduce noise in scanning findings, you can disable scanning on individual repositories. For more information, see Control scanning settings for an individual repository.
See the Pricing page for pricing information.
Limitations
The automatic scanning feature has the following limitations:
- Scanning isn't supported in Artifact Registry virtual repositories.
- Artifact Registry repositories must be in Docker format.
Enable the Container Scanning API
Artifact Analysis does not automatically scan images that are already in the registry when you enable the API. To get scan results for an existing image, push it again.
You can enable the Container Scanning API for an existing project, or create a new project and then enable the API. Enabling the Container Scanning API also enables the Container Analysis API for metadata storage and retrieval.
To enable vulnerability scanning for your project in Artifact Registry or Container Registry, complete the following steps:
Console
In the Google Cloud console, open the Enable access to API page for the Container Scanning API and click Enable.
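The same enablement from a script, as an added example that is not code from this page or from Google: it runs the gcloud command that enables the Container Scanning API, then checks the project's enabled-services listing for both that API and the Container Analysis API it pulls in, so a half-enabled project is caught before anyone relies on scan results. The gcloud CLI is assumed to be installed and authenticated, `PROJECT_ID` is a placeholder, the `config.name` field follows the Service Usage API listing as I know it, and the sample listing is constructed.

```python
"""Enable the Container Scanning API for a project and verify the result.

Added example; not code from the page or from Google. Assumes the gcloud CLI is
installed and authenticated. The `config.name` field of the services listing
follows the Service Usage API as I know it; the sample listing is constructed.
"""
from __future__ import annotations

import json
import subprocess
import sys

# Enabling Container Scanning also enables Container Analysis, which stores the
# scan metadata; both must show as enabled for results to be retrievable.
REQUIRED_APIS = (
    "containerscanning.googleapis.com",
    "containeranalysis.googleapis.com",
)

# Constructed sample of `gcloud services list --enabled --format=json` output,
# deliberately missing containeranalysis so the check has something to report.
SAMPLE_LISTING = json.dumps([
    {"name": "projects/123/services/artifactregistry.googleapis.com",
     "config": {"name": "artifactregistry.googleapis.com"}, "state": "ENABLED"},
    {"name": "projects/123/services/containerscanning.googleapis.com",
     "config": {"name": "containerscanning.googleapis.com"}, "state": "ENABLED"},
])


def gcloud(*args: str) -> str:
    """Run a gcloud command and return its stdout; raises on a non-zero exit."""
    return subprocess.run(["gcloud", *args], check=True,
                          capture_output=True, text=True).stdout


def enabled_services(listing_json: str) -> set[str]:
    """Extract the names of enabled services from the JSON listing."""
    names = set()
    for svc in json.loads(listing_json):
        if svc.get("state", "ENABLED") != "ENABLED":
            continue
        # Prefer config.name; fall back to the last path segment of the resource name.
        name = svc.get("config", {}).get("name") or svc.get("name", "").rsplit("/", 1)[-1]
        if name:
            names.add(name)
    return names


def missing_apis(enabled: set[str]) -> list[str]:
    """Required APIs that are not in the enabled set, in declaration order."""
    return [api for api in REQUIRED_APIS if api not in enabled]


def enable_scanning(project_id: str) -> list[str]:
    """Enable the Container Scanning API, then return any required API still missing."""
    gcloud("services", "enable", "containerscanning.googleapis.com",
           f"--project={project_id}")
    listing = gcloud("services", "list", "--enabled", "--format=json",
                     f"--project={project_id}")
    return missing_apis(enabled_services(listing))


if __name__ == "__main__":
    project = sys.argv[1] if len(sys.argv) > 1 else "PROJECT_ID"  # placeholder
    still_missing = enable_scanning(project)
    if still_missing:
        sys.exit(f"still not enabled: {', '.join(still_missing)}")
    print("Scanning enabled. Images already in the registry are not scanned "
          "until they are pushed again.")
```

Run it as `python enable_scanning.py my-project`; a non-zero exit means one of the two APIs did not come up, which is the case to investigate before pushing images and expecting findings.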
Control scanning settings for an individual repository
This section explains how to control the scanning settings for individual repositories. This feature is only supported in Artifact Registry.
By default, enabling the Container Scanning API activates scanning for all images you push to standard and remote Docker repositories in Artifact Registry. Scanning with Artifact Analysis provides comprehensive information about potential threats to your software supply chain. You can also disable scanning on individual repositories if needed.
You can disable scanning on repositories to:
- Manage your scanning costs within a project. You don't need to turn off scanning for an entire project, or create a new project to isolate repositories.
- Reduce the number of vulnerability findings you receive. You can focus on remediating vulnerabilities in specific repositories.
To change scanning settings for existing Artifact Registry repositories, see Update repositories.
To configure scanning settings for a new Artifact Registry repository, see Create standard repositories or Create remote repositories.
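Because scanning can be switched off per repository, and because a repository disabled that way stays excluded even after the Container Scanning API is disabled and re-enabled for the project, it is worth auditing what is actually scanned rather than trusting the project-level setting. The following is an added example, not code from this page or from Google: it reads the project's repository list and groups repositories into active, disabled, and unsupported (virtual repositories and non-Docker formats, per the limitations above). The field names `vulnerabilityScanningConfig.enablementConfig`, `enablementState`, `mode` and `format` follow the Artifact Registry Repository resource as I know it and should be checked against the current API reference; the gcloud CLI is assumed to be installed and authenticated, and the sample listing is constructed.

```python
"""Report which Artifact Registry repositories in a project are actually scanned.

Added example; not code from the page or from Google. Field names
(vulnerabilityScanningConfig.enablementConfig / enablementState, mode, format)
follow the Artifact Registry Repository resource as I know it: verify them
against the current API reference. Assumes gcloud is installed and authenticated.
"""
from __future__ import annotations

import json
import subprocess
import sys

# Constructed sample of `gcloud artifacts repositories list --format=json` output.
SAMPLE_REPOSITORIES = json.dumps([
    {"name": "projects/my-project/locations/us/repositories/apps",
     "format": "DOCKER", "mode": "STANDARD_REPOSITORY",
     "vulnerabilityScanningConfig": {"enablementConfig": "INHERITED",
                                     "enablementState": "SCANNING_ACTIVE"}},
    {"name": "projects/my-project/locations/us/repositories/dockerhub-mirror",
     "format": "DOCKER", "mode": "REMOTE_REPOSITORY",
     "vulnerabilityScanningConfig": {"enablementConfig": "DISABLED",
                                     "enablementState": "SCANNING_DISABLED"}},
    {"name": "projects/my-project/locations/us/repositories/all-images",
     "format": "DOCKER", "mode": "VIRTUAL_REPOSITORY"},
    {"name": "projects/my-project/locations/us/repositories/java-libs",
     "format": "MAVEN", "mode": "STANDARD_REPOSITORY"},
])


def classify_repositories(repos_json: str) -> dict[str, list[str]]:
    """Group repositories by their effective vulnerability-scanning state.

    active      - images pushed to the repository are scanned
    disabled    - enablementConfig=DISABLED was set on the repository; this
                  persists across disabling and re-enabling the project API
    unsupported - virtual repositories or non-Docker formats cannot be scanned
    unknown     - no scanning state reported (e.g. the API is off for the project)
    """
    buckets: dict[str, list[str]] = {"active": [], "disabled": [],
                                     "unsupported": [], "unknown": []}
    for repo in json.loads(repos_json):
        name = repo["name"].rsplit("/", 1)[-1]
        cfg = repo.get("vulnerabilityScanningConfig") or {}
        state = cfg.get("enablementState", "")
        config = cfg.get("enablementConfig", "")
        if (repo.get("mode") == "VIRTUAL_REPOSITORY"
                or repo.get("format") != "DOCKER"
                or state == "SCANNING_UNSUPPORTED"):
            buckets["unsupported"].append(name)
        elif config == "DISABLED" or state == "SCANNING_DISABLED":
            buckets["disabled"].append(name)
        elif state == "SCANNING_ACTIVE":
            buckets["active"].append(name)
        else:
            buckets["unknown"].append(name)
    return buckets


def list_repositories(project_id: str) -> str:
    """Return the JSON repository listing for the project (all locations)."""
    return subprocess.run(
        ["gcloud", "artifacts", "repositories", "list",
         f"--project={project_id}", "--format=json"],
        check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Usage: audit_scanning.py my-project   (no argument: run on the sample)
    source = list_repositories(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPOSITORIES
    report = classify_repositories(source)
    for bucket, names in report.items():
        print(f"{bucket:12} {', '.join(names) or '-'}")
    # Treat an explicitly disabled Docker repository as a finding: its images
    # get no vulnerability data, and nobody re-enabling the API will notice.
    sys.exit(1 if report["disabled"] else 0)
```

The non-zero exit on a disabled repository is a policy choice: if you disabled scanning on a mirror deliberately to cut cost, keep an allowlist and exclude it from the check rather than living with a permanently red job.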
Disable the Container Scanning API
This section explains how to disable vulnerability scanning for your project in Artifact Registry or Container Registry.
When you disable the Container Scanning API, scanning stops for all repositories in your project. Scanning settings for individual repositories are preserved. If you previously disabled scanning on some repositories, and later re-enable the API for your project, those repositories will remain excluded from scanning.
To update scanning settings for individual repositories, see Update repositories.
Console
Open the Settings page for Artifact Registry or for Container Registry in the Google Cloud console.
In the Vulnerability Scanning section, click Disable.
gcloud
Run the following command:
gcloud services disable containerscanning.googleapis.com
Extend your monitoring time window
Artifact Analysis continuously monitors the vulnerability metadata for scanned images in Artifact Registry and Container Registry (Deprecated). The default time window for continuous monitoring is 30 days. After this period an image is considered stale and its vulnerability scanning results are no longer updated, so vulnerabilities published later that affect the image don't appear in its findings.
To extend the monitoring window, you must pull or push the image within the 30-day period. We recommend creating a scheduled task to re-push containers that don't change often, for example, your Istio and proxy images.
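A scheduled task of that kind, as an added example that is not code from this page or from Google: it reads the JSON listing of images in a repository, selects every version whose last push is older than a threshold inside the 30-day window, and re-pushes each one with `crane copy REF REF`, which rewrites the manifest (and, for multi-platform images, the whole index) without changing content. The listing fields `package`, `version`, `tags`, `createTime` and `updateTime` follow the `gcloud artifacts docker images list --include-tags --format=json` output as I know it and should be checked against your gcloud version; the 25-day margin, the repository path, and the sample listing are assumptions or constructed; gcloud and crane are assumed to be installed and authenticated, and crane's behaviour when source and destination are the same reference is my understanding rather than something the page states.

```python
"""Re-push images whose Artifact Analysis results are about to go stale.

Added example; not code from the page or from Google. Reads the JSON from
`gcloud artifacts docker images list --include-tags --format=json` (fields
package, version, tags, updateTime, createTime, as I know them; verify against
your gcloud version) and re-pushes each stale image with `crane copy REF REF`.
The 25-day threshold, the repository path and the sample listing are
assumptions/constructed. Assumes gcloud and crane are installed and authenticated.
"""
from __future__ import annotations

import json
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

MONITORING_WINDOW_DAYS = 30  # Artifact Analysis stops updating results after this (from the page)
REPUSH_AFTER_DAYS = 25       # re-push with a margin before the window closes (assumption)

# Constructed sample listing; the digests are placeholders.
SAMPLE_LISTING = json.dumps([
    {"package": "us-docker.pkg.dev/my-project/infra/istio-proxy",
     "version": "sha256:" + "a" * 64, "tags": ["1.20.0"],
     "createTime": "2024-05-20T10:00:00.123456Z",
     "updateTime": "2024-05-20T10:00:00.123456Z"},
    {"package": "us-docker.pkg.dev/my-project/infra/app",
     "version": "sha256:" + "b" * 64, "tags": ["v2"],
     "createTime": "2024-06-25T08:30:00Z",
     "updateTime": "2024-06-25T08:30:00Z"},
    {"package": "us-docker.pkg.dev/my-project/infra/base",
     "version": "sha256:" + "c" * 64, "tags": [],
     "createTime": "2024-06-01T00:00:00.000000000Z",
     "updateTime": "2024-06-01T00:00:00.000000000Z"},
])
SAMPLE_NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)  # constructed "current" time


def parse_rfc3339(ts: str) -> datetime:
    """Parse gcloud's RFC 3339 timestamps; fractional seconds may have 0-9 digits."""
    ts = re.sub(r"\.\d+", "", ts).replace("Z", "+00:00")
    return datetime.fromisoformat(ts)


def stale_images(listing_json: str, now: datetime,
                 repush_after_days: int = REPUSH_AFTER_DAYS) -> list[str]:
    """Return refs of image versions last pushed at or before the threshold.

    Tagged versions come back as package:tag, untagged ones as package@digest,
    so every version the registry holds can be refreshed.
    """
    cutoff = now - timedelta(days=repush_after_days)
    refs: list[str] = []
    for img in json.loads(listing_json):
        last = parse_rfc3339(img.get("updateTime") or img["createTime"])
        if last > cutoff:
            continue  # still inside the window; nothing to do
        tags = img.get("tags") or []
        if isinstance(tags, str):  # some gcloud versions join tags with commas
            tags = [t for t in tags.split(",") if t]
        if tags:
            refs.extend(f"{img['package']}:{tag}" for tag in tags)
        else:
            refs.append(f"{img['package']}@{img['version']}")
    return refs


def refresh_command(ref: str) -> list[str]:
    """Copy the image onto itself: every blob already exists, so only the manifest is re-pushed."""
    return ["crane", "copy", ref, ref]


def list_images(repository_path: str) -> str:
    """JSON listing of all image versions under e.g. us-docker.pkg.dev/my-project/infra."""
    return subprocess.run(
        ["gcloud", "artifacts", "docker", "images", "list", repository_path,
         "--include-tags", "--format=json"],
        check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Usage: repush_stale.py us-docker.pkg.dev/my-project/infra [--dry-run]
    # With no repository argument the script runs against the constructed sample.
    dry_run = "--dry-run" in sys.argv
    args = [a for a in sys.argv[1:] if a != "--dry-run"]
    listing = list_images(args[0]) if args else SAMPLE_LISTING
    now = datetime.now(timezone.utc) if args else SAMPLE_NOW
    for ref in stale_images(listing, now):
        cmd = refresh_command(ref)
        print(" ".join(cmd))
        if args and not dry_run:
            subprocess.run(cmd, check=True)
```

Run it from Cloud Scheduler or a cron job more often than the margin (weekly is enough for a 25-day threshold), and run with `--dry-run` first to see which references it would touch. The reason for crane rather than `docker pull` followed by `docker push` is that Docker pulls only the host platform's manifest from a multi-platform index, so pushing the tag back would silently replace the index with a single-platform image.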