This page explains how to generate and store a software bill of materials (SBOM) that lists the dependencies in a container image.
Once a container image is stored in Artifact Registry and has been scanned for vulnerabilities by Artifact Analysis, you can generate an SBOM for it with the Google Cloud CLI.
Artifact Analysis stores the SBOM in Cloud Storage. For more information about Cloud Storage costs, see Pricing.
Before you begin
- Sign in to your Google Account. If you don't already have one, sign up for a new account.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
  Roles required to select or create a project:
  - Select a project: Selecting a project doesn't require a specific IAM role; you can select any project that you've been granted a role on.
  - Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
- Verify that billing is enabled for your Google Cloud project.
- Enable the Artifact Registry, Container Analysis, and Container Scanning APIs.
  Roles required to enable APIs: To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
- Install the Google Cloud CLI.
- If you use an external identity provider (IdP), first sign in to the gcloud CLI with a federated identity.
- To initialize the gcloud CLI, run the following command:
  gcloud init
- Create a Docker repository in Artifact Registry and push a container image to it. If you are new to Artifact Registry, see the Docker quickstart.
- URI is the Artifact Registry URI of the image that the SBOM file describes, similar to us-east1-docker.pkg.dev/my-image-repo/my-image. The image can be given in tag format or digest format; an image given in tag format is resolved to its digest. Because a tag can later be moved to a different image, note the digest the export resolved to so you know which image build the SBOM describes.
Required roles
To get the permissions that you need to manage Cloud Storage buckets and upload SBOM files, ask your administrator to grant you the Storage Admin (roles/storage.admin) IAM role on the project. For more information about granting roles, see Manage access to projects, folders, and organizations.
Generate an SBOM file
To generate an SBOM file, run the following command:
gcloud artifacts sbom export --uri=URI
where URI is the Artifact Registry image URI that the SBOM describes, in tag or digest format.
Artifact Analysis stores the SBOM in Cloud Storage.
You can view the SBOM with the Google Cloud console or the gcloud CLI. To find the Cloud Storage bucket that contains the SBOM, search for the SBOM with the gcloud CLI.
Generate an SBOM without vulnerability scanning
If you want an SBOM but do not want continuous vulnerability scanning in your project, you can still export one, provided the Container Scanning API is enabled before you push the image to Artifact Registry. After you push the image and export the SBOM, disable the Container Scanning API so that you are not billed for subsequent vulnerability scans.
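The export and the one-off "enable, push, export, disable" sequence above, as an added shell example that is not part of the Google Cloud documentation. It pins a tagged image to its digest before exporting, so the SBOM is tied to an immutable reference, and it refuses URIs that are not Artifact Registry image URIs. The project ID, repository, image name and tag are placeholders; `gcloud artifacts docker images describe ... --format='value(image_summary.digest)'` is used for the tag-to-digest lookup, and the `--resource` flag on `gcloud artifacts sbom list` is assumed to be the way to locate the exported SBOM. With `DRY_RUN=1` the script prints the commands instead of running them, so it can be exercised without a project.

```shell
#!/bin/sh
# Added example (not from the Google Cloud documentation): export an SBOM for an
# Artifact Registry image, pinning a tag to its digest first.
# Assumptions: gcloud and docker are installed and authenticated; the project ID,
# repository, image name and tag are placeholders. Set DRY_RUN=1 to print the
# commands instead of running them.

# LOCATION-docker.pkg.dev/PROJECT/REPO/IMAGE with an optional :TAG or @sha256:DIGEST.
AR_URI_RE='^[a-z0-9-]+-docker\.pkg\.dev/[^/@:]+/[^/@:]+/[^@:]+(:[^@/]+|@sha256:[0-9a-f]{64})?$'

validate_ar_uri() {
  printf '%s\n' "$1" | grep -Eq "$AR_URI_RE"
}

is_digest_pinned() {
  case "$1" in
    *@sha256:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Run a command, or print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Return the @sha256 form of an image reference. A tag can be moved to another
# image later; the digest cannot, so it is what the SBOM should be recorded against.
pin_to_digest() {
  uri="$1"
  if is_digest_pinned "$uri"; then
    printf '%s\n' "$uri"
    return 0
  fi
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$uri"   # no registry lookup in dry-run mode; pass the tag through
    return 0
  fi
  digest="$(gcloud artifacts docker images describe "$uri" \
            --format='value(image_summary.digest)')" || return 1
  printf '%s@%s\n' "${uri%%:*}" "$digest"
}

# Export the SBOM, then locate the Cloud Storage object Artifact Analysis wrote for it.
export_sbom() {
  if ! validate_ar_uri "$1"; then
    printf 'not an Artifact Registry image URI: %s\n' "$1" >&2
    return 1
  fi
  pinned="$(pin_to_digest "$1")" || return 1
  run gcloud artifacts sbom export --uri="$pinned"
  run gcloud artifacts sbom list --resource="$pinned"
}

# One-off SBOM without leaving vulnerability scanning on: enable the Container
# Scanning API before the push, export, then disable the API again.
one_off_sbom() {
  project="$1"
  uri="$2"
  run gcloud services enable containerscanning.googleapis.com --project="$project"
  run docker push "$uri"
  export_sbom "$uri"
  run gcloud services disable containerscanning.googleapis.com --project="$project"
}

# Usage: DRY_RUN=1 sh sbom_export.sh my-project us-east1-docker.pkg.dev/my-project/my-repo/my-image:v1.2
if [ $# -eq 2 ]; then
  one_off_sbom "$1" "$2"
fi
```

Run it first with `DRY_RUN=1` to review the exact commands; then run it without the variable in a project where billing and the three APIs are enabled. The `sbom list` call is what tells you which Cloud Storage bucket and object the export landed in.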