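This quickstart shows you how to pull a container image, manually scan it with On-Demand Scanning, and retrieve identified vulnerabilities for system and Go packages. To follow this quickstart you will use Cloud Shell and an example Alpine image.
Before you begin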
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
  **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.

  [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)
- [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).
- Enable the On-Demand Scanning API.

  [Enable the API](https://console.cloud.google.com/flows/enableapi?apiid=ondemandscanning.googleapis.com&redirect=https://cloud.google.com/artifact-analysis/docs/quickstart-scanning-go-manually)

Download and scan an image

1. Open a Cloud Shell in your project.

   [Open Cloud Shell](https://console.cloud.google.com/?cloudshell=true)

   This opens a terminal with all the required tools to follow this guide.
2. Use docker to pull the container image:

       docker pull golang:1.17.6-alpine

3. Run the scan:

       gcloud artifacts docker images scan golang:1.17.6-alpine --additional-package-types=GO

   This triggers the scanning process and returns the scan name when finished:

   ```
   ✓ Scanning container image
     ✓ Locally extracting packages and versions from local container image
     ✓ Remotely initiating analysis of packages and versions
     ✓ Waiting for analysis operation to complete [projects/my-project/locations/us/operations/849db1f8-2fb2-4559-9fe0-8720d8cd347c]
   Done.
   done: true
   metadata:
     '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata
     createTime: '2022-01-11T16:58:11.711487Z'
     resourceUri: golang:1.16.13-alpine
   name: projects/my-project/locations/us/operations/f4adb1f8-20b2-4579-9fe0-8720d8cd347c
   response:
     '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse
     scan: projects/my-project/locations/us/scans/a54f12b0-ca2d-4d93-8da5-5cf48e9e20ef
   ```
4. Use the scan name, the value of `scan` from the output, to fetch the scan results:

       gcloud artifacts docker images list-vulnerabilities \
       projects/my-project/locations/us/scans/a54f12b0-ca2d-4d93-8da5-5cf48e9e20ef

   The output contains a list of Go, Go standard library, and Linux package vulnerabilities. The following labels indicate the type of Go vulnerabilities:

   - `packageType:GO_STDLIB`. Go standard library vulnerabilities. This indicates that the vulnerability was found either in the Go toolchain used to build the binary, or in the standard library bundled with the toolchain. A possible fix is to upgrade your build toolchain.
   - `packageType:GO`. Go package vulnerabilities. This indicates that the vulnerability was found in a third-party package. A possible fix is to upgrade your dependent modules.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

**Caution**: Deleting a project has the following effects:

- **Everything in the project is deleted.** If you used an existing project for the tasks in this document, when you delete it, you also delete any other work you've done in the project.
- **Custom project IDs are lost.** When you created this project, you might have created a custom project ID that you want to use in the future. To preserve the URLs that use the project ID, such as an `appspot.com` URL, delete selected resources inside the project instead of deleting the whole project.

If you plan to explore multiple architectures, tutorials, or quickstarts, reusing projects can help you avoid exceeding project quota limits.

1. In the Google Cloud console, go to the **Manage resources** page.

   [Go to Manage resources](https://console.cloud.google.com/iam-admin/projects)
2. In the project list, select the project that you want to delete, and then click **Delete**.
3. In the dialog, type the project ID, and then click **Shut down** to delete the project.

What's next

- [Explore all the Go package scanning options](/artifact-analysis/docs/scan-go-on-demand).
- [Understand container scanning concepts](/artifact-analysis/docs/container-scanning-overview).

Last updated 2025-09-03 UTC.
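
Steps 3 and 4 of "Download and scan an image" chained in one script, so the scan name is read from the scan output instead of being copied by hand and the findings are grouped by `packageType`. This is an added example, not part of the original quickstart: the function names are hypothetical, and the `packageType: <VALUE>` line layout of the `list-vulnerabilities` output and the sample findings are assumptions constructed for illustration.

```shell
# Print the value of `scan:` from the scan output on stdin; fail if it is absent.
scan_name_from_output() {
  awk '$1 == "scan:" { print $2; found = 1; exit } END { exit !found }'
}

# Count findings per packageType label (list-vulnerabilities output on stdin).
triage_by_package_type() {
  awk '
    { for (i = 1; i < NF; i++) if ($i == "packageType:") n[$(i + 1)]++ }
    END {
      for (k in n) if (k != "GO" && k != "GO_STDLIB") other += n[k]
      printf "GO_STDLIB=%d (upgrade the build toolchain)\n", n["GO_STDLIB"]
      printf "GO=%d (upgrade dependent modules)\n", n["GO"]
      printf "OTHER=%d (system packages)\n", other
    }'
}

# Live run of steps 2-4; needs docker, gcloud and the On-Demand Scanning API.
scan_and_triage() {
  docker pull "$1" || return 1
  scan_name="$(gcloud artifacts docker images scan "$1" \
    --additional-package-types=GO | scan_name_from_output)" || return 1
  gcloud artifacts docker images list-vulnerabilities "$scan_name" | triage_by_package_type
}

# The `scan:` line from the scan output shown in step 3 of the quickstart.
sample_scan_output() { cat <<'EOF'
  scan: projects/my-project/locations/us/scans/a54f12b0-ca2d-4d93-8da5-5cf48e9e20ef
EOF
}

# Constructed list-vulnerabilities sample; layout and package names are assumptions.
sample_vuln_output() { cat <<'EOF'
vulnerability:
  packageIssue:
  - affectedPackage: example.com/hypothetical/module
    packageType: GO
---
vulnerability:
  packageIssue:
  - affectedPackage: go
    packageType: GO_STDLIB
---
vulnerability:
  packageIssue:
  - affectedPackage: example-os-package
    packageType: OS
EOF
}
```

In Cloud Shell, `scan_and_triage golang:1.17.6-alpine` runs the live sequence; `sample_vuln_output | triage_by_package_type` exercises the grouping offline.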