Sign in to your Google Cloud account. If you're new to
Google Cloud,
create an account to evaluate how our products perform in
real-world scenarios. New customers also get $300 in free credits to
run, test, and deploy workloads.
In the Google Cloud console, on the project selector page,
select or create a Google Cloud project.
[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["難以理解","hardToUnderstand","thumb-down"],["資訊或程式碼範例有誤","incorrectInformationOrSampleCode","thumb-down"],["缺少我需要的資訊/範例","missingTheInformationSamplesINeed","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2025-09-03 (世界標準時間)。"],[[["\u003cp\u003eThis guide demonstrates how to manually scan a container image using On-Demand Scanning to identify vulnerabilities in both system and Maven packages.\u003c/p\u003e\n"],["\u003cp\u003eYou will use the Cloud Shell and an example Alpine image to pull a container image using docker, and then scan it using the \u003ccode\u003egcloud\u003c/code\u003e command.\u003c/p\u003e\n"],["\u003cp\u003eThe scanning process is triggered with the \u003ccode\u003egcloud artifacts docker images scan\u003c/code\u003e command, returning a scan name upon completion.\u003c/p\u003e\n"],["\u003cp\u003eThe scan results, including vulnerabilities for both Maven and Linux packages, can be retrieved using the scan name and the \u003ccode\u003egcloud artifacts docker images list-vulnerabilities\u003c/code\u003e command.\u003c/p\u003e\n"],["\u003cp\u003eInstructions are included to clean up resources and avoid incurring charges to your Google Cloud account by deleting the used project.\u003c/p\u003e\n"]]],[],null,["Scan Java packages manually This quickstart shows you how to pull a container image, manually scan it with\nOn-Demand Scanning, and retrieve identified vulnerabilities for system and Maven\npackages. To follow this quickstart you will use Cloud Shell and an example\nAlpine image.\n\nBefore you begin\n\n- Sign in to your Google Cloud account. If you're new to Google Cloud, [create an account](https://console.cloud.google.com/freetrial) to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.\n- In the Google Cloud console, on the project selector page,\n select or create a Google Cloud project.\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n\n [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n\n\n Enable the On-Demand Scanning API.\n\n\n [Enable the API](https://console.cloud.google.com/flows/enableapi?apiid=ondemandscanning.googleapis.com&redirect=https://cloud.google.com/artifact-analysis/docs/quickstart-scanning-java-manually)\n\n- In the Google Cloud console, on the project selector page,\n select or create a Google Cloud project.\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n\n [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n\n\n Enable the On-Demand Scanning API.\n\n\n [Enable the API](https://console.cloud.google.com/flows/enableapi?apiid=ondemandscanning.googleapis.com&redirect=https://cloud.google.com/artifact-analysis/docs/quickstart-scanning-java-manually)\n\nDownload and scan an image\n\n1. Open a Cloud Shell in your project.\n\n [Open Cloud Shell](https://console.cloud.google.com/?cloudshell=true)\n\n This opens a terminal with all the required tools to follow this guide.\n2. Use docker to pull the container image:\n\n docker pull jenkins:2.60.3-alpine\n\n3. Run the scan:\n\n gcloud artifacts docker images scan jenkins:2.60.3-alpine --additional-package-types=MAVEN\n\n This triggers that scanning process and returns the scan name when finished: \n\n ```\n ✓ Scanning container image \n ✓ Locally extracting packages and versions from local container image\n ✓ Remotely initiating analysis of packages and versions\n ✓ Waiting for analysis operation to complete [projects/my-project/locations/us/operations/1a6fd941-b997-4e5f-ba4f-6351f30e7dad]\n Done.\n\n done: true\n metadata:\n '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata\n createTime: '2021-01-26T13:43:53.112123Z'\n resourceUri: jenkins:2.60.3-alpine\n name: projects/my-project/locations/us/operations/1a6fd941-b99f-4eaf-ba4f-6e5af30e7dad\n response:\n '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse\n scan: projects/my-project/locations/us/scans/893c91ce-7fe6-4f1a-a69a-d6ca1b465160\n ```\n4. Use the scan name, the value of `scan` from the output, to fetch the scan results:\n\n gcloud artifacts docker images list-vulnerabilities \\\n projects/my-project/locations/us/scans/893c91ce-7fe6-4f1a-a69a-d6ca1b465160\n\n The output contains a list of Maven and Linux package vulnerabilities. Maven\n package vulnerabilities can be identified by the field `packageType:MAVEN`.\n\nClean up\n\n\nTo avoid incurring charges to your Google Cloud account for\nthe resources used on this page, follow these steps.\nIf you created a new project for this guide, you can now delete the project.\n\n\u003cbr /\u003e\n\n- Open the Settings page (found under IAM \\& Admin) in the Google Cloud console.\n\n [Open\n the Settings page](https://console.cloud.google.com/iam-admin/settings)\n\n \u003cbr /\u003e\n\n- Click **Select a project**.\n\n- Select a project you want to delete, and click **Open**.\n\n- Click **Shut down**.\n\n- Enter the Project ID, then click **Shut down**.\n\nWhat's next\n\n- [Explore all the Java package scanning options](/artifact-analysis/docs/scan-java-on-demand).\n- [Understand container scanning concepts](/artifact-analysis/docs/container-scanning-overview)."]]
