手動掃描 OS 套件

本快速入門導覽課程說明如何提取容器映像檔,並使用 On-Demand Scanning API 手動掃描作業系統安全漏洞,以及擷取已識別的安全漏洞。如要完成本快速入門導覽,請使用 Cloud Shell 和 Ubuntu 範例映像檔。

事前準備

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the On-Demand Scanning API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the API

  5. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  6. Verify that billing is enabled for your Google Cloud project.

  7. Enable the On-Demand Scanning API.

    Roles required to enable APIs

    To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.

    Enable the API

  8. 下載及掃描圖片

    1. 在專案中開啟 Cloud Shell。

      開啟 Cloud Shell

      終端機隨即會開啟,並提供依本指南操作所需的所有工具。

    2. 使用 Docker 提取最新的 Ubuntu 映像檔。

      docker pull ubuntu:latest
      
    3. 執行掃描。

      gcloud artifacts docker images scan ubuntu:latest
      

      這會觸發掃描程序,並在完成時傳回掃描名稱:

      ✓ Scanning container image
        ✓ Locally extracting packages and versions from local container image
        ✓ Remotely initiating analysis of packages and versions
        ✓ Waiting for analysis operation to complete [projects/my-project/locations/us/operations/1a6fd941-b997-4e5f-ba4f-6351f30e7dad]
      Done.
      
      done: true
      metadata:
        '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata
        createTime: '2021-01-26T13:43:53.112123Z'
        resourceUri: ubuntu:latest
      name: projects/my-project/locations/us/operations/1a6fd941-b99f-4eaf-ba4f-6e5af30e7dad
      response:
        '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse
        scan: projects/my-project/locations/us/scans/893c91ce-7fe6-4f1a-a69a-d6ca1b465160
      
    4. 使用掃描名稱和輸出內容中的 scan 值,擷取掃描結果。

      gcloud artifacts docker images list-vulnerabilities \
      projects/my-project/locations/us/scans/893c91ce-7fe6-4f1a-a69a-d6ca1b465160
      

    清除所用資源

    如要避免系統向您的 Google Cloud 帳戶收取本頁所用資源的費用,請按照下列步驟操作。

    如果您是為了本指南建立新專案,現在可以刪除該專案。

    後續步驟