本快速入門導覽課程說明如何提取容器映像檔,並使用 On-Demand Scanning API 手動掃描作業系統安全漏洞,以及擷取已識別的安全漏洞。如要完成本快速入門導覽,請使用 Cloud Shell 和 Ubuntu 範例映像檔。
事前準備
Sign in to your Google Cloud account. If you're new to
Google Cloud,
create an account to evaluate how our products perform in
real-world scenarios. New customers also get $300 in free credits to
run, test, and deploy workloads.
In the Google Cloud console, on the project selector page,
select or create a Google Cloud project.
[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["難以理解","hardToUnderstand","thumb-down"],["資訊或程式碼範例有誤","incorrectInformationOrSampleCode","thumb-down"],["缺少我需要的資訊/範例","missingTheInformationSamplesINeed","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2025-09-03 (世界標準時間)。"],[[["\u003cp\u003eThis guide demonstrates how to manually scan a container image for operating system vulnerabilities using the On-Demand Scanning API.\u003c/p\u003e\n"],["\u003cp\u003eThe process involves using Cloud Shell to pull a container image, exemplified by the latest Ubuntu image, using \u003ccode\u003edocker pull\u003c/code\u003e.\u003c/p\u003e\n"],["\u003cp\u003eThe \u003ccode\u003egcloud artifacts docker images scan\u003c/code\u003e command initiates the vulnerability scan of the pulled image, and returns a scan name for further actions.\u003c/p\u003e\n"],["\u003cp\u003eScan results are retrieved using the \u003ccode\u003egcloud artifacts docker images list-vulnerabilities\u003c/code\u003e command and the scan name from the previous scan.\u003c/p\u003e\n"],["\u003cp\u003eThis resource also provides information on enabling automated scanning and offers additional resources to understand container scanning concepts.\u003c/p\u003e\n"]]],[],null,["# Quickstart: Scan OS packages manually\n\nScan OS packages manually\n=========================\n\nThis quickstart shows you how to pull a container image, manually scan it for operating system vulnerabilities with\nthe On-Demand Scanning API, and retrieve identified vulnerabilities. To follow this\nquickstart you will use Cloud Shell and an example Ubuntu image.\n\nBefore you begin\n----------------\n\n- Sign in to your Google Cloud account. If you're new to Google Cloud, [create an account](https://console.cloud.google.com/freetrial) to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.\n- In the Google Cloud console, on the project selector page,\n select or create a Google Cloud project.\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n\n [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n\n\n Enable the On-Demand Scanning API.\n\n\n [Enable the API](https://console.cloud.google.com/flows/enableapi?apiid=ondemandscanning.googleapis.com&redirect=https://cloud.google.com/artifact-analysis/docs/quickstart-scanning-os-manually)\n\n- In the Google Cloud console, on the project selector page,\n select or create a Google Cloud project.\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n\n [Go to project selector](https://console.cloud.google.com/projectselector2/home/dashboard)\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n\n\n Enable the On-Demand Scanning API.\n\n\n [Enable the API](https://console.cloud.google.com/flows/enableapi?apiid=ondemandscanning.googleapis.com&redirect=https://cloud.google.com/artifact-analysis/docs/quickstart-scanning-os-manually)\n\nDownload and scan an image\n--------------------------\n\n1. Open a Cloud Shell in your project.\n\n [Open Cloud Shell](https://console.cloud.google.com/?cloudshell=true)\n\n This opens a terminal with all the required tools to follow this guide.\n2. Use docker to pull the latest Ubuntu image.\n\n docker pull ubuntu:latest\n\n3. Run the scan.\n\n gcloud artifacts docker images scan ubuntu:latest\n\n This triggers that scanning process and returns the scan name when finished: \n\n ```\n ✓ Scanning container image\n ✓ Locally extracting packages and versions from local container image\n ✓ Remotely initiating analysis of packages and versions\n ✓ Waiting for analysis operation to complete [projects/my-project/locations/us/operations/1a6fd941-b997-4e5f-ba4f-6351f30e7dad]\n Done.\n\n done: true\n metadata:\n '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata\n createTime: '2021-01-26T13:43:53.112123Z'\n resourceUri: ubuntu:latest\n name: projects/my-project/locations/us/operations/1a6fd941-b99f-4eaf-ba4f-6e5af30e7dad\n response:\n '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse\n scan: projects/my-project/locations/us/scans/893c91ce-7fe6-4f1a-a69a-d6ca1b465160\n ```\n4. Use the scan name, the value of `scan` from the output, to fetch the scan results.\n\n gcloud artifacts docker images list-vulnerabilities \\\n projects/my-project/locations/us/scans/893c91ce-7fe6-4f1a-a69a-d6ca1b465160\n\nClean up\n--------\n\n\nTo avoid incurring charges to your Google Cloud account for\nthe resources used on this page, follow these steps.\nIf you created a new project for this guide, you can now delete the project.\n\nWhat's next\n-----------\n\n- [Explore all the On-Demand Scanning API options](/artifact-analysis/docs/scan-os-on-demand).\n- [Enable automated scanning](/artifact-analysis/docs/scan-os-automatically).\n- [Understand container scanning concepts](/artifact-analysis/docs/container-scanning-overview)."]]
