Software vulnerabilities are weaknesses that can cause an accidental system failure or provide bad actors a means to compromise your software.
Artifact Analysis provides two kinds of OS scanning to find vulnerabilities in containers:
The On-Demand Scanning API allows you to manually scan container images for OS vulnerabilities, either locally on your computer or remotely in Container Registry or Artifact Registry.
The Container Scanning API allows you to automate OS vulnerability detection, scanning each time you push an image to Container Registry or Artifact Registry. Enabling this API also enables language package scans for Go and Java vulnerabilities.
See pricing to learn more about the costs associated with scanning container images.
Both automated and on-demand scanning support OS package vulnerability scanning for Linux distributions and obtains CVE data from the following sources:
- National Vulnerability Database
- Red Hat Enterprise Linux
- CentOS - Red Hat and CentOS share the same source of vulnerability data. Because CentOS packages are published after Red Hat packages, a fix available for a vulnerability in Red Hat may take some time to also be available for CentOS.
Supported Linux versions
Artifact Analysis supports vulnerability scanning for the following OS versions:
- Debian GNU/Linux - Versions: 9, 10, 11, 12
- Ubuntu - Versions: 12.04, 12.10, 13.04, 14.04, 14.10, 15.04, 15.10, 16.04, 16.10, 17.04, 17.10, 18.04, 18.10, 20.04, 20.10, 21.04, 21.10, 22.04, 22.10, 23.04, 23.10
- Alpine Linux - Versions: 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18
- CentOS - Versions: 6, 7, 8 and minor versions
- Red Hat Enterprise Linux (RHEL) - Versions: 6, 7, 8, 9 and minor versions are supported for automated registry scans.
- Artifact Analysis delivers vulnerability scanning results for RHEL based on the latest minor version for each major version released. There may be inaccuracies in scanning results for older minor versions of RHEL.
- RHEL Version 9 isn't supported for on-demand scanning.
Severity levels for vulnerabilities
Artifact Analysis uses the following severity levels:
The severity levels are qualitative labels that reflect factors such as exploitability, scope, impact, and maturity of the vulnerability. For example, if a vulnerability enables a remote user to easily access a system and run arbitrary code without authentication or user interaction, that vulnerability would be classified as Critical.
Two types of severity are associated with each vulnerability:
- Effective severity - The severity level assigned by the Linux distribution maintainer. If these severity levels are unavailable, Artifact Analysis uses the severity value from the note provider, (NVD). If NVD's CVSS v2 rating is unavailable, Artifact Analysis uses the CVSS v3 rating from NVD.
- CVSS score - The Common Vulnerability Scoring System score and associated severity level, with two scoring versions:
For a given vulnerability, the severity derived from a calculated CVSS score might not match the effective severity. You can determine the vulnerability score relevant for your project.
Default Artifact Analysis service account
Artifact Analysis analyzes your container images using a service account,
a special Google account that collects information about your images on your
behalf. The email for the Artifact Analysis service account is
account uses the Container Analysis Service Agent role.
If you enable vulnerability scanning, the Container Scanning API used by this
feature also uses a special Google account. The email for that service account
The account uses the Container Scanner Service Agent role.
You can view your project's service accounts via the IAM menu of the Google Cloud console.
Artifact Analysis interfaces
In the Google Cloud console, you can view image vulnerabilities and image metadata for containers in Artifact Registry.
You can use the gcloud CLI to view vulnerabilities and image metadata.
You can also use the Artifact Analysis REST API to perform any of these actions. As with other Cloud Platform APIs, you must authenticate access using OAuth2. After you have authenticated, you can use the API to create new notes and occurrences, view vulnerability occurrences, etc.
The Artifact Analysis API supports both gRPC and REST/JSON. You can make calls to the API either using the client libraries or using cURL for REST/JSON.
Controlling deployment of vulnerable images
Based on the vulnerability information provided by Artifact Analysis, you can use Binary Authorization to create a vulnerability allowlist as part of your Cloud Build pipeline. If the vulnerabilities violate the policy in the allowlist, the build fails.
Automatic scanning for Java and Go
Automatic language package scanning isn't supported in Container Registry. However, if you choose to transition to hosting your images from Container Registry to Artifact Registry, automatic language package scanning is supported. Learn more about transitioning to Artifact Registry.