Scan Go packages automatically
Learn how to enable automatic scanning, push a container image on Artifact Registry, and see a list of any vulnerabilities found in the image.
Artifact Analysis scans for vulnerabilities each time an image is pushed to Artifact Registry. Platform administrators and application developers can use this automatic scanning feature to help identify risks in their software delivery pipeline.
This quickstart uses a simple publicly available package to demonstrate one type of package scanning. By default, Artifact Analysis scans for vulnerabilities in multiple package types once you enable the scanning API. Supported package types include: OS, Go, Java (Maven), Python and Node.js (npm).
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- Install the Google Cloud CLI.
- To initialize the gcloud CLI, run the following command:
gcloud init
- Create or select a Google Cloud project.
  - Create a Google Cloud project:
gcloud projects create PROJECT_ID
Replace PROJECT_ID with a name for the Google Cloud project you are creating.
  - Select the Google Cloud project that you created:
gcloud config set project PROJECT_ID
Replace PROJECT_ID with your Google Cloud project name.
- Make sure that billing is enabled for your Google Cloud project.
- Enable the Artifact Registry and Container Scanning APIs:
gcloud services enable containerscanning.googleapis.com artifactregistry.googleapis.com
Artifact Analysis does not automatically scan existing images. To scan an existing image, you must push it again.
Create a Docker repository in Artifact Registry
Create a Docker repository to store the sample image for this quickstart.
Open the Repositories page in the Google Cloud console.
Click Create Repository.
On the Create Repository page, input the following settings:
- Name: quickstart-docker-repo
- Format: Docker
- Mode: Standard
- Location type: Region
- Region: us-central1
Click Create.
You see the Repositories page. Your quickstart-docker-repo repository is added to the repository list.
Configure authentication
Before you can push or pull images with Artifact Registry, you must configure Docker to use the Google Cloud CLI to authenticate requests to Artifact Registry.
In the Cloud Shell or your local shell, set up authentication for Docker repositories in the region us-central1:
gcloud auth configure-docker us-central1-docker.pkg.dev
Obtain a package
Change to a directory where you want to save your container image.
Copy an image into your local directory. For example, you can use Docker to pull the latest Go image from Docker Hub.
docker pull golang:1.17.6-alpine
Tag your package with a repository name
When you want to push a package to Artifact Registry, you need to configure the docker push command to push the image to a specific location.
Run the following command to tag the image as quickstart-image:tag1:
docker tag golang:1.17.6-alpine us-central1-docker.pkg.dev/PROJECT/quickstart-docker-repo/quickstart-image:tag1
Where:
- PROJECT is your Google Cloud project ID. If your project ID contains a colon (:), see Domain-scoped projects.
- us-central1 is the Artifact Registry repository region.
- docker.pkg.dev is the hostname for Docker repositories.
- quickstart-image is the image name you want to use in the repository. The image name can be different than the local image name.
- tag1 is a tag you're adding to the Docker image. If you didn't specify a tag, Docker will apply the default tag latest.
Push the image to Artifact Registry
Artifact Analysis automatically scans new Go packages when they're uploaded to Artifact Registry.
To push your image to your Docker repository in Artifact Registry, run the following command:
docker push us-central1-docker.pkg.dev/PROJECT/quickstart-docker-repo/quickstart-image:tag1
Replace PROJECT with your Google Cloud project ID. If your project ID contains a colon (:), see Domain-scoped projects.
View vulnerability scanning results
To see the vulnerabilities in an image:
Get the list of repositories.
In the repositories list, click a repository.
In the images list, click an image name.
Vulnerability totals for each image digest are displayed in the Vulnerabilities column.
To view the list of vulnerabilities for an image, click the link in the Vulnerabilities column.
The Scan results section displays a summary of the package types scanned, total vulnerabilities, vulnerabilities with fixes available, vulnerabilities without fixes, and effective severity.
The table of vulnerabilities lists the Common Vulnerabilities and Exposures (CVE) name for each vulnerability found, the effective severity, Common Vulnerability Scoring System (CVSS) score, fixes (when available), the name of the package that contains the vulnerability, and the package type.
You can filter and sort these files to check a specific file, directory, or type of file by file extension.
Google Cloud console displays up to 1200 vulnerabilities in this table. If your image has more than 1200 vulnerabilities, you must use gcloud or the API to view the full list.
For details about a specific CVE, click the CVE name.
To view vulnerability occurrence details such as version number and affected location, click View or View Fixed in the row with the name of the vulnerability. The link text is View for vulnerabilities without a fix, and View Fixed for vulnerabilities where a fix has been applied.
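The steps above, from enabling the APIs through pushing the image, scripted end to end, and with the scan results read through gcloud rather than the console (the route you also need once an image has more than 1200 findings). This is an added example, not part of the Google Cloud quickstart; it assumes gcloud and docker are installed and signed in, and the project ID, image name and tag are whatever you pass in.

```shell
#!/bin/sh
# Added example, not part of the Google Cloud quickstart itself: scripts the steps
# above end to end and reads the scan results with gcloud instead of the console,
# which is also the route to the full list once an image has more than 1200 findings.
# Assumes gcloud and docker are installed and you are signed in; the project ID,
# image name and tag are whatever you pass in (placeholders below are constructed).
set -eu

REGION="us-central1"
REPO="quickstart-docker-repo"
HOST="${REGION}-docker.pkg.dev"

# Build the full Artifact Registry reference for an image. A domain-scoped project
# ID (example.com:my-project) uses a slash instead of the colon in the repository
# path, which is the "Domain-scoped projects" case the tagging step refers to.
image_ref() {
  project_path=$(printf '%s' "$1" | tr ':' '/')
  printf '%s/%s/%s/%s:%s\n' "$HOST" "$project_path" "$REPO" "${2:-quickstart-image}" "${3:-tag1}"
}

run_quickstart() {
  project="$1"
  ref=$(image_ref "$project")
  # Both APIs are needed: the registry to hold the image, scanning to analyse it.
  gcloud services enable containerscanning.googleapis.com \
    artifactregistry.googleapis.com --project "$project"
  # Create the Docker repository only if it is not already there, so reruns are safe.
  gcloud artifacts repositories describe "$REPO" --location "$REGION" \
    --project "$project" >/dev/null 2>&1 ||
    gcloud artifacts repositories create "$REPO" --repository-format=docker \
      --location "$REGION" --project "$project"
  gcloud auth configure-docker "$HOST" --quiet

  docker pull golang:1.17.6-alpine
  docker tag golang:1.17.6-alpine "$ref"
  # The push is what triggers the scan; an image already in the repository is not
  # rescanned unless it is pushed again.
  docker push "$ref"

  # Results are asynchronous, so allow a short wait (assumed sufficient here) before
  # reading the per-package vulnerability occurrences the console table shows.
  sleep 60
  gcloud artifacts docker images describe "$ref" --show-package-vulnerability --format=json
}

# Usage: sh quickstart.sh run PROJECT_ID  (nothing runs unless "run" is given)
if [ "${1:-}" = "run" ]; then
  run_quickstart "${2:?PROJECT_ID required}"
fi
```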
Clean up
To avoid incurring charges to your Google Cloud account for the resources used on this page, delete the Google Cloud project with the resources.
If you created a new project for this guide, you can now delete the project.
- In the Google Cloud console, go to the Manage resources page.
- In the project list, select the project that you want to delete, and then click Delete.
- In the dialog, type the project ID, and then click Shut down to delete the project.