Scan Java packages automatically

Learn how to enable automatic scanning, push a container image on Artifact Registry, and see a list of any vulnerabilities found in the image.

Artifact Analysis scans for vulnerabilities each time an image is pushed to Artifact Registry. Platform administrators and application developers can use this automatic scanning feature to help identify risks in their software delivery pipeline.

This quickstart uses a simple publicly available package to demonstrate one type of package scanning. By default, Artifact Analysis scans for vulnerabilities in multiple package types once you enable the scanning API. Supported package types include: OS, Go, Java (Maven), Python and Node.js (npm).

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. Install the Google Cloud CLI.
  3. To initialize the gcloud CLI, run the following command:

    gcloud init
  4. Create or select a Google Cloud project.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  5. Make sure that billing is enabled for your Google Cloud project.

  6. Enable the Artifact Registry and Container Scanning APIs:

    gcloud services enable containerscanning.googleapis.com artifactregistry.googleapis.com

Artifact Analysis does not automatically scan existing images. To scan an existing image, you must push it again.

Create a Docker repository in Artifact Registry

Create a Docker repository to store the sample image for this quickstart.

  1. Open the Repositories page in the Google Cloud console.

  2. Click Create Repository.

  3. On the Create Repository page, input the following settings:

    • Name: quickstart-docker-repo
    • Format: Docker
    • Mode: Standard
    • Location type: Region
    • Region: us-central1
  4. Click Create.

You see the Repositories page. Your quickstart-docker-repo repository is added to the repository list.

Configure authentication

Before you can push or pull images with Artifact Registry, you must configure Docker to use the Google Cloud CLI to authenticate requests to Artifact Registry.

In the Cloud Shell or your local shell, set up authentication for Docker repositories in the region us-central1:

gcloud auth configure-docker us-central1-docker.pkg.dev

Obtain a package

  1. Change to a directory where you want to save your container image.

  2. Copy an image into your local directory. For example, you can use Docker to pull a Jenkins image, pinned to a specific tag, from Docker Hub.

    docker pull jenkins:2.60.3-alpine
    

Tag your package with a repository name

When you want to push a package to Artifact Registry, you need to configure the docker push command to push the image to a specific location.

Run the following command to tag the image as quickstart-image:tag1:

docker tag jenkins:2.60.3-alpine \
us-central1-docker.pkg.dev/PROJECT/quickstart-docker-repo/quickstart-image:tag1

Where

  • PROJECT is your Google Cloud project ID. If your project ID contains a colon (:), see Domain-scoped projects.
  • us-central1 is the Artifact Registry repository region.
  • docker.pkg.dev is the hostname for Docker repositories.
  • quickstart-image is the image name you want to use in the repository. The image name can be different than the local image name.
  • tag1 is a tag you're adding to the Docker image. If you didn't specify a tag, Docker will apply the default tag latest.

Push the image to Artifact Registry

Artifact Analysis automatically scans new images when they're uploaded to Artifact Registry.

To push the image to your Docker repository in Artifact Registry, run the following command:

docker push us-central1-docker.pkg.dev/PROJECT/quickstart-docker-repo/quickstart-image:tag1

Replace PROJECT with your Google Cloud project ID. If your project ID contains a colon (:), see Domain-scoped projects.

View vulnerability scanning results

To see the vulnerabilities in an image:

  1. Open the Repositories page in the Google Cloud console to get the list of repositories.

  2. In the repositories list, click a repository.

  3. In the images list, click an image name.

    Vulnerability totals for each image digest are displayed in the Vulnerabilities column.

  4. To view the list of vulnerabilities for an image, click the link in the Vulnerabilities column.

    The Scan results section displays a summary of the package types scanned, total vulnerabilities, vulnerabilities with fixes available, vulnerabilities without fixes, and effective severity.

    The table of vulnerabilities lists the Common Vulnerabilities and Exposures (CVE) name for each vulnerability found, the effective severity, Common Vulnerability Scoring System (CVSS) score, fixes (when available), the name of the package that contains the vulnerability, and the package type.

    You can filter and sort these files to check a specific file, directory, or type of file by file extension.

    Google Cloud console displays up to 1200 vulnerabilities in this table. If your image has more than 1200 vulnerabilities, you must use gcloud or the API to view the full list.

  5. For details about a specific CVE, click the CVE name.

  6. To view vulnerability occurrence details such as version number and affected location, click View or View Fixed in the row with the name of the vulnerability. The link text is View for vulnerabilities without a fix, and View Fixed for vulnerabilities where a fix has been applied.
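When the image has more findings than the console table shows, the same Scan results summary can be rebuilt from exported occurrence data, for example JSON saved from `gcloud artifacts docker images describe IMAGE --show-package-vulnerability --format=json`. The following is an added example, not part of the original quickstart: the function names are hypothetical, the field names assume the Grafeas v1 occurrence schema, and the sample data is constructed.

```python
import json
from collections import Counter

# Constructed sample, not real scan output. Field names follow the Grafeas v1
# occurrence schema (assumption); the CVE ids and packages are placeholders.
SAMPLE = json.loads("""
{"vulnerabilities": {
  "CRITICAL": [{"kind": "VULNERABILITY", "noteName": "projects/example/notes/CVE-0000-0001",
    "vulnerability": {"effectiveSeverity": "CRITICAL", "packageIssue": [
      {"affectedPackage": "org.example:lib-a", "packageType": "MAVEN", "fixAvailable": true}]}}],
  "MEDIUM": [{"kind": "VULNERABILITY", "noteName": "projects/example/notes/CVE-0000-0002",
    "vulnerability": {"effectiveSeverity": "MEDIUM", "packageIssue": [
      {"affectedPackage": "examplelibc", "packageType": "OS", "fixAvailable": false}]}},
   {"kind": "VULNERABILITY", "noteName": "projects/example/notes/CVE-0000-0003",
    "vulnerability": {"effectiveSeverity": "MEDIUM", "packageIssue": [
      {"affectedPackage": "org.example:lib-b", "packageType": "MAVEN"}]}}],
  "discovery": [{"kind": "DISCOVERY"}]}}
""")

def iter_vulns(node):
    """Yield each VULNERABILITY occurrence, wherever the export nests it."""
    if isinstance(node, dict):
        if node.get("kind") == "VULNERABILITY" and "vulnerability" in node:
            yield node
        else:
            for child in node.values():
                yield from iter_vulns(child)
    elif isinstance(node, list):
        for child in node:
            yield from iter_vulns(child)

def summarize(doc, package_type=None):
    """Totals, fix availability and effective severity, optionally for one package type."""
    total = with_fix = 0
    by_severity, by_type = Counter(), Counter()
    for occ in iter_vulns(doc):
        vuln = occ["vulnerability"]
        issues = vuln.get("packageIssue", [])
        if package_type and all(i.get("packageType") != package_type for i in issues):
            continue
        total += 1
        with_fix += any(i.get("fixAvailable") for i in issues)
        by_severity[vuln.get("effectiveSeverity", "SEVERITY_UNSPECIFIED")] += 1
        by_type.update({i.get("packageType", "UNKNOWN") for i in issues})
    return {"total": total, "with_fix": with_fix, "without_fix": total - with_fix,
            "by_severity": dict(by_severity), "by_package_type": dict(by_type)}

def passes_gate(summary, blocked=("CRITICAL", "HIGH")):
    """True when no finding has a blocked effective severity."""
    return not any(summary["by_severity"].get(sev) for sev in blocked)
```

Calling `summarize(doc, package_type="MAVEN")` restricts the summary to Java (Maven) findings, and `passes_gate` turns it into a pass/fail decision for a pipeline step.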

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, delete the Google Cloud project with the resources.

If you created a new project for this guide, you can now delete the project.

  1. In the Google Cloud console, go to the Manage resources page.

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

What's next