Scan Python packages automatically

Learn how to enable automatic scanning, push a container image on Artifact Registry, and see a list of any vulnerabilities found in the image.

Artifact Analysis scans for vulnerabilities each time an image is pushed to Artifact Registry. Platform administrators and application developers can use this automatic scanning feature to help identify risks in their software delivery pipeline.

This quickstart uses a simple publicly available package to demonstrate one type of package scanning. By default, Artifact Analysis scans for vulnerabilities in multiple package types once you enable the scanning API. Supported package types include: OS, Go, Java (Maven), Python and Node.js (npm).

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. Install the Google Cloud CLI.
  3. To initialize the gcloud CLI, run the following command:

    gcloud init
  4. Create or select a Google Cloud project.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  5. Make sure that billing is enabled for your Google Cloud project.

  6. Enable the Artifact Registry and Container Scanning APIs:

    gcloud services enable containerscanning.googleapis.com  artifactregistry.googleapis.com
  7. Install the Google Cloud CLI.
  8. To initialize the gcloud CLI, run the following command:

    gcloud init
  9. Create or select a Google Cloud project.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  10. Make sure that billing is enabled for your Google Cloud project.

  11. Enable the Artifact Registry and Container Scanning APIs:

    gcloud services enable containerscanning.googleapis.com  artifactregistry.googleapis.com

Create a Docker repository in Artifact Registry

Create a Docker repository to store the sample image for this quickstart.

  1. Open the Repositories page in the Google Cloud console.

    Open the Repositories page

  2. Click Create Repository.

  3. On the Create Repository page, input the following settings:

    • Name: quickstart-docker-repo
    • Format: Docker
    • Mode: Standard
    • Location type: Region
    • Region: us-central1
  4. Click Create.

You see the Repositories page. Your quickstart-docker-repo repository is added to the repository list.

Configure authentication

Before you can push or pull images with Artifact Registry, you must configure Docker to use the Google Cloud CLI to authenticate requests to Artifact Registry.

In the Cloud Shell or your local shell, set up authentication for Docker repositories in the region us-central1:

gcloud auth configure-docker us-central1-docker.pkg.dev

Obtain a package

  1. Change to a directory where you want to save your container image.

  2. Copy an image into your local directory. For example, you can use TensorFlow. This image contains Python and has some vulnerabilities.

This purpose of this guide is only to scan an image and view results. Prior knowledge of Tensorflow isn't required.

Run the following command to get the image:

docker pull amancevice/pandas:1.2.5-jupyter

Tag your package with a repository name

When you want to push a package to Artifact Registry, you need to configure the docker push command to push the image to a specific location.

Run the following command to tag the image as quickstart-image:tag1:

docker tag amancevice/pandas:1.2.5-jupyter \
us-central1-docker.pkg.dev/PROJECT/quickstart-docker-repo/quickstart-image:tag1

Where:

  • PROJECT is your Google Cloud project ID. If your project ID contains a colon (:), see Domain-scoped projects.
  • us-central1 is the Artifact Registry repository region.
  • docker.pkg.dev is the hostname for Docker repositories.
  • quickstart-image is the image name you want to use in the repository. The image name can be different than the local image name.
  • tag1 is a tag you're adding to the Docker image. If you didn't specify a tag, Docker will apply the default tag latest.

Push the image to Artifact Registry

Artifact Analysis automatically scans new Python packages in container images when they're uploaded to Artifact Registry.

To push your image to your Docker repository in Artifact Registry, run the following command:

docker push us-central1-docker.pkg.dev/PROJECT/quickstart-docker-repo/quickstart-image:tag1

Replace PROJECT with your Google Cloud project ID. If your project ID contains a colon (:), see Domain-scoped projects.

View vulnerability scanning results

To see the vulnerabilities in an image:

  1. Get the list of repositories.

    Open the Repositories page

  2. In the repositories list, click a repository.

  3. In the images list, click an image name.

    Vulnerability totals for each image digest are displayed in the Vulnerabilities column.

    Screenshot of an image with vulnerabilities

  4. To view the list of vulnerabilities for an image, click the link in the Vulnerabilities column.

    The Scan results section displays a summary of the package types scanned, total vulnerabilities, vulnerabilities with fixes available, vulnerabilities without fixes, and effective severity.

    Screenshot of the Scan Results section with vulnerabilities, fixes, and effective severity

    The table of vulnerabilities lists the Common Vulnerabilities and Exposures (CVE) name for each vulnerability found, the effective severity, Common Vulnerability Scoring System (CVSS) score, fixes (when available), the name of the package that contains the vulnerability, and the package type.

    You can filter and sort these files to check a specific file, directory, or type of file by file extension.

    Google Cloud console displays up to 1200 vulnerabilities in this table. If your image has more than 1200 vulnerabilities, you must use gcloud or the API to view the full list.

  5. For details about a specific CVE, click the CVE name.

  6. To view vulnerability occurrence details such as version number and affected location, click View or View Fixed in the row with the name of the vulnerability. The link text is View for vulnerabilities without a fix, and View Fixed for vulnerabilities where a fix has been applied.

Other ways to view results

The Google Cloud console displays up to 1200 vulnerabilities. If your image has more than 1200 vulnerabilities, you must use gcloud or the API to view the full list.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, delete the Google Cloud project with the resources.

If you created a new project for this guide, you can now delete the project.

  1. In the Google Cloud console, go to the Manage resources page.

    Go to Manage resources

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

What's next