Jump to Content
Security & Identity

Shift security left with on-demand vulnerability scanning

August 25, 2021
Brian Russell

Product Manager

Nikhil Kaul

Head of Product Marketing

Try Google Cloud

Start building on Google Cloud with $300 in free credits and 20+ always free products.

Free trial

Detection and remediation of security vulnerabilities before they reach deployment is critical in a cloud-native world. This makes scanning for vulnerabilities early and often an important part of continuous integration and delivery (CI/CD) processes. The earlier a problem is detected, the fewer downstream issues will occur. The process of checking for vulnerabilities earlier in development is called "shifting left". In fact, building security into software development also  speeds up  software delivery and performance. Thanks to shift-left, research from DevOps Research and Assessment (DORA) shows high-performing teams spend 50 percent less time remediating security issues than low-performing teams. 


To help companies accomplish a leftward shift in their security, Google Cloud recently launched On-Demand Scanning to general availability.  This new feature checks for vulnerabilities both in locally stored container images and images stored within GCP registries. With On-Demand Scanning, vulnerabilities can be surfaced as soon as  an image is built, well before the image is pushed to a registry. This early visibility makes it possible to automate decisions and determine whether a container image should be promoted for broad use. Thus, vulnerable images surfaced within a CI pipeline can be fixed before delivery. Additionally, developers can use On-Demand Scanning as part of their local workflows via a simple gcloud command. You can learn more about this and how to build trust in your software delivery pipeline by checking out our recent secure software supply chain event.

https://storage.googleapis.com/gweb-cloudblog-publish/images/On-Demand_Scanning.max-1000x1000.jpg

Previously, we wrote about the benefits of Google Cloud’s vulnerability scanning in the software supply chain, right from build to deploy. Those key benefits still apply, and are strengthened with the addition of On-Demand Scanning. For instance, you can continue to monitor images stored in Artifact Registry (via automated scanning) in addition to On-Demand Scanning at build time. By using On-Demand Scanning at this earlier stage, vulnerabilities can be detected before an image is stored. This way you can reduce the number of vulnerable images pushed and ensure any newly discovered vulnerabilities are caught well before deployment. 

The data sources for vulnerabilities come directly from the industry-standard distros (e.g. Debian, RHEL, Ubuntu) and the National Vulnerabilities Database (NVD). Aggregating these sources allows you to see results that include the CVSS score assigned by NVD, and the severity assigned by the distro. Once you’ve identified a potential vulnerability, you can make decisions based on your own security policies and needs.

Results returned by On-Demand Scanning are formatted to the open-source Grafeas standard, and can be parsed in the same way as vulnerability scanning in Artifact Registry. Thus, any existing tooling that consumes the Grafeas format (including Artifact Registry and Container Registry) can be used with On-Demand Scanning. 

To get started today, all you need to do is enable the On-Demand Scanning API and connect it to your container. For guidance, take a look at our quickstart guide to run On-Demand Scanning on any local machine or try the tutorial that describes how to use On-Demand Scanning with Cloud Build.

Posted in