View build security insights

This page explains how to view security information about your Cloud Build builds using the Security insights side panel in the Google Cloud console.

The Security insights side panel provides a high-level overview of multiple security metrics. You can use the side panel to identify and mitigate risks in your build process.

This panel displays the following information:

• Supply-chain Levels for Software Artifacts (SLSA) Level: Identifies the maturity level of your software build process in accordance with the SLSA specification. For example, this build has achieved SLSA Level Level 3. You can click the Learn more link to learn what this security level means.
• Vulnerabilities: An overview of any vulnerabilities found in your artifacts, and the name of the image that Container Analysis has scanned. You can click the image name to view vulnerability details. For example, in the screenshot, you can click on java-guestbook-backend.
• Build details: Details of the build such as the builder and the link to view logs.
• Build provenance: Provenance for the build.

Enable vulnerability scanning

The Security insights panel displays data from Cloud Build and from Container Analysis. Container Analysis is a service that scans for vulnerabilities in OS, Java (Maven) and Go packages when you upload build artifacts to Artifact Registry.

You must enable vulnerability scanning to receive the complete set of Security insights results.

1. Enable the Container Scanning API to turn on vulnerability scanning.

   Enable the Container Scanning API

2. Execute a build and store your build artifact in Artifact Registry. Container Analysis automatically scans the build artifacts.

   Vulnerability scanning may take a few minutes, depending on the size of your build.

For more information on vulnerability scanning, see Automatic scanning.

There is a cost for scanning. See the Pricing page for pricing information.

Grant permissions to view insights

To view Security insights in Google Cloud console, you must have the following IAM roles, or a role with equivalent permissions. If Artifact Registry and Container Analysis are running in different projects, you must add the Container Analysis Occurrences Viewer role or equivalent permissions in the project where Container Analysis is running.

• Cloud Build Viewer (roles/cloudbuild.builds.viewer): View insights for a build.
• Container Analysis Viewer (roles/containeranalysis.occurrences.viewer): View vulnerabilities and other dependency information.

View the Security insights side panel

To view the Security insights panel:

1. Open the Build History page in the Google Cloud console:

   Open the Build History page

2. Select your project and click Open.

3. In the Region drop-down menu, select the region in which you ran your build.

4. Click on your latest build.

   You see the Build details page.

5. Click on the Build artifacts tab.

6. Locate the row with the container image you built and in the Security insights column, click View. This opens the Security insights side panel.

SLSA level

The SLSA level rates your build's current level of security assurance based on a collection of guidelines.

Vulnerabilities

The Vulnerabilities card displays the number of vulnerability occurrences that Container Analysis identifies in your build artifacts. Container Analysis supports scanning for container images pushed to Artifact Registry. The scans detect vulnerabilities in operating system packages, and in application packages created in Java (Maven) or Go.

Scanning results are organized by severity level. The severity level is a qualitative assessment based on exploitability, scope, impact, and maturity of the vulnerability.

Click the image name to see the artifacts that have been scanned for vulnerabilities.

Build

The Build card includes the following information:

• Logs - links to your build log information
• Builder - builder name
• Completed - time elapsed since the build completed
• Provenance - verifiable metadata about a build

Provenance metadata includes details such as the digests of the built images, the input source locations, the build toolchain, build steps, and the build duration. You can also validate build provenance at any time.

To ensure that your future builds include provenance information, configure Cloud Build to require that your images have provenance metadata.

Use Cloud Build with Software Delivery Shield

The Security insights side panel in Cloud Build is one component of the Software Delivery Shield solution. Software Delivery Shield is a fully-managed, end-to-end software supply chain security solution that helps you to improve the security posture of developer workflows and tools, software dependencies, CI/CD systems used to build and deploy your software, and runtime environments such as Google Kubernetes Engine and Cloud Run.

To learn how you can use Cloud Build with other components of Software Delivery Shield to improve the security posture of your software supply chain, see Software Delivery Shield overview.

What's next

• Learn how to use Software Delivery Shield.
• Learn software supply chain security best practices.
• Learn how to store and view build logs.
• Learn how to troubleshoot build errors.