In this quickstart you will use Google Cloud Console and Cloud Shell to:
- Create a new project.
- Create a new Docker repository.
- Push an image to the repository.
- Scan the image.
- See a list of vulnerabilities found in the image by the scan.
Before you begin
- Sign in to your Google Account. If you don't already have one, sign up for a new account.
- In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.
- Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.
- Enable the Container Scanning and Artifact Registry APIs.
Create a Docker repository
To add a new repository to your project:
Open the Repositories page in the Cloud Console.
Click Create Repository.
Specify quickstart-analysis as the repository name.
Choose Docker as the format.
Under Location Type, select Region and then choose the location us-central1.
Click Create.
The repository is added to the repository list.
Configure Docker authentication
To interact with Artifact Registry repositories with Docker, you must configure Docker to use your Google Cloud credentials.
Open a Cloud Shell in your project.
This opens a terminal in your project with all the required tools to follow this guide.
Set up authentication to Docker repositories in the us-central1 region:
gcloud auth configure-docker us-central1-docker.pkg.dev
Add an image to the repository
Now you are going to push an image to the Artifact Registry repository. Run the following commands in the Cloud Shell terminal where you configured Docker authentication.
Pull an official Ubuntu image from Docker Hub:
docker pull ubuntu:bionic
Tag the image with the repository name:
docker tag ubuntu:bionic us-central1-docker.pkg.dev/PROJECT_ID/quickstart-analysis/ubuntu:bionic
Where
- PROJECT_ID is your Google Cloud Console project ID. If your project ID contains a colon (:), see Domain-scoped projects.
- us-central1 is the repository location.
- docker.pkg.dev is the hostname for Docker repositories.
- ubuntu:bionic is the name and tag the image will have in the repository.
Push the image to the repository:
docker push us-central1-docker.pkg.dev/PROJECT_ID/quickstart-analysis/ubuntu:bionic
Where PROJECT_ID is your Google Cloud Console project ID. If your project ID contains a colon (:), see Domain-scoped projects.
See the image vulnerabilities
Container Analysis scans new images when they're uploaded to Artifact Registry. This scan extracts information about the system packages in the container.
To see the vulnerabilities in an image:
Get the list of repositories.
In the repositories list, click on quickstart-analysis.
Click on an image name.
Vulnerability totals for the images are displayed in the Vulnerabilities column.
To view the list of vulnerabilities for an image, click the link in the Vulnerabilities column.
The vulnerability list shows the severity, availability of a fix, and the name of the package that contains the vulnerability.
To learn more about a specific vulnerability from the vulnerability source, click the link in the Documentation column.
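The following is an added example, not part of the original quickstart or Google's own code: it does the triage the vulnerability list supports (severity, fix availability, package name) over occurrences exported as JSON. It assumes the Grafeas v1 occurrence field names (kind, noteName, vulnerability.effectiveSeverity, fixAvailable, packageIssue[].affectedPackage); the sample data and the function names are constructed for illustration.

```python
import json
from collections import Counter

SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "MINIMAL"]

# Constructed sample (not real scan output): occurrences in the Grafeas v1
# JSON shape. Note names and package names are placeholders.
SAMPLE = json.loads("""[
 {"kind": "DISCOVERY", "noteName": "projects/example/notes/PACKAGE_VULNERABILITY"},
 {"kind": "VULNERABILITY", "noteName": "projects/example/notes/CVE-0000-0001",
  "vulnerability": {"effectiveSeverity": "HIGH", "fixAvailable": true,
   "packageIssue": [{"affectedPackage": "libexample1", "fixAvailable": true}]}},
 {"kind": "VULNERABILITY", "noteName": "projects/example/notes/CVE-0000-0002",
  "vulnerability": {"effectiveSeverity": "CRITICAL", "fixAvailable": false,
   "packageIssue": [{"affectedPackage": "exampled", "fixAvailable": false}]}},
 {"kind": "VULNERABILITY", "noteName": "projects/example/notes/CVE-0000-0003",
  "vulnerability": {"effectiveSeverity": "LOW", "fixAvailable": true,
   "packageIssue": [{"affectedPackage": "libexample1", "fixAvailable": true}]}}
]""")


def vulnerability_rows(occurrences):
    """Flatten occurrences into (severity, fix_available, package, note) rows."""
    rows = []
    for occ in occurrences:
        if occ.get("kind") != "VULNERABILITY":
            continue  # discovery and other occurrence kinds carry no findings
        vuln = occ.get("vulnerability", {})
        severity = vuln.get("effectiveSeverity") or vuln.get("severity", "SEVERITY_UNSPECIFIED")
        for issue in vuln.get("packageIssue", []):
            fix = bool(issue.get("fixAvailable", vuln.get("fixAvailable", False)))
            rows.append((severity, fix, issue.get("affectedPackage", "?"), occ.get("noteName", "")))
    return rows


def severity_totals(rows):
    """Count findings per severity."""
    return Counter(row[0] for row in rows)


def fixable_at_or_above(rows, threshold="HIGH"):
    """Findings with a fix available at `threshold` severity or worse."""
    wanted = SEVERITY_ORDER[: SEVERITY_ORDER.index(threshold) + 1]
    return [row for row in rows if row[1] and row[0] in wanted]


if __name__ == "__main__":
    rows = vulnerability_rows(SAMPLE)
    print(dict(severity_totals(rows)))
    for severity, _, package, note in fixable_at_or_above(rows):
        print(f"patch first: {severity} {package} ({note})")
```

The fixable subset is the part a rebuild or base-image update can act on now; findings without a fix stay in the totals so they are still tracked.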
Clean up
To avoid incurring charges to your Google Cloud account for the resources used in this quickstart, follow these steps.
Delete the repository created for this quickstart.
Open the Repositories page in the Cloud Console.
In the repository list, select the quickstart-analysis repository.
Click Delete.
What's next
- Learn how to get image vulnerabilities.
- Learn more about Container Analysis.