Quickstart for Container Analysis

This page shows you how to scan an image on Artifact Registry with Container Analysis and see the list of vulnerabilities found in the image.

In this quickstart you will use Google Cloud Console and Cloud Shell to:

  1. Create a new project.
  2. Create a new Docker repository.
  3. Push an image to the repository.
  4. Scan the image.
  5. See a list of vulnerabilities found in the image by the scan.

Before you begin

  1. Sign in to your Google Account.

    If you don't already have one, sign up.

  2. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

    Go to the project selector page

  3. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

  4. Enable the Container Scanning and Artifact Registry APIs.

    Enable the APIs

Create a Docker repository

To add a new repository to your project:

  1. Open the Repositories page in the Cloud Console.

    Open the Repositories page

  2. Click Create Repository.

  3. Specify quickstart-analysis as the repository name.

  4. Choose Docker as the format.

  5. Under Location Type, select Region and then choose the location us-central1.

  6. Click Create.

The repository is added to the repository list.

Configure Docker authentication

To interact with Artifact Registry repositories with Docker, you must configure Docker to use your Google Cloud credentials.

  1. Open a Cloud Shell in your project.

    Open Cloud Shell

    This opens a terminal in your project with all the required tools to follow this guide.

  2. Set up authentication to Docker repositories in the us-central1 region:

    gcloud auth configure-docker us-central1-docker.pkg.dev
    

Add an image to the repository

Now you are going to push an image to the Artifact Registry repository. Run the following commands in the Cloud Shell terminal where you configured Docker authentication.

  1. Pull an official Ubuntu image from Docker Hub:

    docker pull ubuntu:bionic
    
  2. Tag the image with the repository name:

    docker tag ubuntu:bionic us-central1-docker.pkg.dev/PROJECT_ID/quickstart-analysis/ubuntu:bionic
    

    Where

    • PROJECT_ID is your Google Cloud Console project ID. If your project ID contains a colon (:), see Domain-scoped projects.
    • us-central1 is the repository location.
    • docker.pkg.dev is the hostname for Docker repositories.
    • ubuntu:bionic is the name and tag the image will have in the repository.
  3. Push the image to the repository:

    docker push us-central1-docker.pkg.dev/PROJECT_ID/quickstart-analysis/ubuntu:bionic
    

    Where PROJECT_ID is your Google Cloud Console project ID. If your project ID contains a colon (:), see Domain-scoped projects.

See the image vulnerabilities

Container Analysis scans new images when they're uploaded to Artifact Registry. This scan extracts information about the system packages in the container.

To see the vulnerabilities in an image:

  1. Get the list of repositories.

    Open the Repositories page

  2. In the repositories list, click on quickstart-analysis.

  3. Click on an image name.

    Vulnerability totals for the images are displayed in the Vulnerabilities column.

    Screenshot of an image with vulnerabilities

  4. To view the list of vulnerabilities for an image, click the link in the Vulnerabilities column.

    The vulnerability list shows the severity, availability of a fix, and the name of the package that contains the vulnerability.

  5. To learn more about a specific vulnerability from the vulnerability source, click the link in the Documentation column.
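
The vulnerability list described above shows severity, fix availability and package name. The following added example (not part of the original quickstart) performs the same triage in Python over vulnerability occurrences exported as JSON. The sample records are constructed, and the field names (`effectiveSeverity`, `severity`, `packageIssue`, `affectedPackage`, `fixAvailable`, `noteName`) are assumed to follow the Container Analysis API v1 occurrence shape.

```python
import json

# Rank used to sort findings, highest severity first.
SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "MINIMAL": 0}

# Constructed sample, not real scan output. Field names are assumed to follow
# the Container Analysis API v1 occurrence shape; CVE ids are placeholders.
SAMPLE = json.loads("""[
 {"kind": "VULNERABILITY", "noteName": "projects/example/notes/CVE-0000-0001",
  "vulnerability": {"effectiveSeverity": "HIGH", "packageIssue": [
    {"affectedPackage": "openssl", "fixAvailable": true}]}},
 {"kind": "VULNERABILITY", "noteName": "projects/example/notes/CVE-0000-0002",
  "vulnerability": {"effectiveSeverity": "CRITICAL", "packageIssue": [
    {"affectedPackage": "bash", "fixAvailable": false}]}},
 {"kind": "VULNERABILITY", "noteName": "projects/example/notes/CVE-0000-0003",
  "vulnerability": {"effectiveSeverity": "LOW", "packageIssue": [
    {"affectedPackage": "tar", "fixAvailable": true}]}},
 {"kind": "VULNERABILITY", "noteName": "projects/example/notes/CVE-0000-0004",
  "vulnerability": {"severity": "CRITICAL", "packageIssue": [
    {"affectedPackage": "libc6", "fixAvailable": true}]}},
 {"kind": "DISCOVERY", "noteName": "projects/example/notes/PACKAGE_VULNERABILITY"}
]""")


def summarize(occurrences):
    """Return (severity, package, fix_available, note_id) rows, worst first."""
    rows = []
    for occ in occurrences:
        if occ.get("kind") != "VULNERABILITY":
            continue  # skip discovery and other occurrence kinds
        vuln = occ.get("vulnerability", {})
        # Prefer effectiveSeverity when present, fall back to severity.
        sev = vuln.get("effectiveSeverity") or vuln.get("severity") or "UNKNOWN"
        note_id = occ.get("noteName", "").rsplit("/", 1)[-1]
        for issue in vuln.get("packageIssue", []):
            rows.append((sev, issue.get("affectedPackage", "?"),
                         bool(issue.get("fixAvailable")), note_id))
    return sorted(rows, key=lambda r: (-SEVERITY_RANK.get(r[0], -1), r[1]))


def blocking(rows, threshold="HIGH"):
    """Findings at or above threshold that already have a fix to apply."""
    floor = SEVERITY_RANK[threshold]
    return [r for r in rows if SEVERITY_RANK.get(r[0], -1) >= floor and r[2]]


if __name__ == "__main__":
    for sev, pkg, fix, note_id in summarize(SAMPLE):
        print(f"{sev:<9} {pkg:<8} fix={'yes' if fix else 'no':<3} {note_id}")
    print("blocking:", [r[1] for r in blocking(summarize(SAMPLE))])
```

Findings with a fix available are the ones a rebuild on an updated base image can clear, which is why `blocking` filters on both severity and fix availability.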

Clean up

To avoid incurring charges to your Google Cloud account for the resources used in this quickstart, follow these steps.

Delete the repository created for this quickstart.

  1. Open the Repositories page in the Cloud Console.

    Open the Repositories page

  2. In the repository list, select the quickstart-analysis repository.

  3. Click Delete.

What's next