Container Analysis

Container Analysis is a service that provides vulnerability scanning and metadata storage for containers. The scanning service performs vulnerability scans on images in Container Registry and Artifact Registry, then stores the resulting metadata and makes it available for consumption through an API. Metadata storage allows storing information from different sources, including vulnerability scanning, other Google Cloud services, and third-party providers.

Container Analysis as a strategic information API

Container Analysis is a Cloud infrastructure component that enables you to store and retrieve structured metadata for Google Cloud resources. In the context of your CI/CD pipeline, Container Analysis can be integrated to store metadata about your deployment process and make decisions based on that metadata.

At various phases of your release process, people or automated systems can add metadata that describes the result of an activity. For example, you might add metadata to your image indicating that it has passed an integration test suite or a vulnerability scan.

Container Analysis in CI/CD

Figure 1. Diagram showing Container Analysis as a CI/CD pipeline component that interacts with metadata across the source, build, storage, and deployment stages as well as runtime environments.

Container Analysis associates metadata with images through notes and occurrences. To learn more about these concepts, see the metadata storage page. The service also performs vulnerability scans for new images pushed to Container Registry or Artifact Registry. To learn more about this feature, see vulnerability scanning.
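The paragraphs above describe storing scan results as occurrences and making pipeline decisions on that metadata. The following is an added example, not Google's code: it evaluates a deployment gate over constructed, Grafeas-style occurrence records (the `kind`, `noteName`, `discovery.analysisStatus`, `vulnerability.effectiveSeverity` and `vulnerability.fixAvailable` fields are modelled on the Container Analysis API; the records, CVE ids and the `evaluate_gate` policy are assumptions for illustration).

```python
"""Deployment gate over Container Analysis occurrences (added example, offline).

A real pipeline would fetch occurrences for the image resource from the API;
here they are constructed inline so the gate logic runs stand-alone."""
from dataclasses import dataclass, field

# Constructed sample occurrences; CVE ids are placeholders, not real advisories.
SAMPLE_OCCURRENCES = [
    {"kind": "DISCOVERY", "noteName": "projects/goog-analysis/notes/PACKAGE_VULNERABILITY",
     "discovery": {"analysisStatus": "FINISHED_SUCCESS"}},
    {"kind": "VULNERABILITY", "noteName": "projects/goog-vulnz/notes/CVE-0000-0001",
     "vulnerability": {"severity": "HIGH", "effectiveSeverity": "HIGH", "fixAvailable": True}},
    {"kind": "VULNERABILITY", "noteName": "projects/goog-vulnz/notes/CVE-0000-0002",
     "vulnerability": {"severity": "LOW", "effectiveSeverity": "LOW", "fixAvailable": False}},
]

SEVERITY_RANK = {"MINIMAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class GateResult:
    allowed: bool
    reasons: list = field(default_factory=list)


def evaluate_gate(occurrences, max_severity="MEDIUM", fixable_only=True):
    """Allow deployment only if scanning finished and no blocking vulnerabilities remain.

    max_severity: highest severity tolerated; anything above it blocks.
    fixable_only: when True, only vulnerabilities with an available fix block."""
    result = GateResult(allowed=True)
    # The discovery occurrence tells us whether the scan actually completed;
    # an image with no finished scan must not pass as "clean".
    statuses = [o["discovery"]["analysisStatus"] for o in occurrences if o["kind"] == "DISCOVERY"]
    if "FINISHED_SUCCESS" not in statuses:
        result.allowed = False
        result.reasons.append(f"scan not complete: {statuses or 'no discovery occurrence'}")
    limit = SEVERITY_RANK[max_severity]
    for o in occurrences:
        if o["kind"] != "VULNERABILITY":
            continue
        v = o["vulnerability"]
        # Prefer the distro-adjusted effective severity when the scanner provides one.
        sev = v.get("effectiveSeverity") or v.get("severity", "MINIMAL")
        if SEVERITY_RANK.get(sev, 0) <= limit:
            continue
        if fixable_only and not v.get("fixAvailable", False):
            continue
        result.allowed = False
        cve = o["noteName"].rsplit("/", 1)[-1]
        result.reasons.append(f"{cve} is {sev} (fix available: {v.get('fixAvailable')})")
    return result
```

Run `evaluate_gate(SAMPLE_OCCURRENCES)` to see the HIGH finding block the sample image while the unfixed LOW finding is tolerated.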

Vulnerability Scanning and On-Demand Scanning

Container Analysis provides two features to scan containers for vulnerabilities:

Automatic scanning with the Container Scanning API: the scan is triggered automatically every time you push a new image to Artifact Registry or Container Registry. The vulnerability information is continuously updated as new vulnerabilities are discovered.

Manual scanning with the On-Demand Scanning API: you must run a command to trigger the scan. The results are available for up to 48 hours after the scan completes, and the vulnerability information is not updated after the scan has finished. You can scan images stored locally, without first pushing them to Artifact Registry or Container Registry.