Container Analysis provides automated and manual vulnerability scanning for containers in Artifact Registry and Container Registry.
On-demand scanning lets you scan container images locally on your computer or in your registry, using the gcloud tool. This gives you the flexibility to customize your CI/CD pipeline, depending on when you need to access the vulnerability results. See pricing to learn more about the costs associated with scanning container images.
Container Analysis performs vulnerability scans on container images in Artifact Registry and Container Registry and monitors the vulnerability information to keep it up to date. This process comprises two main tasks: scanning and continuous analysis.
Container Analysis scans new images when they're uploaded to Artifact Registry or Container Registry. This scan extracts information about the system packages in the container. The images are scanned only once, based on the image's digest. This means that adding or modifying tags won't trigger new scans; only changing the contents of the image will.
Container Analysis only detects packages publicly monitored for security vulnerabilities.
When the scan of an image is completed, the produced vulnerability result is the collection of vulnerability occurrences for that image.
Container Analysis creates occurrences for vulnerabilities found when you upload the image. After the initial scan, it continuously monitors the metadata for scanned images in Artifact Registry and Container Registry for new vulnerabilities.
As Container Analysis receives new and updated vulnerability information from vulnerability sources, it updates the metadata of the scanned images to keep it up-to-date, creating new vulnerability occurrences for new notes and deleting vulnerability occurrences that are no longer valid.
Container Analysis only updates the vulnerability metadata for images that were pushed or pulled in the last 30 days. Container Analysis archives vulnerability metadata that is older than 30 days. To re-scan an image with archived vulnerability metadata, push or pull that image.
If you need access to the archived vulnerability metadata, contact support.
You can also use vulnerability scanning with manifest lists. A manifest list is a list of pointers to manifests for several platforms. Manifest lists allow a single image to work with multiple architectures or variations of an operating system.
Container Analysis vulnerability scanning only supports Linux amd64 images. If your manifest list points to more than one Linux amd64 image, only the first one will be scanned; if there are no pointers to Linux amd64 images, you won't get any scanning results.
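The following added example (not part of the original documentation and not Google's code) applies the rule above to a manifest list to show which pointer is scanned and which images get no vulnerability results. The manifest list and its shortened digests are constructed sample data, and the function name `scan_coverage` is hypothetical.

```python
import json

# Constructed manifest list in the Docker manifest list v2 layout.
# The digests are shortened placeholders, not real image digests.
MANIFEST_LIST = json.loads("""
{
  "schemaVersion": 2,
  "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
  "manifests": [
    {"digest": "sha256:aaaa", "platform": {"architecture": "arm64", "os": "linux"}},
    {"digest": "sha256:bbbb", "platform": {"architecture": "amd64", "os": "linux"}},
    {"digest": "sha256:cccc", "platform": {"architecture": "amd64", "os": "windows"}},
    {"digest": "sha256:dddd", "platform": {"architecture": "amd64", "os": "linux"}}
  ]
}
""")


def scan_coverage(manifest_list):
    """Return (scanned_digest, unscanned_digests) for a manifest list.

    Applies the rule stated above: only the first linux/amd64 pointer is
    scanned, and nothing is scanned when no such pointer exists.
    """
    scanned, unscanned = None, []
    for entry in manifest_list.get("manifests", []):
        platform = entry.get("platform", {})
        target = (platform.get("os"), platform.get("architecture"))
        if target == ("linux", "amd64") and scanned is None:
            scanned = entry["digest"]
        else:
            unscanned.append(entry["digest"])
    return scanned, unscanned


if __name__ == "__main__":
    scanned, unscanned = scan_coverage(MANIFEST_LIST)
    print("scanned:", scanned or "none (no linux/amd64 pointer)")
    for digest in unscanned:
        print("no vulnerability results for:", digest)
```

Every digest in the second list needs coverage from another control, such as scanning that image on its own, before a clean result for the manifest list is treated as a clean result for all platforms.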
Container scanning supports package vulnerability scanning for Linux distributions and obtains CVE data from the following sources:
- National Vulnerability Database
- Red Hat Enterprise Linux
- CentOS - Red Hat and CentOS share the same source of vulnerability data. Because CentOS packages are published after Red Hat packages, a fix available for a vulnerability in Red Hat may take some time to also be available for CentOS.
Container scanning supports vulnerability scanning for the following OS versions:
- Debian GNU/Linux - Versions: 9, 10
- Ubuntu - Versions: 12.04, 12.10, 13.04, 14.04, 14.10, 15.04, 15.10, 16.04, 16.10, 17.04, 17.10, 18.04, 18.10, 20.04, 20.10
- Alpine Linux - Versions: 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13
- CentOS - Versions: 6, 7, 8 and minor versions
- Red Hat - Versions: 6, 7, 8 and minor versions
Severity levels for vulnerabilities
Container scanning uses the following severity levels:
The severity levels are qualitative labels that reflect factors such as exploitability, scope, impact, and maturity of the vulnerability. For example, if a vulnerability enables a remote user to easily access a system and run arbitrary code without authentication or user interaction, that vulnerability would be classified as Critical.
Two types of severity are associated with each vulnerability:
Effective severity - The severity level assigned by the Linux distribution. If distribution-specific severity levels are unavailable, Container scanning uses the severity level assigned by the note provider.
For a given vulnerability, the severity derived from a calculated CVSS score might not match the effective severity. Linux distributions that assign severity levels use their own criteria to assess the specific impacts of a vulnerability on their distributions.
Default Container Analysis service account
Container Analysis analyzes your container images using a service account, a special Google account that collects information about your images on your behalf. The email for the Container Analysis service account is
account uses the Container Analysis Service Agent role.
If you enable vulnerability scanning, the Container Scanning API used by this feature also uses a special Google account. The email for that service account
The account uses the Container Scanner Service Agent role.
You can view your project's service accounts via the IAM menu of the Cloud Console.
Container Analysis interfaces
In the Cloud Console, you can view image vulnerabilities and image metadata for containers in Artifact Registry.
You can use the gcloud tool to view vulnerabilities and image
You can also use the Container Analysis REST API to perform any of these actions. As with other Cloud Platform APIs, you must authenticate access using OAuth2. After you have authenticated, you can use the API to create new notes and occurrences, view vulnerability occurrences, etc.
The Container Analysis API supports both gRPC and REST/JSON. You can make calls to the API either using the client libraries or using cURL for REST/JSON.
Controlling deployment of vulnerable images
Based on the vulnerability information provided by Container Analysis, you can use Binary Authorization to create a vulnerability allowlist as part of your Cloud Build pipeline. If the vulnerabilities violate the policy in the allowlist, the build fails.
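The decision such a pipeline gate makes can be sketched as follows. This is an added example, not Google's code and not the Binary Authorization API: the occurrence shape, the function name `evaluate`, the `max_allowed` threshold and the placeholder CVE identifiers are all assumptions made for illustration.

```python
import sys

# Severity names follow the Container Analysis severity enum, lowest to highest.
SEVERITY_RANK = {"MINIMAL": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}

# Constructed scan result in a simplified, hypothetical shape (not the API's
# JSON). The CVE identifiers are placeholders.
OCCURRENCES = [
    {"cve": "CVE-0000-0001", "effective_severity": "CRITICAL"},
    {"cve": "CVE-0000-0002", "effective_severity": "HIGH"},
    {"cve": "CVE-0000-0003", "effective_severity": "LOW"},
    {"cve": "CVE-0000-0004", "effective_severity": "SEVERITY_UNSPECIFIED"},
]

# Constructed allowlist: vulnerabilities accepted despite their severity.
ALLOWLIST = {"CVE-0000-0002", "CVE-0000-0009"}


def evaluate(occurrences, allowlist, max_allowed="MEDIUM"):
    """Fail the build when a finding above max_allowed is not allowlisted."""
    limit = SEVERITY_RANK[max_allowed]
    worst = max(SEVERITY_RANK.values())
    violations = []
    for occ in occurrences:
        # An unknown or unspecified severity is ranked as the worst case,
        # so a finding without a severity cannot slip through the gate.
        rank = SEVERITY_RANK.get(occ["effective_severity"], worst)
        if rank > limit and occ["cve"] not in allowlist:
            violations.append(occ["cve"])
    # Allowlist entries that match no finding are stale and should be pruned,
    # otherwise they silently pre-approve a future reappearance.
    seen = {occ["cve"] for occ in occurrences}
    return {
        "passed": not violations,
        "violations": sorted(violations),
        "stale_allowlist": sorted(allowlist - seen),
    }


if __name__ == "__main__":
    result = evaluate(OCCURRENCES, ALLOWLIST)
    print(result)
    sys.exit(0 if result["passed"] else 1)
```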