Controlling your vulnerability scanning costs

Vulnerability scanning became a paid service with the general availability release of Container Analysis. During a promotional period, the billing costs are be reduced. See the pricing page for more information.

After the promotional period, when you enable the Container Scanning API, billing begins immediately.

Best practices for keeping your costs low

When you enable the Container Scanning API, every new image you push will be automatically scanned. To keep your costs low, separate the container images you want to scan into a different project.

  • Set up a new Google Cloud project and enable the Container Scanning API for that project. This project will incur normal billing charges for Artifact Registry and Container Registry. Push the images you want to scan to this project.

  • Add the following steps in your CI/CD pipeline:

  1. Add a tag corresponding to the Artifact Registry or Container Registry project where Container Scanning is enabled.

    1. Push the images to the project.

Estimating your scanning costs

To calculate the approximate cost for the images in a project, estimate the number of images you push in a time frame and multiply that number by the price, $ 0.26. You can do this by running a shell script in Cloud Shell.

  1. Open a Cloud Shell in your project.

    Open Cloud Shell

  2. Click the Open Editor icon and create a new file cost-estimation.sh with the following content:

        #!/bin/bash
    
        # Replace with your project data
        GC_PROJECT='PROJECT_REPOSITORY'
        START_DATE='START_DATE'
        END_DATE='END_DATE'
    
        IFS=$'\n'
        FILTER="timestamp.date('%Y-%m-%d', Z)>'$START_DATE' AND timestamp.date('%Y-%m-%d', Z)<'$END_DATE'"
        PRICE="0.26"
    
        images=$( gcloud container images list --repository="$GC_PROJECT" | sed -n '/gcr.io/p' )
        total_digests=0
    
        for image in $images; do
          image_digests=$( gcloud container images list-tags --filter="$FILTER" "$image" | wc -l )
          if [[ "$image_digests" -gt 1 ]]; then
            total_digests=$(( total_digests + $image_digests - 1 ))
          fi
        done
    
        total_price=$( python -c "print($total_digests * $PRICE)" )
    
        echo "Number of images: $total_digests"
        echo "Estimated cost: $total_price"
    

    Replace the following:

    • PROJECT_REPOSITORY: your project repository. For example, gcr.io/corp-staging.
    • START_DATE: the starting date for the period to estimate, in Y-m-d format. For example, 2020-03-01.
    • END_DATE: the end date for the period to estimate, in Y-m-d format. For example, 2020-03-31.
  3. Run the script:

    bash cost-estimation.sh
    

    It shows the total number of images and the total estimated cost:

    Number of images: 53
    Estimated cost: 13.78
    

This is only an estimation, the actual cost may change due to other factors, for example:

  • Pushing the same image to different multi-regions in the same project does not generate additional costs.

  • Pushing the same image to two different repositories within two different projects does not generate additional costs.

Checking current vulnerability scanning costs

If you have vulnerability scanning enabled in your project, during the promotional period, a discount is applied to your total scanning cost. You can see this information in your billing report.

What's next