Enabling and disabling Container Analysis

Container Analysis provides metadata storage and vulnerability scanning for images in both Container Registry and Artifact Registry through two APIs:

  • Container Analysis API - This enables metadata storage in your project. You won't incur additional charges for using this API.

  • Container Scanning API - This enables vulnerability scanning in your project. You are billed for every scanned image; see pricing.

This page describes how to enable and disable both APIs for an existing project.

Enabling the Container Analysis API

When you enable the Container Analysis API, the service is enabled for both Container Registry and Artifact Registry.

Enable the Container Analysis API if you are only using Container Analysis for managing metadata and you are not using vulnerability scanning in your project. You can enable the API for an existing project, or create a new project and then enable the API.

Enable the Container Analysis API

Users and service accounts that need to view occurrences must have the Container Analysis Occurrences Viewer role. See Configuring access control for information about granting permissions.

Disabling the Container Analysis API

When you disable the Container Analysis API, the service is turned off for both Container Registry and Artifact Registry.

To disable both the Container Analysis API and the Container Scanning API, follow the instructions to disable services.

Enabling the Container Scanning API

Enabling the Container Scanning API enables vulnerability scanning and also enables the Container Analysis API. You can enable the API for an existing project, or create a new project and then enable the API.

Enable the Container Scanning API

Disabling the Container Scanning API

To disable vulnerability scanning for both Container Registry and Artifact Registry, do the following:

Console

  1. Open the Settings page for either service in the Cloud Console.

    Artifact Registry:

    Open the Settings page

    Container Registry:

    Open the Settings page

  2. Click Disable Vulnerability Scanning.

gcloud

Run the following command:

gcloud services disable containerscanning.googleapis.com

Extending your monitoring time window

Container Analysis continuously monitors the vulnerability metadata for scanned images in Container Registry and Artifact Registry. The default time window for continuous monitoring is 30 days. After this period, your images are stale and the metadata is no longer updated.

To extend the monitoring window, you must pull or push the image within the 30-day period. We recommend creating a scheduled task to re-push containers that don't require frequent updating, for example, your Istio and proxy images.
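
One way to script the scheduled re-push recommended above, as an added example that is not part of the original page or of Google's own tooling. The image references, the `RUN` and `CONTAINER_CLI` variables, the `--all` argument and the cron path are assumptions, and the container CLI is assumed to be authenticated to the registry already.

```sh
#!/bin/sh
# Added example: re-pull and re-push rarely updated images so they stay
# inside the 30-day continuous-monitoring window.
# Example crontab entry (weekly; the script path is an assumption):
#   0 3 * * 0  RUN=1 /opt/scripts/refresh-images.sh --all

# Hypothetical image references; replace with your own.
IMAGES="
us-docker.pkg.dev/example-project/mesh/istio-proxy:1.0
gcr.io/example-project/envoy-proxy:stable
"

# Container CLI to call; assumed to be authenticated to the registry already.
CONTAINER_CLI="${CONTAINER_CLI:-docker}"

# Pull, then push, one image. Without RUN=1 it only prints what it would do.
refresh_image() {
  if [ "${RUN:-0}" != "1" ]; then
    echo "dry-run: $CONTAINER_CLI pull $1 && $CONTAINER_CLI push $1"
    return 0
  fi
  "$CONTAINER_CLI" pull "$1" && "$CONTAINER_CLI" push "$1"
}

# Refresh every image passed as an argument. A failure does not stop the
# loop, so one broken tag cannot let the others go stale; returns non-zero
# if any image failed.
refresh_all() {
  failed=0
  for image in "$@"; do
    if ! refresh_image "$image"; then
      echo "refresh failed: $image" >&2
      failed=$((failed + 1))
    fi
  done
  [ "$failed" -eq 0 ]
}

# Act only when invoked with --all, so sourcing this file has no side effects.
if [ "${1:-}" = "--all" ]; then
  # Word splitting on $IMAGES is intentional: one reference per line.
  refresh_all $IMAGES
fi
```

A non-zero exit status from the scheduled run is worth alerting on, since an image that repeatedly fails to refresh will drop out of continuous monitoring once the 30-day window passes.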
