Container Analysis provides metadata storage and vulnerability scanning for images in both Container Registry and Artifact Registry through two APIs:
- Container Analysis API: This enables metadata storage in your project. You won't incur additional charges for using this API.
This page describes how to enable and disable both APIs for an existing project.
Enabling the Container Analysis API
When you enable the Container Analysis API, the service is enabled for both Container Registry and Artifact Registry.
Enable the Container Analysis API if you are only using Container Analysis for managing metadata and you are not using vulnerability scanning in your project. You can enable the API for an existing project, or create a new project and then enable the API.
Users and service accounts that need to view occurrences must have the Container Analysis Occurrences Viewer role. See Configuring access control for information about granting permissions.
Disabling the Container Analysis API
When you disable the Container Analysis API, the service is turned off for both Container Registry and Artifact Registry.
To disable both the Container Analysis API and the Container Scanning API, follow the instructions to disable services.
Enabling the Container Scanning API
Enabling the Container Scanning API enables vulnerability scanning and also enables the Container Analysis API. You can enable the API for an existing project, or create a new project and then enable the API.
Disabling the Container Scanning API
To disable vulnerability scanning for both Container Registry and Artifact Registry, run the following command:
gcloud services disable containerscanning.googleapis.com
Extending your monitoring time window
Container Analysis continuously monitors the vulnerability metadata for scanned images in Container Registry and Artifact Registry. The default time window for continuous monitoring is 30 days. After this period, your images are stale and the metadata is no longer updated.
To extend the monitoring window, you must pull or push the image within the 30-day period. We recommend creating a scheduled task to re-push containers that don't require frequent updating, for example, your Istio and proxy images.
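One way to implement the scheduled re-push recommended above, as an added example that is not part of the original documentation. The list file, the `DOCKER` override, and the function names are assumptions, and the script assumes the container CLI is already authenticated to the registry.

```shell
#!/bin/sh
# Added example: re-push rarely rebuilt images so they stay inside the
# 30-day continuous-monitoring window.
# Usage from a scheduler (hypothetical names): refresh-images.sh images.txt
# images.txt holds one image reference per line, for example
#   LOCATION-docker.pkg.dev/PROJECT_ID/REPOSITORY/IMAGE:TAG   (placeholder)

DOCKER="${DOCKER:-docker}"   # container CLI, overridable (assumption)
FAILED_COUNT=0

# Pull, then push one image back unchanged. Either action counts as activity.
refresh_image() {
  "$DOCKER" pull "$1" </dev/null >/dev/null || return 1
  "$DOCKER" push "$1" </dev/null >/dev/null || return 1
}

# Refresh every image in the list file; sets FAILED_COUNT and returns
# non-zero if any image could not be refreshed.
refresh_all() {
  FAILED_COUNT=0
  while IFS= read -r image || [ -n "$image" ]; do
    image="${image%%#*}"                              # drop comments
    image="$(printf '%s' "$image" | tr -d '[:space:]')"
    [ -z "$image" ] && continue
    if refresh_image "$image"; then
      echo "refreshed: $image"
    else
      echo "FAILED: $image" >&2
      FAILED_COUNT=$((FAILED_COUNT + 1))
    fi
  done < "$1"
  [ "$FAILED_COUNT" -eq 0 ]
}

# Run only when a list file is passed, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
  refresh_all "$1" || {
    echo "$FAILED_COUNT image(s) not refreshed; their scan metadata may go stale" >&2
    exit 1
  }
fi
```

Schedule the script to run more often than every 30 days and alert on a non-zero exit, because an image that silently fails to refresh stops receiving updated vulnerability metadata.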
- Get started with vulnerability scanning.
- Read the Container Analysis overview.
- View vulnerability information for your container images.