Software vulnerabilities are weaknesses that can cause an accidental system failure or provide bad actors a means to compromise your software. Container Analysis provides two types of language package scanning:
The On-Demand Scanning API allows you to manually scan container images for vulnerabilities in Go packages, either locally on your computer or remotely in Container Registry or Artifact Registry.
See pricing to learn more about the costs associated with scanning container images.
Vulnerability data is obtained from the GitHub Advisory Database.
The On-Demand Scanning API reports vulnerabilities for system packages, packages in the Go standard library, and external Go packages not included in the standard library. The vulnerabilities are reported with a different label for each type of package. See the scanning how-to guide for more information.
Severity levels for vulnerabilities
Go package scanning uses the following severity levels:
The severity levels are qualitative labels that reflect factors such as exploitability, scope, impact, and maturity of the vulnerability. Two types of severity are associated with each vulnerability:
Effective severity - The severity level assigned by the GitHub Advisory Database, with a slight difference: Moderate is reported as Medium by Container Analysis.
For a given vulnerability, the severity derived from a calculated CVSS score might not match the effective severity. You can decide the vulnerability score relevant for your project.
- On-demand scanning Quickstart.
- Automate Go package scanning.
- Learn how automatic OS and Java scanning work together in Artifact Registry.