Scan Go packages manually
This quickstart shows you how to pull a container image, manually scan it with On-Demand Scanning, and retrieve identified vulnerabilities for system and Go packages. To follow this quickstart you will use Cloud Shell and an example Alpine image.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
Enable the On-Demand Scanning API.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
Enable the On-Demand Scanning API.
Download and scan an image
Open a Cloud Shell in your project.
This opens a terminal with all the required tools to follow this guide.
Use docker to pull the container image:
docker pull golang:1.17.6-alpine
Run the scan:
gcloud artifacts docker images scan golang:1.17.6-alpine --additional-package-types=GO
This triggers that scanning process and returns the scan name when finished:
✓ Scanning container image ✓ Locally extracting packages and versions from local container image ✓ Remotely initiating analysis of packages and versions ✓ Waiting for analysis operation to complete [projects/my-project/locations/us/operations/849db1f8-2fb2-4559-9fe0-8720d8cd347c] Done. done: true metadata: '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata createTime: '2022-01-11T16:58:11.711487Z' resourceUri: golang:1.16.13-alpine name: projects/my-project/locations/us/operations/f4adb1f8-20b2-4579-9fe0-8720d8cd347c response: '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse scan: projects/my-project/locations/us/scans/a54f12b0-ca2d-4d93-8da5-5cf48e9e20ef
Use the scan name, the value of
scan
from the output, to fetch the scan results:gcloud artifacts docker images list-vulnerabilities \ projects/my-project/locations/us/scans/a54f12b0-ca2d-4d93-8da5-5cf48e9e20ef
The output contains a list of Go, Go standard library, and Linux package vulnerabilities. The following labels indicate the type of Go vulnerabilities:
packageType:GO_STDLIB
. Go standard library vulnerabilities. This indicates that the vulnerability was found either in the Go toolchain used to build the binary, or in the standard library bundled with the toolchain. A possible fix is to upgrade your build toolchain.packageType:GO
. Go package vulnerabilities. This indicates that the vulnerability was found in a third-party package. A possible fix is to upgrade your dependent modules.
Clean up
To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.
- In the Google Cloud console, go to the Manage resources page.
- In the project list, select the project that you want to delete, and then click Delete.
- In the dialog, type the project ID, and then click Shut down to delete the project.