On-Demand Scanning

Software vulnerabilities are weaknesses that can either cause an accidental system failure or be intentionally exploited. On-Demand Scanning allows you to manually scan container images for vulnerabilities.

This page describes manual scanning with On-Demand Scanning. If you want to learn about automatic scanning, see the vulnerability scanning documentation.

On-Demand Scanning

With On-Demand Scanning you can scan container images locally on your computer, in Container Registry, or in Artifact Registry, using the gcloud tool. This gives you the flexibility to customize your CI/CD pipeline, depending on when you need to access the vulnerability results. See pricing to learn more about the costs associated with scanning container images.

Vulnerability sources

On-Demand Scanning supports package vulnerability scanning for Linux distributions and obtains CVE data from the following sources:

Supported versions

On-Demand Scanning supports vulnerability scanning for the following OS versions:

  • Debian GNU/Linux - Versions: 9, 10, 11, 12, 13
  • Ubuntu - Versions: 12.04, 12.10, 13.04, 14.04, 14.10, 15.04, 15.10, 16.04, 16.10, 17.04, 17.10, 18.04, 18.10, 20.04, 20.10
  • Alpine Linux - Versions: 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13
  • CentOS - Versions: 6, 7, 8 and minor versions
  • Red Hat - Versions: 6, 7, 8 and minor versions

Severity levels for vulnerabilities

On-Demand Scanning uses the following severity levels:

  • Critical
  • High
  • Medium
  • Low
  • Minimal

The severity levels are qualitative labels that reflect factors such as exploitability, scope, impact, and maturity of the vulnerability. For example, if a vulnerability enables a remote user to easily access a system and run arbitrary code without authentication or user interaction, that vulnerability would be classified as Critical.

Two types of severity are associated with each vulnerability:

  • Effective severity - The severity level assigned by the Linux distribution. If distribution-specific severity levels are unavailable, On-Demand Scanning uses the severity level assigned by the note provider.

  • CVSS score - The Common Vulnerability Scoring System score and associated severity level. Refer to the CVSS 2.0 documentation for details on how CVSS scores are calculated.

For a given vulnerability, the severity derived from a calculated CVSS score might not match the effective severity. Linux distributions that assign severity levels use their own criteria to assess the specific impacts of a vulnerability on their distributions.
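As an added example (not part of this documentation or of the gcloud tool), the following Python reads the JSON that `gcloud artifacts docker images list-vulnerabilities SCAN_NAME --format=json` prints after an on-demand scan, lists both severity views side by side, and gates a pipeline on the worse of the two so a mismatch between effective severity and CVSS-derived severity is never silently ignored. The occurrence field names (`effectiveSeverity`, `severity`, `cvssScore`, `packageIssue`) are assumed from the Grafeas vulnerability-occurrence schema, and the sample data is constructed.

```python
import json

# Severity labels used by On-Demand Scanning, ranked so they can be compared.
SEVERITY_RANK = {"MINIMAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of `gcloud artifacts docker images
# list-vulnerabilities SCAN_NAME --format=json`. Field names are assumed from the
# Grafeas vulnerability-occurrence schema; the CVE ids and packages are made up.
SAMPLE_OCCURRENCES = json.dumps([
    {"noteName": "projects/goog-vulnz/notes/CVE-0000-0001",
     "vulnerability": {"severity": "HIGH", "cvssScore": 7.5, "effectiveSeverity": "MEDIUM",
                       "packageIssue": [{"affectedPackage": "libexample",
                                         "fixedVersion": {"fullName": "1.0-2"}}]}},
    {"noteName": "projects/goog-vulnz/notes/CVE-0000-0002",
     "vulnerability": {"severity": "MEDIUM", "cvssScore": 5.0, "effectiveSeverity": "CRITICAL",
                       "packageIssue": [{"affectedPackage": "openexample", "fixedVersion": {}}]}},
    {"noteName": "projects/goog-vulnz/notes/CVE-0000-0003",
     "vulnerability": {"severity": "LOW", "cvssScore": 2.1,
                       "packageIssue": [{"affectedPackage": "tinylib", "fixedVersion": {}}]}},
])


def summarize(occurrences_json):
    """One record per affected package, carrying both severity views."""
    findings = []
    for occ in json.loads(occurrences_json):
        vuln = occ["vulnerability"]
        cvss_sev = vuln.get("severity", "MINIMAL")
        # No distribution-assigned level: fall back to the note provider's level.
        effective = vuln.get("effectiveSeverity") or cvss_sev
        for issue in vuln.get("packageIssue", []):
            findings.append({
                "cve": occ["noteName"].rsplit("/", 1)[-1],
                "package": issue["affectedPackage"],
                "effective_severity": effective,
                "cvss_severity": cvss_sev,
                "cvss_score": vuln.get("cvssScore"),
                "fix_available": bool(issue.get("fixedVersion", {}).get("fullName")),
                "disagree": effective != cvss_sev,
            })
    return findings


def gate(findings, threshold="HIGH"):
    """Findings that block the build: the worse of the two labels is compared
    with the threshold, so a distro downgrade cannot hide a CVSS-high CVE."""
    limit = SEVERITY_RANK[threshold]
    return [f for f in findings
            if max(SEVERITY_RANK[f["effective_severity"]],
                   SEVERITY_RANK[f["cvss_severity"]]) >= limit]
```

Pipe the real scan output into `summarize` and fail the pipeline step when `gate` returns a non-empty list; the `disagree` flag marks findings worth a manual look because the distribution and CVSS views differ.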

What's next