Artifact Analysis provides two ways to scan images: automatic scanning and on-demand scanning. This document outlines feature details for both types of scanning.
Artifact Analysis also provides metadata management. To learn more about how you can use scanning and metadata storage together to secure your CI/CD pipeline from end to end, see the Artifact Analysis overview.
See pricing to learn more about the costs associated with scanning container images.
This overview assumes you are already familiar with using Docker repositories in Artifact Registry or Container Registry (Deprecated).
Automatic scanning
Artifact Analysis performs vulnerability scans on your artifacts in Artifact Registry or Container Registry (Deprecated). Artifact Analysis also identifies dependencies and licenses to help you understand your software composition.
Automatic scanning comprises two main tasks: on-push scanning and continuous analysis.
On-push scanning
Artifact Analysis scans new images when they're uploaded to Artifact Registry or Container Registry. This scan extracts information about the packages in the container. The images are scanned only once, based on the image's digest. This means that adding or modifying tags won't trigger new scans.
Artifact Analysis only detects vulnerabilities in packages that are publicly monitored for security vulnerabilities.
When the scan of an image is completed, the produced vulnerability result is the collection of vulnerability occurrences for that image.
Continuous analysis
Artifact Analysis creates occurrences for vulnerabilities found when you upload the image. After the initial scan, it continuously monitors the metadata for scanned images in Artifact Registry and Container Registry for new vulnerabilities.
Artifact Analysis receives new and updated vulnerability information from vulnerability sources multiple times each day. When new vulnerability data arrives, Artifact Analysis updates the metadata of the scanned images to keep it up-to-date. Artifact Analysis updates existing vulnerability occurrences, creates new vulnerability occurrences for new notes, and deletes vulnerability occurrences that are no longer valid.
Artifact Analysis only updates the metadata for images that were pushed or pulled in the last 30 days. After 30 days, the metadata will no longer be updated, and the results will be stale. Furthermore, Artifact Analysis archives metadata that is stale for more than 90 days, and the metadata won't be available in the Google Cloud console, gcloud, or by using the API. To re-scan an image with stale or archived metadata, pull that image. Refreshing metadata can take up to 24 hours.
Manifest lists
You can also use vulnerability scanning with manifest lists. A manifest list is a list of pointers to manifests for several platforms. They allow a single image to work with multiple architectures or variations of an operating system.
Artifact Analysis vulnerability scanning only supports Linux amd64 images. If your manifest list points to more than one Linux amd64 image, only the first one will be scanned; if there are no pointers to Linux amd64 images, you won't get any scanning results.
On-demand scanning
On-demand scanning lets you scan container images locally on your computer or in your registry, using the gcloud CLI. This gives you the flexibility to customize your CI/CD pipeline, depending on when you need to access the vulnerability results.
Supported package types
When you push container images to Docker repositories in Artifact Registry, Artifact Analysis can scan for vulnerabilities in several types of OS packages and application language packages.
Container Registry is deprecated. With Container Registry, automatic scanning scans OS packages only. If you're using Container Registry, learn how to transition to Artifact Registry.
The following tables compare the types of packages that Artifact Analysis can scan with each scanning service:
Supported OS packages
| Operating system | Automatic scanning with Artifact Registry | Automatic scanning with Container Registry (Deprecated) | On-demand scanning |
|---|---|---|---|
| AlmaLinux OS | | | |
| Alpine | | | |
| CentOS | | | |
| Chainguard | | | |
| Debian | | | |
| Google Distroless | | | |
| Red Hat Enterprise Linux (RHEL) | | | |
| Red Hat Universal Base Image (UBI) | | | |
| Rocky Linux | | | |
| SUSE Linux Enterprise Server (SLES) | | | |
| Ubuntu | | | |
| Wolfi | | | |
Supported application language packages
| Language | Automatic scanning with Artifact Registry | Automatic scanning with Container Registry (Deprecated) | On-demand scanning |
|---|---|---|---|
| Go packages | | | |
| Java packages | | | |
| Node.js packages | | | |
| PHP packages | | | |
| Python packages | | | |
| Ruby packages | | | |
| Rust packages | | | |
| .NET packages | | | |
Artifact Analysis only scans application language packages in Artifact Registry when the packages are containerized and stored in a Docker format repository. The other Artifact Registry repository formats aren't supported.
For more information on the features available for each registry product, view the comparison chart.
Artifact Analysis is not supported on Windows Server containers.
Artifact Analysis interfaces
In the Google Cloud console, you can view image vulnerabilities and image metadata for containers in Artifact Registry.
You can use the gcloud CLI to view vulnerabilities and image metadata.
You can also use the Artifact Analysis REST API to perform any of these actions. As with other Cloud Platform APIs, you must authenticate access using OAuth2. After you have authenticated, you can also use the API to create custom notes and occurrences and to view vulnerability occurrences.
The Artifact Analysis API supports both gRPC and REST/JSON. You can make calls to the API either using the client libraries or using cURL for REST/JSON.
Control deployment of vulnerable images
You can use Binary Authorization to create a vulnerability allowlist based on the vulnerability information provided by Artifact Analysis as part of your Cloud Build pipeline. If an image's vulnerabilities violate the policy expressed by the allowlist, the build fails.
You can also integrate Artifact Analysis with Binary Authorization to create attestations, which can prevent container images with known security issues from running in your deployment environment.
Vulnerability sources
The following section lists the vulnerability sources that Artifact Analysis uses to obtain CVE data.
OS package scans
Artifact Analysis uses the following sources:
- AlmaLinux OS
- Alpine
- CentOS - Red Hat and CentOS share the same source of vulnerability data. Because CentOS packages are published after Red Hat packages, a fix available for a vulnerability in Red Hat may take some time to also be available for CentOS.
- Chainguard
- Debian
- Google Distroless is based on Debian and uses the Debian vulnerability data.
- National Vulnerability Database
- Red Hat Enterprise Linux (RHEL)
- Red Hat Universal Base Image (UBI)
- Rocky Linux
- SUSE Linux Enterprise Server (SLES)
- Ubuntu
- Wolfi
Language package scans
Artifact Analysis supports vulnerability scanning for language packages within a container image. The vulnerability data is obtained from the GitHub Advisory Database.
In most cases, each vulnerability is assigned a CVE ID, and this ID becomes the main identifier for that vulnerability. Where no CVE ID has been assigned to a vulnerability, a GHSA ID is used as the identifier instead. If that vulnerability is later assigned a CVE ID, the vulnerability ID is updated to match the CVE. See Check for a specific vulnerability in a project for more information.
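The two passages above that matter most to a pipeline author are the deployment gate (Control deployment of vulnerable images) and the identifier rule (a CVE ID where one exists, otherwise a GHSA ID). The following added example, which is not Google's code and is not part of this page, consumes a JSON array of vulnerability occurrences such as the one `gcloud artifacts docker images list-vulnerabilities SCAN_ID --format=json` prints after an on-demand scan, pulls the CVE or GHSA identifier out of each occurrence's `noteName`, and fails the build when a non-allowlisted finding exceeds a severity threshold. The field names it reads (`kind`, `noteName`, `vulnerability.severity`, `vulnerability.effectiveSeverity`, `vulnerability.packageIssue[].fixAvailable`) follow the Grafeas vulnerability occurrence schema; the note provider project name and all vulnerability identifiers in the sample data are constructed placeholders, and the `load_occurrences` helper's handling of an `{"occurrences": [...]}` wrapper is an assumption about the raw API response shape.

```python
"""Gate an image on Artifact Analysis vulnerability occurrences (added example, not Google's code)."""
import json
import re
import sys

SEVERITY_RANK = {"MINIMAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# noteName ends in the vulnerability identifier: a CVE ID, or a GHSA ID for a
# language package vulnerability that has no CVE assigned yet.
NOTE_ID_RE = re.compile(r"/notes/([A-Za-z0-9.-]+)$")

# Constructed sample occurrences. The provider project and the CVE/GHSA IDs are
# placeholders invented for this example, not real vulnerabilities.
SAMPLE_OCCURRENCES = [
    {"kind": "VULNERABILITY",
     "noteName": "projects/example-provider/notes/CVE-2099-0001",
     "vulnerability": {"severity": "CRITICAL",
                       "packageIssue": [{"affectedPackage": "libexample", "fixAvailable": True}]}},
    {"kind": "VULNERABILITY",
     "noteName": "projects/example-provider/notes/GHSA-xxxx-xxxx-xxxx",
     "vulnerability": {"severity": "HIGH",
                       "packageIssue": [{"affectedPackage": "example-npm-pkg", "fixAvailable": False}]}},
    {"kind": "VULNERABILITY",
     "noteName": "projects/example-provider/notes/CVE-2099-0002",
     "vulnerability": {"severity": "LOW",
                       "packageIssue": [{"affectedPackage": "libother", "fixAvailable": True}]}},
    {"kind": "VULNERABILITY",
     "noteName": "projects/example-provider/notes/CVE-2099-0003",
     "vulnerability": {"severity": "MEDIUM", "effectiveSeverity": "HIGH",
                       "packageIssue": [{"affectedPackage": "libthird", "fixAvailable": True}]}},
    # A discovery occurrence records scan status and carries no vulnerability data.
    {"kind": "DISCOVERY", "discovery": {"analysisStatus": "FINISHED_SUCCESS"}},
]


def vuln_id(occurrence):
    """Return the CVE or GHSA identifier encoded in the occurrence's noteName."""
    match = NOTE_ID_RE.search(occurrence.get("noteName", ""))
    return match.group(1) if match else None


def effective_severity(occurrence):
    """Prefer the distro's effective severity over the generic CVE severity when present."""
    vuln = occurrence.get("vulnerability", {})
    return vuln.get("effectiveSeverity") or vuln.get("severity") or "MINIMAL"


def evaluate(occurrences, max_severity="MEDIUM", allowlist=(), require_fix=True):
    """Return (allowed, blocking_findings).

    A finding blocks when its severity is above max_severity, its ID is not
    allowlisted and, if require_fix is set, at least one affected package has a fix.
    """
    threshold = SEVERITY_RANK[max_severity]
    blocking = []
    for occ in occurrences:
        if occ.get("kind") != "VULNERABILITY":
            continue  # skip discovery and other non-vulnerability occurrences
        sev = effective_severity(occ)
        if SEVERITY_RANK.get(sev, 0) <= threshold:
            continue
        vid = vuln_id(occ)
        if vid in allowlist:
            continue
        issues = occ["vulnerability"].get("packageIssue", [])
        fix_available = any(p.get("fixAvailable", False) for p in issues)
        if require_fix and not fix_available:
            continue
        blocking.append({"id": vid, "severity": sev, "fix_available": fix_available,
                         "packages": [p.get("affectedPackage") for p in issues]})
    return (not blocking, blocking)


def load_occurrences(text):
    """Accept either a bare JSON array or an object wrapping it under 'occurrences' (assumed shape)."""
    data = json.loads(text)
    return data["occurrences"] if isinstance(data, dict) else data


if __name__ == "__main__":
    # Usage: python gate.py scan.json   (falls back to the constructed sample when no file is given)
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else json.dumps(SAMPLE_OCCURRENCES)
    allowed, findings = evaluate(load_occurrences(raw), allowlist={"CVE-2099-0003"})
    for finding in findings:
        print(f"BLOCK {finding['id']} {finding['severity']} in {', '.join(finding['packages'])}")
    sys.exit(0 if allowed else 1)
```

With the default `require_fix=True`, a HIGH finding that has no fix available does not block, which keeps the gate from stalling a pipeline on a problem the team cannot yet act on; a stricter policy passes `require_fix=False` so that every finding above the threshold is surfaced. The allowlist keys on the identifier, so an entry written for a GHSA ID stops matching once the finding is re-identified by a CVE ID, which is the behaviour described above and is worth remembering when an allowlist entry silently stops applying.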
Supported OS versions
Artifact Analysis supports vulnerability scanning for the following versions of operating system software:
- AlmaLinux OS - Versions: 8, 9, and minor versions
- Alpine Linux - Versions: 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20
- CentOS - Versions: 6, 7, 8, and minor versions
- Chainguard - Rolling updates on a single release track.
- Debian GNU/Linux - Versions: 9, 10, 11, 12
- Red Hat Enterprise Linux (RHEL) - Versions: 6, 7, 8, 9, and minor versions are supported for automatic registry scans.
- Red Hat Universal Base Image (UBI) - Versions 8, 9, and minor versions
- Rocky Linux - Versions: 8, 9, and minor versions
- SUSE Linux Enterprise Server (SLES) - Versions: 12, 15, and minor versions; SLES for SAP is also supported with the same versions
- Ubuntu - Versions: 12.04, 12.10, 13.04, 14.04, 14.10, 15.04, 15.10, 16.04, 16.10, 17.04, 17.10, 18.04, 18.10, 20.04, 20.10, 21.04, 21.10, 22.04, 22.10, 23.04, 23.10, 24.04
- Wolfi - Rolling updates on a single release track.
Limitations
- Artifact Analysis delivers vulnerability scanning results for RHEL based on the latest minor version for each major version released. There may be inaccuracies in scanning results for older minor versions of RHEL.
- RHEL Version 9 isn't supported for on-demand scanning.
Package managers and semantic versioning
- Go - Artifact Analysis reports vulnerabilities for packages in the Go standard library, and external Go packages not included in the standard library. The vulnerabilities are reported with a different label for each type of package.
- Java - Artifact Analysis supports Maven packages that follow the Maven naming conventions. If the package version includes spaces, it won't be scanned.
- Node.js - Package version matching follows the semantic versioning specification.
- PHP - Artifact Analysis scans Composer packages. See Composer semantic versioning.
- Python - Python version matching follows PEP 440 semantics.
- Ruby - Artifact Analysis scans RubyGems packages. See RubyGems semantic versioning.
- Rust - Artifact Analysis scans Cargo packages. See Rust semantic versioning.
- .NET - Artifact Analysis scans NuGet packages. See NuGet semantic versioning.
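The list above makes the point that each ecosystem has its own version-ordering rules, and that a scanner's verdict depends on comparing the installed version against the advisory's introduced and fixed versions under the right rules. The following added example, which is not Artifact Analysis code and is not from this page, implements the precedence rules of the Semantic Versioning 2.0.0 specification that Node.js package matching follows and uses them to decide whether an installed version sits inside an affected range `introduced <= installed < fixed`. The package names and versions in the sample checks are constructed. It deliberately handles only semver: PEP 440 (Python), Maven (Java) and NuGet versions have different pre-release and ordering semantics and must not be passed to this function.

```python
"""Semver 2.0.0 precedence and affected-range matching (added example, not Artifact Analysis code)."""
import re

# major.minor.patch, optional -prerelease, optional +build (build metadata is ignored for precedence)
SEMVER_RE = re.compile(
    r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$"
)


def parse_semver(version):
    """Split a semver string into ((major, minor, patch), prerelease_identifiers)."""
    match = SEMVER_RE.match(version)
    if not match:
        raise ValueError(f"not a semantic version: {version!r}")
    core = tuple(int(part) for part in match.group(1, 2, 3))
    prerelease = tuple(match.group(4).split(".")) if match.group(4) else ()
    return core, prerelease


def _sign(a, b):
    return (a > b) - (a < b)


def _compare_prerelease(a, b):
    """Spec rule 11: a release outranks any pre-release of the same core; numeric
    identifiers compare numerically and rank below alphanumeric ones; a longer
    identifier list wins when all shared identifiers are equal."""
    if not a and not b:
        return 0
    if not a:
        return 1
    if not b:
        return -1
    for x, y in zip(a, b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            if int(x) != int(y):
                return _sign(int(x), int(y))
        elif x_num:
            return -1
        elif y_num:
            return 1
        elif x != y:
            return _sign(x, y)
    return _sign(len(a), len(b))


def compare(a, b):
    """Return -1, 0 or 1 according to semver precedence of a relative to b."""
    core_a, pre_a = parse_semver(a)
    core_b, pre_b = parse_semver(b)
    if core_a != core_b:
        return _sign(core_a, core_b)
    return _compare_prerelease(pre_a, pre_b)


def is_affected(installed, introduced, fixed=None):
    """True when introduced <= installed < fixed. fixed=None means no fix exists yet,
    so every version from introduced onward is affected."""
    if compare(installed, introduced) < 0:
        return False
    return fixed is None or compare(installed, fixed) < 0


if __name__ == "__main__":
    # Constructed sample: a hypothetical advisory affecting example-pkg >= 4.0.0, < 4.17.21
    for installed in ("3.9.9", "4.17.20", "4.17.21-rc.1", "4.17.21", "4.17.21+build.7"):
        print(f"example-pkg {installed}: affected={is_affected(installed, '4.0.0', '4.17.21')}")
```

The case worth noticing is `4.17.21-rc.1`: because a pre-release ranks below its release, a release candidate of the fixed version is still inside the affected range and is reported, whereas `4.17.21+build.7` compares equal to `4.17.21` and is clean. Treating a Python version such as `4.17.21rc1` or a Maven version with a qualifier under these rules would give wrong answers, which is why the page lists a separate versioning scheme for each package manager.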