Software vulnerabilities are weaknesses that can cause an accidental system failure or provide bad actors a means to compromise your software.
Container Analysis provides automated and manual vulnerability scanning for containers in Artifact Registry and Container Registry to find vulnerabilities in OS packages. For language-specific vulnerabilities see Go scanning and Java scanning.
See pricing to learn more about the costs associated with scanning container images.
Vulnerability sources
Both automated and on-demand scanning support OS package vulnerability scanning for Linux distributions and obtain CVE data from the following sources:
- Debian
- Ubuntu
- Alpine
- National Vulnerability Database
- Red Hat Enterprise Linux
- CentOS - Red Hat and CentOS share the same source of vulnerability data. Because CentOS packages are published after Red Hat packages, a fix available for a vulnerability in Red Hat may take some time to also be available for CentOS.
On-Demand Scanning additionally supports scanning for Go and Maven packages within a container image based on GitHub Advisory Database. See Go package scanning and Java package scanning for details.
Supported Linux versions
Container Analysis supports OS vulnerability scanning for the following OS versions:
- Debian GNU/Linux - Versions: 9, 10, 11
- Ubuntu - Versions: 12.04, 12.10, 13.04, 14.04, 14.10, 15.04, 15.10, 16.04, 16.10, 17.04, 17.10, 18.04, 18.10, 20.04, 20.10, 21.04, 21.10, 22.04
- Alpine Linux - Versions: 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16
- CentOS - Versions: 6, 7, 8, 9 and minor versions
- Red Hat - Versions: 6, 7, 8, 9 and minor versions
Severity levels for vulnerabilities
Container Analysis OS scanning uses the following severity levels:
- Critical
- High
- Medium
- Low
- Minimal
The severity levels are qualitative labels that reflect factors such as exploitability, scope, impact, and maturity of the vulnerability. For example, if a vulnerability enables a remote user to easily access a system and run arbitrary code without authentication or user interaction, that vulnerability would be classified as Critical.
Two types of severity are associated with each vulnerability:
- Effective severity - The severity level assigned by the Linux distribution. If distribution-specific severity levels are unavailable, Container Analysis uses the severity level assigned by the note provider.
- CVSS score - The Common Vulnerability Scoring System score and associated severity level, with two scoring versions:
For a given vulnerability, the severity derived from the calculated CVSS score might not match the effective severity. You decide which of the two is the relevant score for your project.
Linux distributions that assign severity levels use their own criteria to assess the specific impact of a vulnerability on their distribution.
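The choice between the distribution's effective severity and a CVSS-derived label, as an added example that is not part of this page or Google's code: a small Python gate that picks one severity per finding and returns the findings at or above a threshold. It assumes occurrences shaped like the Grafeas v1 VulnerabilityOccurrence (the field names effectiveSeverity, cvssScore, severity and fixAvailable are assumptions) and uses constructed sample results with placeholder note names.

```python
# Added example (not Google's code): pick a severity per finding and gate on it.
# Assumes occurrences shaped like the Grafeas v1 VulnerabilityOccurrence
# (effectiveSeverity, cvssScore, severity, fixAvailable); samples are constructed.

# Labels used by OS scanning, ranked so they can be compared against a threshold.
SEVERITY_RANK = {"CRITICAL": 5, "HIGH": 4, "MEDIUM": 3, "LOW": 2, "MINIMAL": 1}


def severity_from_cvss(score):
    """Map a CVSS base score to a label using the CVSS v3 rating bands;
    a score of 0.0 maps to the page's MINIMAL label (assumption)."""
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW" if score > 0.0 else "MINIMAL"


def chosen_severity(occ, prefer_effective=True):
    """Use the distribution's effective severity when present and preferred,
    otherwise the label derived from the CVSS score, else the note's label."""
    vuln = occ["vulnerability"]
    effective = vuln.get("effectiveSeverity")
    if prefer_effective and effective in SEVERITY_RANK:
        return effective
    if "cvssScore" in vuln:
        return severity_from_cvss(float(vuln["cvssScore"]))
    return vuln.get("severity", "MINIMAL")


def blocking_findings(occurrences, threshold="HIGH",
                      prefer_effective=True, fixable_only=False):
    """Return occurrences whose chosen severity is at or above `threshold`;
    with fixable_only, ignore findings the distribution has not yet fixed."""
    floor = SEVERITY_RANK[threshold]
    return [occ for occ in occurrences
            if (not fixable_only or occ["vulnerability"].get("fixAvailable"))
            and SEVERITY_RANK[chosen_severity(occ, prefer_effective)] >= floor]


# Constructed sample scan results; note names are placeholders, not real CVEs.
SAMPLE_OCCURRENCES = [
    {"noteName": "projects/PLACEHOLDER/notes/CVE-0000-0001",  # distro rates lower
     "vulnerability": {"severity": "HIGH", "cvssScore": 7.5,
                       "effectiveSeverity": "MEDIUM", "fixAvailable": True}},
    {"noteName": "projects/PLACEHOLDER/notes/CVE-0000-0002",  # no distro rating
     "vulnerability": {"severity": "CRITICAL", "cvssScore": 9.8,
                       "fixAvailable": False}},
]
```

With the default of trusting the effective severity, only the second sample blocks at a HIGH threshold; switching to the CVSS-derived label blocks both, which is the mismatch the text describes.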
Default Container Analysis service account
Container Analysis analyzes your container images using a service account, a special Google account that collects information about your images on your behalf. The email for the Container Analysis service account is service-[PROJECT_NUMBER]@container-analysis.iam.gserviceaccount.com. This account uses the Container Analysis Service Agent role.
If you enable vulnerability scanning, the Container Scanning API used by this feature also uses a special Google account. The email for that service account is service-[PROJECT_NUMBER]@gcp-sa-containerscanning.iam.gserviceaccount.com. The account uses the Container Scanner Service Agent role.
You can view your project's service accounts via the IAM menu of the console.
Container Analysis interfaces
In the console, you can view image vulnerabilities and image metadata for containers in Artifact Registry.
You can use the gcloud CLI to view vulnerabilities and image metadata.
You can also use the Container Analysis REST API to perform any of these actions. As with other Cloud Platform APIs, you must authenticate access using OAuth2. After you have authenticated, you can use the API to create new notes and occurrences, view vulnerability occurrences, and so on.
The Container Analysis API supports both gRPC and REST/JSON. You can make calls to the API either using the client libraries or using cURL for REST/JSON.
Controlling deployment of vulnerable images
Based on the vulnerability information provided by Container Analysis, you can use Binary Authorization to create a vulnerability allowlist as part of your Cloud Build pipeline. If the vulnerabilities violate the policy in the allowlist, the build fails.
You can also integrate Container Analysis with Binary Authorization to create attestations, which can prevent container images with known security issues from running in your deployment environment.