This document describes how to set up notifications for updates to notes and occurrences.
Container Analysis publishes notifications to Pub/Sub whenever it scans for vulnerabilities and other metadata. When a note or occurrence is created or updated, a message is published to the corresponding topic for each API version. Use the topic that corresponds to the API version you are using.
Before you begin
- Sign in to your Google Account.
If you don't already have one, sign up for a new account.
- In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.
- Enable the Container Analysis API.
- Install and initialize the Cloud SDK.
- Learn how to set up access control for metadata in your project. Skip this step if you only consume metadata from vulnerability occurrences created by Container Analysis container scanning.
Create Pub/Sub topics
After you activate the Container Analysis API, the following Pub/Sub topics are created for you in your project:
container-analysis-notes-v1
container-analysis-occurrences-v1
If the topics were accidentally deleted or are missing, you can add them yourself.
Console
Go to the Pub/Sub topics page in the Cloud Console.
Click Create Topic.
Enter a topic for notes with the URI:
projects/PROJECT-ID/topics/container-analysis-notes-v1
where PROJECT-ID is your Google Cloud project ID.
Click Create.
Create another topic for occurrences with the URI:
projects/PROJECT-ID/topics/container-analysis-occurrences-v1
gcloud
Run the following commands in your shell or terminal window:
gcloud pubsub topics create projects/PROJECT-ID/topics/container-analysis-notes-v1
gcloud pubsub topics create projects/PROJECT-ID/topics/container-analysis-occurrences-v1
To learn more about the gcloud pubsub topics command, see the topics documentation.
Anytime a note or an occurrence is created or updated, a message is published to the respective topic.
Pub/Sub payloads are in JSON and their schema is as follows:
Notes:
{
  "name": "projects/PROJECT_ID/notes/NOTE_ID",
  "kind": "NOTE_KIND",
  "notificationTime": "NOTIFICATION_TIME"
}
Occurrences:
{
  "name": "projects/PROJECT_ID/occurrences/OCCURRENCE_ID",
  "kind": "NOTE_KIND",
  "notificationTime": "NOTIFICATION_TIME"
}
where:
- NOTE_KIND is one of the values in NoteKind
- NOTIFICATION_TIME is a timestamp in RFC 3339 UTC "Zulu" format, accurate to nanoseconds.
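The following subscriber-side helper is an added example, not code from the Google documentation or from the Container Analysis client libraries. It parses a notification payload of the shape shown above, validates the resource name, and handles the one edge case the schema forces on Python code: notificationTime carries up to nanosecond precision while datetime holds only microseconds, so the full fractional part is kept separately. The project name, resource IDs and timestamps in the sample payloads are constructed; the only NoteKind value used, VULNERABILITY, is assumed to be the one a subscriber acting on scan results would filter on.

```python
"""Parse Container Analysis Pub/Sub notification payloads.

Added example; not part of the Google documentation or the Container
Analysis client libraries. Sample payloads below are constructed.
"""
import base64
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Resource names follow the two shapes given in the payload schema.
_NAME_RE = re.compile(
    r"^projects/(?P<project>[^/]+)/(?P<resource>notes|occurrences)/(?P<id>[^/]+)$"
)

# RFC 3339 UTC "Zulu" timestamp with an optional fraction of 1..9 digits,
# e.g. 2021-03-04T05:06:07.123456789Z.
_TIME_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,9}))?Z$")


@dataclass(frozen=True)
class Notification:
    project: str
    resource: str      # "notes" or "occurrences"
    resource_id: str
    kind: str          # a NoteKind value, e.g. VULNERABILITY
    time: datetime     # UTC, truncated to microseconds (datetime's limit)
    nanos: int         # full fractional second in nanoseconds


def parse_notification_time(value: str) -> tuple[datetime, int]:
    """Return (UTC datetime truncated to microseconds, fractional nanoseconds)."""
    m = _TIME_RE.match(value)
    if not m:
        raise ValueError(f"not an RFC 3339 Zulu timestamp: {value!r}")
    nanos = int((m.group(2) or "").ljust(9, "0"))  # right-pad to 9 digits
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return base + timedelta(microseconds=nanos // 1000), nanos


def parse_notification(data: bytes) -> Notification:
    """data is the raw message body (the data field of a pulled message)."""
    payload = json.loads(data)
    if not isinstance(payload, dict):
        raise ValueError("payload must be a JSON object")
    name, kind = payload.get("name"), payload.get("kind")
    if not isinstance(name, str) or not isinstance(kind, str):
        raise ValueError("payload must carry string 'name' and 'kind' fields")
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"unexpected resource name: {name!r}")
    when, nanos = parse_notification_time(payload.get("notificationTime", ""))
    return Notification(m["project"], m["resource"], m["id"], kind, when, nanos)


def parse_push_envelope(envelope: dict) -> Notification:
    """Push subscriptions deliver the body base64-encoded under message.data."""
    return parse_notification(base64.b64decode(envelope["message"]["data"]))


def is_vulnerability_occurrence(n: Notification) -> bool:
    """True for the messages a scan-result consumer would act on."""
    return n.resource == "occurrences" and n.kind == "VULNERABILITY"


# Constructed sample payloads (hypothetical project and IDs, not real data).
SAMPLE_OCCURRENCE = json.dumps({
    "name": "projects/example-project/occurrences/0a1b2c3d",
    "kind": "VULNERABILITY",
    "notificationTime": "2021-03-04T05:06:07.123456789Z",
}).encode()

SAMPLE_NOTE = json.dumps({
    "name": "projects/example-project/notes/example-note",
    "kind": "VULNERABILITY",
    "notificationTime": "2021-03-04T05:06:07Z",
}).encode()

# The same occurrence as it would arrive on a push endpoint.
SAMPLE_PUSH_ENVELOPE = {
    "message": {"data": base64.b64encode(SAMPLE_OCCURRENCE).decode()}
}

if __name__ == "__main__":
    for raw in (SAMPLE_OCCURRENCE, SAMPLE_NOTE):
        n = parse_notification(raw)
        action = "act" if is_vulnerability_occurrence(n) else "ignore"
        print(n.resource, n.resource_id, n.kind, n.time.isoformat(), n.nanos, action)
```

In a real subscriber, parse_notification is what you call on each pulled message before acknowledging it; a payload that fails validation should be logged and dead-lettered rather than silently acknowledged, since a malformed message is either a schema change or a delivery problem worth seeing.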
Create Pub/Sub subscriptions
To listen to events, create a Pub/Sub subscription associated with the topic:
Console
Go to the Pub/Sub subscriptions page in the Cloud Console.
Click Create Subscription.
Type a name for the subscription. For example, notes.
Enter the URI of the topic for notes:
projects/PROJECT-ID/topics/container-analysis-notes-v1
where PROJECT-ID is your Google Cloud project ID.
Click Create.
Create another subscription for occurrences with the URI:
projects/PROJECT-ID/topics/container-analysis-occurrences-v1
gcloud
To receive Pub/Sub events, you must first create a subscription associated with the container-analysis-occurrences-v1 topic:
gcloud pubsub subscriptions create \
--topic container-analysis-occurrences-v1 occurrences
Going forward, you can pull messages concerning your occurrences using your new subscription:
gcloud pubsub subscriptions pull \
--auto-ack occurrences
Java
To learn how to install and use the client library for Container Analysis, see the Container Analysis Client Libraries. For more information, see the Container Analysis Java API reference documentation.
Go
To learn how to install and use the client library for Container Analysis, see the Container Analysis Client Libraries. For more information, see the Container Analysis Go API reference documentation.
Node.js
To learn how to install and use the client library for Container Analysis, see the Container Analysis Client Libraries. For more information, see the Container Analysis Node.js API reference documentation.
Ruby
To learn how to install and use the client library for Container Analysis, see the Container Analysis Client Libraries. For more information, see the Container Analysis Ruby API reference documentation.
Python
To learn how to install and use the client library for Container Analysis, see the Container Analysis Client Libraries. For more information, see the Container Analysis Python API reference documentation.
Subscriber applications only receive messages that are published to the topic after the subscription is created.
What's next
For instructions on how to use Container Analysis to store and manage your customers' metadata, see Providing Metadata for Images.
You can integrate Binary Authorization with vulnerability scanning to prevent images with known security issues from running in your deployment environment. For instructions, see Vulnerability Scanning Integration.