Container Analysis client libraries

This page shows how to get started with the Cloud Client Libraries for the Container Analysis API. Read more about the client libraries for Cloud APIs, including the older Google API Client Libraries, in Client Libraries Explained.

Installing the client library

Go

For more information, see Setting Up a Go Development Environment.

go get cloud.google.com/go/containeranalysis/apiv1

Java

For more information, see Setting Up a Java Development Environment.



If you are using Maven with a BOM, add the following to your pom.xml file:

<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.google.cloud</groupId>
      <artifactId>libraries-bom</artifactId>
      <version>26.0.0</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <dependency>
    <groupId>com.google.cloud</groupId>
    <artifactId>google-cloud-containeranalysis</artifactId>
  </dependency>
</dependencies>

If you are using Maven without a BOM, add this to your dependencies:

<dependency>
  <groupId>com.google.cloud</groupId>
  <artifactId>google-cloud-containeranalysis</artifactId>
  <version>2.4.3</version>
</dependency>

If you are using Gradle, add the following to your dependencies:

implementation platform('com.google.cloud:libraries-bom:26.0.0')

implementation 'com.google.cloud:google-cloud-containeranalysis'

If you are using sbt, add the following to your dependencies:

libraryDependencies += "com.google.cloud" % "google-cloud-containeranalysis" % "2.4.3"

If you're using Visual Studio Code, IntelliJ, or Eclipse, you can add client libraries to your project using the following IDE plugins:

The plugins provide additional functionality, such as key management for service accounts. Refer to each plugin's documentation for details.

Node.js

For more information, see Setting Up a Node.js Development Environment.


npm install @google-cloud/containeranalysis

Python

For more information, see Setting Up a Python Development Environment.


It is recommended to install this library in a virtualenv using pip. Virtualenv allows you to install the Python libraries in an isolated environment, preventing conflicts with the system dependencies.

  • Mac and Linux

    pip install virtualenv
    virtualenv <your-env>
    source <your-env>/bin/activate
    <your-env>/bin/pip install google-cloud-containeranalysis
    
  • Windows

    pip install virtualenv
    virtualenv <your-env>
    <your-env>\Scripts\activate
    <your-env>\Scripts\pip.exe install google-cloud-containeranalysis
    

Ruby

For more information, see Setting Up a Ruby Development Environment.

gem install google-cloud-container_analysis

Setting up authentication

To run the client library, you must first set up authentication. One way to do that is to create a service account and set an environment variable, as shown in the following steps. For other ways to authenticate, see Authenticating as a service account.

Console

Create a service account:

  1. In the console, go to the Create service account page.

  2. Select your project.
  3. In the Service account name field, enter a name. The console fills in the Service account ID field based on this name.

    In the Service account description field, enter a description. For example, Service account for quickstart.

  4. Click Create and continue.
  5. To provide access to your project, grant the following role(s) to your service account: Project > Owner.

    In the Select a role list, select a role.

    For additional roles, click Add another role and add each additional role.

  6. Click Continue.
  7. Click Done to finish creating the service account.

    Do not close your browser window. You will use it in the next step.

Create a service account key:

  1. In the console, click the email address for the service account that you created.
  2. Click Keys.
  3. Click Add key, and then click Create new key.
  4. Click Create. A JSON key file is downloaded to your computer.
  5. Click Close.

gcloud

Set up authentication:

  1. Create the service account:

    gcloud iam service-accounts create NAME

    Replace NAME with a name for the service account.

  2. Grant roles to the service account. Run the following command once for each of the following IAM roles: roles/owner:

    gcloud projects add-iam-policy-binding PROJECT_ID --member="serviceAccount:SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com" --role=ROLE

    Replace the following:

    • SERVICE_ACCOUNT_NAME: the name of the service account
    • PROJECT_ID: the project ID where you created the service account
    • ROLE: the role to grant
  3. Generate the key file:

    gcloud iam service-accounts keys create FILE_NAME.json --iam-account=SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com

    Replace the following:

    • FILE_NAME: a name for the key file
    • SERVICE_ACCOUNT_NAME: the name of the service account
    • PROJECT_ID: the project ID where you created the service account

Provide authentication credentials to your application code by setting the environment variable GOOGLE_APPLICATION_CREDENTIALS. This variable applies only to your current shell session. If you want the variable to apply to future shell sessions, set the variable in your shell startup file, for example in the ~/.bashrc or ~/.profile file.

Linux or macOS

export GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"

Replace KEY_PATH with the path of the JSON file that contains your service account key.

For example:

export GOOGLE_APPLICATION_CREDENTIALS="/home/user/Downloads/service-account-file.json"

Windows

For PowerShell:

$env:GOOGLE_APPLICATION_CREDENTIALS="KEY_PATH"

Replace KEY_PATH with the path of the JSON file that contains your service account key.

For example:

$env:GOOGLE_APPLICATION_CREDENTIALS="C:\Users\username\Downloads\service-account-file.json"

For command prompt:

set GOOGLE_APPLICATION_CREDENTIALS=KEY_PATH

Replace KEY_PATH with the path of the JSON file that contains your service account key.
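The following preflight check is an added example, not part of the original page or of Google's samples. It verifies that GOOGLE_APPLICATION_CREDENTIALS points to a service account key file that is not readable by other local users, without ever printing the private key. The function names, the required-field list, and the 0600 expectation are assumptions of this example.

```python
import json
import os
import stat

# Fields this example expects in a service account key file (assumption).
REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key", "client_email")


def check_key_file(path):
    """Return a list of findings; an empty list means no problem was found."""
    findings = []
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"cannot stat key file: {exc.strerror}"]
    if not stat.S_ISREG(st.st_mode):
        return ["key path is not a regular file"]
    # POSIX only: on Windows the mode bits do not reflect ACLs.
    if os.name == "posix" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(
            f"key file mode {stat.S_IMODE(st.st_mode):04o} is accessible to group/other; use 0600"
        )
    try:
        with open(path, encoding="utf-8") as fh:
            key = json.load(fh)
    except (OSError, ValueError):
        return findings + ["key file is not readable JSON"]
    if not isinstance(key, dict):
        return findings + ["key file is not a JSON object"]
    if key.get("type") != "service_account":
        findings.append("'type' is not 'service_account'")
    missing = [name for name in REQUIRED_FIELDS if not key.get(name)]
    if missing:
        findings.append("missing fields: " + ", ".join(missing))
    return findings


def check_environment(environ=os.environ):
    """Check the key file that GOOGLE_APPLICATION_CREDENTIALS points to."""
    path = environ.get("GOOGLE_APPLICATION_CREDENTIALS")
    if not path:
        return ["GOOGLE_APPLICATION_CREDENTIALS is not set"]
    return check_key_file(path)


if __name__ == "__main__":
    for finding in check_environment() or ["key file checks passed"]:
        print(finding)
```

Run it in the same shell session in which the variable was exported; a key left in a downloads directory with default permissions is typically reported as group/other accessible.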

Using the client library

The following example shows how to use the client library.

Go

To use this sample, prepare your machine for Go development, and complete the Container Analysis quickstart. For more information, see the Container Analysis Go API reference documentation.


import (
	"context"
	"fmt"

	containeranalysis "cloud.google.com/go/containeranalysis/apiv1"
	grafeaspb "google.golang.org/genproto/googleapis/grafeas/v1"
)

// getOccurrence retrieves a specified Occurrence from the server.
func getOccurrence(occurrenceID, projectID string) (*grafeaspb.Occurrence, error) {
	// occurrenceID := path.Base(occurrence.Name)
	ctx := context.Background()
	client, err := containeranalysis.NewClient(ctx)
	if err != nil {
		return nil, fmt.Errorf("NewClient: %v", err)
	}
	defer client.Close()

	req := &grafeaspb.GetOccurrenceRequest{
		Name: fmt.Sprintf("projects/%s/occurrences/%s", projectID, occurrenceID),
	}
	occ, err := client.GetGrafeasClient().GetOccurrence(ctx, req)
	if err != nil {
		return nil, fmt.Errorf("client.GetOccurrence: %v", err)
	}
	return occ, nil
}

Java

Before trying this sample, follow the Java setup instructions in Setting up a Java development environment. For more information, see the Container Analysis Java API reference documentation.

import com.google.cloud.devtools.containeranalysis.v1.ContainerAnalysisClient;
import io.grafeas.v1.GrafeasClient;
import io.grafeas.v1.Occurrence;
import io.grafeas.v1.OccurrenceName;
import java.io.IOException;
import java.lang.InterruptedException;

public class GetOccurrence {
  // Retrieves and prints a specified Occurrence from the server
  public static Occurrence getOccurrence(String occurrenceId, String projectId) 
      throws IOException, InterruptedException {
    // String occurrenceId = "123-456-789";
    // String projectId = "my-project-id";
    final OccurrenceName occurrenceName = OccurrenceName.of(projectId, occurrenceId);

    // Initialize client that will be used to send requests. After completing all of your requests, 
    // call the "close" method on the client to safely clean up any remaining background resources.
    GrafeasClient client = ContainerAnalysisClient.create().getGrafeasClient();
    Occurrence occ = client.getOccurrence(occurrenceName);
    System.out.println(occ);
    return occ;
  }
}

Node.js

Before trying this sample, follow the Node.js setup instructions in Setting up a Node.js development environment. For more information, see the Container Analysis Node.js API reference documentation.

/**
 * TODO(developer): Uncomment these variables before running the sample
 */
// const projectId = 'your-project-id'; // Your GCP Project ID
// const noteId = 'my-note-id'; // Id of the note

// Import the library and create a client
const {ContainerAnalysisClient} = require('@google-cloud/containeranalysis');
const client = new ContainerAnalysisClient();
// Fetch an instance of a Grafeas client:
// see: https://googleapis.dev/nodejs/grafeas/latest
const grafeasClient = client.getGrafeasClient();

// await is only valid inside an async function in a CommonJS module
async function createNote() {
  // Construct request
  // Associate the Note with a metadata type
  // https://cloud.google.com/container-registry/docs/container-analysis#supported_metadata_types
  // Here, we use the type "vulnerability"
  const formattedParent = grafeasClient.projectPath(projectId);

  // Creates and returns a new Note
  const [note] = await grafeasClient.createNote({
    parent: formattedParent,
    noteId: noteId,
    note: {
      vulnerability: {
        details: [
          {
            affectedCpeUri: 'foo.uri',
            affectedPackage: 'foo',
            minAffectedVersion: {
              kind: 'MINIMUM',
            },
            fixedVersion: {
              kind: 'MAXIMUM',
            },
          },
        ],
      },
    },
  });

  console.log(`Note ${note.name} created.`);
}

// Report a failed request instead of leaving an unhandled rejection
createNote().catch(err => {
  console.error(err);
  process.exitCode = 1;
});

Python

Before trying this sample, follow the Python setup instructions in Setting up a Python development environment. For more information, see the Container Analysis Python API reference documentation.

def find_high_severity_vulnerabilities_for_image(resource_url, project_id):
    """Retrieves a list of only the HIGH and CRITICAL severity vulnerability
    occurrences associated with a resource."""
    # resource_url = 'https://gcr.io/my-project/my-image@sha256:123'
    # project_id = 'my-gcp-project'

    from grafeas.grafeas_v1 import Severity
    from google.cloud.devtools import containeranalysis_v1

    client = containeranalysis_v1.ContainerAnalysisClient()
    grafeas_client = client.get_grafeas_client()
    project_name = f"projects/{project_id}"

    filter_str = 'kind="VULNERABILITY" AND resourceUrl="{}"'\
        .format(resource_url)
    vulnerabilities = grafeas_client.list_occurrences(parent=project_name, filter=filter_str)
    filtered_list = []
    for v in vulnerabilities:
        if v.vulnerability.effective_severity == Severity.HIGH or v.vulnerability.effective_severity == Severity.CRITICAL:
            filtered_list.append(v)
    return filtered_list

Ruby

Before trying this sample, follow the Ruby setup instructions in Setting up a Ruby development environment. For more information, see the Container Analysis Ruby API reference documentation.

require "google/cloud/container_analysis/v1"

# Create a client object. The client can be reused for multiple calls.
client = Google::Cloud::ContainerAnalysis::V1::ContainerAnalysis::Client.new

# Create a request. To set request fields, pass in keyword arguments.
request = Google::Cloud::ContainerAnalysis::V1::GetVulnerabilityOccurrencesSummaryRequest.new

# Call the get_vulnerability_occurrences_summary method.
result = client.get_vulnerability_occurrences_summary request

# The returned object is of type Google::Cloud::ContainerAnalysis::V1::VulnerabilityOccurrencesSummary.
p result

Additional resources