Types of scanning

Stay organized with collections Save and categorize content based on your preferences.

Container Analysis provides two features for scanning your containers: on-demand scanning and automatic scanning. This document introduces the benefits of each. Container Analysis also provides metadata management. To learn more about how you can leverage scanning and metadata storage together to secure your CI/CD pipeline from end to end, see the Container Analysis overview.

On-demand and automatic scanning can identify vulnerabilities in your operating system, and language packages (Java, and Go). However, automatic language package scanning is only available for Artifact Registry (Preview).

For a list of supported scanning types for each registry product, view the comparison chart. If you are using Container Registry, learn how to transition to Artifact Registry.

See pricing to learn more about the costs associated with scanning container images.

On-demand scanning

On-demand scanning lets you scan container images locally on your computer or in your registry, using the gcloud CLI. This gives you the flexibility to customize your CI/CD pipeline, depending on when you need to access the vulnerability results.

Automatic scanning

Container Analysis performs OS vulnerability scans on your container images in Artifact Registry and Container Registry.Container Analysis also monitors the vulnerability information to keep it up to date. This process comprises two main tasks: on-push scanning and continuous analysis.

On-push scanning

Container Analysis scans new images when they're uploaded to Artifact Registry or Container Registry. This scan extracts information about the system packages in the container. The images are scanned only once, based on the image's digest. This means that adding or modifying tags won't trigger new scans, only changing the contents of the image will.

Container Analysis only detects packages publicly monitored for security vulnerabilities.

When the scan of an image is completed, the produced vulnerability result is the collection of vulnerability occurrences for that image.

Continuous analysis

Container Analysis creates occurrences for vulnerabilities found when you upload the image. After the initial scan, it continuously monitors the metadata for scanned images in Artifact Registry and Container Registry for new vulnerabilities.

Container Analysis receives new and updated vulnerability information from vulnerability sources multiple times each day. When new vulnerability data arrives, Container Analysis updates the metadata of the scanned images to keep it up-to-date. Container Analysis updates existing vulnerability occurrences, creates new vulnerability occurrences for new notes, and deletes vulnerability occurrences that are no longer valid.

Container Analysis only updates the vulnerability metadata for images that were pushed or pulled in the last 30 days. Container Analysis archives vulnerability metadata that is older than 30 days. To re-scan an image with archived vulnerability metadata, push or pull that image.

Manifest lists

You can also use vulnerability scanning with manifest lists. A manifest list is a list of pointers to manifests for several platforms. They allow a single image to work with multiple architectures or variations of an operating system.

Container Analysis vulnerability scanning only supports Linux amd64 images. If your manifest list points to more than one Linux amd64 image, only the first one will be scanned; if there are no pointers to Linux amd64 images, you won't get any scanning results.

What's next