Shape the future of software delivery and make your voice heard by taking the 2021 State of DevOps survey.

Container analysis and vulnerability scanning

Container Analysis provides vulnerability scanning and metadata storage for containers through Container Analysis. The scanning service performs vulnerability scans on images in Artifact Registry and Container Registry, then stores the resulting metadata and makes it available for consumption through an API. Metadata storage allows storing information from different sources, including vulnerability scanning, other Cloud services, and third-party providers.

Container Analysis as a strategic information API

In the context of your CI/CD pipeline, Container Analysis can be integrated to store metadata about your deployment process and make decisions based on that metadata.

At various phases of your release process, people or automated systems can add metadata that describes the result of an activity. For example, you might add metadata to your image indicating that it has passed an integration test suite or a vulnerability scan.

Container Analysis in
CI/CD

Figure 1. Diagram that shows Container Analysis as CI/CD pipeline component that interacts with metadata across source, build, storage, and deployment stages as well as runtime environments.

Vulnerability scanning can occur automatically or on-demand:

  • When automatic scanning is enabled, scanning triggers automatically every time you push a new image to Artifact Registry or Container Registry. Vulnerability information is continuously updated when new vulnerabilities are discovered.

  • When On-Demand Scanning is enabled, you must run a command to scan a local image or an image in Artifact Registry or Container Registry. On-Demand Scanning gives you more flexibility around when you scan containers. For example, you can scan a locally-built image and remediate vulnerabilities before storing it in a registry.

    Scanning results are available for up to 48 hours after the scan is completed, and vulnerability information is not updated after the scan.

With Container Analysis integrated into your CI/CD pipeline, you can make decisions based on that metadata. For example, you can use Binary Authorization to create deployment policies the only allow deployments for compliant images from trusted registries.

To learn about using Container Analysis see the Container Analysis documentation.