Enabling and disabling Container Analysis

Container Analysis provides metadata storage and vulnerability scanning for images in Container Registry through two APIs:

  • Container Analysis API - This enables metadata storage in your project. You won't incur additional charges for using this API.

  • Container Scanning API - This enables vulnerability scanning in your project. You are billed for every scanned image; see pricing.

This page describes how to enable and disable both APIs for an existing project.

Enabling the Container Analysis API

  1. Enable the Container Analysis API if you are only using Container Analysis for managing metadata and you are not using vulnerability scanning in your project. You can enable the API for an existing project, or create a new project and then enable the API.

  2. Enable the required IAM permissions. If you are the project owner, skip this step.

    To view occurrences, you must grant the following predefined IAM role, which will automatically provide the necessary permissions: Container Analysis Occurrences Viewer

Disabling the Container Analysis API

To disable vulnerability scanning, follow the instructions to disable services.

Enabling the Container Scanning API

  1. Enable the Container Scanning API. This enables vulnerability scanning as well as the Container Analysis API. You can enable the API for an existing project, or create a new project and then enable the API.

  2. Enable the required IAM permissions. If you are the project owner, skip this step.

    To view occurrences, you must grant the following predefined IAM role, which will automatically provide the necessary permissions: Container Analysis Occurrences Viewer

Disabling the Container Scanning API

To disable vulnerability scanning, do the following:

  1. Open the Container Registry Settings page in the Cloud Console.

  2. Click Disable Vulnerability Scanning.

Extending your monitoring time window

Container Analysis continuously monitors the vulnerability metadata for scanned images in Container Registry. The default time window for continuous monitoring is 30 days. After this period, your images are stale and the metadata is no longer updated.

To extend the monitoring window, you must pull or push the image within the 30-day period. We recommend creating a scheduled task to re-push containers that don't require frequent updating, for example, your Istio and proxy images.
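
One way to implement the scheduled re-push described above, as an added example that is not part of the original page. The script name, cron schedule, and image names are assumptions, and it expects Docker to already be authenticated to Container Registry.

```shell
#!/usr/bin/env bash
# Added example: re-pull and re-push images so Container Analysis keeps
# monitoring them. DRY_RUN=1 prints the docker commands instead of running them.

# Run a command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}

# Accept only tagged Container Registry references (gcr.io or REGION.gcr.io).
# Digest references are rejected because docker push needs a tag.
valid_image() {
  host=${1%%/*}
  repo=${1#*/}
  case "$host" in gcr.io | *.gcr.io) ;; *) return 1 ;; esac
  case "$repo" in *@*) return 1 ;; */*:*) return 0 ;; *) return 1 ;; esac
}

# Refresh every image given as an argument; return non-zero if any failed.
refresh_all() {
  failed=0
  for image in "$@"; do
    if ! valid_image "$image"; then
      echo "skipped (not a tagged gcr.io reference): $image" >&2
      failed=$((failed + 1))
      continue
    fi
    # A pull or a push inside the 30 days extends the window; the push needs
    # a local copy, so pull first.
    if run docker pull "$image" && run docker push "$image"; then
      echo "refreshed: $image" >&2
    else
      echo "FAILED: $image" >&2
      failed=$((failed + 1))
    fi
  done
  [ "$failed" -eq 0 ]
}

# Example crontab line (weekly, well inside the 30-day window). The script
# path and image name are placeholders:
#   0 3 * * 1 /usr/local/bin/refresh-images.sh gcr.io/PROJECT_ID/IMAGE:TAG
if [ "$#" -gt 0 ]; then
  refresh_all "$@"
fi
```

A non-zero exit status from the scheduled run means at least one image was skipped or failed and may go stale, so route the job's stderr to wherever failures get noticed.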