Vulnerability scanning

Container Analysis provides vulnerability scanning and metadata storage for containers. This page describes vulnerability scanning.

Vulnerability scanning

Software vulnerabilities are weaknesses that can either cause an accidental system failure or be intentionally exploited.

Container Analysis performs vulnerability scans on images in Container Registry and monitors the vulnerability information to keep it up to date. This process comprises two main tasks:

  • Incremental scanning: Container Analysis scans new images when they're uploaded to Container Registry. The scan gathers metadata based on the container manifest and updates this metadata every time you re-upload (re-push) the image.

  • Continuous analysis: Container Analysis continuously monitors the metadata of scanned images in Container Registry for new vulnerabilities. As Container Analysis receives new and updated vulnerability information from vulnerability sources, it re-analyzes the containers to keep the list of vulnerability occurrences for already scanned images up-to-date. It creates new occurrences for new notes, and deletes occurrences that are no longer valid. This type of analysis pertains only to package vulnerabilities and does not include other kinds of metadata.

When the scan of an image is completed, the produced vulnerability result is the collection of vulnerability occurrences for that image.

Vulnerability source

Container Analysis API supports package vulnerability scanning for Linux distributions and obtains CVE data from the following sources:

Severity levels for vulnerabilities

Container Analysis uses the following severity levels:

  • Critical
  • High
  • Medium
  • Low
  • Minimal

The severity levels are qualitative labels that reflect factors such as exploitability, scope, impact, and maturity of the vulnerability. For example, if a vulnerability enables a remote user to easily access a system and run arbitrary code without authentication or user interaction, that vulnerability would be classified as Critical.

Two types of severity are associated with each vulnerability:

  • Effective severity - The severity level assigned by the Linux distribution. If distribution-specific severity levels are unavailable, Container Analysis uses the severity level assigned by the note provider.

  • CVSS score - The Common Vulnerability Scoring System score and associated severity level. Refer to the CVSS 3.0 specification for details on how CVSS scores are calculated.

For a given vulnerability, the severity derived from a calculated CVSS score might not match the effective severity. Linux distributions that assign severity levels use their own criteria to assess the specific impacts of a vulnerability on their distributions.

Default Container Analysis service account

Container Analysis analyzes your container images using a service account, a special Google account that collects information about your images on your behalf. The email for the Container Analysis service account is service-[PROJECT_NUMBER]@container-analysis.iam.gserviceaccount.com. This account uses the Container Analysis Service Agent role.

If you enable Vulnerability Scanning, the Container Scanning API used by this feature also uses a special Google account. The email for that service account is service-[PROJECT_NUMBER]@gcp-sa-containerscanning.iam.gserviceaccount.com. The account uses the Container Scanner Service Agent role.

You can view your project's service accounts via the IAM menu of the Cloud Console.

Container Analysis interfaces

In the Cloud Console, you can view image vulnerabilities and image metadata for containers in Container Registry.

You can use the gcloud tool to view vulnerabilities and image metadata.

You can also use the Container Analysis REST API to perform any of these actions. As with other Google Cloud APIs, you must authenticate access using OAuth 2.0. After you have authenticated, you can use the API to create notes and occurrences and to list the vulnerability occurrences for an image.

The Container Analysis API supports both gRPC and REST/JSON. You can make calls to the API either using the client libraries or using cURL for REST/JSON.

Controlling deployment of vulnerable images

You can integrate Container Analysis with Binary Authorization to prevent container images with known security issues from running in your deployment environment.

To learn how to use the vulnerability information as part of a Cloud Build pipeline, see Allowlist-based vulnerability scanning with Container Analysis.
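The following is an added example, not Google's code and not part of the Container Analysis or Binary Authorization tooling. It shows how a build step could apply the severity model described above (effective severity preferred over the CVSS-derived level, the two sometimes disagreeing) and the allowlist idea to a list of vulnerability occurrences before an image is promoted. The occurrence records are constructed inline and only mirror the shape of Container Analysis v1 VULNERABILITY occurrences (`noteName`, `kind`, `vulnerability.effectiveSeverity`, `vulnerability.cvssScore`, `vulnerability.fixAvailable`); treat those field names, the placeholder CVE identifiers, and the `evaluate` policy as assumptions to check against the API reference, not as documented behaviour.

```python
"""Gate an image on Container Analysis vulnerability occurrences (added example)."""
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Container Analysis severity labels, most to least severe.
SEVERITY_ORDER = ["CRITICAL", "HIGH", "MEDIUM", "LOW", "MINIMAL"]
RANK = {label: i for i, label in enumerate(SEVERITY_ORDER)}  # lower rank = more severe

# CONSTRUCTED sample data with placeholder CVE IDs; field names are an
# assumption about the v1 occurrence schema, not copied from a real scan.
SAMPLE_OCCURRENCES: List[Dict] = [
    {"noteName": "projects/example-provider/notes/CVE-0000-0001", "kind": "VULNERABILITY",
     "vulnerability": {"effectiveSeverity": "CRITICAL", "cvssScore": 9.8, "fixAvailable": True}},
    # Distribution rates this LOW although the CVSS score alone would say HIGH.
    {"noteName": "projects/example-provider/notes/CVE-0000-0002", "kind": "VULNERABILITY",
     "vulnerability": {"effectiveSeverity": "LOW", "cvssScore": 7.5, "fixAvailable": True}},
    # No distribution severity available: fall back to the CVSS-derived level.
    {"noteName": "projects/example-provider/notes/CVE-0000-0003", "kind": "VULNERABILITY",
     "vulnerability": {"cvssScore": 8.1, "fixAvailable": False}},
    {"noteName": "projects/example-provider/notes/CVE-0000-0004", "kind": "VULNERABILITY",
     "vulnerability": {"effectiveSeverity": "MEDIUM", "cvssScore": 5.3, "fixAvailable": True}},
    # Non-vulnerability metadata is ignored by the gate.
    {"noteName": "projects/example-provider/notes/discovery", "kind": "DISCOVERY"},
]


def cvss_to_severity(score: float) -> str:
    """Map a CVSS v3.0 base score to its qualitative rating (CVSS v3.0 spec, section 5).

    The spec calls 0.0 "None"; this example maps it to Minimal, the lowest
    Container Analysis label (an assumption made for this illustration).
    """
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    if score >= 0.1:
        return "LOW"
    return "MINIMAL"


def cve_id(occ: Dict) -> str:
    """Last path segment of noteName, e.g. .../notes/CVE-0000-0001 -> CVE-0000-0001."""
    return occ["noteName"].rsplit("/", 1)[-1]


def rating(occ: Dict) -> str:
    """Severity used for the decision: the distribution's effective severity when
    present, otherwise the level derived from the CVSS score."""
    vuln = occ["vulnerability"]
    effective = vuln.get("effectiveSeverity")
    if effective in RANK:
        return effective
    return cvss_to_severity(float(vuln.get("cvssScore", 0.0)))


def severity_mismatches(occs: Iterable[Dict]) -> List[Tuple[str, str, str]]:
    """CVEs whose effective severity disagrees with the CVSS-derived level."""
    out = []
    for occ in occs:
        if occ.get("kind") != "VULNERABILITY":
            continue
        vuln = occ["vulnerability"]
        if "effectiveSeverity" in vuln and "cvssScore" in vuln:
            derived = cvss_to_severity(float(vuln["cvssScore"]))
            if derived != vuln["effectiveSeverity"]:
                out.append((cve_id(occ), vuln["effectiveSeverity"], derived))
    return out


def evaluate(occs: Iterable[Dict], threshold: str = "HIGH",
             allowlist: FrozenSet[str] = frozenset(),
             fixable_only: bool = False) -> Tuple[bool, List[str]]:
    """Return (passed, blocking CVE IDs).

    An occurrence blocks when its rating is at least `threshold`, its CVE is not
    on the allowlist and, if `fixable_only`, a fix is available.
    """
    blocking = []
    for occ in occs:
        if occ.get("kind") != "VULNERABILITY":
            continue
        cve = cve_id(occ)
        if cve in allowlist:
            continue
        if fixable_only and not occ["vulnerability"].get("fixAvailable", False):
            continue
        if RANK[rating(occ)] <= RANK[threshold]:
            blocking.append(cve)
    return (not blocking, sorted(blocking))


if __name__ == "__main__":
    ok, blocked = evaluate(SAMPLE_OCCURRENCES, threshold="HIGH")
    print("passed" if ok else "blocked by: " + ", ".join(blocked))
    for cve, effective, derived in severity_mismatches(SAMPLE_OCCURRENCES):
        print(f"{cve}: effective={effective} cvss-derived={derived}")
```

In a real pipeline the `SAMPLE_OCCURRENCES` list would be replaced by the occurrences returned for the image's resource URL (via `gcloud` or the REST API), and the allowlist would be the reviewed set of accepted CVEs that the Cloud Build guide above describes. Logging the mismatches is worth keeping: a CVE the distribution rates Low but CVSS rates High is exactly the case where a reviewer should confirm the distribution's reasoning applies to the packages actually in the image.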

What's next