Container scanning overview

Artifact Analysis provides two features for scanning your containers: on-demand scanning and automatic scanning. This document introduces the benefits of each.

Artifact Analysis also provides metadata management. To learn more about how you can leverage scanning and metadata storage together to secure your CI/CD pipeline from end to end, see the Artifact Analysis overview.

See pricing to learn more about the costs associated with scanning container images.

Feature support

The following table outlines which types of scanning you can use with each type of registry. You can also use on-demand scanning with packages stored locally on your computer.

| Package type | Automatic scanning | On-demand scanning |
| --- | --- | --- |
| OS packages | Available for Artifact Registry and Container Registry (Deprecated) | Available for Artifact Registry and Container Registry (Deprecated) |
| Go packages | Available in Artifact Registry | Available in Artifact Registry and Container Registry (Deprecated) |
| Java packages | Available in Artifact Registry | Available in Artifact Registry and Container Registry (Deprecated) |
| Python packages | Available in Artifact Registry | Not available |
| Node.js packages | Available in Artifact Registry | Not available |

For more information on the features available for each registry product, view the comparison chart. If you are using Container Registry, learn how to transition to Artifact Registry.

Automatic scanning

Artifact Analysis performs vulnerability scans on your artifacts in Artifact Registry or Container Registry (Deprecated). Artifact Analysis also identifies dependencies and licenses to help you understand your software composition.

Automatic scanning comprises two main tasks: on-push scanning and continuous analysis.

On-push scanning

Artifact Analysis scans new images when they're uploaded to Artifact Registry or Container Registry. This scan extracts information about the packages in the container. The images are scanned only once, based on the image's digest. This means that adding or modifying tags won't trigger new scans.

Artifact Analysis only detects vulnerabilities in packages that are publicly monitored for security vulnerabilities.

When the scan of an image is completed, the produced vulnerability result is the collection of vulnerability occurrences for that image.

Artifact Analysis does not automatically scan existing images. To scan an existing image, you must push it again.

Continuous analysis

Artifact Analysis creates occurrences for vulnerabilities found when you upload the image. After the initial scan, it continuously monitors the metadata for scanned images in Artifact Registry and Container Registry for new vulnerabilities.

Artifact Analysis receives new and updated vulnerability information from vulnerability sources multiple times each day. When new vulnerability data arrives, Artifact Analysis updates the metadata of the scanned images to keep it up-to-date. Artifact Analysis updates existing vulnerability occurrences, creates new vulnerability occurrences for new notes, and deletes vulnerability occurrences that are no longer valid.

Artifact Analysis only updates the metadata for images that were pushed or pulled in the last 30 days. Artifact Analysis archives metadata that is older than 30 days. To re-scan an image with archived metadata, pull that image to refresh the metadata.

Manifest lists

You can also use vulnerability scanning with manifest lists. A manifest list is a list of pointers to manifests for several platforms. They allow a single image to work with multiple architectures or variations of an operating system.

Artifact Analysis vulnerability scanning only supports Linux amd64 images. If your manifest list points to more than one Linux amd64 image, only the first one will be scanned; if there are no pointers to Linux amd64 images, you won't get any scanning results.
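Because only one Linux amd64 entry of a manifest list is scanned, it is worth checking ahead of time which digest the results will describe and which platforms will have no results at all. The following is an added example, not code from Artifact Analysis; it applies the selection rule stated above to a constructed Docker manifest list (the digests are placeholders). A real index can be obtained with `skopeo inspect --raw docker://IMAGE` or `docker manifest inspect IMAGE`.

```python
"""Predict which manifest of a manifest list Artifact Analysis will scan.

Added example (not Artifact Analysis code). Rule applied, as documented:
only Linux amd64 images are scanned, the first matching entry wins, and an
index without a Linux amd64 entry yields no scan results.
"""
import json

INDEX_MEDIA_TYPES = {
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.oci.image.index.v1+json",
}

# Constructed manifest list; digests are placeholders, not real images.
SAMPLE_INDEX = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
    "manifests": [
        {"digest": "sha256:" + "a" * 64, "size": 1000,
         "platform": {"architecture": "arm64", "os": "linux", "variant": "v8"}},
        {"digest": "sha256:" + "b" * 64, "size": 1000,
         "platform": {"architecture": "amd64", "os": "linux"}},
        {"digest": "sha256:" + "c" * 64, "size": 1000,
         "platform": {"architecture": "amd64", "os": "windows"}},
        {"digest": "sha256:" + "d" * 64, "size": 1000,
         "platform": {"architecture": "amd64", "os": "linux"}},
    ],
})


def _is_linux_amd64(entry):
    platform = entry.get("platform", {})
    return platform.get("os") == "linux" and platform.get("architecture") == "amd64"


def scanned_digest(index_json):
    """Return the digest the scan result will describe, or None if nothing is scanned."""
    index = json.loads(index_json)
    if index.get("mediaType") not in INDEX_MEDIA_TYPES:
        raise ValueError("not a manifest list / image index")
    for entry in index.get("manifests", []):
        if _is_linux_amd64(entry):
            return entry["digest"]
    return None


def coverage_report(index_json):
    """Map every digest in the index to 'scanned', 'skipped' or 'unsupported'.

    'skipped' marks further Linux amd64 entries after the first; 'unsupported'
    marks platforms Artifact Analysis does not scan at all.
    """
    index = json.loads(index_json)
    report = {}
    first_taken = False
    for entry in index.get("manifests", []):
        if not _is_linux_amd64(entry):
            report[entry["digest"]] = "unsupported"
        elif not first_taken:
            report[entry["digest"]] = "scanned"
            first_taken = True
        else:
            report[entry["digest"]] = "skipped"
    return report


if __name__ == "__main__":
    print("scanned:", scanned_digest(SAMPLE_INDEX))
    for digest, status in coverage_report(SAMPLE_INDEX).items():
        print(f"{status:12} {digest[:19]}...")
```

An index that carries only arm64 entries returns `None` from `scanned_digest`, which is the "no scanning results" case; a deployment gate that reads scan results by digest should treat that as a failure rather than as "no vulnerabilities".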

On-demand scanning

On-demand scanning lets you scan container images locally on your computer or in your registry, using the gcloud CLI. This gives you the flexibility to customize your CI/CD pipeline, depending on when you need to access the vulnerability results.

Artifact Analysis interfaces

In the Google Cloud console, you can view image vulnerabilities and image metadata for containers in Artifact Registry.

You can use the gcloud CLI to view vulnerabilities and image metadata.

You can also use the Artifact Analysis REST API to perform any of these actions. As with other Cloud Platform APIs, you must authenticate access using OAuth2. After you have authenticated, you can also use the API to create custom notes and occurrences and view vulnerability occurrences.

The Artifact Analysis API supports both gRPC and REST/JSON. You can make calls to the API either using the client libraries or using cURL for REST/JSON.

Control deployment of vulnerable images

You can use Binary Authorization to create a vulnerability allowlist based on the vulnerability information provided by Artifact Analysis as part of your Cloud Build pipeline. If the vulnerabilities violate the policy in the allowlist, the build fails.
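The two pieces a pipeline needs for this kind of gate are the on-demand scan itself (the gcloud commands from the On-demand scanning section) and a policy check over the vulnerability occurrences the scan returns. The block below is an added example, not Binary Authorization's or Cloud Build's own policy format or code. It assumes that `gcloud artifacts docker images scan IMAGE --remote --format="value(response.scan)"` prints a scan ID and that `gcloud artifacts docker images list-vulnerabilities SCAN_ID --format=json` prints a list of occurrences whose `noteName` ends in the vulnerability ID and whose `vulnerability` field carries `effectiveSeverity` and `packageIssue[].fixAvailable`; the sample occurrences and their CVE/GHSA identifiers are constructed placeholders.

```python
"""Gate an on-demand scan result against a vulnerability allowlist policy.

Added example, not Artifact Analysis, Cloud Build or Binary Authorization code.
The occurrence field names are assumptions about the list-vulnerabilities JSON;
SAMPLE_OCCURRENCES is constructed and its vulnerability IDs are placeholders.
"""
import json
import subprocess
from dataclasses import dataclass, field

SEVERITY_RANK = {"MINIMAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class AllowlistPolicy:
    max_fixable_severity: str = "MEDIUM"     # worst severity tolerated when a fix exists
    max_unfixable_severity: str = "HIGH"     # worst severity tolerated when no fix exists yet
    allowlist: set = field(default_factory=set)  # reviewed CVE/GHSA IDs accepted as-is


def scan_argv(image_uri, remote=True):
    """argv for the on-demand scan step; --remote scans an image in the registry."""
    argv = ["gcloud", "artifacts", "docker", "images", "scan", image_uri,
            "--format=value(response.scan)"]
    if remote:
        argv.append("--remote")
    return argv


def list_argv(scan_id):
    return ["gcloud", "artifacts", "docker", "images", "list-vulnerabilities",
            scan_id, "--format=json"]


def vuln_id(occurrence):
    """noteName looks like projects/<p>/notes/CVE-... or .../GHSA-...; keep the ID."""
    return occurrence["noteName"].rsplit("/", 1)[-1]


def evaluate(occurrences, policy):
    """Return (id, severity, packages, reason) for every occurrence that violates the policy."""
    violations = []
    for occ in occurrences:
        if occ.get("kind") != "VULNERABILITY":
            continue
        vid = vuln_id(occ)
        if vid in policy.allowlist:
            continue
        vuln = occ["vulnerability"]
        severity = vuln.get("effectiveSeverity") or vuln.get("severity", "MINIMAL")
        issues = vuln.get("packageIssue", [])
        fix_available = any(p.get("fixAvailable") for p in issues)
        ceiling = policy.max_fixable_severity if fix_available else policy.max_unfixable_severity
        if SEVERITY_RANK[severity] > SEVERITY_RANK[ceiling]:
            packages = ",".join(p.get("affectedPackage", "?") for p in issues)
            reason = "fix available" if fix_available else "no fix available"
            violations.append((vid, severity, packages, reason))
    return violations


def scan_and_gate(image_uri, policy, remote=True):
    """Run the real gcloud steps (needs an authenticated gcloud) and evaluate the result."""
    scan_id = subprocess.check_output(scan_argv(image_uri, remote), text=True).strip()
    raw = subprocess.check_output(list_argv(scan_id), text=True)
    return evaluate(json.loads(raw), policy)


def _occ(vid, severity, package, fix_available):
    return {"kind": "VULNERABILITY",
            "noteName": f"projects/example-provider/notes/{vid}",
            "vulnerability": {"effectiveSeverity": severity,
                              "packageIssue": [{"affectedPackage": package,
                                                "fixAvailable": fix_available}]}}


# Constructed sample: IDs are placeholders, not real advisories.
SAMPLE_OCCURRENCES = [
    _occ("CVE-0000-0001", "CRITICAL", "libexample1", True),   # fixable, above ceiling
    _occ("CVE-0000-0002", "HIGH", "libexample2", False),      # unfixable HIGH is tolerated
    _occ("GHSA-xxxx-xxxx-xxx1", "HIGH", "example-go-module", True),  # fixable HIGH, violation
    _occ("CVE-0000-0003", "HIGH", "libexample3", True),       # fixable HIGH but allowlisted
    _occ("CVE-0000-0004", "LOW", "libexample4", True),
]

if __name__ == "__main__":
    policy = AllowlistPolicy(allowlist={"CVE-0000-0003"})
    for v in evaluate(SAMPLE_OCCURRENCES, policy):
        print("VIOLATION", *v)
```

Keying the allowlist on the ID taken from `noteName` works for both OS-package (CVE) and language-package (GHSA) findings; since a GHSA-only entry is renamed once a CVE is assigned, an allowlist entry for the GHSA form stops matching after that change and should be revisited when the gate starts failing on an apparently new ID.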

You can also integrate Artifact Analysis with Binary Authorization to create attestations, which can prevent container images with known security issues from running in your deployment environment.

Vulnerability sources

The following section lists the vulnerability sources that Artifact Analysis uses to obtain CVE data.

OS package scans

Both automated and on-demand scanning support OS package vulnerability scanning for Linux distributions. Artifact Analysis uses the following sources:

Language package scans

Artifact Analysis supports vulnerability scanning for language packages within a container image. The vulnerability data is obtained from the GitHub Advisory Database.

In most cases, each vulnerability is assigned a CVE ID and this ID becomes the main identifier for that vulnerability. In cases where no CVE ID is assigned to a vulnerability, a GHSA ID is used as the identifier instead. If that vulnerability later gets a CVE ID, the vulnerability ID is updated to match the CVE. See Check for a specific vulnerability in a project for more information.

Supported versions

Artifact Analysis supports vulnerability scanning for the following OS versions:

  • Debian GNU/Linux - Versions: 9, 10, 11, 12
  • Ubuntu - Versions: 12.04, 12.10, 13.04, 14.04, 14.10, 15.04, 15.10, 16.04, 16.10, 17.04, 17.10, 18.04, 18.10, 20.04, 20.10, 21.04, 21.10, 22.04, 22.10, 23.04, 23.10
  • Alpine Linux - Versions: 3.3, 3.4, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19
  • CentOS - Versions: 6, 7, 8 and minor versions
  • Red Hat Enterprise Linux (RHEL) - Versions: 6, 7, 8, 9 and minor versions are supported for automatic registry scans.
  • Go - Artifact Analysis reports vulnerabilities for packages in the Go standard library, and external Go packages not included in the standard library. The vulnerabilities are reported with a different label for each type of package.
  • Java - Artifact Analysis supports Maven packages that follow the Maven naming conventions. If the package version includes spaces, it won't be scanned.
  • Python - Python version matching follows PEP 440 semantics.
  • Node.js - Package version matching follows the semantic versioning specification.

Limitations

  • Artifact Analysis delivers vulnerability scanning results for RHEL based on the latest minor version for each major version released. There may be inaccuracies in scanning results for older minor versions of RHEL.
  • RHEL Version 9 isn't supported for on-demand scanning.

What's next