View security insights in Google Cloud Deploy

This page explains how to view security information about the container images you deploy. You can view this information in the Security insights side panel for Google Cloud Deploy in the Google Cloud console.

The Security insights side panel provides a high-level overview of multiple security metrics. You can use this panel to identify and mitigate risks in the images you deploy.

This panel displays the following information, each described in its own section later on this page:

  • The SLSA level of the build that produced the image

  • The vulnerabilities found in the image, grouped by severity and by whether a fix is available

  • Build details, including a link to the build logs and the build provenance

The security insights panel in Google Cloud console


Security insights are available only for container images that meet the following requirements:

  • Vulnerability scanning must be enabled in the project that holds the image.

  • The required Identity and Access Management roles must be granted in the project where Container Analysis is running.

  • The image reference recorded when the release is created must be SHA qualified: it must carry the image's SHA-256 digest (IMAGE@sha256:DIGEST), not only a mutable tag. Scan results and build provenance are keyed by digest, so a tag-only reference cannot be matched to them.

    If the image is shown in the Artifacts tab in Google Cloud Deploy without the SHA256 hash, you might need to rebuild that image and create a new release that references it by digest.
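
The digest requirement is the one most often missed, so the following added example (written for this page, not Google's code) checks it before a release is created. It assumes the Skaffold-style build artifacts file that `skaffold build --file-output` writes and `gcloud deploy releases create --build-artifacts` consumes, with a `builds[].tag` field holding each image reference; the file contents, image names and the `example-project` repository are constructed for the example.

```python
import json
import re
from typing import List, Optional

# A reference is digest-qualified when it ends in "@sha256:" followed by 64 lowercase
# hex characters. A tag may precede the digest, but the digest is what scans are keyed on.
DIGEST_RE = re.compile(r"@sha256:([0-9a-f]{64})$")


def image_digest(ref: str) -> Optional[str]:
    """Return the sha256 digest carried by an image reference, or None when the
    reference is tag-only (mutable) and so cannot be tied to a scan result."""
    m = DIGEST_RE.search(ref.strip())
    return m.group(1) if m else None


def is_digest_pinned(ref: str) -> bool:
    return image_digest(ref) is not None


# Constructed sample (not real build output): the layout Skaffold writes with
# `skaffold build --file-output`. The layout and the image names are assumptions
# made for this example.
SAMPLE_BUILD_ARTIFACTS = json.dumps({
    "builds": [
        {"imageName": "api",
         "tag": "us-docker.pkg.dev/example-project/apps/api:v1.4.2@sha256:" + "a" * 64},
        {"imageName": "worker",
         "tag": "us-docker.pkg.dev/example-project/apps/worker:v1.4.2"},   # tag only
        {"imageName": "cron",
         "tag": "us-docker.pkg.dev/example-project/apps/cron@sha256:" + "0123456789abcdef" * 4},
    ]
})


def unpinned_images(build_artifacts_json: str) -> List[str]:
    """Return the imageName of every build whose reference lacks a digest.
    An empty list means the release can be created with full security insights."""
    doc = json.loads(build_artifacts_json)
    return [b.get("imageName", "?") for b in doc.get("builds", [])
            if not is_digest_pinned(b.get("tag", ""))]


if __name__ == "__main__":
    bad = unpinned_images(SAMPLE_BUILD_ARTIFACTS)
    if bad:
        raise SystemExit(f"refusing to create release: tag-only image references for {bad}")
    print("all image references are digest-qualified")
```

Run this in the pipeline step that produces the build artifacts file, before calling `gcloud deploy releases create`; a non-zero exit there is far cheaper than discovering an empty Security insights panel after the rollout.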

Enable vulnerability scanning

The information shown in the Security insights panel comes from Container Analysis and, when the image was built by Cloud Build, from Cloud Build as well. Container Analysis is a service that provides on-demand or automatic vulnerability scanning of container images (the base image and the Maven and Go packages inside it) and of non-containerized Maven packages.

To receive all of the security insights available, you must enable vulnerability scanning:

  1. Enable the required APIs in the project that holds your Artifact Registry repository: the Container Scanning API (containerscanning.googleapis.com) and the Container Analysis API (containeranalysis.googleapis.com).

  2. Build your container image and push it to Artifact Registry. Container Analysis scans the image automatically on push.

    Vulnerability scanning may take a few minutes, depending on the size of your container image; until it completes, the panel has no vulnerability data to show for that image.

For more information on vulnerability scanning, see On-push scanning.

There is a cost for scanning. See the Pricing page for pricing information.

Grant permissions to view insights

To view security insights in Google Cloud Deploy, you need the IAM roles listed in the Cloud Deploy access-control documentation, or a role with equivalent permissions. If Artifact Registry and Container Analysis are running in different projects, you must also grant the Container Analysis Occurrences Viewer role (roles/containeranalysis.occurrences.viewer), or equivalent permissions, in the project where Container Analysis is running; without it the panel cannot read the vulnerability and build occurrences for the image.

View security insights in Google Cloud Deploy

  1. Open the Google Cloud Deploy Delivery pipelines page in the Google Cloud console.

  2. If necessary, select the project that includes the pipeline and release that delivered the container image for which you want to view security insights.

  3. Click the name of the delivery pipeline.

    The delivery pipeline details are shown.

  4. From the Delivery pipeline details page, select a release that delivered the container image.

  5. On the Release details page, select the Artifacts tab.

    Containers that were delivered by the selected release are listed under Build artifacts. For each container, the Security insights column includes a View link.

    Release details artifacts tab, with link to view security insights.

  6. Click the View link next to the name of the artifact whose security details you want to view.

    The Security insights panel is displayed, showing available security information for this artifact. The following sections describe this information in more detail.

SLSA level

SLSA (Supply-chain Levels for Software Artifacts) is an industry-standard set of security guidelines for producers and consumers of software. The standard defines four levels of increasing confidence in the integrity of the build that produced an artifact, and the panel shows the level attained by the build that produced the selected image.

Vulnerabilities

The Security insights panel shows how many vulnerabilities, if any, were found for the selected image. This information is organized by severity and by whether or not a fix is available.

You can click the image name to view vulnerability details in Artifact Registry.
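
The panel's severity-by-fix-availability breakdown is also the natural input to a promotion gate. The following added example (written for this page, not Google's code) reproduces that breakdown from vulnerability occurrences and decides whether to block a rollout. The occurrence records are constructed, modelled loosely on Container Analysis v1 `VulnerabilityOccurrence` objects; the exact field names (`severity`, `effectiveSeverity`, `fixAvailable`, `packageIssue`) and the image URIs are assumptions for the example.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Order used to decide which findings are "at least" a given severity.
SEVERITY_RANK = {"SEVERITY_UNSPECIFIED": 0, "MINIMAL": 0, "LOW": 1,
                 "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample (not API output); field names are an assumption.
IMAGE = "us-docker.pkg.dev/example-project/apps/api@sha256:" + "a" * 64
SAMPLE_OCCURRENCES = [
    {"kind": "VULNERABILITY", "resourceUri": "https://" + IMAGE,
     "vulnerability": {"severity": "CRITICAL", "fixAvailable": True,
                       "packageIssue": [{"affectedPackage": "openssl",
                                         "fixedVersion": {"fullName": "1.1.1n-0+deb11u5"}}]}},
    {"kind": "VULNERABILITY", "resourceUri": "https://" + IMAGE,
     "vulnerability": {"severity": "HIGH",          # no fixAvailable flag, no fixed version
                       "packageIssue": [{"affectedPackage": "glibc", "fixedVersion": {}}]}},
    {"kind": "VULNERABILITY", "resourceUri": "https://" + IMAGE,
     # distro-adjusted severity: effectiveSeverity overrides the upstream severity
     "vulnerability": {"severity": "HIGH", "effectiveSeverity": "MEDIUM", "fixAvailable": True}},
    {"kind": "VULNERABILITY",                       # a different image: must be ignored
     "resourceUri": "https://us-docker.pkg.dev/example-project/apps/worker@sha256:" + "b" * 64,
     "vulnerability": {"severity": "HIGH", "fixAvailable": True}},
    {"kind": "DISCOVERY", "resourceUri": "https://" + IMAGE,   # not a vulnerability
     "discovery": {"analysisStatus": "FINISHED_SUCCESS"}},
]


def _strip_scheme(uri: str) -> str:
    return uri[len("https://"):] if uri.startswith("https://") else uri


def occurrence_severity(occ: dict) -> str:
    v = occ.get("vulnerability", {})
    return v.get("effectiveSeverity") or v.get("severity") or "SEVERITY_UNSPECIFIED"


def occurrence_fix_available(occ: dict) -> bool:
    v = occ.get("vulnerability", {})
    if "fixAvailable" in v:
        return bool(v["fixAvailable"])
    # Fall back to per-package data: a fix exists if any affected package names a fixed version.
    return any(pi.get("fixedVersion", {}).get("fullName")
               for pi in v.get("packageIssue", []))


def summarize(occurrences: Iterable[dict], image_ref: str) -> Dict[Tuple[str, bool], int]:
    """Count findings for one image, keyed by (severity, fix_available)."""
    counts: Counter = Counter()
    for occ in occurrences:
        if occ.get("kind") != "VULNERABILITY":
            continue
        if _strip_scheme(occ.get("resourceUri", "")) != _strip_scheme(image_ref):
            continue
        counts[(occurrence_severity(occ), occurrence_fix_available(occ))] += 1
    return dict(counts)


def gate(summary: Dict[Tuple[str, bool], int], min_block_severity: str = "HIGH",
         fixable_only: bool = True) -> Tuple[bool, List[str]]:
    """Decide whether to promote. By default, block on HIGH or CRITICAL findings that
    already have a fix; set fixable_only=False to block on unfixable ones too."""
    threshold = SEVERITY_RANK[min_block_severity]
    reasons = []
    for (sev, fix), n in sorted(summary.items(),
                                key=lambda kv: -SEVERITY_RANK.get(kv[0][0], 0)):
        if SEVERITY_RANK.get(sev, 0) >= threshold and (fix or not fixable_only):
            reasons.append(f"{n} {sev} finding(s), fix {'available' if fix else 'unavailable'}")
    return (not reasons, reasons)


if __name__ == "__main__":
    s = summarize(SAMPLE_OCCURRENCES, IMAGE)
    for (sev, fix), n in sorted(s.items(), key=lambda kv: -SEVERITY_RANK[kv[0][0]]):
        print(f"{sev:<10} fix_available={fix!s:<5} {n}")
    ok, why = gate(s)
    print("promote" if ok else "block: " + "; ".join(why))
```

Blocking only on findings with a fix available keeps the gate actionable: the team can always clear it by rebuilding on a patched base image, whereas blocking on unfixable findings needs an explicit exception process.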

Build details

The build details include the following:

  • A link to the Cloud Build logs

  • The name of the builder that built the image

  • The build date/time

  • Build provenance, in JSON format
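
The provenance JSON is the most useful of these details, because it lets you check, rather than assume, that the deployed image came out of the build you think it did. The following added example (written for this page, not Google's code) extracts the builder, build times and sources the panel lists, and then checks that the provenance subject digest matches the deployed image digest and that the builder identity is one you trust. The statement is constructed: it follows the public in-toto/SLSA v0.2 layout, but the builder id, build type, repository, timestamps and digests are all made-up values, and the builder id used in the allowlist is an assumption rather than a verified Cloud Build identity.

```python
import json
import re
from typing import Dict, List, Set

SLSA_PREDICATE_PREFIX = "https://slsa.dev/provenance/"
DIGEST_RE = re.compile(r"@sha256:([0-9a-f]{64})$")

# Builder identities we accept. This value is an assumption for the example; take the
# real one from a provenance statement you have already verified.
TRUSTED_BUILDERS: Set[str] = {"https://cloudbuild.googleapis.com/GoogleHostedWorker"}

DEPLOYED_IMAGE = "us-docker.pkg.dev/example-project/apps/api:v1.4.2@sha256:" + "a" * 64

# Constructed sample (not real Cloud Build output): an in-toto statement carrying a
# SLSA v0.2 provenance predicate. Layout follows the SLSA v0.2 spec; values are made up.
SAMPLE_PROVENANCE = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "us-docker.pkg.dev/example-project/apps/api",
                 "digest": {"sha256": "a" * 64}}],
    "predicate": {
        "builder": {"id": "https://cloudbuild.googleapis.com/GoogleHostedWorker"},
        "buildType": "https://example.com/assumed-build-type@v1",
        "invocation": {"configSource": {"uri": "git+https://github.com/example/api",
                                        "digest": {"sha1": "0" * 40},
                                        "entryPoint": "cloudbuild.yaml"}},
        "metadata": {"buildInvocationId": "1111-2222-3333",
                     "buildStartedOn": "2024-03-01T10:00:00Z",
                     "buildFinishedOn": "2024-03-01T10:04:30Z"},
        "materials": [{"uri": "git+https://github.com/example/api",
                       "digest": {"sha1": "0" * 40}}],
    },
})


def load_statement(statement_json: str) -> dict:
    return json.loads(statement_json)


def build_details(stmt: dict) -> Dict[str, object]:
    """Extract what the panel lists: builder, build times, sources and the built subjects."""
    pred = stmt.get("predicate", {})
    meta = pred.get("metadata", {})
    return {
        "builder": pred.get("builder", {}).get("id"),
        "started": meta.get("buildStartedOn"),
        "finished": meta.get("buildFinishedOn"),
        "sources": [m.get("uri") for m in pred.get("materials", [])],
        "subjects": {s.get("name"): s.get("digest", {}).get("sha256")
                     for s in stmt.get("subject", [])},
    }


def provenance_problems(stmt: dict, image_ref: str, trusted_builders: Set[str]) -> List[str]:
    """Return the reasons this provenance does not vouch for image_ref (empty list = OK)."""
    problems = []
    if not str(stmt.get("predicateType", "")).startswith(SLSA_PREDICATE_PREFIX):
        problems.append(f"not a SLSA provenance predicate: {stmt.get('predicateType')!r}")
    details = build_details(stmt)
    m = DIGEST_RE.search(image_ref)
    if not m:
        problems.append("deployed image reference is not digest-qualified")
    elif m.group(1) not in details["subjects"].values():
        problems.append("no provenance subject matches the deployed image digest")
    if details["builder"] not in trusted_builders:
        problems.append(f"untrusted builder id: {details['builder']!r}")
    if not details["sources"]:
        problems.append("provenance lists no source materials")
    return problems


if __name__ == "__main__":
    stmt = load_statement(SAMPLE_PROVENANCE)
    d = build_details(stmt)
    print(f"built by {d['builder']} from {d['sources']} between {d['started']} and {d['finished']}")
    issues = provenance_problems(stmt, DEPLOYED_IMAGE, TRUSTED_BUILDERS)
    print("provenance OK" if not issues else "REJECT: " + "; ".join(issues))
```

This checks only the statement body. Provenance is delivered inside a signed envelope, and nothing in the body can be trusted until that signature has been verified against the builder's public key; treat the checks above as the step that follows signature verification, not a substitute for it.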

What's next