This page explains how to view security information about the container images you deploy. You can view this information in the Security insights side panel for Google Cloud Deploy in Google Cloud console.
The Security insights side panel provides a high-level overview of multiple security metrics. You can use this panel to identify and mitigate risks in the images you deploy.
This panel displays the following information:
SLSA build level
Identifies the maturity level of your software build process in accordance with the Supply-chain Levels for Software Artifacts (SLSA) specification.
Vulnerabilities
Lists any vulnerabilities found in your artifact or artifacts.
Build details
Includes information about the build.
Requirements
Security insights are available only for container images that meet the following requirements:
Vulnerability scanning must be enabled.
The required Identity and Access Management roles must be granted, in the project where Container Analysis is running.
The name of the image, as part of release creation, must be SHA qualified.
If the image is shown in the Artifacts tab in Google Cloud Deploy without the SHA256 hash, you might need to rebuild that image.
Enable vulnerability scanning
The information shown in the Security Insights panel comes from Container Analysis and potentially from Cloud Build. Container Analysis is a service that provides integrated on-demand or automated scanning for base container images, Maven, and Go packages in containers, and for non-containerized Maven packages.
To receive all of the security insights available, you must enable vulnerability scanning:
To turn on vulnerability scanning, enable the required APIs.
Build your container image, and store it in Artifact Registry. Container Analysis automatically scans the build artifacts.
Vulnerability scanning may take a few minutes, depending on the size of your container image.
For more information on vulnerability scanning, see On-push scanning.
There is a cost for scanning. See the Pricing page for pricing information.
Grant permissions to view insights
To view security insights in Google Cloud Deploy, you need the IAM roles described here, or a role with equivalent permissions. If Artifact Registry and Container Analysis are running in different projects, you must add the Container Analysis Occurrences Viewer role, or equivalent permissions, in the project where Container Analysis is running.
Cloud Build Viewer (
roles/cloudbuild.builds.viewer
)View insights for a build.
Container Analysis Viewer (
roles/containeranalysis.occurrences.viewer
)View vulnerabilities and other dependency information.
View security insights in Google Cloud Deploy
Open the Google Cloud Deploy Delivery pipelines page in the Google Cloud console:
If necessary, select the project that includes the pipeline and release that delivered the container image for which you want to view security insights.
Click the name of the delivery pipeline.
The delivery pipeline details are shown.
From the Delivery pipeline details page, select a release that delivered the container image.
On the Release details page, select the Artifacts tab.
Containers that were delivered by the selected release are listed under Build artifacts. For each container, the Security insights column includes a View link.
Click the View link next to the name of the artifact whose security details you want to view.
The Security insights panel is displayed, showing available security information for this artifact. The following sections describe this information in more detail.
SLSA level
SLSA is an industry-standard set security guidelines for producers and consumers of software. This standard establishes four levels of confidence in the security of your software.
Vulnerabilities
The Security insights panel shows how many vulnerabilities, if any, were found for the selected image. This information is organized by severity and by whether or not a fix is available.
You can click the image name to view vulnerability details in Artifact Registry.
Build details
The build details include the following:
A link to the Cloud Build logs
The name of the builder that built the image
The build date/time
Build provenance, in JSON format
What's next
Learn more about Software Delivery Shield
Try the quickstart Deploy an app to GKE and view security insights
Try the quickstart Deploy an app to Cloud Run and view security insights
Learn how to store and view build logs.