Build an application and view security insights

This quickstart explains how to build an application and view security insights for the build in the Security insights panel in the Google Cloud console.

You will:

  • Build and containerize a Java application using Cloud Build and push the container image to Artifact Registry Docker repository.
  • View the following security insights for the build:

    • Supply-chain Levels for Software Artifacts (SLSA) level, which identifies the maturity level of your software build process in accordance with the SLSA specification .
    • Vulnerabilities in build artifacts.
    • Software bill of materials (SBOM) for the build artifacts.
    • Build provenance, which is a collection of verifiable metadata about a build. It includes details such as the digests of the built images, the input source locations, the build toolchain, build steps, and the build duration.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. Install the Google Cloud CLI.
  3. To initialize the gcloud CLI, run the following command:

    gcloud init
  4. Create or select a Google Cloud project.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  5. Make sure that billing is enabled for your Google Cloud project.

  6. Enable the Cloud Build, Artifact Registry, and Container Scanning APIs:

    gcloud services enable cloudbuild.googleapis.com  artifactregistry.googleapis.com  containerscanning.googleapis.com
  7. Install the Google Cloud CLI.
  8. To initialize the gcloud CLI, run the following command:

    gcloud init
  9. Create or select a Google Cloud project.

    • Create a Google Cloud project:

      gcloud projects create PROJECT_ID

      Replace PROJECT_ID with a name for the Google Cloud project you are creating.

    • Select the Google Cloud project that you created:

      gcloud config set project PROJECT_ID

      Replace PROJECT_ID with your Google Cloud project name.

  10. Make sure that billing is enabled for your Google Cloud project.

  11. Enable the Cloud Build, Artifact Registry, and Container Scanning APIs:

    gcloud services enable cloudbuild.googleapis.com  artifactregistry.googleapis.com  containerscanning.googleapis.com

Prepare your environment

  1. Set your project ID as an environment variable:

    export PROJECT_ID=$(gcloud config get project)
    
  2. Clone the repository that contains the Java code sample to build and containerize:

    git clone https://github.com/googlecloudplatform/software-delivery-shield-demo-java.git
    cd software-delivery-shield-demo-java/backend
    

Create the Artifact Registry repository for your image

  1. Create a new Docker repository named containers in the location us-central1 with the description "Docker repository":

    gcloud artifacts repositories create containers \
        --repository-format=docker \
        --location=us-central1 --description="Docker repository"
    
  2. Verify that your repository was created:

    gcloud artifacts repositories list
    

    You should see containers in the list of displayed repositories.

Build the application

Build and containerize the Java application using Cloud Build. The following command builds and containerizes the Java application and stores the built container in the Artifact Registry docker repository:

gcloud builds submit --config=cloudbuild.yaml --region=us-central1

After the build completes, you see a success status message similar to the following:

<pre class="none lang-sh">
DONE
-----------------------------------------------------------------------------
ID: 3e08565f-7f57-4449-bc68-51c46cf33d03
CREATE_TIME: 2022-09-19T15:41:07+00:00
DURATION: 54S
SOURCE: gs://sds-docs-project_cloudbuild/source/1663602066.777581-6ebe4b2d6fd741ffa18936d7f78055e9.tgz
IMAGES: us-central1-docker.pkg.dev/sds-docs-project/containers/java-guestbook-backend:quickstart
STATUS: SUCCESS
</pre>

Generate an SBOM for the built image

An SBOM is a full inventory of an application, identifying the packages your software relies on. The contents can include third-party software from vendors, internal artifacts, and open source libraries.

Generate the SBOM for the image you built in the previous section:

gcloud artifacts sbom export
    --uri=us-central1-docker.pkg.dev/${PROJECT_ID}/containers/java-guestbook-backend:quickstart

View security insights

The Cloud Build UI in the Google Cloud console contains the Security insights panel that displays security information related to the build such as SLSA level, any vulnerabilities in the dependencies, and build provenance.

To view the Security insights panel:

  1. Open the Build history page in the Google Cloud console:

    Open the Build history page

  2. Select your project and click Open.

  3. In the Region drop-down menu, select us-central1.

  4. In the table with the builds, locate the row with the build you just executed.

  5. Under the Security insights column click View.

You see the Security insights panel for the build:

This panel displays the following information:

  • SLSA Level: This build has achieved SLSA Level 3. Click the Learn more link to learn what this security level means.

  • Vulnerabilities: Any vulnerabilities found in your artifacts. Click the image name (java-guestbook-backend) to see the artifacts that have been scanned for vulnerabilities.

  • Dependencies for the built container image in Artifact Registry.

  • Build details: Details of the build such as the builder and the link to view logs.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, delete the Google Cloud project with the resources.

  1. Disable Container Scanning API:

    gcloud services disable containerscanning.googleapis.com --force
    
  2. Delete the Artifact Registry repository:

    gcloud artifacts repositories delete containers \
        --location=us-central1 --async
    

    You have now deleted the repository that you created as part of this quickstart.

What's next