Build an application and view security insights

Prepare your environment

1. Set your project ID as an environment variable:

   export PROJECT_ID=$(gcloud config get project)
   

2. Clone the repository that contains the Java code sample to build and containerize:

   git clone https://github.com/googlecloudplatform/software-delivery-shield-demo-java.git
   cd software-delivery-shield-demo-java/backend
   

Create the Artifact Registry repository for your image

1. Create a new Docker repository named containers in the location us-central1 with the description "Docker repository":

   gcloud artifacts repositories create containers \
       --repository-format=docker \
       --location=us-central1 --description="Docker repository"
   

2. Verify that your repository was created:

   gcloud artifacts repositories list
   

   You should see containers in the list of displayed repositories.

Build the application

Build and containerize the Java application using Cloud Build. The following command builds and containerizes the Java application and stores the built container in the Artifact Registry docker repository:

gcloud builds submit --config=cloudbuild.yaml --region=us-central1

After the build completes, you see a success status message similar to the following:

<pre class="none lang-sh">
DONE
-----------------------------------------------------------------------------
ID: 3e08565f-7f57-4449-bc68-51c46cf33d03
CREATE_TIME: 2022-09-19T15:41:07+00:00
DURATION: 54S
SOURCE: gs://sds-docs-project_cloudbuild/source/1663602066.777581-6ebe4b2d6fd741ffa18936d7f78055e9.tgz
IMAGES: us-central1-docker.pkg.dev/sds-docs-project/containers/java-guestbook-backend:quickstart
STATUS: SUCCESS
</pre>

Generate an SBOM for the built image

An SBOM is a full inventory of an application, identifying the packages your software relies on. The contents can include third-party software from vendors, internal artifacts, and open source libraries.

Generate the SBOM for the image you built in the previous section:

gcloud artifacts sbom export
    --uri=us-central1-docker.pkg.dev/${PROJECT_ID}/containers/java-guestbook-backend:quickstart

View security insights

The Cloud Build UI in the Google Cloud console contains the Software Delivery Shield Security insights panel that displays security information related to the build such as SLSA level, any vulnerabilities in the dependencies, and build provenance.

To view the Software Delivery Shield Security insights panel:

1. Open the Build history page in the Google Cloud console:

   Open the Build history page

2. Select your project and click Open.

3. In the Region drop-down menu, select us-central1.

4. In the table with the builds, locate the row with the build you just executed.

5. Under the Security insights column click View.

You see the Security insights panel for the build:

This panel displays the following information:

• SLSA Level: This build has achieved SLSA Level 3. Click the Learn more link to learn what this security level means.

• Vulnerabilities: Any vulnerabilities found in your artifacts. Click the image name (java-guestbook-backend) to see the artifacts that have been scanned for vulnerabilities.

• Dependencies for the built container image in Artifact Registry.

• Build details: Details of the build such as the builder and the link to view logs.