Stay organized with collections Save and categorize content based on your preferences.

Deploy on Cloud Run and view security insights

This quickstart explains how to deploy a container image to Cloud Run and view security insights for the deployment in the Software Delivery Shield Security panel in the Google Cloud console. You will:

  • Deploy an image to Cloud Run using Google Cloud Deploy. Google Cloud Deploy is a Google Cloud service that automates delivery of your applications to a series of target environments in a defined promotion sequence.
  • View the following security insights for the deployment:

    • Identity and encryption information for the deployment.
    • Supply-chain Levels for Software Artifacts (SLSA) level, which identifies the level of assurance for the deployment.
    • Vulnerabilities in build artifacts.
    • Build provenance, which is a collection of verifiable metadata about a build. It includes details such as the digests of the built images, the input source locations, the build toolchain, build steps, and the build duration.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. Install and initialize the Google Cloud CLI.
  3. Create or select a Google Cloud project.

    • Create a Cloud project:

      gcloud projects create PROJECT_ID
    • Select the Cloud project that you created:

      gcloud config set project PROJECT_ID
  4. Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.

  5. Enable the Cloud Build, Artifact Registry, Google Cloud Deploy, Cloud Run, and Container Scanning APIs:

    gcloud services enable cloudbuild.googleapis.com  artifactregistry.googleapis.com  clouddeploy.googleapis.com  run.googleapis.com  containerscanning.googleapis.com
  6. Install and initialize the Google Cloud CLI.
  7. Create or select a Google Cloud project.

    • Create a Cloud project:

      gcloud projects create PROJECT_ID
    • Select the Cloud project that you created:

      gcloud config set project PROJECT_ID
  8. Make sure that billing is enabled for your Cloud project. Learn how to check if billing is enabled on a project.

  9. Enable the Cloud Build, Artifact Registry, Google Cloud Deploy, Cloud Run, and Container Scanning APIs:

    gcloud services enable cloudbuild.googleapis.com  artifactregistry.googleapis.com  clouddeploy.googleapis.com  run.googleapis.com  containerscanning.googleapis.com

Set default settings

  1. Set an environment variable for project ID:

    export PROJECT_ID=$(gcloud config get project)
    
  2. Set the default region for Google Cloud Deploy:

    gcloud config set deploy/region us-central1
    

Grant access

Grant IAM roles to the default Compute Engine service account. This is required for Google Cloud Deploy to deploy workloads into Cloud Run.

 gcloud projects add-iam-policy-binding $PROJECT_ID \
     --member=serviceAccount:$(gcloud projects describe $PROJECT_ID \
     --format="value(projectNumber)")-compute@developer.gserviceaccount.com \
     --role="roles/clouddeploy.jobRunner"
 gcloud iam service-accounts add-iam-policy-binding $(gcloud projects describe $PROJECT_ID \
     --format="value(projectNumber)")-compute@developer.gserviceaccount.com \
     --member=serviceAccount:$(gcloud projects describe $PROJECT_ID \
     --format="value(projectNumber)")-compute@developer.gserviceaccount.com \
     --role="roles/iam.serviceAccountUser" \
     --project=$PROJECT_ID
 gcloud projects add-iam-policy-binding $PROJECT_ID \
     --member=serviceAccount:$(gcloud projects describe $PROJECT_ID \
     --format="value(projectNumber)")-compute@developer.gserviceaccount.com \
     --role="roles/run.developer"

If you have trouble adding either of these roles, contact your project administrator.

Create a Docker repository in Artifact Registry

  1. Create a new Docker repository named containers in the location us-central1 with the description "Docker repository":

    gcloud artifacts repositories create containers --repository-format=docker \
        --location=us-central1 --description="Docker repository"
    
  2. Verify that your repository was created:

    gcloud artifacts repositories list
    

    You should see containers in the list of displayed repositories.

Prepare sample application

You'll need some sample source code to build and deploy. In this section, you'll clone an existing source repository containing a Java code sample.

  1. Clone the repository that contains the Java code sample:

    git clone https://github.com/googlecloudplatform/software-delivery-shield-demo-java.git
    cd software-delivery-shield-demo-java/backend
    
  2. Update cloudrun.clouddeploy.yaml to replace PROJECT_ID with your project ID:

    sed -i "s/PROJECT_ID/${PROJECT_ID}/g" cloudrun.clouddeploy.yaml
    

Build the application

  1. Build and containerize the Java application using Cloud Build. The following command builds and containerizes the Java application and stores the built container in the Artifact Registry docker repository:

    gcloud builds submit --config=cloudbuild.yaml --region=us-central1
    

    After the build completes, you see a success status message similar to the following:

    DONE
    -----------------------------------------------------------------------------
    ID: 3e08565f-7f57-4449-bc68-51c46cf33d03
    CREATE_TIME: 2022-09-19T15:41:07+00:00
    DURATION: 54S
    SOURCE: gs://sds-docs-project_cloudbuild/source/1663602066.777581-6ebe4b2d6fd741ffa18936d7f78055e9.tgz
    IMAGES: us-central1-docker.pkg.dev/sds-docs-project/containers/java-guestbook-backend:quickstart
    STATUS: SUCCESS
    

Deploy the container on Cloud Run using Google Cloud Deploy

  1. Register your pipeline and targets with the Google Cloud Deploy service:

    gcloud deploy apply --file cloudrun.clouddeploy.yaml
    

    You now have a pipeline, with targets, ready to deploy your application to your first target.

  2. To verify that your pipeline exists, go to the Delivery pipelines page in the Google Cloud console:

    Open the Delivery pipelines page

    The delivery pipeline you just created, cloudrun-guestbook-backend-delivery is displayed.

  3. Click cloudrun-guestbook-backend-delivery to monitor progress. The Delivery pipeline details page opens.

  4. In Cloud Shell, create a release in Google Cloud Deploy:

    gcloud deploy releases create test-release-007 \
        --delivery-pipeline=cloudrun-guestbook-backend-delivery \
        --skaffold-file=cloudrun.skaffold.yaml \
        --images=java-guestbook-backend=us-central1-docker.pkg.dev/${PROJECT_ID}/containers/java-guestbook-backend:quickstart
    

    The new release appears in the Releases section on the Delivery pipeline details page.

  5. Monitor the Pipeline visualization view on the Delivery pipeline details page until the Promote button displays for dev-cluster. You might need to refresh the page.

  6. On the first target in the delivery pipeline visualization, cloudrun-dev, click Promote.

    The Promote release dialog is shown. It shows the details of the target you're promoting to.

  7. Click Promote.

    The release is now queued for deployment into cloudrun-prod. When deployment is complete, the delivery pipeline visualization shows it as deployed:

    Screenshot of deployment

View security insights for the deployment

  1. Open the Software supply chain security Cloud Run Services page.

    Open the Cloud Run Services page

  2. In the Cloud Run Services table, click guestbook-backend-prod.

  3. In the Service details page, click Revisions.

  4. In the Revisions panel, click Security.

You see the Software Delivery Shield Security panel for deployment.

Screenshot of the security panel

This panel displays the following information:

  • Identity and encryption: The email address of the default Compute Engine service account and the encryption key used for the deployment.

  • SLSA Level: This build is at SLSA Level 3. Click the Learn more link to learn about what this security level means.

  • Vulnerabilities: Any vulnerabilities found in your dependencies. Click the image name (java-guestbook-backend) to see the artifacts that have been scanned for dependencies. Software Delivery Shield shows details for identified vulnerabilities so that you can assess the impact on your application and steps you want to take to address them.

  • Build details: Details of the build such as the builder and the link to view logs.

  • Build provenance: Provenance for the build.

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, delete the Cloud project with the resources.

  1. Disable Container Scanning API:

    gcloud services disable containerscanning.googleapis.com --force
    
  2. Delete the guestbook-backend-dev Cloud Run service:

    gcloud run services delete guestbook-backend-dev --region=us-central1 \
        --project=${PROJECT_ID}
    
  3. Delete the guestbook-backend-prod service:

    gcloud run services delete guestbook-backend-prod --region=us-central1 \
        --project=${PROJECT_ID}
    
  4. Delete the delivery pipeline, including the release and rollouts:

    gcloud deploy delivery-pipelines delete cloudrun-guestbook-backend-delivery \
        --force --region=us-central1 --project=${PROJECT_ID}
    

    This command deletes the delivery pipeline itself, plus all release and rollout resources Software supply chain security created for that pipeline.

  5. Delete the Artifact Registry repository:

    gcloud artifacts repositories delete containers \
        --location=us-central1 --async
    

That's it, you completed this quickstart!

What's next