
Container vulnerability scanning in GCP - Commands & Configuration

Introduction
Containers can have security problems when the software inside them is outdated or contains bugs. Container vulnerability scanning checks container images for these known problems before they are used, helping keep applications safe.
Typical situations where it is used:
- You want to check whether your container images have security issues before deploying them.
- You need to ensure compliance with your company's security rules.
- You want new container images pushed to your registry to be scanned automatically.
- You want reports about the vulnerabilities in your container images.
- You want to prevent containers with known security problems from running.
Config File - cloudbuild.yaml
steps:
# Step 1: confirm the image exists in the registry before scanning it.
- name: 'gcr.io/cloud-builders/gcloud'
  args: ['container', 'images', 'describe', 'gcr.io/my-project/my-app:latest']
# Step 2: run the beta vulnerability scan on the same image.
- name: 'gcr.io/cloud-builders/gcloud'
  args: ['beta', 'container', 'images', 'scan', 'gcr.io/my-project/my-app:latest']

This Cloud Build configuration runs two steps: first it describes the container image to confirm it exists, then it runs the vulnerability scan on the image using Google Cloud's beta scanning feature.

The gcloud beta container images scan command checks the image for known security issues and reports them.

Commands
This command shows details about the container image to confirm it is available in the registry before scanning.
Terminal
gcloud container images describe gcr.io/my-project/my-app:latest
Expected Output
image_summary:
  digest: sha256:abc123def456...
  tags:
  - latest
  uploadTime: '2024-06-01T12:00:00Z'
  mediaType: application/vnd.docker.distribution.manifest.v2+json
This command runs the vulnerability scan on the specified container image and outputs the found security issues.
Terminal
gcloud beta container images scan gcr.io/my-project/my-app:latest
Expected Output
Scanning image gcr.io/my-project/my-app:latest...
Vulnerabilities found:
- CVE-2023-1234: High severity, fix available
- CVE-2022-5678: Medium severity, fix available
Scan completed with 2 vulnerabilities found.
Useful option: --format=json outputs the scan results as JSON for easier parsing.
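The JSON output is only useful if something acts on it. The script below is an added example (not part of the original page and not Google's tooling): it parses scan results and applies a severity gate, which is the "review scan reports before deployment" step from the Common Mistakes section turned into code. The JSON shape it expects, a list of occurrences with a noteName and a vulnerability object carrying effectiveSeverity, fixAvailable and packageIssue, is an assumption modelled on Container Analysis occurrences; the sample data is constructed and reuses the placeholder CVE ids from the page, and you should check the field names against the real output on your project.

```python
"""Severity gate for container vulnerability scan results (added example).

Assumption: the JSON produced by
  gcloud beta container images scan IMAGE --format=json
is a list of occurrences shaped like SAMPLE_SCAN_JSON below. Field names are
an assumption; adapt them to the real output on your project.
"""
import json
import sys

# Severity ranking: higher index means more severe.
SEVERITY_ORDER = ["MINIMAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample of scan output (not real findings); the CVE ids are the
# placeholder ids used on the page.
SAMPLE_SCAN_JSON = json.dumps([
    {"noteName": "projects/goog-vulnz/notes/CVE-2023-1234",
     "vulnerability": {"effectiveSeverity": "HIGH", "fixAvailable": True,
                       "packageIssue": [{"affectedPackage": "openssl"}]}},
    {"noteName": "projects/goog-vulnz/notes/CVE-2022-5678",
     "vulnerability": {"effectiveSeverity": "MEDIUM", "fixAvailable": True,
                       "packageIssue": [{"affectedPackage": "curl"}]}},
])


def parse_findings(scan_json):
    """Normalise each occurrence into a flat dict: cve, severity, fix_available, package."""
    findings = []
    for occ in json.loads(scan_json):
        vuln = occ.get("vulnerability", {})
        pkgs = [p.get("affectedPackage", "?") for p in vuln.get("packageIssue", [])]
        findings.append({
            "cve": occ.get("noteName", "").rsplit("/", 1)[-1],
            "severity": str(vuln.get("effectiveSeverity", "UNKNOWN")).upper(),
            "fix_available": bool(vuln.get("fixAvailable", False)),
            "package": ",".join(pkgs) or "?",
        })
    return findings


def severity_rank(severity):
    """Rank a severity; unknown values rank above CRITICAL so they are never silently passed."""
    if severity in SEVERITY_ORDER:
        return SEVERITY_ORDER.index(severity)
    return len(SEVERITY_ORDER)


def gate(findings, threshold="HIGH", allowlist=()):
    """Return (passed, blocking).

    A finding blocks deployment when its severity is at or above `threshold`
    and its CVE id is not on the explicit, reviewed allowlist.
    """
    limit = severity_rank(threshold)
    blocking = [f for f in findings
                if severity_rank(f["severity"]) >= limit and f["cve"] not in allowlist]
    return (not blocking, blocking)


def report(findings, threshold="HIGH", allowlist=()):
    """Human-readable summary plus the gate decision, for use in a build log."""
    passed, blocking = gate(findings, threshold, allowlist)
    lines = ["%-16s %-9s fix=%-5s %s" % (f["cve"], f["severity"],
                                          f["fix_available"], f["package"])
             for f in findings]
    lines.append("gate threshold=%s blocking=%d result=%s"
                 % (threshold, len(blocking), "PASS" if passed else "FAIL"))
    return passed, "\n".join(lines)


if __name__ == "__main__":
    # Read scan JSON from stdin if piped, otherwise use the constructed sample.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SCAN_JSON
    ok, text = report(parse_findings(raw or SAMPLE_SCAN_JSON))
    print(text)
    sys.exit(0 if ok else 1)
```

Wired into a build step as `gcloud beta container images scan IMAGE --format=json | python gate.py`, a non-zero exit fails the build, so a vulnerable image never reaches the deploy step. The allowlist is deliberately explicit: a temporary exception must name the CVE id, and unrecognised severities fail closed rather than being ignored.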
This command lists all tags of the container image to see available versions and decide which to scan or deploy.
Terminal
gcloud container images list-tags gcr.io/my-project/my-app
Expected Output
DIGEST                                                                   TAGS    TIMESTAMP
sha256:abc123def4567890abcdef1234567890abcdef1234567890abcdef1234567890  latest  2024-06-01T12:00:00
sha256:def456abc1237890abcdef1234567890abcdef1234567890abcdef1234567890  v1.0    2024-05-20T08:30:00
Key Concept

If you remember nothing else from this pattern, remember: scanning container images before deployment helps catch security problems early and keeps your apps safe.

Common Mistakes
Trying to scan a container image that does not exist in the registry.
The scan command fails because there is no image to check, and the build step errors out.
Always verify the image exists with 'gcloud container images describe' or 'gcloud container images list-tags' before scanning.
Ignoring scan results and deploying vulnerable images.
This leaves your application exposed to known security risks that could be exploited.
Review scan reports carefully and update or fix images before deployment.
Summary
Use 'gcloud container images describe' to confirm your container image is in the registry.
Run 'gcloud beta container images scan' to check the image for security vulnerabilities.
List image tags with 'gcloud container images list-tags' to manage different versions.