Which GCP service is primarily used to automatically scan container images for vulnerabilities when they are pushed to Container Registry or Artifact Registry?
Think about the service that stores metadata and security findings about container images.
Container Analysis (now branded Artifact Analysis) is the GCP service that automatically scans container images stored in Container Registry or Artifact Registry and records vulnerability findings as occurrences you can query per image. The scanning itself is done by the Container Scanning API; Container Analysis is the metadata store (based on Grafeas) where those findings, plus attestations and other image metadata, are kept.
You want to ensure that all container images pushed to Artifact Registry are scanned for vulnerabilities automatically. Which configuration step is required?
Automatic scanning requires enabling a specific API on the project that owns the repository; there is no per-repository trigger to configure.
Enabling the Container Scanning API (containerscanning.googleapis.com) on the project is the required step. Enabling it also enables the Container Analysis API, and from then on every image pushed to Artifact Registry is scanned on push with no further configuration. Note that the API is billed per scanned image, and that enabling only the Container Analysis API is not enough: without the Container Scanning API you get the metadata store but no automatic scans.
You are designing a CI/CD pipeline on GCP that builds container images, scans them for vulnerabilities, and only deploys images that pass the scan. Which architecture best enforces this security requirement?
Think about integrating scanning results into deployment gating.
Cloud Build builds and pushes the image, Container Analysis scans it on push, and Binary Authorization enforces the gate: a build step queries the vulnerability occurrences for the image digest and signs a Binary Authorization attestation only if the image passes the policy, and the GKE or Cloud Run deployment target has a Binary Authorization policy that admits only attested digests. Cloud Deploy can still drive the rollout, but it does not evaluate scan results itself; the enforcement point that cannot be bypassed by a misconfigured pipeline is the Binary Authorization admission check on the runtime.
After scanning a container image with Container Analysis, you receive a report showing vulnerabilities with severity levels: HIGH, MEDIUM, and LOW. Which action aligns best with security best practices?
Consider risk levels and practical deployment constraints.
Blocking deployment on HIGH (and CRITICAL) severity vulnerabilities while tracking MEDIUM and LOW findings for scheduled remediation is a balanced approach that reduces risk without blocking every deployment. Gate on the effective severity Container Analysis reports (the distribution's assessment, which can differ from the generic CVSS score), and decide explicitly whether a HIGH finding with no fix available blocks or only triggers review; "review" must mean a tracked ticket with an owner, not an ignored report.
When a new version of a container image is pushed to Artifact Registry, how does Container Analysis handle vulnerability scanning and reporting?
Think about how scanning is version-specific and automated.
Container Analysis scans each pushed image version independently and keeps a separate set of vulnerability occurrences per image, keyed to the image digest rather than the tag. A tag such as `latest` can move between digests, but the findings always describe a specific digest, so gating decisions should be made on the digest that will actually be deployed. Results are also not static: images pushed or pulled within the last 30 days are continuously re-evaluated as new vulnerability data arrives, so a digest that passed yesterday can acquire new findings without any new push.
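The gating logic described in the pipeline and severity questions above, combined with the per-digest bookkeeping from this answer, as an added example (not Google's code and not part of the original page). It takes a list of Grafeas `VulnerabilityOccurrence` dictionaries of the shape the Container Analysis API returns (for instance from `gcloud artifacts docker images list-vulnerabilities --format=json`), groups them by `resourceUri` (the image digest), and decides per digest whether deployment is allowed. The sample occurrences, digests and note names are constructed placeholders; the field names `vulnerability.effectiveSeverity`, `vulnerability.fixAvailable` and `noteName` follow the Grafeas schema, but check them against your own project's output before wiring this into a build step.

```python
"""Per-digest vulnerability gate over Container Analysis occurrences.

Added example, not Google's code. Input is a list of Grafeas
VulnerabilityOccurrence dicts as the Container Analysis API returns them.
The sample data below is constructed: digests and note names are fake.
"""
from collections import defaultdict

# Order used for threshold comparison; unknown/unspecified never blocks.
SEVERITY_RANK = {"MINIMAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed digests (placeholder hex, not real images).
V1_URI = "https://us-docker.pkg.dev/example-proj/app/api@sha256:" + "a" * 64
V2_URI = "https://us-docker.pkg.dev/example-proj/app/api@sha256:" + "b" * 64

SAMPLE_OCCURRENCES = [
    # Version 1: one HIGH with a fix available, one LOW without.
    {"kind": "VULNERABILITY", "resourceUri": V1_URI,
     "noteName": "projects/goog-vulnz/notes/CVE-EXAMPLE-1",
     "vulnerability": {"severity": "HIGH", "effectiveSeverity": "HIGH",
                       "fixAvailable": True}},
    {"kind": "VULNERABILITY", "resourceUri": V1_URI,
     "noteName": "projects/goog-vulnz/notes/CVE-EXAMPLE-2",
     "vulnerability": {"severity": "LOW", "effectiveSeverity": "LOW",
                       "fixAvailable": False}},
    # Version 2: a HIGH with no fix yet, a MEDIUM, and one occurrence where the
    # distribution has not assigned an effective severity (fall back to severity).
    {"kind": "VULNERABILITY", "resourceUri": V2_URI,
     "noteName": "projects/goog-vulnz/notes/CVE-EXAMPLE-3",
     "vulnerability": {"severity": "CRITICAL", "effectiveSeverity": "HIGH",
                       "fixAvailable": False}},
    {"kind": "VULNERABILITY", "resourceUri": V2_URI,
     "noteName": "projects/goog-vulnz/notes/CVE-EXAMPLE-4",
     "vulnerability": {"severity": "MEDIUM", "effectiveSeverity": "MEDIUM",
                       "fixAvailable": True}},
    {"kind": "VULNERABILITY", "resourceUri": V2_URI,
     "noteName": "projects/goog-vulnz/notes/CVE-EXAMPLE-5",
     "vulnerability": {"severity": "LOW", "fixAvailable": False}},
    # A DISCOVERY occurrence reports scan status, not a finding; it is ignored.
    {"kind": "DISCOVERY", "resourceUri": V2_URI,
     "noteName": "projects/goog-analysis/notes/PACKAGE_VULNERABILITY",
     "discovery": {"analysisStatus": "FINISHED_SUCCESS"}},
]


def effective_severity(occ):
    """Prefer the distribution's effective severity over the generic one."""
    vuln = occ.get("vulnerability", {})
    return vuln.get("effectiveSeverity") or vuln.get("severity") or "SEVERITY_UNSPECIFIED"


def group_by_digest(occurrences):
    """Findings are keyed to the image digest, so group on resourceUri."""
    by_digest = defaultdict(list)
    for occ in occurrences:
        if occ.get("kind") == "VULNERABILITY" and "resourceUri" in occ:
            by_digest[occ["resourceUri"]].append(occ)
    return dict(by_digest)


def evaluate(occurrences, block_at="HIGH", require_fix=False):
    """Return {digest_uri: {"allowed": bool, "blocking": [...], "review": [...]}}.

    A finding blocks when its effective severity is at or above block_at and,
    if require_fix is set, only when the distribution ships a fixed version.
    Everything else lands in the review list for tracked remediation.
    """
    threshold = SEVERITY_RANK[block_at]
    verdicts = {}
    for uri, occs in group_by_digest(occurrences).items():
        blocking, review = [], []
        for occ in occs:
            sev = effective_severity(occ)
            fix = bool(occ.get("vulnerability", {}).get("fixAvailable", False))
            entry = {"note": occ.get("noteName"), "severity": sev, "fixAvailable": fix}
            severe = SEVERITY_RANK.get(sev, -1) >= threshold
            if severe and (fix or not require_fix):
                blocking.append(entry)
            else:
                review.append(entry)
        verdicts[uri] = {"allowed": not blocking, "blocking": blocking, "review": review}
    return verdicts


if __name__ == "__main__":
    for uri, verdict in evaluate(SAMPLE_OCCURRENCES).items():
        digest = uri.rsplit("@", 1)[1][:19]
        print(f"{digest}: allowed={verdict['allowed']} "
              f"blocking={len(verdict['blocking'])} review={len(verdict['review'])}")
```

In a Cloud Build step this would run after the push, wait for the DISCOVERY occurrence to reach `FINISHED_SUCCESS` for the new digest, and only sign the Binary Authorization attestation for digests whose verdict is `allowed`. Passing `require_fix=True` reproduces the common policy of blocking only on fixable HIGH findings; leave it at the default if an unfixable HIGH should still stop the rollout.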