
Container vulnerability scanning in GCP - Mini Project: Build & Apply

Container Vulnerability Scanning on Google Cloud Platform
📖 Scenario: You are working as a cloud engineer for a company that deploys containerized applications on Google Cloud Platform (GCP). To keep the applications secure, you need to set up container vulnerability scanning using Google Container Registry (GCR) and Google Cloud Build. This project guides you step by step through configuring vulnerability scanning for the container images stored in GCR.
🎯 Goal: By the end of this project, you will have configured a Google Cloud Build trigger that automatically scans container images pushed to Google Container Registry for vulnerabilities.
📋 What You'll Learn
Create a Google Cloud Build trigger configuration file in YAML format
Specify the container image repository to scan
Enable vulnerability scanning in the build trigger
Add the final configuration to deploy the trigger
💡 Why This Matters
🌍 Real World
Container vulnerability scanning helps prevent deploying insecure container images by automatically checking for known security issues before deployment.
💼 Career
Cloud engineers and DevOps professionals use container vulnerability scanning to maintain secure cloud-native applications and comply with security best practices.
Step 1: Create the initial Cloud Build trigger configuration
Create a YAML file named cloudbuild.yaml with a steps list containing one step. The step should have a name field set to gcr.io/cloud-builders/gcloud and an args list with the single string "container images list-tags gcr.io/my-project/my-app".
Hint: Start by defining the steps key with a list containing one step. Use the exact image name and args as specified.

Step 2: Add a substitution variable for the image repository
Add a substitutions section to the YAML file with a key _IMAGE_REPO set to gcr.io/my-project/my-app.
Hint: Add the substitutions key at the root level with the exact variable name and value.

Step 3: Add the vulnerability scanning step using the substitution variable
Add a new step to the steps list. This step should have name set to gcr.io/cloud-builders/gcloud and args set to a list with these strings exactly: "container images describe $_IMAGE_REPO --show-package-vulnerability".
Hint: Add the new step exactly as shown, using the substitution variable $_IMAGE_REPO in the args list.

Step 4: Add the trigger configuration to deploy the build trigger
Create a YAML file named trigger.yaml with a triggerTemplate section that has projectId set to my-project and repoName set to my-repo. Also add filename set to cloudbuild.yaml and name set to vulnerability-scan-trigger.
Hint: Define the trigger configuration exactly as specified to deploy the Cloud Build trigger.
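The describe step above only prints the scan results; it does not stop a build when severe findings exist. As an added example (not part of this project's files), the script below turns the output of "gcloud container images describe $_IMAGE_REPO --show-package-vulnerability --format=json" into a pass/fail gate. The JSON field names it reads (package_vulnerability_summary, vulnerabilities keyed by severity, noteName, vulnerability.effectiveSeverity, packageIssue.affectedPackage) are an assumption about gcloud's output layout, and the sample report is constructed.

```python
import json
import sys

# Severity ladder used to compare each finding against the threshold.
SEVERITY_ORDER = ["MINIMAL", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def findings_at_or_above(report_json: str, threshold: str) -> list:
    """Return the occurrences whose severity is at or above threshold.

    Assumed layout (not verified against the lesson): the gcloud JSON has a
    package_vulnerability_summary.vulnerabilities map keyed by severity.
    """
    floor = SEVERITY_ORDER.index(threshold)
    summary = json.loads(report_json).get("package_vulnerability_summary", {})
    hits = []
    for severity, occurrences in summary.get("vulnerabilities", {}).items():
        if severity in SEVERITY_ORDER and SEVERITY_ORDER.index(severity) >= floor:
            hits.extend(occurrences)
    return hits


def gate(report_json: str, threshold: str = "HIGH") -> int:
    """Return the exit code for the build step: 0 = pass, 1 = block the build."""
    hits = findings_at_or_above(report_json, threshold)
    for occ in hits:
        vuln = occ.get("vulnerability", {})
        pkgs = [p.get("affectedPackage") for p in vuln.get("packageIssue", [])]
        print(f"{vuln.get('effectiveSeverity')}: {occ.get('noteName')} in {pkgs}")
    print(f"{len(hits)} finding(s) at or above {threshold}")
    return 1 if hits else 0


# Constructed sample in the assumed layout: one HIGH and one LOW finding.
SAMPLE_REPORT = json.dumps({
    "package_vulnerability_summary": {
        "total_vulnerability_found": 2,
        "vulnerabilities": {
            "HIGH": [{"noteName": "projects/example/notes/EXAMPLE-HIGH-1",
                      "vulnerability": {"effectiveSeverity": "HIGH",
                                        "packageIssue": [{"affectedPackage": "openssl"}]}}],
            "LOW": [{"noteName": "projects/example/notes/EXAMPLE-LOW-2",
                     "vulnerability": {"effectiveSeverity": "LOW",
                                       "packageIssue": [{"affectedPackage": "bash"}]}}],
        },
    }
})

if __name__ == "__main__":
    # Read gcloud's JSON from stdin when piped; otherwise gate the sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    sys.exit(gate(data, sys.argv[1] if len(sys.argv) > 1 else "HIGH"))
```

In a real pipeline the gate runs as a follow-up step that pipes the describe output into this script, and a non-zero exit fails the build. Note that Cloud Build passes each args entry as one argv element, so a working describe step lists "container", "images", "describe", "$_IMAGE_REPO" and "--show-package-vulnerability" as separate items rather than one space-separated string.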