Profile applicability: Level 2
Note: GCR is now deprecated, being superseded by Artifact Registry starting 15th May 2024. Runtime Vulnerability scanning is available via GKE Security Posture.
Scan images stored in Google Container Registry (GCR) or Artifact Registry (AR) for vulnerabilities.
Vulnerabilities in software packages can be exploited by malicious users to obtain unauthorized access to local cloud resources. The GCR Container Analysis API or the Artifact Registry Container Scanning API allow images stored in GCR or AR respectively to be scanned for known vulnerabilities.
Note: By default, GCR Container Analysis and AR Container Scanning are disabled.
Audit
For Images Hosted in GCR:
Using Google Cloud Console:
- Go to the GCR website.
- Select Settings and check if Vulnerability scanning is Enabled.
Using Command Line:
gcloud services list --enabled
Ensure that the Container Registry API and Container Analysis API are listed in the output.
For Images Hosted in AR:
Using Google Cloud Console:
- Go to the AR website.
- Select Settings and check if Vulnerability scanning is Enabled.
Using Command Line:
gcloud services list --enabled
Ensure that the Container Scanning API and Artifact Registry API are listed in the output.
Remediation
For Images Hosted in GCR:
Using Google Cloud Console:
- Go to the GCR website.
- Select Settings and, under the Vulnerability Scanning heading, click the TURN ON button.
Using Command Line:
gcloud services enable containeranalysis.googleapis.com
For Images Hosted in AR:
Using Google Cloud Console:
- Go to the AR website.
- Select Settings and, under the Vulnerability Scanning heading, click the ENABLE button.
Using Command Line:
gcloud services enable containerscanning.googleapis.com
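The following POSIX shell script is an added audit helper, not part of the CIS benchmark text. It applies the command-line audit above to the output of `gcloud services list --enabled`, reports which of the required APIs are missing for GCR and for AR, and prints the matching `gcloud services enable` remediation command for each gap. The four API identifiers are the real service names named in the Audit and Remediation sections; the two sample listings are constructed for offline testing, and the `--live` mode (which assumes an authenticated `gcloud` with a default project) queries the current project.

```shell
#!/bin/sh
# Added audit helper (not part of the CIS benchmark): checks a
# `gcloud services list --enabled` listing for the APIs the benchmark requires.
# Run with --live to audit the current gcloud project; otherwise only the
# functions are defined.

# Required API identifiers per registry type (from the Audit section).
GCR_REQUIRED="containerregistry.googleapis.com containeranalysis.googleapis.com"
AR_REQUIRED="artifactregistry.googleapis.com containerscanning.googleapis.com"

# missing_services <gcr|ar> <listing>
# Prints each required API absent from the listing, one per line.
# The listing may be gcloud's default table (NAME TITLE header) or one name
# per line (--format=value(config.name)); only the first column is compared,
# as an exact string.
missing_services() {
  registry="$1"; listing="$2"
  case "$registry" in
    gcr) required="$GCR_REQUIRED" ;;
    ar)  required="$AR_REQUIRED" ;;
    *)   echo "usage: missing_services gcr|ar <listing>" >&2; return 2 ;;
  esac
  names=$(printf '%s\n' "$listing" | awk 'NF && $1 != "NAME" {print $1}')
  for svc in $required; do
    printf '%s\n' "$names" | grep -qxF "$svc" || printf '%s\n' "$svc"
  done
}

# check_enabled <gcr|ar> <listing>
# Returns 0 when every required API is enabled, 1 otherwise; for each gap it
# prints the remediation command given in the Remediation section.
check_enabled() {
  missing=$(missing_services "$1" "$2") || return 2
  [ -z "$missing" ] && return 0
  for svc in $missing; do
    echo "MISSING: $svc  (remediate: gcloud services enable $svc)"
  done
  return 1
}

# Constructed sample listings in gcloud's table format (not real project output).
SAMPLE_ALL_ENABLED='NAME                              TITLE
artifactregistry.googleapis.com   Artifact Registry API
containeranalysis.googleapis.com  Container Analysis API
containerregistry.googleapis.com  Container Registry API
containerscanning.googleapis.com  Container Scanning API
compute.googleapis.com            Compute Engine API'

# Both registry APIs are on, but neither scanning API has been enabled.
SAMPLE_SCANNING_OFF='NAME                              TITLE
artifactregistry.googleapis.com   Artifact Registry API
containerregistry.googleapis.com  Container Registry API
compute.googleapis.com            Compute Engine API'

# Live audit of the current project (assumes an authenticated gcloud CLI).
if [ "${1:-}" = "--live" ]; then
  listing=$(gcloud services list --enabled --format="value(config.name)")
  rc=0
  echo "GCR:"; check_enabled gcr "$listing" || rc=1
  echo "AR:";  check_enabled ar  "$listing" || rc=1
  exit $rc
fi
```

Against the constructed `SAMPLE_SCANNING_OFF` listing, `check_enabled gcr` reports only `containeranalysis.googleapis.com` as missing and `check_enabled ar` only `containerscanning.googleapis.com`, matching the two `gcloud services enable` commands in the Remediation section; a non-zero exit code makes the check usable as a CI gate.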