Enable or disable automatic scanning

This document tells you how to enable and disable automatic scanning.

Artifact Analysis provides automated vulnerability scanning forcontainer images in Artifact Registry through the Container Scanning API.Platform administrators and application developers canuse the scan results to identify and mitigate risks to their software supplychain.

By default, Artifact Analysis scans all supported package types in yourproject when you enable the Container Scanning API. To lower costs andreduce noise in scanning findings, you can disable scanning on individualrepositories. For more information, seeControl scanning settings for an individual repository.

See thePricing page for pricinginformation.

Limitations

Scanning isn't supported in Artifact Registry virtual repositories.

Enable the Container Scanning API

Important: When you enable the Artifact Analysis API,Artifact Analysis automatically begins scanningeach new image as they are pushed to Artifact Registry repositories in yourproject. However, scanning is disabled by default for packages pushed toArtifact Registry repositories. To enable scanning in a repository,seeControl scanning settings for an individual repository.

You can enable the Container Scanning API for an existing project, or create anew project and then enable the API. Enabling the Container Scanning API alsoenables the Container Analysis API for metadata storage and retrieval.

To enable vulnerability scanning for your project in Artifact Registry,complete the following steps:

In the Google Cloud console, open theEnable access to API page:

Enable the Container Scanning API

Control scanning settings for an individual repository

This section explains how to control the scanning settings for individualrepositories. This feature is only supported in Artifact Registry.

By default, enabling the Container Scanning API activates scanning for allimages you push to standard and remote Docker repositories in Artifact Registry.The following repository formats also support automatic scanning; however,scanning is disabled by default and must be enabled manually:

  • Maven
  • Npm
  • Python

Scanning with Artifact Analysis provides comprehensive information aboutpotential threats to your software supply chain. You can also disable scanningon individual repositories if needed.

You can disable scanning on repositories to:

  • Manage your scanning costs within a project. You don't need to turn offscanning for an entire project, or create a new project to isolaterepositories.
  • Reduce the number of vulnerability findings you receive. You can focus onremediating vulnerabilities in specific repositories.

To change scanning settings for existing Artifact Registry repositories, do thefollowing:

Console

  1. Open theRepositories page in the Google Cloud console.

    Open the Repositories page

  2. In the repository list, select the repository and clickEdit Repository.

  3. Enable ordisable vulnerability scanning.

  4. ClickSave.

gcloud

To disable scanning on the repository:

gcloudartifactsrepositoriesupdateREPOSITORY\--project=PROJECT-ID\--location=LOCATION\--disable-vulnerability-scanning

To allow scanning on the repository:

gcloudartifactsrepositoriesupdateREPOSITORY\--project=PROJECT-ID\--location=LOCATION\--allow-vulnerability-scanning

Where:

  • REPOSITORY: The name of the repository. If you configured adefault repository,then you can omit this flag to use the default.
  • PROJECT-ID: The Google Cloud project ID. If this flag is omitted, then the current or default project is used.
  • LOCATION: Use this flag to view repositories in a specific location. If you configured adefault location,then you can omit this flag to use the default.

To configure scanning settings for a new Artifact Registry repository, seeCreate standard repositoriesorCreate remote repositories.

Disable the Container Scanning API

This section explains how to disable vulnerability scanning for your projectin Artifact Registry.

When you disable the Container Scanning API, scanning stops for all repositoriesin your project. Scanning settings for individual repositories are preserved. Ifyou previously disabled scanning on some repositories, and later re-enable theAPI for your project, those repositories will remain excluded from scanning.

To update scanning settings for individual repositories, seeUpdate repositories.

Console

  1. Open theSettings page for Artifact Registry:

    Open the Settings page

  2. In theVulnerability Scanning section, clickDisable.

gcloud

Run the following command:

gcloudservicesdisablecontainerscanning.googleapis.com

Extend your monitoring time window

Artifact Analysis continuously monitors the vulnerabilitymetadata for scanned images in Artifact Registry.The default time window for continuous monitoring is 30 days. After this periodyour images are stale and the vulnerability scanning results are no longerupdated.

To extend the monitoring window, you must pull or push the image within the30-day period. We recommend creating a scheduled task to re-push containers thatdon't require frequent updating, for example, your Istio and proxy images.

What's next

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.