Scan Java packages automatically
Learn how to enable automatic scanning, push a container image on Artifact Registry, and see a list of any vulnerabilities found in the image.
Artifact Analysis scans for vulnerabilities each time an image is pushed to Artifact Registry. Platform administrators and application developers can use this automatic scanning feature to help identify risks in their software delivery pipeline.
This quickstart uses a simple publicly available package to demonstrate one type of package scanning. By default, Artifact Analysis scans for vulnerabilities in multiple package types once you enable the scanning API. Supported package types include: OS, Go, Java (Maven), Python and Node.js (npm).
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
Install the Google Cloud CLI.
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
To initialize the gcloud CLI, run the following command:
gcloud init
Create or select a Google Cloud project.
Note: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
- Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.
Create a Google Cloud project:
gcloud projects create PROJECT_ID
Replace PROJECT_ID with a name for the Google Cloud project you are creating.
Select the Google Cloud project that you created:
gcloud config set project PROJECT_ID
Replace PROJECT_ID with your Google Cloud project name.
Verify that billing is enabled for your Google Cloud project.
Enable the Artifact Registry and Container Scanning APIs:
Roles required to enable APIs
To enable APIs, you need the Service Usage Admin IAM role (roles/serviceusage.serviceUsageAdmin), which contains the serviceusage.services.enable permission. Learn how to grant roles.
gcloud services enable containerscanning.googleapis.com artifactregistry.googleapis.com
Create a Docker repository in Artifact Registry
Create a Docker repository to store the sample image for this quickstart.
Open the Repositories page in the Google Cloud console.
Click Create Repository.
On the Create Repository page, input the following settings:
- Name: quickstart-docker-repo
- Format: Docker
- Mode: Standard
- Location type: Region
- Region: us-central1
Click Create.
You see the Repositories page. Your quickstart-docker-repo repository is added to the repository list.
Configure authentication
Before you can push or pull images with Artifact Registry, you must configure Docker to use the Google Cloud CLI to authenticate requests to Artifact Registry.
In the Cloud Shell or your local shell, set up authentication for Docker repositories in the region us-central1:
gcloud auth configure-docker us-central1-docker.pkg.dev
Obtain a package
Change to a directory where you want to save your container image.
Copy an image into your local directory. For example, you can use Docker to pull the latest Jenkins image from Docker Hub.
docker pull jenkins:2.60.3-alpine
Tag your package with a repository name
When you want to push a package to Artifact Registry, you need to configure the docker push command to push the image to a specific location.
Run the following command to tag the image as quickstart-image:tag1:
docker tag jenkins:2.60.3-alpine \
us-central1-docker.pkg.dev/PROJECT/quickstart-docker-repo/quickstart-image:tag1
Where
- PROJECT is your Google Cloud project ID. If your project ID contains a colon (:), see Domain-scoped projects.
- us-central1 is the Artifact Registry repository region.
- docker.pkg.dev is the hostname for Docker repositories.
- quickstart-image is the image name you want to use in the repository. The image name can be different than the local image name.
- tag1 is a tag you're adding to the Docker image. If you didn't specify a tag, Docker will apply the default tag latest.
Push the image to Artifact Registry
Artifact Analysis automatically scans new images when they're uploaded to Artifact Registry.
To push the image to your Docker repository in Artifact Registry, run the following command:
docker push us-central1-docker.pkg.dev/PROJECT/quickstart-docker-repo/quickstart-image:tag1
Replace PROJECT with your Google Cloud project ID. If your project ID contains a colon (:), see Domain-scoped projects.
View vulnerability scanning results
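Once the scan of the pushed image has finished, the findings can be triaged programmatically. The following is an added example, not part of the original page or Google's own code: it filters vulnerability occurrences down to the Java (Maven) packages this quickstart is about and applies a severity gate. It assumes the occurrences were exported as a JSON array in the Container Analysis (Grafeas v1) occurrence layout; the sample data, CVE IDs, package names and the function names maven_findings and blocking are constructed for illustration.

```python
import json

# Constructed sample in the Container Analysis (Grafeas v1) occurrence layout.
# CVE IDs, package names and versions are placeholders, not real findings.
SAMPLE = json.loads("""[
 {"kind": "VULNERABILITY", "vulnerability": {
   "shortDescription": "CVE-0000-0001", "effectiveSeverity": "CRITICAL",
   "packageIssue": [{"packageType": "MAVEN", "affectedPackage": "com.example:demo-lib",
     "affectedVersion": {"fullName": "1.2.0"}, "fixedVersion": {"fullName": "1.2.9"},
     "fixAvailable": true}]}},
 {"kind": "VULNERABILITY", "vulnerability": {
   "shortDescription": "CVE-0000-0002", "effectiveSeverity": "LOW",
   "packageIssue": [{"packageType": "MAVEN", "affectedPackage": "org.example:util",
     "affectedVersion": {"fullName": "3.0"}, "fixAvailable": false}]}},
 {"kind": "VULNERABILITY", "vulnerability": {
   "shortDescription": "CVE-0000-0003", "effectiveSeverity": "HIGH",
   "packageIssue": [{"packageType": "OS", "affectedPackage": "examplelib",
     "affectedVersion": {"fullName": "1.0-r0"}, "fixAvailable": false}]}},
 {"kind": "VULNERABILITY", "vulnerability": {
   "shortDescription": "CVE-0000-0004",
   "packageIssue": [{"packageType": "MAVEN", "affectedPackage": "com.example:parser",
     "affectedVersion": {"fullName": "0.9"}, "fixAvailable": false}]}},
 {"kind": "DISCOVERY", "discovery": {"analysisStatus": "FINISHED_SUCCESS"}}
]""")

RANK = {"MINIMAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def maven_findings(occurrences):
    """One row per affected Maven package; other kinds and package types are skipped."""
    rows = []
    for occ in occurrences:
        vuln = occ.get("vulnerability") if occ.get("kind") == "VULNERABILITY" else None
        for issue in (vuln or {}).get("packageIssue", []):
            if issue.get("packageType", "").upper() == "MAVEN":
                rows.append({
                    "id": vuln.get("shortDescription", "unknown"),
                    "severity": vuln.get("effectiveSeverity", "SEVERITY_UNSPECIFIED"),
                    "package": issue.get("affectedPackage"),
                    "installed": (issue.get("affectedVersion") or {}).get("fullName"),
                    "fixed_in": (issue.get("fixedVersion") or {}).get("fullName"),
                })
    return rows

def blocking(rows, threshold="HIGH"):
    """Rows at or above threshold; a finding with no known rating blocks (fail closed)."""
    floor = RANK[threshold]
    return [r for r in rows if RANK.get(r["severity"], floor) >= floor]

if __name__ == "__main__":
    print(blocking(maven_findings(SAMPLE)))
```

A pipeline step can exit non-zero when blocking() returns any rows, so an image with unresolved high-severity Java findings does not get promoted.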
Clean up
To avoid incurring charges to your Google Cloud account for the resources used on this page, delete the Google Cloud project with the resources.
If you created a new project for this guide, you can now delete the project.
What's next
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-18 UTC.