View vulnerability reports
Software vulnerabilities are weaknesses that can either cause an accidental system failure or result in malicious activity. For more information, see Vulnerability reports.
This document describes how to set up your VMs using VM Manager and view the vulnerability reports for your operating systems.
Before you begin
- Review OS Config quotas.
- Set up VM Manager.
- If you haven't already, set up authentication. Authentication verifies your identity for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:
gcloud init
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update.
- Set a default region and zone.
REST
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:
gcloud init
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update.
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.
Supported operating systems
For the full list of operating systems and versions for which you can get vulnerability reports using VM Manager, see Operating system details.
Required roles and permissions
To get the permissions that you need to view vulnerability reports, ask your administrator to grant you the following IAM roles on the project:
- To view vulnerability reports using the gcloud CLI or API: OS Config Vulnerability Report Viewer (roles/osconfig.vulnerabilityReportViewer)
- To view vulnerability reports using the Google Cloud console:
  - OS Config Vulnerability Report Viewer (roles/osconfig.vulnerabilityReportViewer)
  - OS Inventory Viewer (roles/osconfig.inventoryViewer)
- To view CVE information in the VM instance details dialog on the Patch page:
  - Patch Deployment Viewer (roles/osconfig.patchDeploymentViewer)
  - Patch Job Viewer (roles/osconfig.patchJobViewer)
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
In addition to these roles, to access Compute Engine resources by using the Google Cloud console, you must have a role that contains the compute.projects.get permission on the project.
View vulnerability reports
To view vulnerability reports, you can use any of the following options:
- Use the Google Cloud console, gcloud CLI or API.
- If you are a Security Command Center premium tier user, use the Security Command Center dashboard.
- Use Cloud Asset Inventory.
View vulnerability report using the gcloud CLI or API
Use one of the following methods to view vulnerability reports for your VMs.
Console
To view OS vulnerability reports for a VM by using the Google Cloud console, perform the following steps:
- In the Google Cloud console, go to the VM instances page.
- Click the name of the instance for which you want to view the OS information. The Instance details page appears.
- Click the OS info tab.
  To view OS inventory data, you must enable VM Manager. If Google Cloud console prompts you to enable VM Manager, select one of the following options:
  - Enable for current project: enables VM Manager for all VMs in the selected project
  - Enable for this VM: enables VM Manager only for the selected VM
- Review the list of OS vulnerabilities in the OS info tab.
gcloud
To view vulnerability reports for VMs in a specific zone, use the os-config vulnerability-reports list command. For example, to list all the VMs that have inventory data, run the following command:
gcloud compute os-config vulnerability-reports list \
    --location=ZONE
Replace ZONE with the zone where the VM is located.
Example
gcloud compute os-config vulnerability-reports list \
    --location=us-west2-a
Example output
INSTANCE_ID         VULNERABILITY_COUNT  UPDATE_TIME
29255009728795105   2                    2021-04-13T19:10:10.303046Z
307058717116242358  1                    2021-04-13T19:10:10.303046Z
To view the vulnerability report for a specific VM, run the os-config vulnerability-reports describe command, specifying the INSTANCE_ID returned from the previous step or the INSTANCE_NAME.
gcloud compute os-config vulnerability-reports describe VM_NAME \
    --location=ZONE
Replace the following:
- VM_NAME: the name for your VM
- ZONE: the zone where the VM instance is located
Example
gcloud compute os-config vulnerability-reports describe vm1-centos \
    --location=us-west2-a
Example output
┌───────────────────────────────────────────────────────────────────┐
│                          Vulnerabilities                          │
├──────────────────┬──────────┬───────────────┬─────────────────────┤
│ CVE              │ SEVERITY │ CVSS_V3_SCORE │ CREATE_TIME         │
├──────────────────┼──────────┼───────────────┼─────────────────────┤
│ CVE-2012-6655    │ LOW      │ 3.3           │ 2021-04-29T22:19:53 │
│ CVE-2016-1585    │ MEDIUM   │ 9.8           │ 2021-04-29T22:19:53 │
│ CVE-2016-2781    │ LOW      │ 6.5           │ 2021-04-29T22:19:53 │
│ CVE-2019-7306    │ LOW      │ 7.5           │ 2021-04-29T22:19:53 │
│ CVE-2020-13776   │ LOW      │ 6.7           │ 2021-04-29T22:19:53 │
│ CVE-2021-31879   │ MEDIUM   │ 6.1           │ 2021-05-05T06:11:53 │
└──────────────────┴──────────┴───────────────┴─────────────────────┘
name: projects/384587888288/locations/us-west2-a/instances/29255009728795105/vulnerabilityReport
updateTime: '2021-05-11T22:29:50'
REST
To view vulnerability reports for VMs in a specific zone, create a GET request to the projects.locations.instances.vulnerabilityReports method.
GET https://osconfig.googleapis.com/v1/projects/PROJECT_ID/locations/ZONE/instances/-/vulnerabilityReports
Replace the following:
- PROJECT_ID: your project ID
- ZONE: the zone where the VMs are located
To view the vulnerability report for a specific VM, create a GET request to the projects.locations.instances.getVulnerabilityReport method.
GET https://osconfig.googleapis.com/v1/projects/PROJECT_ID/locations/ZONE/instances/INSTANCE/vulnerabilityReport
Replace the following:
- PROJECT_ID: your project ID
- ZONE: the zone where the VM instance is located
- INSTANCE: specify either the instance ID or the name for your VM
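In the example output above, CVE-2016-1585 carries the label MEDIUM with a CVSS v3 score of 9.8, so filtering a report on the severity label alone can miss it. The following added example (not part of the original page or of Google's samples) triages one report's JSON by score and flags entries whose label is lower than the score implies; the field names `vulnerabilities[].details.cve`, `severity` and `cvssV3.baseScore` are assumed from the v1 VulnerabilityReport resource, and the sample report is constructed.

```python
import json

# Constructed sample shaped like a vulnerabilityReport GET response. CVE IDs, labels
# and scores are copied from this page's example output; the last entry is made up.
# Field names are assumed from the v1 VulnerabilityReport resource; verify on real data.
_ROWS = [("CVE-2012-6655", "LOW", 3.3), ("CVE-2016-1585", "MEDIUM", 9.8),
         ("CVE-2016-2781", "LOW", 6.5), ("CVE-2019-7306", "LOW", 7.5),
         ("CVE-2020-13776", "LOW", 6.7), ("CVE-2021-31879", "MEDIUM", 6.1)]
SAMPLE_REPORT = json.dumps({
    "name": "projects/PROJECT_NUMBER/locations/ZONE/instances/INSTANCE_ID/vulnerabilityReport",
    "vulnerabilities": [
        {"details": {"cve": c, "severity": s, "cvssV3": {"baseScore": b}}} for c, s, b in _ROWS
    ] + [{"details": {"cve": "CVE-CONSTRUCTED-NOSCORE", "severity": "HIGH"}}],
})

RANK = {"NONE": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def cvss_band(score):
    """Map a CVSS v3 base score to its qualitative rating (None if unscored)."""
    if score is None:
        return None
    for floor, band in ((9.0, "CRITICAL"), (7.0, "HIGH"), (4.0, "MEDIUM"), (0.1, "LOW")):
        if score >= floor:
            return band
    return "NONE"

def triage(report_json, min_score=7.0):
    """Return (urgent, underrated, unscored) for one vulnerability report."""
    urgent, underrated, unscored = [], [], []
    for vuln in json.loads(report_json).get("vulnerabilities", []):
        details = vuln.get("details") or {}
        cve = details.get("cve", "UNKNOWN")
        label = details.get("severity", "SEVERITY_UNSPECIFIED")
        score = (details.get("cvssV3") or {}).get("baseScore")
        band = cvss_band(score)
        if band is None:
            unscored.append(cve)  # never drop silently: needs manual review
            continue
        if score >= min_score:
            urgent.append((cve, score, label))
        if RANK[band] > RANK.get(label, 0):
            underrated.append((cve, label, band))  # label is lower than the score implies
    urgent.sort(key=lambda f: f[1], reverse=True)
    return urgent, underrated, unscored

if __name__ == "__main__":
    for name, items in zip(("urgent", "underrated", "unscored"), triage(SAMPLE_REPORT)):
        print(name, items)
```
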
View vulnerability reports using the Security Command Center dashboard
Preview
This feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA features are available "as is" and might have limited support. For more information, see the launch stage descriptions.
Security Command Center is Google Cloud's centralized vulnerability and threat reporting service.
If you are a Security Command Center premium tier user, you can access vulnerability report data for the operating systems that are running on VMs across your organization. On the Findings page in the Security Command Center dashboard, you can review the Common Vulnerabilities and Exposures (CVE) IDs for vulnerabilities that are classified as HIGH or CRITICAL severity.
For information about using the Security Command Center dashboard to access and review operating system vulnerability data, see VM Manager.
View vulnerability reports data from Cloud Asset Inventory
OS inventory management stores and forwards inventory and vulnerability report data to Cloud Asset Inventory. Cloud Asset Inventory is a metadata inventory service that allows you to view, monitor, and analyze assets across Google Cloud. From Cloud Asset Inventory, you can poll the information and view changes in the data.
To access OS inventory and vulnerability report data from Cloud Asset Inventory, you need to complete the following setup:
- Set up VM Manager.
- On your Google Cloud project, enable the Cloud Asset Inventory API, the Google Cloud CLI, and assign permissions.
For more information, see Viewing VM Manager data.
What's next
- Learn more about OS inventory management.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.