Artifact Analysis overview

Artifact Analysis is a family of services that provide software composition analysis, metadata storage and retrieval. Its detection points are built into a number of Google Cloud products such as Artifact Registry and Google Kubernetes Engine (GKE) for quick enablement. The service works with both Google Cloud's first-party products and also lets you store information from third-party sources. The scanning services use a common vulnerability store for matching files against known vulnerabilities.

This service was formerly known as Container Analysis. The new name does not change existing products or APIs, but reflects the product's expanding range of features beyond containers.

Artifact Analysis in CI/CD

Figure 1. Diagram that shows Artifact Analysis creating and interacting with metadata across source, build, storage, deployment and runtime environments.

Registry scanning

This section outlines Artifact Analysis vulnerability scanning features based in Artifact Registry, and lists related Google Cloud products where you can enable complementary capabilities to support your security posture.

Automatic scanning in Artifact Registry

  • The scanning process is triggered automatically every time you push a new image to Artifact Registry. The vulnerability information is continuously updated when new vulnerabilities are discovered. Artifact Registry includes application language package scanning. To get started, enable automatic scanning.

Centralized risk management with Security Command Center

Preview

This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of the Service Specific Terms. Pre-GA products and features are available "as is" and might have limited support. For more information, see the launch stage descriptions.

  • Security Command Center centralizes your cloud security, offering vulnerability scanning, threat detection, posture monitoring, and data management. Security Command Center aggregates vulnerability findings from Artifact Registry scans, allowing you to view container image vulnerabilities within your running workloads, across all projects alongside your other security risks in Security Command Center. You can also export these findings to BigQuery for in-depth analysis and long-term storage. For more information, see Artifact Registry vulnerability assessment.

GKE workload vulnerability scanning - standard tier

Caution: Starting on July 23, 2024, standard tier/container OS vulnerability scanning is deprecated and is scheduled for shutdown on July 31, 2025. For more information about deprecation and shutdown dates, see Vulnerability scanning removal from GKE.
  • As part of GKE security posture dashboard, workload vulnerability scanning provides detection of container image OS vulnerabilities. Scanning is free and can be enabled per cluster. Results are available to view in the security posture dashboard.

GKE workload vulnerability scanning - advanced vulnerability insights

Caution: Starting on June 16, 2025, Advanced Vulnerability Insights is deprecated and is scheduled for shutdown on June 16, 2026 as part of the deprecation of various GKE security posture dashboard features. For more information about deprecation and shutdown dates, see Vulnerability scanning removal from GKE.
  • In addition to basic container OS scanning, GKE users can upgrade to advanced vulnerability insights to take advantage of continual language package vulnerability detection. You must manually enable this feature on your clusters, after which you'll receive OS and language package vulnerability results. Learn more about vulnerability scanning in GKE workloads.

On-Demand scanning

  • This service is not continual; you must run a command to manually initiate the scan. Scan results are available up to 48 hours after the scan is completed. The vulnerability information is not updated after the scan is finished. You can scan images stored locally, without having to push them to Artifact Registry or GKE runtimes first. To learn more, see on-demand scanning.

Access metadata

  • Artifact Analysis is a Google Cloud infrastructure component that lets you store and retrieve structured metadata for Google Cloud resources. At various phases of your release process, people or automated systems can add metadata that describes the result of an activity. For example, you can add metadata to your image indicating that the image has passed an integration test suite or a vulnerability scan.

  • With Artifact Analysis integrated into your CI/CD pipeline, you can make decisions based on metadata. For example, you can use Binary Authorization to create deployment policies that only allow deployments for compliant images from trusted registries.

  • Artifact Analysis associates metadata with images through notes and occurrences. To learn more about these concepts, see the metadata management page.
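
The metadata-driven decision described above, as an added example that is not Google's code and is not Binary Authorization itself: a CI gate that reads the occurrences attached to one image digest and denies deployment when no completed scan is recorded or when a vulnerability meets a severity threshold. Field names (`kind`, `resourceUri`, `noteName`, `discovery.analysisStatus`, `vulnerability.effectiveSeverity`, `vulnerability.fixAvailable`) follow the Container Analysis API occurrence resource; the image URIs, note names, CVE placeholders and the policy (digest-only, fail closed, block at HIGH) are constructed assumptions.

```python
# Added example: deployment gate over occurrences. All sample data is constructed.
SEVERITY_RANK = {"SEVERITY_UNSPECIFIED": 0, "MINIMAL": 1, "LOW": 2,
                 "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}

IMAGE = ("https://us-docker.pkg.dev/example-project/example-repo/app"
         "@sha256:" + "ab" * 32)            # constructed digest
OTHER = IMAGE.replace("/app@", "/worker@")  # constructed image with no scan record

def _vuln(uri, cve, severity, fix):
    """Build a constructed vulnerability occurrence."""
    return {"kind": "VULNERABILITY", "resourceUri": uri,
            "noteName": f"projects/example-provider/notes/{cve}",
            "vulnerability": {"effectiveSeverity": severity, "fixAvailable": fix}}

# Constructed occurrences, shaped like an occurrences list response.
SAMPLE = [
    {"kind": "DISCOVERY", "resourceUri": IMAGE,
     "discovery": {"analysisStatus": "FINISHED_SUCCESS"}},
    _vuln(IMAGE, "CVE-PLACEHOLDER-1", "CRITICAL", True),
    _vuln(IMAGE, "CVE-PLACEHOLDER-2", "HIGH", False),
    _vuln(IMAGE, "CVE-PLACEHOLDER-3", "LOW", True),
    _vuln(OTHER, "CVE-PLACEHOLDER-4", "LOW", True),
]

def evaluate_image(occurrences, resource_uri, block_at="HIGH", fixable_only=False):
    """Return (allowed, reasons) for one image digest; denies when unsure."""
    # Assumed policy: tags are mutable, so only digest references are gated.
    if "@sha256:" not in resource_uri:
        return False, ["image must be referenced by digest, not tag"]
    mine = [o for o in occurrences if o.get("resourceUri") == resource_uri]
    # No finished scan means "unknown", not "clean": deny.
    scanned = any(o.get("kind") == "DISCOVERY" and
                  o.get("discovery", {}).get("analysisStatus") == "FINISHED_SUCCESS"
                  for o in mine)
    if not scanned:
        return False, ["no completed scan recorded for this digest"]
    reasons = []
    for o in mine:
        if o.get("kind") != "VULNERABILITY":
            continue
        v = o.get("vulnerability", {})
        sev = v.get("effectiveSeverity") or v.get("severity") or "SEVERITY_UNSPECIFIED"
        if fixable_only and not v.get("fixAvailable"):
            continue  # optional policy: only block on findings that have a fix
        if SEVERITY_RANK.get(sev, 0) >= SEVERITY_RANK[block_at]:
            reasons.append(f"{o['noteName'].rsplit('/', 1)[-1]} ({sev})")
    return not reasons, reasons

if __name__ == "__main__":
    print(evaluate_image(SAMPLE, IMAGE))
```

An image with no vulnerability occurrences is only treated as deployable when a discovery occurrence shows the scan finished; otherwise the absence of findings says nothing about the image.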

To learn about the costs for Artifact Analysis features, see Artifact Analysis pricing.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2026-02-19 UTC.