Container analysis and vulnerability scanning

Artifact Analysis provides vulnerability scanning and metadata storage for containers. The scanning service performs vulnerability scans on images in Artifact Registry and Container Registry, then stores the resulting metadata and makes it available for consumption through an API. Metadata storage allows storing information from different sources, including vulnerability scanning, other Cloud services, and third-party providers.

Artifact Analysis as a strategic information API

In the context of your CI/CD pipeline, Artifact Analysis can be integrated to store metadata about your deployment process and make decisions based on that metadata.

At various phases of your release process, people or automated systems can add metadata that describes the result of an activity. For example, you might add metadata to your image indicating that it has passed an integration test suite or a vulnerability scan.

Container Analysis in CI/CD

Figure 1. Diagram that shows Container Analysis as CI/CD pipeline component that interacts with metadata across source, build, storage, and deployment stages as well as runtime environments.

Vulnerability scanning can occur automatically or on-demand:

  • When automatic scanning is enabled, scanning triggers automatically every time you push a new image to Artifact Registry or Container Registry. Vulnerability information is continuously updated when new vulnerabilities are discovered.

  • When On-Demand Scanning is enabled, you must run a command to scan a local image or an image in Artifact Registry or Container Registry. On-Demand Scanning gives you more flexibility around when you scan containers. For example, you can scan a locally-built image and remediate vulnerabilities before storing it in a registry.

    Scanning results are available for up to 48 hours after the scan is completed, and vulnerability information is not updated after the scan.
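The pre-push check described in the On-Demand Scanning item, as an added example that is not part of the original page: it scans a locally built image, lists the effective severity of each finding, and exits non-zero when any finding is at or above a threshold. The function names, the script name and the default `HIGH` threshold are assumptions; the sketch also assumes the On-Demand Scanning API is enabled and `gcloud` is authenticated.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): gate a locally built image on
# On-Demand Scanning results before it is pushed to a registry.

# Rank an effective severity string; anything unrecognized ranks 0.
severity_rank() {
  case "$1" in
    CRITICAL) echo 5 ;;
    HIGH)     echo 4 ;;
    MEDIUM)   echo 3 ;;
    LOW)      echo 2 ;;
    MINIMAL)  echo 1 ;;
    *)        echo 0 ;;
  esac
}

# stdin: one severity per line. $1: lowest severity that blocks.
# Prints the number of blocking findings; returns 2 on a bad threshold.
count_blocking() {
  local threshold rank sev count=0
  threshold=$(severity_rank "$1")
  [ "$threshold" -gt 0 ] || return 2
  while IFS= read -r sev; do
    rank=$(severity_rank "$sev")
    if [ "$rank" -ge "$threshold" ]; then count=$((count + 1)); fi
  done
  echo "$count"
}

# Scan, list severities, decide. Any gcloud failure returns 2 so that a
# broken scan can never be mistaken for a clean one.
scan_and_gate() {
  local image="$1" max="${2:-HIGH}" scan sevs blocking
  scan=$(gcloud artifacts docker images scan "$image" \
    --format='value(response.scan)') || return 2
  [ -n "$scan" ] || return 2
  sevs=$(gcloud artifacts docker images list-vulnerabilities "$scan" \
    --format='value(vulnerability.effectiveSeverity)') || return 2
  blocking=$(printf '%s\n' "$sevs" | count_blocking "$max") || return 2
  if [ "$blocking" -gt 0 ]; then
    echo "BLOCK: $blocking finding(s) at or above $max in $image" >&2
    return 1
  fi
  echo "PASS: no findings at or above $max in $image"
}

# Usage: ./scan-gate.sh IMAGE [MIN_BLOCKING_SEVERITY]
if [ "$#" -gt 0 ]; then scan_and_gate "$@"; fi
```

Because on-demand results expire and are not refreshed after the scan, the gate evaluates the scan it has just run rather than a stored scan name.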

With Artifact Analysis integrated into your CI/CD pipeline, you can make decisions based on that metadata. For example, you can use Binary Authorization to create deployment policies that only allow deployments for compliant images from trusted registries.

To learn about using Artifact Analysis, see the Artifact Analysis documentation.

Last updated 2026-02-19 UTC.