Automatically scan workloads for known vulnerabilities

Caution: Starting on July 23, 2024, container OS vulnerability scanning is deprecated and is scheduled for shutdown on July 31, 2025. Starting on June 16, 2025, Advanced Vulnerability Insights is deprecated and is scheduled for shutdown on June 16, 2026. For more information about deprecation and shutdown dates, see Vulnerability scanning removal from GKE.

This page helps you get started and guides you in using the security posture dashboard to detect vulnerabilities. Check requirements, select from the available tiers, and learn how to enable vulnerability scanning, deploy a test workload, view results and recommendations, and disable the scanning.

This page is for Security specialists who monitor clusters for security issues. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE user roles and tasks.

Before reading this page, ensure that you're familiar with the general overview of workload vulnerability scanning.

Pricing

For pricing information, see GKE security posture dashboard pricing.

Before you begin

Before you start, make sure that you have performed the following tasks:

  • Enable the Google Kubernetes Engine API.
  • If you want to use the Google Cloud CLI for this task, install and then initialize the gcloud CLI. If you previously installed the gcloud CLI, get the latest version by running the gcloud components update command. Earlier gcloud CLI versions might not support running the commands in this document.

    Note: For existing gcloud CLI installations, make sure to set the compute/region property. If you use primarily zonal clusters, set the compute/zone property instead. By setting a default location, you can avoid errors in the gcloud CLI like the following: One of [--zone, --region] must be supplied: Please specify location. You might need to specify the location in certain commands if the location of your cluster differs from the default that you set.

Requirements

  • To get the permissions that you need to use workload vulnerability scanning, ask your administrator to grant you the Security Posture Viewer (roles/containersecurity.viewer) IAM role on your Google Cloud project. For more information about granting roles, see Manage access to projects, folders, and organizations.

    This predefined role contains the permissions required to use workload vulnerability scanning. The exact permissions that are required are listed in the following Required permissions section:

    Required permissions

    The following permissions are required to use workload vulnerability scanning:

    • resourcemanager.projects.get
    • resourcemanager.projects.list
    • containersecurity.locations.list
    • containersecurity.locations.get
    • containersecurity.clusterSummaries.list
    • containersecurity.findings.list

    You might also be able to get these permissions with custom roles or other predefined roles.

  • Advanced vulnerability insights requires GKE version 1.27 or later.

Workload vulnerability scanning tiers

You enable vulnerability scanning in tiers, each of which adds scanning capabilities as follows. If you use Google Kubernetes Engine (GKE) Enterprise edition to manage fleets of clusters, you can also configure fleet-level vulnerability scanning settings that apply to all member clusters. For instructions, see Configure GKE security posture dashboard features at fleet level.

Tier: Standard (gcloud value: standard)
  • Enabled capabilities: Container OS vulnerability scanning
  • GKE version requirement: GKE Enterprise edition: Enabled by default in all new clusters running version 1.27 and later

Tier: Advanced vulnerability insights (gcloud value: enterprise)
  • Enabled capabilities: Container OS vulnerability scanning; Language package vulnerability scanning
  • GKE version requirement: GKE Enterprise edition: Enabled by default in all new clusters running version 1.27 and later; GKE Standard edition: Disabled by default in all new clusters

For more information about each capability, see About workload vulnerability scanning.

Enable container OS vulnerability scanning

Container OS vulnerability scanning is enabled by default in new Autopilot clusters running version 1.27 and later. This section shows you how to enable this feature in new and existing Standard clusters and in Autopilot clusters running versions prior to 1.27.

Enable container OS scanning on an existing cluster

gcloud

Update the cluster:

gcloud container clusters update CLUSTER_NAME \
    --location=CONTROL_PLANE_LOCATION \
    --workload-vulnerability-scanning=standard

Replace the following:

  • CLUSTER_NAME: the name of your cluster.
  • CONTROL_PLANE_LOCATION: the location of the control plane of your cluster. Provide a region for regional Standard and Autopilot clusters, or a zone for zonal Standard clusters.

Console

  1. Go to the Security Posture page in the Google Cloud console.
  2. Click the Settings tab.
  3. In the Vulnerability scan enabled clusters section, click Select clusters.
  4. Select the checkboxes for the clusters that you want to add.
  5. In the Select action drop-down menu, select Set to Basic.
  6. Click Apply.

Enable advanced vulnerability insights

Advanced vulnerability insights enables continuous scanning of your running applications for the following vulnerability types:

  • Container OS vulnerabilities
  • Language package vulnerabilities

When you enable advanced vulnerability insights, the container OS vulnerability scanning capability is automatically enabled and can't be separately disabled.

Enable advanced vulnerability insights on an existing cluster

gcloud

Update the cluster:

gcloud container clusters update CLUSTER_NAME \
    --location=CONTROL_PLANE_LOCATION \
    --workload-vulnerability-scanning=enterprise

Replace the following:

  • CLUSTER_NAME: the name of your cluster.
  • CONTROL_PLANE_LOCATION: the location of the control plane of your cluster. Provide a region for regional Standard and Autopilot clusters, or a zone for zonal Standard clusters.

Console

  1. Go to the Security Posture page in the Google Cloud console.
  2. Click the Settings tab.
  3. In the Vulnerability scan enabled clusters section, click Select clusters.
  4. Select the checkboxes for the clusters that you want to add.
  5. In the Select action drop-down menu, select Set to Advanced.
  6. Click Apply.

Deploy a test workload

In the following section, you use example Deployment manifests. A Deployment is a Kubernetes API object that lets you run multiple replicas of Pods that are distributed among the nodes in a cluster.

The following manifests have known vulnerabilities for demonstration purposes. In practice, if you know an application is vulnerable, you probably shouldn't run it.

  1. Save the following manifest as os-vuln-sample.yaml:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: frontend
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: guestbook
          tier: frontend
      template:
        metadata:
          labels:
            app: guestbook
            tier: frontend
        spec:
          containers:
          - name: php-redis
            image: us-docker.pkg.dev/google-samples/containers/gke/gb-frontend:v5
            env:
            - name: GET_HOSTS_FROM
              value: "dns"
            resources:
              requests:
                cpu: 100m
                memory: 100Mi
            ports:
            - containerPort: 80
  2. Review the following manifest, which contains a known Maven vulnerability:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: maven-vulns
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: mavenvulns
      template:
        metadata:
          labels:
            app: mavenvulns
        spec:
          containers:
          - name: maven-vulns-app
            image: us-docker.pkg.dev/google-samples/containers/gke/security/maven-vulns
            # This app listens on port 8080 for web traffic by default.
            ports:
            - containerPort: 8080
            env:
            - name: PORT
              value: "8080"
            resources:
              requests:
                memory: "1Gi"
                cpu: "500m"
                ephemeral-storage: "1Gi"
              limits:
                memory: "1Gi"
                cpu: "500m"
                ephemeral-storage: "1Gi"
  3. Optionally, get credentials for your cluster:

    gcloud container clusters get-credentials CLUSTER_NAME \
        --location=CONTROL_PLANE_LOCATION
  4. Deploy the applications to your cluster:

    kubectl apply -f os-vuln-sample.yaml
    kubectl apply -f https://raw.githubusercontent.com/GoogleCloudPlatform/kubernetes-engine-samples/main/security/language-vulns/maven/deployment.yaml

To test other vulnerabilities, try deploying earlier versions of images such as nginx in staging environments.

View and act on the results

The initial scan takes at least 15 minutes to return results, depending on how many workloads are scanned. GKE displays the results on the security posture dashboard and automatically adds entries to Logging.

View results

To see an overview of discovered concerns across your project's clusters and workloads, do the following:

  1. Go to the Security Posture page in the Google Cloud console.
  2. Click the Concerns tab.
  3. In the Filter concerns pane, in the Concern type section, select the Vulnerability checkbox.

View concern details and recommendations

To view detailed information about a specific vulnerability, click the row containing that concern.

The Vulnerability Concern pane shows the following information:

  • Description: a description of the concern, including a CVE number if applicable, and a detailed description of the vulnerability and its potential impact.
  • Recommended action: actions that you can take to address the vulnerability, such as fixed package versions and where to apply the fix.

View logs for discovered concerns

GKE adds entries to the _Default log bucket in Logging for each discovered concern. These logs are only retained for a specific period. For details, see Logs retention periods.

  1. In the Google Cloud console, go to the Logs Explorer.
  2. In the Query field, specify the following query:

    resource.type="k8s_cluster"
    jsonPayload.@type="type.googleapis.com/cloud.kubernetes.security.containersecurity_logging.Finding"
    jsonPayload.type="FINDING_TYPE_VULNERABILITY"
  3. Click Run query.

To receive notifications when GKE adds new findings to Logging, set up log-based alerts for this query. For more information, see Configure log-based alerts.
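As an added example that is not part of the GKE documentation, the following Python script applies the same three predicates as the query above to findings exported from Logging (for example with gcloud logging read "FILTER" --format=json) and summarizes them per cluster, so you can see at a glance which clusters have unfixed high-severity findings before setting up alerts. The sample entries are constructed, and the field names it reads under jsonPayload.vulnerability (severity, fixedPackageVersion, cveId) are assumptions to check against your own project's entries.

```python
from collections import Counter, defaultdict

FINDING_TYPE = ("type.googleapis.com/cloud.kubernetes.security."
                "containersecurity_logging.Finding")
# The Logs Explorer query from this page, reusable as a `gcloud logging read` filter.
VULN_FILTER = ('resource.type="k8s_cluster" '
               f'jsonPayload.@type="{FINDING_TYPE}" '
               'jsonPayload.type="FINDING_TYPE_VULNERABILITY"')


def is_vulnerability_finding(entry: dict) -> bool:
    """Apply the same three predicates as VULN_FILTER to one exported log entry."""
    payload = entry.get("jsonPayload", {})
    return (entry.get("resource", {}).get("type") == "k8s_cluster"
            and payload.get("@type") == FINDING_TYPE
            and payload.get("type") == "FINDING_TYPE_VULNERABILITY")


def summarize(entries: list) -> dict:
    """Count vulnerability findings per cluster by severity and fix availability.

    The keys read under jsonPayload.vulnerability (severity, fixedPackageVersion)
    are ASSUMED field names; check them against entries from your own project.
    """
    summary = defaultdict(Counter)
    for entry in entries:
        if not is_vulnerability_finding(entry):
            continue
        cluster = entry["resource"].get("labels", {}).get("cluster_name", "unknown")
        vuln = entry["jsonPayload"].get("vulnerability", {})
        summary[cluster][vuln.get("severity", "UNKNOWN")] += 1
        if vuln.get("fixedPackageVersion"):
            summary[cluster]["fix_available"] += 1
    return {cluster: dict(counts) for cluster, counts in summary.items()}


# Constructed sample export (the shape `gcloud logging read ... --format=json` returns):
# two vulnerability findings, one finding of a made-up other type, one non-GKE entry.
K8S = {"type": "k8s_cluster", "labels": {"cluster_name": "prod-a"}}
SAMPLE_ENTRIES = [
    {"resource": K8S, "jsonPayload": {"@type": FINDING_TYPE, "type": "FINDING_TYPE_VULNERABILITY",
     "vulnerability": {"cveId": "CVE-0000-0001", "severity": "HIGH", "fixedPackageVersion": "1.2.3"}}},
    {"resource": K8S, "jsonPayload": {"@type": FINDING_TYPE, "type": "FINDING_TYPE_VULNERABILITY",
     "vulnerability": {"cveId": "CVE-0000-0002", "severity": "MEDIUM"}}},
    {"resource": K8S, "jsonPayload": {"@type": FINDING_TYPE, "type": "FINDING_TYPE_CONSTRUCTED"}},
    {"resource": {"type": "gce_instance"},
     "jsonPayload": {"@type": FINDING_TYPE, "type": "FINDING_TYPE_VULNERABILITY"}},
]
```

Running summarize(SAMPLE_ENTRIES) keeps only the two entries that pass the filter and reports one HIGH finding with a fix available and one MEDIUM finding for cluster prod-a.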

Clean up

  1. Delete the sample workload that you deployed:

    kubectl delete deployment frontend
  2. Optionally, delete the cluster that you used:

    gcloud container clusters delete CLUSTER_NAME \
        --location=CONTROL_PLANE_LOCATION

Disable workload vulnerability scanning

You can disable workload vulnerability scanning using either the gcloud CLI or the Google Cloud console.

gcloud

Run the following command:

gcloud container clusters update CLUSTER_NAME \
    --location=CONTROL_PLANE_LOCATION \
    --workload-vulnerability-scanning=disabled

Replace the following:

  • CLUSTER_NAME: the name of your cluster.
  • CONTROL_PLANE_LOCATION: the location of the control plane of your cluster. Provide a region for regional Standard and Autopilot clusters, or a zone for zonal Standard clusters.

Console

  1. Go to the Security Posture page in the Google Cloud console.
  2. Click the Settings tab.
  3. In the Vulnerability scan enabled clusters section, click Select clusters.
  4. Select the checkboxes for the clusters that you want to remove.
  5. In the Select action drop-down menu, select Set to Disabled.
  6. Click Apply.

Last updated 2025-12-15 UTC.