Artifact Analysis overview

Artifact Analysis is a family of services that provide software composition analysis, metadata storage and retrieval. Its detection points are built into a number of Google Cloud products such as Artifact Registry and Google Kubernetes Engine (GKE) for quick enablement. The service works with both Google Cloud's first-party products and also lets you store information from third-party sources. The scanning services leverage a common vulnerability store for matching files against known vulnerabilities.

This service was formerly known as Container Analysis. The new name does not change existing products or APIs, but reflects the product's expanding range of features beyond containers.

Artifact Analysis in CI/CD

Figure 1. Diagram that shows Artifact Analysis creating and interacting with metadata across source, build, storage, deployment and runtime environments.

Scanning and analysis

Automatic scanning

  • The scanning process is triggered automatically every time you push a new image to Artifact Registry or Container Registry (deprecated). The vulnerability information is continuously updated when new vulnerabilities are discovered. Artifact Registry includes application language package scanning. To get started, enable automatic scanning.

GKE workload vulnerability scanning - standard tier

  • As part of GKE security posture dashboard, workload vulnerability scanning provides detection of container image OS vulnerabilities. Scanning is free and can be enabled per cluster. Results are available to view in the security posture dashboard.

GKE workload vulnerability scanning - advanced vulnerability insights

  • In addition to basic container OS scanning, GKE users can upgrade to advanced vulnerability insights to take advantage of continual language package vulnerability detection. You must manually enable this feature on your clusters, after which you'll receive OS and language package vulnerability results. Learn more about vulnerability scanning in GKE workloads.

On-Demand scanning

  • This service is not continual; you must run a command to manually initiate the scan. Scan results are available up to 48 hours after the scan is completed. The vulnerability information is not updated after the scan is finished. You can scan images stored locally, without having to push them to Artifact Registry, Container Registry or GKE runtimes first. To learn more, see on-demand scanning.

Access metadata

  • Artifact Analysis is a Google Cloud infrastructure component that lets you to store and retrieve structured metadata for Google Cloud resources. At various phases of your release process, people or automated systems can add metadata that describes the result of an activity. For example, you can add metadata to your image indicating that it has passed an integration test suite or a vulnerability scan.

  • With Artifact Analysis integrated into your CI/CD pipeline, you can make decisions based on that metadata. For example, you can use Binary Authorization to create deployment policies that only allow deployments for compliant images from trusted registries.

  • Artifact Analysis associates metadata with images through notes and occurrences. To learn more about these concepts, see the metadata management page.

If you are using Artifact Analysis with Container Registry, the same Artifact Analysis APIs and Pub/Sub topics are used by both products. However, the newest Artifact Analysis features are only available for Artifact Registry. Learn how to transition from Container Registry for more information.

To learn about the costs for Artifact Analysis features, see Artifact Analysis pricing.

What's next