Scan Go packages manually

This quickstart shows how to pull a container image, scan it manually with On-Demand Scanning, and retrieve the vulnerabilities found in its system and Go packages. To complete this quickstart, use Cloud Shell and the sample Alpine image.

Before you begin

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Enable the On-Demand Scanning API.

    Enable the API


Pull and scan the image

  1. Open Cloud Shell in your project.

    Open Cloud Shell

    A terminal opens with all the tools you need to follow this guide.

  2. Pull the container image with Docker:

    docker pull golang:1.17.6-alpine
    
  3. Run the scan:

    gcloud artifacts docker images scan golang:1.17.6-alpine --additional-package-types=GO
    

    This triggers the scanning process and returns the scan name when it completes:

    ✓ Scanning container image
      ✓ Locally extracting packages and versions from local container image
      ✓ Remotely initiating analysis of packages and versions
      ✓ Waiting for analysis operation to complete [projects/my-project/locations/us/operations/849db1f8-2fb2-4559-9fe0-8720d8cd347c]
    Done.
    done: true
    metadata:
      '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata
      createTime: '2022-01-11T16:58:11.711487Z'
      resourceUri: golang:1.16.13-alpine
    name: projects/my-project/locations/us/operations/f4adb1f8-20b2-4579-9fe0-8720d8cd347c
    response:
      '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse
      scan: projects/my-project/locations/us/scans/a54f12b0-ca2d-4d93-8da5-5cf48e9e20ef
    
  4. Retrieve the scan results using the scan name, which is the scan value in the output:

    gcloud artifacts docker images list-vulnerabilities \
    projects/my-project/locations/us/scans/a54f12b0-ca2d-4d93-8da5-5cf48e9e20ef
    

    The output contains a list of vulnerabilities in Go, the Go standard library, and Linux packages. The following labels indicate Go-specific vulnerability types:

    • packageType:GO_STDLIB. Go standard library vulnerability. This indicates that a vulnerability was found in the Go toolchain used to build the binary, or in the standard library shipped with that toolchain. The fix may be to upgrade the build toolchain.

    • packageType:GO. Go package vulnerability. This indicates that a vulnerability was found in a third-party package. The fix may be to upgrade the dependent module.
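The following script is an added example, not part of this page and not gcloud's own code. It automates steps 2 to 4 above (run the scan, pull the scan name out of the command output, fetch the findings as JSON) and then groups the findings by packageType so the GO_STDLIB and GO labels described above can be triaged separately. It assumes that the scan command's output can be parsed by locating its scan: line, as in the step 3 sample, and that list-vulnerabilities with the global --format=json flag returns a JSON list of Occurrence objects whose packageIssue entries carry packageType; the embedded sample occurrences are constructed to that assumed shape with placeholder note names and are not real findings for golang:1.17.6-alpine. The offline demo at the bottom runs against the constructed samples only; scan_image() is the part that needs an authenticated gcloud.

```python
# Added example (not from the Google Cloud page and not gcloud's own code):
# automates the scan -> scan name -> list-vulnerabilities flow and groups
# findings by packageType (GO_STDLIB / GO / OS).
import json
import re
import shutil
import subprocess
from collections import defaultdict

# The scan command prints a YAML-style block that ends in a "scan:" line (step 3).
SCAN_NAME_RE = re.compile(r"^\s*scan:\s*(projects/\S+/scans/\S+)\s*$", re.MULTILINE)

# Constructed sample: the tail of the step-3 output shown on the page.
SAMPLE_SCAN_OUTPUT = """\
done: true
name: projects/my-project/locations/us/operations/f4adb1f8-20b2-4579-9fe0-8720d8cd347c
response:
  '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse
  scan: projects/my-project/locations/us/scans/a54f12b0-ca2d-4d93-8da5-5cf48e9e20ef
"""

# Constructed sample in the shape ASSUMED for `list-vulnerabilities --format=json`
# (a JSON list of Occurrence objects). Note names are placeholders, not real CVEs,
# and none of these are real findings for golang:1.17.6-alpine.
SAMPLE_OCCURRENCES = [
    {"noteName": "projects/example-provider/notes/PLACEHOLDER-CVE-1",
     "vulnerability": {"effectiveSeverity": "HIGH", "packageIssue": [
         {"affectedPackage": "stdlib", "affectedVersion": {"fullName": "1.17.6"},
          "fixedVersion": {"fullName": "1.17.7"}, "fixAvailable": True,
          "packageType": "GO_STDLIB"}]}},
    {"noteName": "projects/example-provider/notes/PLACEHOLDER-CVE-2",
     "vulnerability": {"effectiveSeverity": "MEDIUM", "packageIssue": [
         {"affectedPackage": "example.com/some/module",
          "affectedVersion": {"fullName": "v0.1.0"},
          "fixAvailable": False, "packageType": "GO"}]}},
    {"noteName": "projects/example-provider/notes/PLACEHOLDER-CVE-3",
     "vulnerability": {"severity": "LOW", "packageIssue": [
         {"affectedPackage": "busybox", "affectedVersion": {"fullName": "1.34.1-r3"},
          "fixAvailable": True, "packageType": "OS"}]}},
]


def extract_scan_name(scan_output: str) -> str:
    """Return the scan resource name (the `scan:` value) from the scan command output."""
    match = SCAN_NAME_RE.search(scan_output)
    if match is None:
        raise ValueError("no 'scan:' line found in scan output")
    return match.group(1)


def summarize(occurrences: list) -> dict:
    """Group findings by packageType.

    Returns {packageType: [(package, version, severity, fix_available), ...]}.
    effectiveSeverity (image-specific) is preferred over the note's generic severity.
    """
    by_type = defaultdict(list)
    for occ in occurrences:
        vuln = occ.get("vulnerability", {})
        severity = vuln.get("effectiveSeverity") or vuln.get("severity", "UNKNOWN")
        for issue in vuln.get("packageIssue", []):
            by_type[issue.get("packageType", "OS")].append((
                issue.get("affectedPackage"),
                issue.get("affectedVersion", {}).get("fullName"),
                severity,
                bool(issue.get("fixAvailable", False)),
            ))
    return dict(by_type)


def remediation_hint(package_type: str):
    """Map the page's two Go labels to the remediation it suggests; None otherwise."""
    return {
        "GO_STDLIB": "upgrade the Go build toolchain",
        "GO": "upgrade the dependent module",
    }.get(package_type)


def scan_image(image: str) -> list:
    """Run the page's scan and list-vulnerabilities commands for an already pulled IMAGE.

    Needs an authenticated gcloud on PATH; the offline demo below never calls this.
    """
    if shutil.which("gcloud") is None:
        raise RuntimeError("gcloud not found on PATH")
    scan_out = subprocess.run(
        ["gcloud", "artifacts", "docker", "images", "scan", image,
         "--additional-package-types=GO"],
        check=True, capture_output=True, text=True).stdout
    vulns_out = subprocess.run(
        ["gcloud", "artifacts", "docker", "images", "list-vulnerabilities",
         extract_scan_name(scan_out), "--format=json"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(vulns_out)


if __name__ == "__main__":
    print("scan:", extract_scan_name(SAMPLE_SCAN_OUTPUT))
    for ptype, findings in sorted(summarize(SAMPLE_OCCURRENCES).items()):
        print(f"{ptype}: {len(findings)} finding(s); fix: {remediation_hint(ptype)}")
        for pkg, ver, sev, fix in findings:
            print(f"  {pkg} {ver} {sev} fix_available={fix}")
```

Keying the triage on packageType rather than on the package name matters because the same Go toolchain vulnerability can surface under several binaries in one image: a GO_STDLIB finding is fixed once, by rebuilding with a patched toolchain, whereas GO findings have to be chased per dependent module.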

Clean up

To avoid incurring charges to your Google Cloud account for the resources used on this page, follow these steps.

  1. In the Google Cloud console, go to the Manage resources page.

    Go to Manage resources

  2. In the project list, select the project that you want to delete, and then click Delete.
  3. In the dialog, type the project ID, and then click Shut down to delete the project.

What's next