This document describes how to set up notifications for updates to notes and occurrences.
Artifact Analysis provides notifications via Pub/Sub for vulnerabilities found by automated scanning and for other metadata. When a note or occurrence is created or updated, a message is published to the corresponding topic for each API version. Use the topic for the API version you are using.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Enable the Container Analysis API.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Enable the Container Analysis API.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
- Learn how to set up access control for metadata in your project. Skip this step if you only consume metadata from vulnerability occurrences created by Artifact Analysis container scanning.
Create Pub/Sub topics
After you activate the Artifact Analysis API, Artifact Analysis automatically creates Pub/Sub topics with the following topic IDs:
container-analysis-notes-v1
container-analysis-occurrences-v1
If the topics were accidentally deleted or are missing, you can add them yourself. For example, the topics might be missing if your Google Cloud organization has an organization policy constraint that requires encryption with customer-managed encryption keys (CMEK). When the Pub/Sub API is in the deny list of this constraint, services cannot automatically create topics with Google-owned and Google-managed encryption keys.
To create the topics with Google-owned and Google-managed encryption keys:
Console
Go to the Pub/Sub topics page in the Google Cloud console.
Click Create Topic.
Enter a Topic ID:
container-analysis-notes-v1
so that the name matches URI:
projects/PROJECT_ID/topics/container-analysis-notes-v1
where PROJECT_ID is your Google Cloud project ID.
Click Create.
Enter a Topic ID:
container-analysis-occurrences-v1
so that the name matches URI:
projects/PROJECT_ID/topics/container-analysis-occurrences-v1
gcloud
Run the following commands in your shell or terminal window:
gcloud pubsub topics create projects/PROJECT_ID/topics/container-analysis-notes-v1
gcloud pubsub topics create projects/PROJECT_ID/topics/container-analysis-occurrences-v1
To learn more about the gcloud pubsub topics
command, see the
topics
documentation.
To create the topics with CMEK encryption, see the Pub/Sub instructions for encrypting topics.
Anytime a note or an occurrence is created or updated, a message is published to the respective topic, though you must also create a Pub/Sub subscription to listen for events and receive messages from the Pub/Sub service.
Create Pub/Sub subscriptions
To listen to events, create a Pub/Sub subscription associated with the topic:
Console
Go to the Pub/Sub subscriptions page in the Google Cloud console.
Click Create Subscription.
Type a name for the subscription. For example, notes.
Enter the URI of the topic for notes:
projects/PROJECT_ID/topics/container-analysis-notes-v1
where PROJECT_ID is your Google Cloud project ID.
Click Create.
Create another subscription for occurrences with the URI:
projects/PROJECT_ID/topics/container-analysis-occurrences-v1
gcloud
To receive Pub/Sub events, you must first create a subscription
associated with the container-analysis-occurrences-v1
topic:
gcloud pubsub subscriptions create \
--topic container-analysis-occurrences-v1 occurrences
Going forward, you can pull messages concerning your occurrences using your new subscription:
gcloud pubsub subscriptions pull \
--auto-ack occurrences
Java
To learn how to install and use the client library for Artifact Analysis, see Artifact Analysis client libraries. For more information, see the Artifact Analysis Java API reference documentation.
To authenticate to Artifact Analysis, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Go
To learn how to install and use the client library for Artifact Analysis, see Artifact Analysis client libraries. For more information, see the Artifact Analysis Go API reference documentation.
To authenticate to Artifact Analysis, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Node.js
To learn how to install and use the client library for Artifact Analysis, see Artifact Analysis client libraries. For more information, see the Artifact Analysis Node.js API reference documentation.
To authenticate to Artifact Analysis, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Ruby
To learn how to install and use the client library for Artifact Analysis, see Artifact Analysis client libraries. For more information, see the Artifact Analysis Ruby API reference documentation.
To authenticate to Artifact Analysis, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To learn how to install and use the client library for Artifact Analysis, see Artifact Analysis client libraries. For more information, see the Artifact Analysis Python API reference documentation.
To authenticate to Artifact Analysis, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Subscriber applications only receive messages that are published to the topic after the subscription is created.
Pub/Sub payloads are in JSON and their schema is as follows:
Notes:
{ "name": "projects/PROJECT_ID/notes/NOTE_ID", "kind": "NOTE_KIND", "notificationTime": "NOTIFICATION_TIME", }
Occurrences:
{ "name": "projects/PROJECT_ID/occurrences/OCCURRENCE_ID", "kind": "NOTE_KIND", "notificationTime": "NOTIFICATION_TIME", }
where:
- NOTE_KIND is one of the values in
NoteKind
- NOTIFICATION_TIME is a timestamp in RFC 3339 UTC "Zulu" format, accurate to nanoseconds.
View details
To learn more about a note or occurrence, you can access metadata stored in Artifact Analysis. For example, you can request all the details for a specific occurrence. See instructions in Investigating Vulnerabilities.
What's next
For instructions on how to use Artifact Analysis to store and manage your custom metadata, see Create custom notes and occurrences.
You can use attestations with vulnerability scanning to prevent images with known security issues from running in your deployment environment. For instructions on doing this see, Create attestations with Kritis Signer.