Artifact Analysis provides two features for scanning your containers: on-demand scanning and automatic scanning. This document introduces the benefits of each. Artifact Analysis also provides metadata management. To learn more about how you can leverage scanning and metadata storage together to secure your CI/CD pipeline from end to end, see the Artifact Analysis overview.
On-demand and automatic scanning can identify vulnerabilities in your operating system packages and in language packages (Java and Go). However, automatic language package scanning is only available for Artifact Registry.
For a list of supported scanning types for each registry product, view the comparison chart. If you are using Container Registry, learn how to transition to Artifact Registry.
See pricing to learn more about the costs associated with scanning container images.
On-demand scanning
On-demand scanning lets you scan container images locally on your computer or in your registry, using the gcloud CLI. This gives you the flexibility to customize your CI/CD pipeline, depending on when you need to access the vulnerability results.
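As an added example (not code from this documentation), the script below shows how an on-demand scan can gate a build step: it runs the scan, lists the effective severity of each finding, and fails when any finding reaches a chosen severity. The two gcloud commands are real; the sample severities are constructed so the gate logic runs offline, and IMAGE is a placeholder for your image URI.

```bash
#!/usr/bin/env bash
# Added example (not from the Artifact Analysis docs): gate a CI/CD step on
# on-demand scan results. The two gcloud commands are real; the sample
# severities at the bottom are constructed so the gate logic runs offline.
set -eu

# Scan a locally built image and print the scan resource name. Add --remote
# to scan the copy already in the registry. Assumes gcloud is authenticated.
run_scan() {
  gcloud artifacts docker images scan "$1" --format="value(response.scan)"
}

# Print one effective severity per line for a scan resource name.
list_severities() {
  gcloud artifacts docker images list-vulnerabilities "$1" \
    --format="value(vulnerability.effectiveSeverity)"
}

# Rank an Artifact Analysis severity; unknown values rank 0 so an
# unset severity never blocks the pipeline by accident.
severity_rank() {
  case "$1" in
    CRITICAL) echo 5 ;;
    HIGH)     echo 4 ;;
    MEDIUM)   echo 3 ;;
    LOW)      echo 2 ;;
    MINIMAL)  echo 1 ;;
    *)        echo 0 ;;
  esac
}

# Read severities from stdin, print how many are at or above the
# threshold, and exit non-zero when that count is not zero.
gate_on_severities() {
  local threshold="$1" min blocking=0 sev
  min=$(severity_rank "$threshold")
  while IFS= read -r sev; do
    [ -n "$sev" ] || continue
    [ "$(severity_rank "$sev")" -ge "$min" ] && blocking=$((blocking + 1))
  done
  echo "$blocking"
  [ "$blocking" -eq 0 ]
}

# Constructed stand-in for list_severities output (not real scan data).
sample_severities() {
  printf 'MEDIUM\nLOW\nHIGH\nMEDIUM\nCRITICAL\n'
}
# Real pipeline: list_severities "$(run_scan "$IMAGE")" | gate_on_severities HIGH
```

Because on-push scanning only covers images already in the registry, running the scan locally before the push keeps a failing image out of the registry entirely.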
Automatic scanning
Artifact Analysis performs vulnerability scans on your artifacts in Artifact Registry or Container Registry. Artifact Analysis also monitors the vulnerability information to keep it up to date. This process comprises two main tasks: on-push scanning and continuous analysis.
On-push scanning
Artifact Analysis scans new images when they're uploaded to Artifact Registry or Container Registry. This scan extracts information about the system packages in the container. Each image is scanned only once, keyed on the image's digest. This means that adding or modifying tags won't trigger a new scan; only changing the contents of the image, which changes its digest, will.
Artifact Analysis only detects packages publicly monitored for security vulnerabilities.
When the scan of an image is completed, the produced vulnerability result is the collection of vulnerability occurrences for that image.
Continuous analysis
Artifact Analysis creates occurrences for vulnerabilities found when you upload the image. After the initial scan, it continuously monitors the metadata for scanned images in Artifact Registry and Container Registry for new vulnerabilities.
Artifact Analysis receives new and updated vulnerability information from vulnerability sources multiple times each day. When new vulnerability data arrives, Artifact Analysis updates the metadata of the scanned images to keep it up to date. Artifact Analysis updates existing vulnerability occurrences, creates new vulnerability occurrences for new notes, and deletes vulnerability occurrences that are no longer valid.
Artifact Analysis only updates the metadata for images that were pushed or pulled in the last 30 days. After 30 days, the metadata will no longer be updated, and the results will be stale. Furthermore, Artifact Analysis archives metadata that is stale for more than 90 days, and the metadata won't be available in the Google Cloud console, gcloud, or by using the API. To re-scan an image with stale or archived metadata, pull that image. Refreshing metadata can take up to 24 hours.
Manifest lists
You can also use vulnerability scanning with manifest lists. A manifest list is a list of pointers to manifests for several platforms. They allow a single image to work with multiple architectures or variations of an operating system.
Artifact Analysis vulnerability scanning only supports Linux amd64 images. If your manifest list points to more than one Linux amd64 image, only the first one will be scanned; if there are no pointers to Linux amd64 images, you won't get any scanning results.