Container Registry is deprecated. Effective March 18, 2025, Container Registry is shut down and writing images to Container Registry is unavailable. For more information about the Container Registry deprecation and how to migrate to Artifact Registry, see Container Registry deprecation.
Stay organized with collections
Save and categorize content based on your preferences.
Artifact Analysis provides vulnerability scanning and metadata storage for
containers through Artifact Analysis. The scanning service
performs vulnerability scans on images in Artifact Registry and
Container Registry, then stores the resulting metadata and makes it available for
consumption through an API. Metadata storage allows storing information from
different sources, including vulnerability scanning, other Cloud services, and
third-party providers.
Artifact Analysis as a strategic information API
In the context of your CI/CD pipeline, Artifact Analysis can be
integrated to store metadata about your deployment process and make decisions
based on that metadata.
At various phases of your release process, people or automated systems can add
metadata that describes the result of an activity. For example, you might add
metadata to your image indicating that it has passed an integration test suite
or a vulnerability scan.
Figure 1. Diagram that shows Container Analysis as CI/CD pipeline component
that interacts with metadata across source, build, storage, and deployment
stages as well as runtime environments.
Vulnerability scanning can occur automatically or on-demand:
When automatic scanning is
enabled, scanning triggers automatically every time you push a new image to
Artifact Registry or Container Registry. Vulnerability information is
continuously updated when new vulnerabilities are discovered.
When On-Demand Scanning is enabled,
you must run a command to scan a local image or an image in
Artifact Registry or Container Registry. On-Demand Scanning gives you
more flexibility around when you scan containers. For example, you can scan a
locally-built image and remediate vulnerabilities before storing it in a
registry.
Scanning results are available for up to 48 hours after the scan is
completed, and vulnerability information is not updated after the scan.
With Artifact Analysis integrated into your CI/CD pipeline, you can
make decisions based on that metadata. For example, you can use
Binary Authorization to create deployment policies that
only allow deployments for compliant images from trusted registries.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["\u003cp\u003eArtifact Analysis provides vulnerability scanning for container images in Artifact Registry and Container Registry, storing and making the resulting metadata available via an API.\u003c/p\u003e\n"],["\u003cp\u003eIt can integrate into CI/CD pipelines, allowing metadata storage about the deployment process to inform decision-making.\u003c/p\u003e\n"],["\u003cp\u003eMetadata can be added at different stages of the release process, like indicating if an image passed integration tests or a vulnerability scan.\u003c/p\u003e\n"],["\u003cp\u003eVulnerability scanning can be automatic upon pushing new images or on-demand for more control over the scanning process, offering flexibility.\u003c/p\u003e\n"],["\u003cp\u003eIntegration with tools like Binary Authorization allows creating policies that permit deployments only for compliant images from trusted sources.\u003c/p\u003e\n"]]],[],null,["# Container analysis and vulnerability scanning\n\n\u003cbr /\u003e\n\nArtifact Analysis provides vulnerability scanning and metadata storage for\ncontainers through Artifact Analysis. The scanning service\nperforms vulnerability scans on images in Artifact Registry and\nContainer Registry, then stores the resulting metadata and makes it available for\nconsumption through an API. Metadata storage allows storing information from\ndifferent sources, including vulnerability scanning, other Cloud services, and\nthird-party providers.\n\nArtifact Analysis as a strategic information API\n------------------------------------------------\n\nIn the context of your CI/CD pipeline, Artifact Analysis can be\nintegrated to store metadata about your deployment process and make decisions\nbased on that metadata.\n\nAt various phases of your release process, people or automated systems can add\nmetadata that describes the result of an activity. For example, you might add\nmetadata to your image indicating that it has passed an integration test suite\nor a vulnerability scan.\n\n**Figure 1.** Diagram that shows Container Analysis as CI/CD pipeline component\nthat interacts with metadata across source, build, storage, and deployment\nstages as well as runtime environments.\n\nVulnerability scanning can occur automatically or on-demand:\n\n- When [automatic scanning](/container-analysis/docs/vulnerability-scanning) is\n enabled, scanning triggers automatically every time you push a new image to\n Artifact Registry or Container Registry. Vulnerability information is\n continuously updated when new vulnerabilities are discovered.\n\n- When [On-Demand Scanning](/container-analysis/docs/on-demand-scanning) is enabled,\n you must run a command to scan a local image or an image in\n Artifact Registry or Container Registry. On-Demand Scanning gives you\n more flexibility around when you scan containers. For example, you can scan a\n locally-built image and remediate vulnerabilities before storing it in a\n registry.\n\n Scanning results are available for up to 48 hours after the scan is\n completed, and vulnerability information is not updated after the scan.\n\nWith Artifact Analysis integrated into your CI/CD pipeline, you can\nmake decisions based on that metadata. For example, you can use\n[Binary Authorization](/binary-authorization/docs) to create deployment policies that\nonly allow deployments for compliant images from trusted registries.\n\nTo learn about using Artifact Analysis see the\n[Artifact Analysis documentation](/container-analysis/docs)."]]
