This page describes workload vulnerability scanning, a feature of the Google Kubernetes Engine (GKE) security posture dashboard. This feature helps you improve the security of your deployments by automatically scanning for vulnerabilities in your container images and language packages during runtime. You can view identified vulnerability issues and recommended actions in the security posture dashboard.
This page is for Security specialists with information for making informed decisions and details about using workload vulnerability scanning when implementing a first-party vulnerability detection solution within Google Cloud. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE Enterprise user roles and tasks.
Before reading this page, ensure that you're familiar with information about how the security posture dashboard fits into your security strategy by reading Usage as part of a broad security strategy.
Types of vulnerability scanning
Workload vulnerability scanning includes the following capabilities:
- Container operating system (OS) vulnerability scanning
- Language package vulnerability scanning
If a vulnerability is found in your container images or language packages, GKE displays the results in the security posture dashboard in the Google Cloud console. GKE also adds entries to Cloud Logging for auditing and traceability.
Container OS vulnerability scanning
GKE continuously scans container images that run on enrolled GKE clusters. GKE uses vulnerability data from public CVE databases such as NIST. The images can come from any image registry. The OS version must be supported for scanning. For a list of supported operating systems, see Supported Linux versions.
For instructions, see Enable container OS vulnerability scanning.
Language package vulnerability scanning
GKE continuously scans containers for known vulnerabilities in language packages, such as Go or Maven packages. We get vulnerability data from public sources such as the GitHub Advisory Database. The scanner is the Artifact Analysis scanner, which you can separately implement to safeguard your Artifact Registry repositories. In the security posture dashboard, the container images can come from any image registry because GKE scans the images while the workloads run. For information about Artifact Analysis scanning, see Types of scanning.
GKE provides continuous scanning of your language packages instead of only scanning on-demand or when your workflows push changes to your container images. Continuous scanning ensures that you're notified of new vulnerabilities as soon as fixes are available, which reduces your time to discovery and remediation.
GKE scans the following language packages:
- Go
- Maven
- Javascript
- Python
Only vulnerabilities that have an associated CVE number are displayed in the security posture dashboard.
Enable vulnerability scanning in GKE
You can enable vulnerability scanning for GKE clusters as follows:
Tier | Enabled capabilities | GKE version requirement |
---|---|---|
Standard
standard |
Container OS vulnerability scanning |
|
Advanced vulnerability insights
enterprise |
|
|
For enablement instructions, see Automatically scan workloads for known vulnerabilities.
Pricing
For pricing information, see GKE security posture dashboard pricing
What actions does GKE suggest?
Each vulnerability in the security posture dashboard has detailed information such as the following:
- A full description of the vulnerability, including potential impact, attack pathways, and severity.
- Fixed packages and version numbers.
- Links to the relevant entries in public CVE databases.
GKE doesn't show a vulnerability if there is no corresponding CVE with an actionable mitigation.
For an overview of the security posture dashboard interface, see About the security posture dashboard.
Limitations
- GKE doesn't support scanning of proprietary packages and their dependencies.
- GKE only displays results for vulnerabilities that have an available fix and an available CVE number in the security posture dashboard. You might see more results, such as vulnerabilities without an available fix, if you scan the same container images in a container registry.
- GKE uses the following memory on each worker node for
workload vulnerability scanning:
- Container OS scanning: 50 MiB
- Advanced vulnerability insights: 100 MiB
- GKE has the following limitations on the size of each file that
contains package data in your images. GKE won't scan files that
exceed the size limit.
- Container OS scanning: 30 MiB
- Advanced vulnerability insights: 60 MiB
- Windows Server containers aren't supported.
- Workload vulnerability scanning is only available for clusters with less than 1000 nodes.
- GKE doesn't scan nodes that use Arm architecture, such as the T2A machine type.
The security posture dashboard supports up to 150,000 active workload vulnerability scanning findings for each cluster. When the number of findings for a cluster exceeds this maximum, the security posture dashboard stops showing vulnerability findings for that cluster.
To resolve this issue, use a scanning mechanism at the registry level to identify vulnerabilities in images and apply patches. Alternatively, in a new cluster, deploy your workloads in batches to identify and mitigate vulnerabilities. When the number of vulnerability findings is less than 150,000, the security posture dashboard starts displaying findings for the cluster.
What's next
- Enable and use workload vulnerability scanning
- Learn about other scanning capabilities in the security posture dashboard