Stay organized with collections
Save and categorize content based on your preferences.
Build an application and view security insights
This quickstart explains how to build an application and view security insights
for the build in the Security insights panel in the Google Cloud console.
You will:
Build and containerize a Java application using Cloud Build and push
the container image to Artifact Registry Docker repository.
View the following security insights for the build:
Software bill of materials (SBOM) for the build artifacts.
Build provenance, which is a collection of verifiable metadata about
a build. It includes details such as the digests of the built images, the
input source locations, the build toolchain, build steps, and the build
duration.
Before you begin
Sign in to your Google Cloud account. If you're new to
Google Cloud,
create an account to evaluate how our products perform in
real-world scenarios. New customers also get $300 in free credits to
run, test, and deploy workloads.
You should see containers in the list of displayed repositories.
Build the application
Build and containerize the Java application using Cloud Build.
The following command builds and containerizes the Java application and
stores the built container in the Artifact Registry docker repository:
An SBOM is a full inventory of an application, identifying the packages
your software relies on. The contents can include third-party software from
vendors, internal artifacts, and open source libraries.
Generate the SBOM for the image you built in the previous section:
The Cloud Build UI in the Google Cloud console contains the
Security insights panel that displays security information related to the
build such as SLSA level, any vulnerabilities in the dependencies, and build
provenance.
To view the Security insights panel:
Open the Build history page in the Google Cloud console:
In the table with the builds, locate the row with the build you just
executed.
Under the Security insights column click View.
You see the Security insights panel for the build:
This panel displays the following information:
SLSA Level: This build has achieved SLSA Level 3. Click the Learn
more link to learn what this security level means.
Vulnerabilities: Any vulnerabilities found in your artifacts. Click the
image name (java-guestbook-backend) to see the artifacts that have been
scanned for vulnerabilities.
Dependencies for the built container image in Artifact Registry.
Build details: Details of the build such as the builder and the link to
view logs.
Clean up
To avoid incurring charges to your Google Cloud account for
the resources used on this page, delete the Google Cloud project with the
resources.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Quickstart: Build applications and view security insights\n\nBuild an application and view security insights\n===============================================\n\nThis quickstart explains how to build an application and view security insights\nfor the build in the **Security insights** panel in the Google Cloud console.\n\nYou will:\n\n- Build and containerize a Java application using Cloud Build and push the container image to Artifact Registry Docker repository.\n- View the following security insights for the build:\n\n - **[Supply-chain Levels for Software Artifacts (SLSA)\n level](https://slsa.dev/spec/v0.1/levels)**, which identifies the maturity level of your software build process in accordance with the SLSA specification .\n - **Vulnerabilities** in build artifacts.\n - **Software bill of materials (SBOM)** for the build artifacts.\n - **Build provenance**, which is a collection of verifiable metadata about a build. It includes details such as the digests of the built images, the input source locations, the build toolchain, build steps, and the build duration.\n\nBefore you begin\n----------------\n\n- Sign in to your Google Cloud account. If you're new to Google Cloud, [create an account](https://console.cloud.google.com/freetrial) to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.\n-\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n- If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n-\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n- [Create or select a Google Cloud project](https://cloud.google.com/resource-manager/docs/creating-managing-projects).\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n - Create a Google Cloud project:\n\n ```\n gcloud projects create PROJECT_ID\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with a name for the Google Cloud project you are creating.\n - Select the Google Cloud project that you created:\n\n ```\n gcloud config set project PROJECT_ID\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with your Google Cloud project name.\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n\n\n Enable the Cloud Build, Artifact Registry, and Container Scanning APIs:\n\n\n ```bash\n gcloud services enable cloudbuild.googleapis.com artifactregistry.googleapis.com containerscanning.googleapis.com\n ```\n\n-\n [Install](/sdk/docs/install) the Google Cloud CLI.\n\n- If you're using an external identity provider (IdP), you must first\n [sign in to the gcloud CLI with your federated identity](/iam/docs/workforce-log-in-gcloud).\n\n-\n To [initialize](/sdk/docs/initializing) the gcloud CLI, run the following command:\n\n ```bash\n gcloud init\n ```\n- [Create or select a Google Cloud project](https://cloud.google.com/resource-manager/docs/creating-managing-projects).\n\n | **Note**: If you don't plan to keep the resources that you create in this procedure, create a project instead of selecting an existing project. After you finish these steps, you can delete the project, removing all resources associated with the project.\n - Create a Google Cloud project:\n\n ```\n gcloud projects create PROJECT_ID\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with a name for the Google Cloud project you are creating.\n - Select the Google Cloud project that you created:\n\n ```\n gcloud config set project PROJECT_ID\n ```\n\n Replace \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with your Google Cloud project name.\n-\n [Verify that billing is enabled for your Google Cloud project](/billing/docs/how-to/verify-billing-enabled#confirm_billing_is_enabled_on_a_project).\n\n-\n\n\n Enable the Cloud Build, Artifact Registry, and Container Scanning APIs:\n\n\n ```bash\n gcloud services enable cloudbuild.googleapis.com artifactregistry.googleapis.com containerscanning.googleapis.com\n ```\n\n\u003cbr /\u003e\n\nPrepare your environment\n------------------------\n\n1. Set your project ID as an environment variable:\n\n export PROJECT_ID=$(gcloud config get project)\n\n2. Clone the repository that contains the Java code sample to build and\n containerize:\n\n git clone https://github.com/googlecloudplatform/software-delivery-shield-demo-java.git\n cd software-delivery-shield-demo-java/backend\n\nCreate the Artifact Registry repository for your image\n------------------------------------------------------\n\n1. Create a new Docker repository named `containers` in the location\n `us-central1` with the description \"Docker repository\":\n\n gcloud artifacts repositories create containers \\\n --repository-format=docker \\\n --location=us-central1 --description=\"Docker repository\"\n\n2. Verify that your repository was created:\n\n gcloud artifacts repositories list\n\n You should see `containers` in the list of displayed repositories.\n\nBuild the application\n---------------------\n\nBuild and containerize the Java application using Cloud Build.\nThe following command builds and containerizes the Java application and\nstores the built container in the Artifact Registry docker repository: \n\n gcloud builds submit --config=cloudbuild.yaml --region=us-central1\n\nAfter the build completes, you see a success status message similar to the\nfollowing: \n\n \u003cpre class=\"none lang-sh\"\u003e\n DONE\n -----------------------------------------------------------------------------\n ID: 3e08565f-7f57-4449-bc68-51c46cf33d03\n CREATE_TIME: 2022-09-19T15:41:07+00:00\n DURATION: 54S\n SOURCE: gs://sds-docs-project_cloudbuild/source/1663602066.777581-6ebe4b2d6fd741ffa18936d7f78055e9.tgz\n IMAGES: us-central1-docker.pkg.dev/sds-docs-project/containers/java-guestbook-backend:quickstart\n STATUS: SUCCESS\n \u003c/pre\u003e\n\nGenerate an SBOM for the built image\n------------------------------------\n\nAn SBOM is a full inventory of an application, identifying the packages\nyour software relies on. The contents can include third-party software from\nvendors, internal artifacts, and open source libraries.\n\nGenerate the SBOM for the image you built in the previous section: \n\n gcloud artifacts sbom export \\\n --uri=us-central1-docker.pkg.dev/${PROJECT_ID}/containers/java-guestbook-backend:quickstart\n\nView security insights\n----------------------\n\nThe Cloud Build UI in the Google Cloud console contains the\n**Security insights** panel that displays security information related to the\nbuild such as SLSA level, any vulnerabilities in the dependencies, and build\nprovenance.\n\nTo view the **Security insights** panel:\n\n1. Open the **Build history** page in the Google Cloud console:\n\n [Open the Build history page](https://console.cloud.google.com/cloud-build)\n2. Select your project and click **Open**.\n\n3. In the **Region** drop-down menu, select **us-central1**.\n\n4. In the table with the builds, locate the row with the build you just\n executed.\n\n5. Under the **Security insights** column click **View**.\n\nYou see the **Security insights** panel for the build:\n\nThis panel displays the following information:\n\n- **SLSA Level:** This build has achieved SLSA Level 3. Click the **Learn\n more** link to learn what this security level means.\n\n- **Vulnerabilities:** Any vulnerabilities found in your artifacts. Click the\n image name (**java-guestbook-backend**) to see the artifacts that have been\n scanned for vulnerabilities.\n\n- **Dependencies** for the built container image in Artifact Registry.\n\n- **Build details:** Details of the build such as the builder and the link to\n view logs.\n\nClean up\n--------\n\n\nTo avoid incurring charges to your Google Cloud account for\nthe resources used on this page, delete the Google Cloud project with the\nresources.\n\n1. Disable Container Scanning API:\n\n gcloud services disable containerscanning.googleapis.com --force\n\n2. Delete the Artifact Registry repository:\n\n gcloud artifacts repositories delete containers \\\n --location=us-central1 --async\n\n You have now deleted the repository that you created as part of this\n quickstart.\n\nWhat's next\n-----------\n\n- Learn more about the [security insights panel in\n Cloud Build](/build/docs/view-build-security-insights)\n- Learn how to [view security insights when deploying to Cloud Run](/software-supply-chain-security/docs/quickstarts/deploy-run-view-security-insights)\n- Learn how to [view security insights when deploying to GKE](/software-supply-chain-security/docs/quickstarts/deploy-gke-view-security-insights)\n- Learn more about [software supply chain security](/software-supply-chain-security/docs/overview)"]]
