Profile applicability: Level 2
Note: GCR is now deprecated, being superseded by Artifact Registry starting 15th May 2024.
Runtime Vulnerability scanning is available via GKE Security Posture.
Scan images stored in Google Container Registry (GCR) or Artifact Registry (AR) for vulnerabilities.
Vulnerabilities in software packages can be exploited by malicious users to obtain
unauthorized access to local cloud resources. GCR Container Analysis API or Artifact
Registry Container Scanning API allow images stored in GCR or AR respectively to be
scanned for known vulnerabilities.
Note: By default, GCR Container Analysis and AR Container Scanning are disabled.
Audit
For Images Hosted in GCR:
Using Google Cloud Console:
- Go to GCR by visiting Google Cloud documentation.
- Select Settings and check if Vulnerability scanning is Enabled.
Using Command Line:
gcloud services list --enabled
Ensure that the Container Registry API and Container Analysis API are listed in the
output.
For Images Hosted in AR:
Using Google Cloud Console:
- Go to AR by visiting Google Cloud documentation.
- Select Settings and check if Vulnerability scanning is Enabled.
Using Command Line:
gcloud services list --enabled
Ensure that Container Scanning API and Artifact Registry API are listed in the output.
Remediation
For Images Hosted in GCR:
Using Google Cloud Console:
- Go to GCR by visiting: Google Cloud documentation.
- Select Settings and, under the Vulnerability Scanning heading, click the TURN ON button.
Using Command Line:
gcloud services enable containeranalysis.googleapis.com
For Images Hosted in AR:
Using Google Cloud Console:
- Go to AR by visiting: Google Cloud documentation.
- Select Settings and, under the Vulnerability Scanning heading, click the ENABLE button.
Using Command Line:
gcloud services enable containerscanning.googleapis.com
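The command-line audit and remediation steps above both reduce to one question: which of the required APIs are absent from the enabled-services list? The following POSIX shell script is an added example, not part of the CIS benchmark text or of any Google tooling. It takes a captured listing (a constructed sample is embedded so it runs offline; the commented-out live line uses `gcloud services list --enabled --format='value(config.name)'`), reports PASS/FAIL per registry type using the API names given in the Audit section, and prints the `gcloud services enable` command from the Remediation section for whatever is missing. The function names `missing_apis`, `audit` and `remediation_command` are this example's own.

```shell
#!/bin/sh
# Added example: audit and remediation helper for the GCR/AR vulnerability
# scanning recommendation. Not part of the benchmark or of gcloud.

# Constructed sample listing, one enabled service per line, standing in for:
#   ENABLED=$(gcloud services list --enabled --format='value(config.name)')
# AR is fully set up here; GCR is missing the Container Analysis API.
SAMPLE_ENABLED='artifactregistry.googleapis.com
containerregistry.googleapis.com
containerscanning.googleapis.com'

# missing_apis LISTING KIND -> prints the required APIs absent from LISTING.
# KIND is "gcr" (Container Registry API + Container Analysis API)
# or "ar" (Artifact Registry API + Container Scanning API).
missing_apis() {
  case $2 in
    gcr) required='containerregistry.googleapis.com containeranalysis.googleapis.com' ;;
    ar)  required='artifactregistry.googleapis.com containerscanning.googleapis.com' ;;
    *)   echo "unknown registry kind: $2" >&2; return 2 ;;
  esac
  for api in $required; do
    # -x: whole-line match, -F: literal (dots in the name are not regex)
    printf '%s\n' "$1" | grep -qxF "$api" || echo "$api"
  done
}

# audit LISTING KIND -> PASS (exit 0) when nothing is missing, FAIL (exit 1) otherwise
audit() {
  missing=$(missing_apis "$1" "$2") || return 2
  if [ -z "$missing" ]; then
    echo "PASS ($2): required vulnerability scanning APIs are enabled"
    return 0
  fi
  echo "FAIL ($2): missing $(echo "$missing" | tr '\n' ' ')"
  return 1
}

# remediation_command LISTING KIND -> the gcloud command that enables what is
# missing; prints nothing when the audit already passes.
remediation_command() {
  missing=$(missing_apis "$1" "$2") || return 2
  [ -n "$missing" ] || return 0
  echo "gcloud services enable $(echo "$missing" | tr '\n' ' ' | sed 's/ $//')"
}

# Offline demonstration against the constructed sample.
audit "$SAMPLE_ENABLED" ar
audit "$SAMPLE_ENABLED" gcr || true
remediation_command "$SAMPLE_ENABLED" gcr
# Live use (requires gcloud and a configured project):
# ENABLED=$(gcloud services list --enabled --format='value(config.name)')
# audit "$ENABLED" ar && audit "$ENABLED" gcr
```

Run the printed `gcloud services enable ...` line to remediate, then re-run the audit: enabling the scanning API only covers images pushed after it is turned on, so existing images should be re-pushed or otherwise re-scanned before the check is considered closed.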
