5.1.1 Ensure Image Vulnerability Scanning is enabled

Information

Note: GCR is now deprecated, being superseded by Artifact Registry starting 15th May 2024. Runtime Vulnerability scanning is available via GKE Security Posture

Scan images stored in Google Container Registry (GCR) or Artifact Registry (AR) for vulnerabilities.

Vulnerabilities in software packages can be exploited by malicious users to obtain unauthorized access to local cloud resources. GCR Container Analysis API or Artifact Registry Container Scanning API allow images stored in GCR or AR respectively to be scanned for known vulnerabilities.

Solution

For Images Hosted in GCR:

Using Google Cloud Console

- Go to GCR by visiting:

https://console.cloud.google.com/gcr

- Select Settings and, under the Vulnerability Scanning heading, click the TURN ON button.

Using Command Line

gcloud services enable containeranalysis.googleapis.com

For Images Hosted in AR:

Using Google Cloud Console

- Go to GCR by visiting:

https://console.cloud.google.com/artifacts

- Select Settings and, under the Vulnerability Scanning heading, click the ENABLE button.

Using Command Line

gcloud services enable containerscanning.googleapis.com

Impact:

None.

See Also

https://workbench.cisecurity.org/benchmarks/19166