手動掃描 OS 套件
本快速入門導覽課程說明如何提取容器映像檔,使用 On-Demand Scanning API 手動掃描作業系統安全漏洞,以及擷取已識別的安全漏洞。如要完成本快速入門導覽課程,請使用 Cloud Shell 和 Ubuntu 範例映像檔。
事前準備
- 登入 Google Cloud 帳戶。如果您是 Google Cloud新手,歡迎 建立帳戶,親自評估產品在實際工作環境中的成效。新客戶還能獲得價值 $300 美元的免費抵免額,可用於執行、測試及部署工作負載。
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
-
Create a project: To create a project, you need the Project Creator role
(
roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission. Learn how to grant roles.
-
Verify that billing is enabled for your Google Cloud project.
Enable the On-Demand Scanning API.
Roles required to enable APIs
To enable APIs, you need the
serviceusage.services.enablepermission. If you created the project, then you likely already have this permission through the Owner role (roles/owner). Otherwise, you can get this permission through the Service Usage Admin role (roles/serviceusage.serviceUsageAdmin). Learn how to grant roles.-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
-
Create a project: To create a project, you need the Project Creator role
(
roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission. Learn how to grant roles.
-
Verify that billing is enabled for your Google Cloud project.
Enable the On-Demand Scanning API.
Roles required to enable APIs
To enable APIs, you need the
serviceusage.services.enablepermission. If you created the project, then you likely already have this permission through the Owner role (roles/owner). Otherwise, you can get this permission through the Service Usage Admin role (roles/serviceusage.serviceUsageAdmin). Learn how to grant roles.
下載及掃描圖片
在專案中開啟 Cloud Shell。
終端機隨即會開啟,其中包含依本指南操作所需的所有工具。
使用 Docker 提取最新的 Ubuntu 映像檔。
docker pull ubuntu:latest執行掃描。
gcloud artifacts docker images scan ubuntu:latest這會觸發掃描程序,並在完成時傳回掃描名稱:
✓ Scanning container image ✓ Locally extracting packages and versions from local container image ✓ Remotely initiating analysis of packages and versions ✓ Waiting for analysis operation to complete [projects/my-project/locations/us/operations/OPERATION_ID] Done. done: true metadata: '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata createTime: '2021-01-26T13:43:53.112123Z' resourceUri: ubuntu:latest name: projects/my-project/locations/us/operations/OPERATION_ID response: '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse scan: projects/my-project/locations/us/scans/SCAN_ID
使用掃描名稱和輸出內容中的
scan值,擷取掃描結果。gcloud artifacts docker images list-vulnerabilities \ projects/my-project/locations/us/scans/SCAN_ID
清除所用資源
為了避免系統向您的 Google Cloud 帳戶收取本頁面所用資源的費用,請按照下列步驟操作。
如果您是為了本指南建立新專案,現在可以刪除該專案。