手動掃描 OS 套件

On-Demand Scanning API 可讓您掃描儲存在電腦本機或遠端 Artifact Registry 中的映像檔。如此一來便能精細控管要掃描哪些容器的安全漏洞。您可以使用 On-Demand Scanning 掃描 CI/CD 管道中的映像檔,再決定是否要儲存在註冊資料庫中。如需價格資訊,請參閱定價頁面

本頁說明如何使用隨選掃描功能手動掃描容器映像檔。

事前準備

  1. 登入 Google Cloud 帳戶。如果您是 Google Cloud新手,歡迎 建立帳戶,親自評估產品在實際工作環境中的成效。新客戶還能獲得價值 $300 美元的免費抵免額,可用於執行、測試及部署工作負載。
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  3. Verify that billing is enabled for your Google Cloud project.

  4. Enable the On-Demand Scanning API.

    Roles required to enable APIs

    To enable APIs, you need the serviceusage.services.enable permission. If you created the project, then you likely already have this permission through the Owner role (roles/owner). Otherwise, you can get this permission through the Service Usage Admin role (roles/serviceusage.serviceUsageAdmin). Learn how to grant roles.

    Enable the API

  5. 安裝 Google Cloud CLI。

  6. 若您採用的是外部識別資訊提供者 (IdP),請先使用聯合身分登入 gcloud CLI

  7. 執行下列指令,初始化 gcloud CLI:

    gcloud init
  8. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Roles required to select or create a project

    • Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
    • Create a project: To create a project, you need the Project Creator role (roles/resourcemanager.projectCreator), which contains the resourcemanager.projects.create permission. Learn how to grant roles.

    Go to project selector

  9. Verify that billing is enabled for your Google Cloud project.

  10. Enable the On-Demand Scanning API.

    Roles required to enable APIs

    To enable APIs, you need the serviceusage.services.enable permission. If you created the project, then you likely already have this permission through the Owner role (roles/owner). Otherwise, you can get this permission through the Service Usage Admin role (roles/serviceusage.serviceUsageAdmin). Learn how to grant roles.

    Enable the API

  11. 安裝 Google Cloud CLI。

  12. 若您採用的是外部識別資訊提供者 (IdP),請先使用聯合身分登入 gcloud CLI

  13. 執行下列指令,初始化 gcloud CLI:

    gcloud init
  14. local-extract 元件新增至 Google Cloud CLI 安裝項目

    使用 Google Cloud CLI 元件管理服務

    第一次執行掃描指令時,元件管理工具會提示您安裝必要元件。

    使用系統套件管理工具

    • Debian/Ubuntu:
      sudo apt install google-cloud-sdk-local-extract
          
    • Red Hat/Fedora/CentOS:
      sudo dnf install google-cloud-sdk-local-extract
          

      或者,您也可以在上一個指令中將 dnf 替換為 yum

  15. 授予 IAM 角色隨選掃描管理員角色授予要搭配隨選掃描功能使用的使用者或服務帳戶。如果您使用專案的擁有者帳戶執行掃描,可以略過這個步驟。

掃描容器映像檔

  • 掃描本機:

    gcloud artifacts docker images scan IMAGE_URI \
        [--location=(us,europe,asia)] [--async]
    

    如果是本機圖片,請使用下列其中一種格式:IMAGE_URI

    • REPOSITORY:TAG
    • REPOSITORY
  • 遠端掃描:

    gcloud artifacts docker images scan IMAGE_URI \
        --remote [--location=(us,europe,asia)] [--async]
    

    如果是遠端圖片,請使用下列其中一種格式:IMAGE_URI

    • HOSTNAME/PROJECT_ID/REPOSITORY_ID/IMAGE_ID@sha256:HASH
    • HOSTNAME/PROJECT_ID/REPOSITORY_ID/IMAGE_ID:HASH
    • HOSTNAME/PROJECT_ID/REPOSITORY_ID/IMAGE_ID
    • HOSTNAME/PROJECT_ID/IMAGE_ID@sha256:HASH
    • HOSTNAME/PROJECT_ID/IMAGE_ID:HASH
    • HOSTNAME/PROJECT_ID/IMAGE_ID

    如果是 Artifact Registry 中的映像檔,IMAGE_URI 必須包含 REPOSITORY_ID

無論是本機或遠端掃描,您都可以使用下列選用旗標:

  • --location 旗標可手動選取掃描作業執行的多區域。選擇距離實際位置較近的多區域,可盡量縮短延遲時間。可用的位置包括:useuropeasia。預設位置為 us

  • --async 是以非同步方式執行掃描程序的標記。 如果省略這個標記,終端機就會封鎖,直到掃描程序完成為止。

同步掃描

以下範例顯示同步掃描的輸出內容,沒有 --async 標記:

$ gcloud artifacts docker images scan ubuntu:latest


✓ Scanning container image
  ✓ Locally extracting packages and versions from local container image
  ✓ Remotely initiating analysis of packages and versions
  ✓ Waiting for analysis operation to complete [projects/my-project/locations/us/operations/87d2e137-1d1c-4790-8e5e-daf6c96ae7d7]
Done.
done: true
metadata:
  '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata
  createTime: '2021-01-05T23:03:04.185261Z'
  resourceUri: ubuntu:latest
name: projects/my-project/locations/us/operations/87d2e137-1d1c-4790-8e5e-daf6c96ae7d7
response:
  '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse
  scan: projects/my-project/locations/us/scans/2fe2bfb8-f0c5-4dd6-a8c8-38961869767a

使用掃描名稱擷取安全漏洞結果。 掃描名稱是輸出訊息最後一行中的 scan 值。

非同步掃描

以下範例顯示執行非同步掃描的輸出內容:

$ gcloud artifacts docker images scan ubuntu:latest --async


✓ Scanning container image
  ✓ Locally extracting packages and versions from local container image
  ✓ Remotely initiating analysis of packages and versions
Done.
Check operation [projects/cloud-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16] for status.
metadata:
  '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata
  createTime: '2021-01-05T23:04:54.393510Z'
  resourceUri: ubuntu:latest
name: projects/my-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16

這會啟動長時間執行的作業,並傳回其 ID,不會封鎖終端機。使用作業 ID (輸出訊息最後一行中的 name 值) 輪詢作業

輪詢長時間執行的作業

使用非同步掃描指令輸出內容中的作業 ID,檢查作業狀態。

gcloud artifacts docker images get-operation LRO_ID

其中 LRO_ID 是長時間執行的作業 ID。

繼續使用非同步掃描部分的範例,如要檢查作業狀態,請執行下列操作:

$ gcloud artifacts docker images get-operation \
  projects/cloud-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16

done: true
metadata:
  '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata
  createTime: '2021-01-05T23:04:54.393510Z'
  resourceUri: ubuntu:latest
name: projects/my-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16
response:
  '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse
  scan: projects/my-project/locations/us/scans/2fe2bfb8-f0c5-4dd6-a8c8-38961869767a

如果輸出內容包含 done: true 這一行,表示掃描作業已完成。使用掃描名稱擷取安全性弱點結果。名稱是輸出訊息最後一行中的 scan

擷取掃描結果

掃描作業完成後,如要擷取掃描結果,請使用下列指令:

gcloud artifacts docker images list-vulnerabilities SCAN_NAME [--limit=X]

其中:

  • SCAN_NAME 是掃描名稱。掃描完成後,輪詢長時間執行作業時,輸出內容底部會顯示這項資訊。
  • --limit=X 是選用旗標,可限制輸出內容中顯示的出現次數。X 是數值。

例如:

gcloud artifacts docker images list-vulnerabilities \
projects/my-project/locations/us/scans/2fe2bfb8-f0c5-4dd6-a8c8-38961869767a

createTime: '2021-01-05T23:05:42.956227Z'
kind: VULNERABILITY
name: projects/my-project/locations/us/occurrences/f82a1efd-a261-4973-acbd-f9854d8b8135
noteName: projects/goog-vulnz/notes/CVE-2018-1000654
resourceUri: ubuntu:latest
updateTime: '2021-01-05T23:05:42.956227Z'
vulnerability:
  cvssScore: 7.1
  cvssv3:
    attackComplexity: ATTACK_COMPLEXITY_LOW
    attackVector: ATTACK_VECTOR_NETWORK
    availabilityImpact: IMPACT_HIGH
    baseScore: 7.2
    confidentialityImpact: IMPACT_HIGH
    exploitabilityScore: 1.2
    impactScore: 5.9
    integrityImpact: IMPACT_HIGH
    privilegesRequired: PRIVILEGES_REQUIRED_HIGH
    scope: SCOPE_UNCHANGED
    userInteraction: USER_INTERACTION_NONE
  effectiveSeverity: MEDIUM

這個指令的輸出內容是以 Grafeas 格式列出的發生項目。在本例中,系統在映像檔中發現中等嚴重程度的安全漏洞。

掃描作業完成後,掃描結果會保留 48 小時。

後續步驟