Package scanning identifies existing and new vulnerabilities in the open-source dependencies for language-based packages in your Artifact Registry repositories.
See pricing to learn more about the costs associated with scanning packages.
This overview assumes you are already familiar with using Docker repositories in Artifact Registry.
Overview
Artifact Analysis scans the files in a package when the package is pushed to Artifact Registry. After the initial scan, Artifact Registry continues to monitor the metadata of scanned packages for new vulnerabilities.
To evaluate potential areas of risk, Artifact Registry matches the dependencies in a package configuration file against known vulnerabilities. You can review potential vulnerabilities in your package in Artifact Analysis.
Scan packages for vulnerabilities
Artifact Analysis scans packages in your Artifact Registry repositories to identify vulnerabilities, and also to identify dependencies and licenses so that you can understand your package composition.
Artifact Analysis scans new packages when they're pushed to Artifact Registry. This process is called automatic scanning. The scan extracts information about the files in the package. After scanning a package, Artifact Analysis produces a vulnerability report, which shows the vulnerability occurrences for that package. Vulnerabilities are detected only in packages that are publicly monitored for security vulnerabilities.
Continuous analysis
After a package has been scanned, Artifact Analysis continuously monitors the scanned package metadata in Artifact Registry for new vulnerabilities.
Artifact Analysis receives new and updated vulnerability information from vulnerability sources multiple times each day. When new vulnerability data arrives, Artifact Analysis updates existing vulnerability occurrences, creates new vulnerability occurrences for new notes, and deletes vulnerability occurrences that are no longer valid.
Artifact Analysis continues to scan images and packages as long as they have been pulled within the last 30 days. After 30 days, metadata for scanned images and packages will no longer be updated, and the results will be stale.
Artifact Analysis archives metadata that has been stale for more than 90 days. This archived metadata can be evaluated only by using the API. You can rescan an image with stale or archived metadata by pulling that image. Refreshing metadata can take up to 24 hours. Packages with stale or archived metadata can't be rescanned.
Supported package types
When you push packages to Artifact Registry, Artifact Analysis can scan for vulnerabilities.
The following table shows the types of packages that Artifact Analysis can scan:
| Package type | Automatic scanning with Artifact Registry | On-demand scanning |
|---|---|---|
| Java packages | Yes | |
| Python packages | Yes | |
| Node.js packages | Yes | |
Artifact Analysis interfaces
In the Google Cloud console, you can view vulnerabilities and metadata for packages in Artifact Registry.
You can use the gcloud CLI to view vulnerabilities and metadata.
You can also use the Artifact Analysis REST API to perform any of these actions. As with other Cloud Platform APIs, you must authenticate access using OAuth2.
The Artifact Analysis API supports both gRPC and REST/JSON. You can make calls to the API either using the client libraries or using curl for REST/JSON.
Vulnerability sources
The following section lists the vulnerability sources that Artifact Analysis uses to obtain CVE data.
Language package scans
Artifact Analysis supports vulnerability scanning for files within a package. The vulnerability data is obtained from the GitHub Advisory Database.
In most cases, each vulnerability is assigned a CVE ID, and this ID becomes the main identifier for that vulnerability. If no CVE ID has been assigned to a vulnerability, a GHSA ID is used as the identifier instead. If that vulnerability is later assigned a CVE ID, the vulnerability ID is updated to match the CVE. See Check for a specific vulnerability in a project for more information.
Package managers and semantic versioning
- Java - Artifact Analysis supports Maven packages that follow the Maven naming conventions. If the package version includes spaces, it won't be scanned.
- Node.js - Package version matching follows the semantic versioning specification.
- Python - Python version matching follows PEP 440 semantics.
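The following example, added here and not part of the Artifact Analysis documentation or its matching code, illustrates why the version semantics above matter when a dependency is matched against a GitHub Advisory Database range, and applies the CVE-first, GHSA-fallback identifier rule from the Vulnerability sources section. It implements a subset of PEP 440 (release segment plus a/b/rc pre-releases) for the Python ecosystem; the advisory entries, IDs and dependency list are constructed placeholders.

```python
import re

# Constructed sample data shaped like GitHub Advisory Database entries (placeholder IDs)
# and a dependency list as read from a requirements.txt. Illustration only.
ADVISORIES = [
    {"ghsa_id": "GHSA-xxxx-xxxx-xxx1", "cve_id": None, "ecosystem": "pip",
     "package": "examplelib", "vulnerable_version_range": ">= 1.0, < 1.2.3"},
    {"ghsa_id": "GHSA-xxxx-xxxx-xxx2", "cve_id": "CVE-0000-0000", "ecosystem": "pip",
     "package": "otherlib", "vulnerable_version_range": "< 2.0"},
]
DEPENDENCIES = [("examplelib", "1.10"), ("examplelib", "1.2.3rc1"),
                ("otherlib", "2.0.0"), ("otherlib", "1.9")]

# Subset of PEP 440: numeric release segment plus an optional a/b/rc pre-release.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:(a|b|rc)(\d+))?$")
_CLAUSE_RE = re.compile(r"^(>=|<=|==|!=|>|<)\s*(\S+)$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_OPS = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b,
        "!=": lambda a, b: a != b, ">": lambda a, b: a > b, "<": lambda a, b: a < b}

def version_key(version: str) -> tuple:
    """Comparison key with PEP 440 semantics: segments compare numerically (1.10 > 1.9),
    trailing zeros are ignored (1.0 == 1.0.0), pre-releases sort before the final."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    release = [int(p) for p in m.group(1).split(".")]
    while len(release) > 1 and release[-1] == 0:
        release.pop()
    pre = (0, _PRE_RANK[m.group(2)], int(m.group(3))) if m.group(2) else (1,)
    return (tuple(release), pre)

def in_vulnerable_range(version: str, version_range: str) -> bool:
    """True if every comma-separated clause (e.g. '>= 1.0, < 1.2.3') holds."""
    key = version_key(version)
    for clause in version_range.split(","):
        m = _CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported range clause: {clause!r}")
        if not _OPS[m.group(1)](key, version_key(m.group(2))):
            return False
    return True

def find_vulnerable(deps, advisories):
    """Return (package, version, advisory id) per affected dependency; the CVE ID is
    the primary identifier and the GHSA ID is used only when no CVE exists."""
    return [(name, version, adv["cve_id"] or adv["ghsa_id"])
            for name, version in deps for adv in advisories
            if adv["ecosystem"] == "pip" and adv["package"] == name
            and in_vulnerable_range(version, adv["vulnerable_version_range"])]
```

Note that under PEP 440 the pre-release 1.2.3rc1 falls inside "< 1.2.3", while 1.10 does not fall inside it even though a plain string comparison would say otherwise.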
Limitations
Artifact Analysis scans only packages with 100 or fewer files.
If you push the same package to multiple repositories, then you are charged for each push. For more information, see Artifact Analysis pricing.
What's next
- For information about viewing package vulnerabilities and filtering vulnerability occurrences, see Scan packages automatically.