借助 On-Demand Scanning API,您可以扫描本地计算机上存储的映像,也可以扫描 Artifact Registry 中远程存储的映像。这样,您就可以精细地控制要进行漏洞扫描的容器。您可以在 CI/CD 流水线中使用 On-Demand Scanning 扫描映像,然后再决定是否将其存储在注册数据库中。如需了解价格信息,请参阅价格页面 。
本页面介绍如何使用 On-Demand Scanning API 手动扫描容器映像。
准备工作
- 登录您的 Google Cloud 账号。如果您是 Google Cloud的新用户, 请创建账号,以评估我们的产品在 实际场景中的表现。新客户还可获享 $300 赠金,用于 运行、测试和部署工作负载。
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
-
Create a project: To create a project, you need the Project Creator role
(
roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission. Learn how to grant roles.
-
Verify that billing is enabled for your Google Cloud project.
Enable the On-Demand Scanning API.
Roles required to enable APIs
To enable APIs, you need the
serviceusage.services.enablepermission. If you created the project, then you likely already have this permission through the Owner role (roles/owner). Otherwise, you can get this permission through the Service Usage Admin role (roles/serviceusage.serviceUsageAdmin). Learn how to grant roles.-
安装 Google Cloud CLI。
-
如果您使用的是外部身份提供方 (IdP),则必须先使用联合身份登录 gcloud CLI。
-
如需初始化 gcloud CLI,请运行以下命令:
gcloud init -
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
Roles required to select or create a project
- Select a project: Selecting a project doesn't require a specific IAM role—you can select any project that you've been granted a role on.
-
Create a project: To create a project, you need the Project Creator role
(
roles/resourcemanager.projectCreator), which contains theresourcemanager.projects.createpermission. Learn how to grant roles.
-
Verify that billing is enabled for your Google Cloud project.
Enable the On-Demand Scanning API.
Roles required to enable APIs
To enable APIs, you need the
serviceusage.services.enablepermission. If you created the project, then you likely already have this permission through the Owner role (roles/owner). Otherwise, you can get this permission through the Service Usage Admin role (roles/serviceusage.serviceUsageAdmin). Learn how to grant roles.-
安装 Google Cloud CLI。
-
如果您使用的是外部身份提供方 (IdP),则必须先使用联合身份登录 gcloud CLI。
-
如需初始化 gcloud CLI,请运行以下命令:
gcloud init -
将 local-extract 组件添加到您的 Google Cloud CLI 安装
使用 Google Cloud CLI 组件管理器
首次运行扫描命令时,组件管理器会提示您安装所需组件。
使用系统软件包管理器
-
对于 Debian/Ubuntu:
sudo apt install google-cloud-sdk-local-extract
-
对于 Red Hat/Fedora/CentOS:
sudo dnf install google-cloud-sdk-local-extract
或者,您也可以将上述命令中的
dnf替换为yum。
-
对于 Debian/Ubuntu:
- 向您将与 On-Demand Scanning 搭配使用的用户或服务帐号授予 IAM 角色 On-Demand Scanning Admin。如果您使用项目的所有者账号运行扫描,则可以跳过此步骤。
扫描容器映像
本地扫描:
gcloud artifacts docker images scan IMAGE_URI \ [--location=(us,europe,asia)] [--async]对于本地映像,请使用以下某种格式作为 IMAGE_URI:
REPOSITORY:TAGREPOSITORY
远程扫描:
gcloud artifacts docker images scan IMAGE_URI \ --remote [--location=(us,europe,asia)] [--async]对于远程映像,请使用以下某种格式作为 IMAGE_URI:
HOSTNAME/PROJECT_ID/REPOSITORY_ID/IMAGE_ID@sha256:HASHHOSTNAME/PROJECT_ID/REPOSITORY_ID/IMAGE_ID:HASHHOSTNAME/PROJECT_ID/REPOSITORY_ID/IMAGE_IDHOSTNAME/PROJECT_ID/IMAGE_ID@sha256:HASHHOSTNAME/PROJECT_ID/IMAGE_ID:HASHHOSTNAME/PROJECT_ID/IMAGE_ID
对于 Artifact Registry 中的映像,IMAGE_URI 必须包含
REPOSITORY_ID。
对于本地扫描和远程扫描,您都可以使用以下可选标志:
--location是一个标志,用于手动选择执行扫描的多区域。选择离您的实际位置较近的多区域可以最大限度地缩短延迟时间。可用的位置包括:us、europe和asia。默认位置为us。--async是一个标志,用于以异步方式运行扫描过程。 如果您省略此标志,终端将处于阻塞状态,直到扫描过程完成。
同步扫描
以下示例展示了同步扫描的输出,其中不包含 --async 标志:
$ gcloud artifacts docker images scan ubuntu:latest ✓ Scanning container image ✓ Locally extracting packages and versions from local container image ✓ Remotely initiating analysis of packages and versions ✓ Waiting for analysis operation to complete [projects/my-project/locations/us/operations/87d2e137-1d1c-4790-8e5e-daf6c96ae7d7] Done. done: true metadata: '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata createTime: '2021-01-05T23:03:04.185261Z' resourceUri: ubuntu:latest name: projects/my-project/locations/us/operations/87d2e137-1d1c-4790-8e5e-daf6c96ae7d7 response: '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse scan: projects/my-project/locations/us/scans/2fe2bfb8-f0c5-4dd6-a8c8-38961869767a
使用扫描名称检索漏洞结果。
扫描名称是输出消息最后一行的 scan 值。
异步扫描
以下示例展示了执行异步扫描的输出:
$ gcloud artifacts docker images scan ubuntu:latest --async ✓ Scanning container image ✓ Locally extracting packages and versions from local container image ✓ Remotely initiating analysis of packages and versions Done. Check operation [projects/cloud-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16] for status. metadata: '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata createTime: '2021-01-05T23:04:54.393510Z' resourceUri: ubuntu:latest name: projects/my-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16
这会启动一个长时间运行的操作并返回其 ID,而不会阻塞您的终端。使用操作 ID(name 在
输出消息最后一行的值)轮询该操作。
轮询长时间运行的操作
使用异步扫描命令输出中的操作 ID 检查操作状态。
gcloud artifacts docker images get-operation LRO_ID
其中,LRO_ID 是长时间运行的操作 ID。
继续使用异步扫描部分中的示例, 检查操作的状态:
$ gcloud artifacts docker images get-operation \ projects/cloud-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16 done: true metadata: '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesMetadata createTime: '2021-01-05T23:04:54.393510Z' resourceUri: ubuntu:latest name: projects/my-project/locations/us/operations/2e1a6b1f-16e5-4427-ac86-72c998a3dd16 response: '@type': type.googleapis.com/google.cloud.ondemandscanning.v1.AnalyzePackagesResponse scan: projects/my-project/locations/us/scans/2fe2bfb8-f0c5-4dd6-a8c8-38961869767a
如果输出包含 done: true 行,则表示扫描操作已完成。使用扫描名称检索漏洞结果。该名称是输出消息最后一行的 scan 值。
检索扫描结果
如需在扫描操作完成后检索扫描结果,请使用以下命令:
gcloud artifacts docker images list-vulnerabilities SCAN_NAME [--limit=X]
其中:
- SCAN_NAME 是扫描名称。您可以在轮询长时间运行的操作时在 输出底部找到它(扫描完成后)。
--limit=X是一个可选标志,用于限制输出中显示的发生次数。X是一个数值。
例如:
gcloud artifacts docker images list-vulnerabilities \
projects/my-project/locations/us/scans/2fe2bfb8-f0c5-4dd6-a8c8-38961869767a
createTime: '2021-01-05T23:05:42.956227Z'
kind: VULNERABILITY
name: projects/my-project/locations/us/occurrences/f82a1efd-a261-4973-acbd-f9854d8b8135
noteName: projects/goog-vulnz/notes/CVE-2018-1000654
resourceUri: ubuntu:latest
updateTime: '2021-01-05T23:05:42.956227Z'
vulnerability:
cvssScore: 7.1
cvssv3:
attackComplexity: ATTACK_COMPLEXITY_LOW
attackVector: ATTACK_VECTOR_NETWORK
availabilityImpact: IMPACT_HIGH
baseScore: 7.2
confidentialityImpact: IMPACT_HIGH
exploitabilityScore: 1.2
impactScore: 5.9
integrityImpact: IMPACT_HIGH
privilegesRequired: PRIVILEGES_REQUIRED_HIGH
scope: SCOPE_UNCHANGED
userInteraction: USER_INTERACTION_NONE
effectiveSeverity: MEDIUM
此命令的输出是 Grafeas 格式的发生次数列表。 在本例中,它显示了在映像中发现的中等严重程度的漏洞。
扫描操作完成后,扫描结果将保留 48 小时。
后续步骤
- 在 Cloud Build 流水线中使用 On-Demand Scanning API。
- 使用 Artifact Analysis 扫描 存储在 Artifact Registry 中的映像,并持续更新其漏洞信息。