
Enable Artifact Registry Vulnerability Scanning

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: High (act today)

Ensure that vulnerability scanning for Google Cloud Artifact Registry repositories is enabled in order to find security weaknesses in your container images before deploying them and help prevent security breaches.

Security

In Google Cloud Artifact Registry, automated vulnerability scanning (part of Artifact Analysis) checks each container image when it is pushed to a repository and reports any known vulnerabilities it finds. It also keeps monitoring scanned images against newly published vulnerability data, so an image that was clean at push time is re-flagged when a new CVE affects one of its packages. The feature is backed by the Container Scanning API and currently covers Alpine, CentOS, Debian, Go, Java (Maven), RedHat, and Ubuntu based images. Note that scanning only reports findings; it does not block a vulnerable image from being pulled or deployed unless you pair it with a policy control such as Binary Authorization.

Audit

To determine if vulnerability scanning for your Artifact Registry repositories is enabled, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to examine from the console top navigation bar.

03 Navigate to Artifact Registry console available at https://console.cloud.google.com/artifacts.

04 In the navigation panel, choose Settings to access the Artifact Registry settings for the selected project.

05 In the Vulnerability scanning section, check the Scanning configuration attribute value to determine the Vulnerability Scanning feature status. If the Scanning value is set to Off, the Vulnerability Scanning feature is not enabled for the Artifact Registry repositories available within the selected GCP project.

06 Repeat steps no. 2 – 5 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run projects list command (Windows/macOS/Linux) with a custom output format to list the IDs of all the Google Cloud Platform (GCP) projects available in your cloud account:

gcloud projects list \
  --format="table(projectId)"

02 The command output should return the requested GCP project IDs:

PROJECT_ID
cc-web-project-112233
cc-mobile-project-111222

03 Run services list command (Windows/macOS/Linux) to list the Google Cloud APIs and services that have been enabled for the selected GCP project (the example below uses the first project ID returned in the previous step):

gcloud services list \
  --enabled \
  --project cc-web-project-112233

04 The command output should return the name and title for each enabled API/service:

NAME: analyticshub.googleapis.com
TITLE: Analytics Hub API

NAME: apigateway.googleapis.com
TITLE: API Gateway API

NAME: appengine.googleapis.com
TITLE: App Engine Admin API

NAME: artifactregistry.googleapis.com
TITLE: Artifact Registry API

...

NAME: storage-component.googleapis.com
TITLE: Cloud Storage

NAME: storage.googleapis.com
TITLE: Cloud Storage API

NAME: testing.googleapis.com
TITLE: Cloud Testing API

NAME: vpcaccess.googleapis.com
TITLE: Serverless VPC Access API

Check the API/service list returned by the services list command for the Container Scanning API (i.e. containerscanning.googleapis.com). If the Container Scanning API is not returned by the command output, the Vulnerability Scanning feature is not enabled for the Artifact Registry repositories available in the selected GCP project. Note that enabling the Artifact Registry API alone (artifactregistry.googleapis.com, shown above) does not turn on scanning; only the Container Scanning API does.

05 Repeat steps no. 3 – 4 for each GCP project available within your Google Cloud account.

Remediation / Resolution

To ensure that vulnerability scanning is enabled for all your Artifact Registry repositories, perform the following operations:

Using GCP Console

01 Sign in to Google Cloud Management Console.

02 Select the Google Cloud Platform (GCP) project that you want to access from the console top navigation bar.

03 Navigate to Artifact Registry console available at https://console.cloud.google.com/artifacts.

04 In the navigation panel, choose Settings to access the Artifact Registry settings for the selected project.

05 In the Vulnerability scanning section, choose ENABLE under Scanning to enable the Vulnerability Scanning feature for all the Artifact Registry repositories available within the selected GCP project. Once the feature is enabled, Artifact Analysis automatically scans each image newly pushed to Artifact Registry in the selected project. Images pushed before scanning was enabled are not scanned retroactively; push them again (or re-tag and push) if you need findings for them.

06 Repeat steps no. 2 – 5 for each GCP project deployed in your Google Cloud account.

Using GCP CLI

01 Run services enable command (Windows/macOS/Linux) to enable the Vulnerability Scanning feature for the Artifact Registry repositories available in the selected GCP project by switching on the Container Scanning API (i.e. containerscanning.googleapis.com). Once you enable the Container Scanning API, the Artifact Analysis service automatically scans each image newly pushed to Artifact Registry in the selected project. Enabling the API requires the serviceusage.services.enable permission on the project (for example the Service Usage Admin role) and starts billing for scanned images:

gcloud services enable containerscanning.googleapis.com \
  --project cc-web-project-112233

02 The command output should return the ID of the performed operation:

Operation "operations/acf.p2-abcd1234abcd-1234abcd-abcd-abcd-abcd-abcd1234abcd" finished successfully.

03 Repeat steps no. 1 and 2 for each GCP project created within your Google Cloud account.
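The audit and remediation steps above are repeated per project by hand. The following script, added here as an example and not taken from the Conformity page or from Google, walks every project the caller can see, applies the same "is containerscanning.googleapis.com in the enabled-services list" check, and with --fix enables the API wherever it is missing. The project IDs and service lists embedded at the bottom are constructed so the check can be exercised offline; the live run assumes an authenticated gcloud with permission to list projects and to list and enable services.

```shell
#!/bin/sh
# Added example (not from the Conformity page or Google): audit every project for the
# Container Scanning API and, optionally, enable it where it is off.
# Assumes an authenticated gcloud with resourcemanager.projects.list and
# serviceusage.services.{list,enable} permissions. Sample data below is constructed.

SCANNING_API="containerscanning.googleapis.com"

# scanning_enabled SERVICES
# SERVICES is a newline-separated list of enabled API names, as produced by
#   gcloud services list --enabled --format="value(config.name)"
# Returns 0 when the Container Scanning API is present, 1 otherwise.
# grep -x forces a whole-line match, so a name that merely starts with the API
# name (a hypothetical "containerscanning.googleapis.com.example") does not count.
scanning_enabled() {
  printf '%s\n' "$1" | grep -qx "$SCANNING_API"
}

# classify_project PROJECT_ID SERVICES
# Prints one finding line for the project, mirroring the audit step on the page.
classify_project() {
  if scanning_enabled "$2"; then
    echo "$1: Container Scanning API enabled"
  else
    echo "$1: Container Scanning API NOT enabled (vulnerability scanning is off)"
  fi
}

# audit_live [--fix]
# Walk every project visible to the caller. Report only by default; with --fix,
# enable the API in each project where it is missing (the remediation step).
audit_live() {
  gcloud projects list --format="value(projectId)" | while read -r project; do
    services=$(gcloud services list --enabled --project "$project" \
                 --format="value(config.name)")
    classify_project "$project" "$services"
    if [ "$1" = "--fix" ] && ! scanning_enabled "$services"; then
      gcloud services enable "$SCANNING_API" --project "$project"
    fi
  done
}

# Constructed sample outputs (not captured from a real account) so the check
# runs without gcloud. Only the Artifact Registry API is enabled in the second
# project, which is the common false-positive: that alone does not give scanning.
SAMPLE_ENABLED="artifactregistry.googleapis.com
containerscanning.googleapis.com
storage.googleapis.com"
SAMPLE_OFF="artifactregistry.googleapis.com
storage.googleapis.com"

classify_project cc-web-project-112233 "$SAMPLE_ENABLED"
classify_project cc-mobile-project-111222 "$SAMPLE_OFF"

# The live audit runs only when explicitly requested, for example:
#   AUDIT_LIVE=1 sh audit_scanning.sh          # report only
#   AUDIT_LIVE=1 sh audit_scanning.sh --fix    # report and enable where missing
if [ "${AUDIT_LIVE:-0}" = "1" ]; then
  audit_live "$1"
fi
```

Run it once without --fix first and review the output: enabling the Container Scanning API starts per-image billing, so projects that never push container images may be better left alone and documented as exceptions rather than remediated blindly.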

Publication date May 1, 2024