Scan Google Container Registry (GCR) Images with cnspec
Scan Google Container Registry images for security vulnerabilities and misconfigurations with cnspec.
Google has deprecated Container Registry in favor of Artifact Registry. New projects should host images in Artifact Registry; existing projects should plan a migration. cnspec scans Artifact Registry images using the same cnspec scan container registry and cnspec scan docker commands shown below. Substitute the Artifact Registry hostname (for example, <region>-docker.pkg.dev/<project>/<repo>).
The legacy Container Registry stores container images within Google Cloud.
If you install cnspec on machines that can't download and install updates (because they're air-gapped or don't give cnspec write access), you must deploy cnspec providers. To learn more, read Manage cnspec Providers.
Prerequisites
Install the gcloud CLI and log in:
gcloud auth login
Set your project:
gcloud config set project <projectID>
List available container repositories:
gcloud container images list
Authenticate Docker against the registry:
gcloud auth configure-docker
Scan Container Registry
Scan a repository:
cnspec scan container registry gcr.io/<projectID>/<repoName>
cnspec resolves each tag, applies the OS security policies that match its platform, and reports vulnerabilities and misconfigurations:
Start the vulnerability scan:
→ resolve asset connections
→ detected ubuntu 22.04
→ gather platform packages for vulnerability scan
→ found 96 packages
✔ completed analysis for <imageId>
Advisory Reports Overview
■ SCORE NAME SCORE
■ 4.6 <imageId-1> ══════════
■ 0.0 <imageId-2> ══════════
Google Cloud also offers project-level discovery extensions through the gcp gcr provider:
cnspec scan gcp gcr <projectID>
Learn more
- Secure Google Cloud with cnspec: scan Google Cloud projects
- Secure Docker Images with cnspec: scan a specific image from any registry
- Write Effective MQL: guide to authoring checks and queries
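The following script is an added example and is not part of the cnspec documentation or the cnspec project. It wraps the gcloud and cnspec steps from the Prerequisites and Scan Container Registry sections above into one run over several repositories (building either a legacy gcr.io reference or an Artifact Registry reference), and parses the Advisory Reports Overview table shown above so a CI job can fail when a score exceeds a threshold. It assumes gcloud and cnspec are installed and that you have already run gcloud auth login; DRY_RUN=1 prints the commands instead of executing them. The interpretation of the score as a CVSS-style number from 0.0 to 10.0 where higher is worse is an assumption, not something the page states, and the function names (registry_ref, scan_repos, max_score, gate) are this example's own.

```shell
#!/bin/sh
# Added example, not part of the cnspec documentation. Assumes gcloud and cnspec
# are installed and `gcloud auth login` has already been run interactively.
# DRY_RUN=1 prints each command instead of running it.

# Build the reference cnspec expects. Legacy GCR: gcr.io/<project>/<repo>.
# Artifact Registry: <region>-docker.pkg.dev/<project>/<repo> (pass a region).
registry_ref() {
  project="$1"; repo="$2"; region="${3:-}"
  # Reject anything that is not a plausible project ID (lowercase letters,
  # digits, hyphens, starting with a letter) before it reaches a shell command.
  case "$project" in
    ""|*[!a-z0-9-]*|[!a-z]*)
      echo "invalid project id: '$project'" >&2; return 1 ;;
  esac
  case "$repo" in
    ""|*[!a-z0-9._/-]*)
      echo "invalid repository name: '$repo'" >&2; return 1 ;;
  esac
  if [ -n "$region" ]; then
    printf '%s-docker.pkg.dev/%s/%s\n' "$region" "$project" "$repo"
  else
    printf 'gcr.io/%s/%s\n' "$project" "$repo"
  fi
}

# Run a command, or just echo it when DRY_RUN=1 (useful for reviewing a pipeline).
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# scan_repos <project> <region-or-empty> <repo>...: one cnspec scan per repository.
scan_repos() {
  [ "$#" -ge 3 ] || { echo "usage: scan_repos <project> <region|''> <repo>..." >&2; return 1; }
  project="$1"; region="$2"; shift 2
  run gcloud config set project "$project"
  run gcloud auth configure-docker
  for repo in "$@"; do
    ref=$(registry_ref "$project" "$repo" "$region") || return 1
    run cnspec scan container registry "$ref"
  done
}

# Read saved cnspec output on stdin and print the highest score in the
# "Advisory Reports Overview" table. Assumption (not stated on the page): the
# score is CVSS-style, 0.0 to 10.0, higher meaning worse, so 0.0 is a clean image.
max_score() {
  awk '
    /SCORE NAME SCORE/ { in_table = 1; next }
    in_table && $2 ~ /^[0-9]+\.[0-9]+$/ { if ($2 + 0 > max) max = $2 + 0 }
    END { printf "%.1f\n", max + 0 }
  '
}

# gate <threshold>: succeed only when the worst score is below the threshold,
# so a CI job can fail the build on severe advisories.
gate() {
  score=$(max_score)
  awk -v s="$score" -v t="$1" 'BEGIN { exit !(s + 0 < t + 0) }'
}

# Constructed sample in the shape of the overview shown above (not a real scan).
SAMPLE_REPORT='Advisory Reports Overview
■ SCORE NAME SCORE
■ 4.6 <imageId-1> ══════════
■ 0.0 <imageId-2> ══════════'

# Usage: DRY_RUN=1 sh scan-gcr.sh my-project '' app api
#        cnspec scan container registry gcr.io/my-project/app | tee report.txt
#        gate 7.0 < report.txt || echo "build blocked"
if [ "$#" -ge 3 ]; then
  scan_repos "$@"
fi
```

Run the script with DRY_RUN=1 first to review the exact commands it will issue for a project; pass an empty second argument for legacy gcr.io repositories or a region such as us-central1 to target Artifact Registry. Only the project and repository names are interpolated, and both are validated against a strict character set so a stray value from an environment variable cannot alter the command line.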