Google today announced an important update to its Cloud Build CI/CD platform that brings vulnerability scanning to all container images built using the service. Container Registry vulnerability scanning, which is now in beta, is meant to ensure that as businesses adopt modern DevOps practices, the containers they eventually deploy are free of known vulnerabilities.
As Google rightly notes, the only way to ensure that security checks are always applied is to automate them. In this case, every new image is scanned automatically as soon as Cloud Build creates it and stores it in the Container Registry, so no image reaches the registry without a scan.
The service uses the standard security databases to find new issues. Currently, the service can identify package vulnerabilities for Ubuntu, Debian, and Alpine, with CentOS and RHEL support coming soon.
When it finds an issue, the service notifies the user, but businesses can also set up automatic rules (using Pub/Sub notifications and Cloud Functions) to take action without a human in the loop. Users also get detailed reports on each finding: its severity, its CVSS score, which packages are affected and whether a fix is already available.
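To make the Pub/Sub plus Cloud Functions workflow concrete, here is an added example of a deployment gate written in the style of a Python Cloud Function. It is not Google's code and not part of the original article. It assumes the Cloud Functions background-function signature `(event, context)` with the Pub/Sub payload base64-encoded in `event["data"]`, and that the notification and occurrence records are shaped like Container Analysis vulnerability occurrences (`kind`, `noteName`, `vulnerability.severity`, `vulnerability.cvssScore`, `vulnerability.fixAvailable`, `vulnerability.packageIssue[]`); check those field names against the current API before relying on them. The occurrence data, the vulnerability note names and the severity thresholds are all constructed for the example; a real function would fetch the occurrences for the image with the Container Analysis client library instead of using the embedded sample.

```python
"""Policy gate for Container Registry vulnerability scan notifications.

Added example, not Google's code. The occurrence records below are constructed
sample data shaped after the Container Analysis vulnerability occurrence
(field names are an assumption); a real deployment would fetch them from the
Container Analysis API for the image named in the notification.
"""
import base64
import json

# Assumed policy (not from the original article): fixable HIGH/CRITICAL
# findings block deployment; unfixable ones are surfaced for an exception.
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed sample occurrences for one image. Note names are placeholders,
# not real vulnerability identifiers.
SAMPLE_OCCURRENCES = [
    {   # fix exists -> should block until the package is upgraded
        "name": "projects/example/occurrences/0001",
        "resourceUri": "https://gcr.io/example/app@sha256:aaaa",
        "noteName": "projects/example/notes/EXAMPLE-VULN-1",
        "kind": "VULNERABILITY",
        "vulnerability": {"severity": "HIGH", "cvssScore": 7.5, "fixAvailable": True,
                          "packageIssue": [{"affectedPackage": "openssl",
                                            "affectedVersion": {"name": "1.1.0f"},
                                            "fixedVersion": {"name": "1.1.0g"}}]},
    },
    {   # no fix yet -> cannot be patched, needs a documented exception
        "name": "projects/example/occurrences/0002",
        "resourceUri": "https://gcr.io/example/app@sha256:aaaa",
        "noteName": "projects/example/notes/EXAMPLE-VULN-2",
        "kind": "VULNERABILITY",
        "vulnerability": {"severity": "CRITICAL", "cvssScore": 9.8, "fixAvailable": False,
                          "packageIssue": [{"affectedPackage": "libexample",
                                            "affectedVersion": {"name": "2.0"}}]},
    },
    {   # low severity -> informational only
        "name": "projects/example/occurrences/0003",
        "resourceUri": "https://gcr.io/example/app@sha256:aaaa",
        "noteName": "projects/example/notes/EXAMPLE-VULN-3",
        "kind": "VULNERABILITY",
        "vulnerability": {"severity": "LOW", "cvssScore": 2.1, "fixAvailable": True,
                          "packageIssue": [{"affectedPackage": "tar",
                                            "affectedVersion": {"name": "1.29"},
                                            "fixedVersion": {"name": "1.30"}}]},
    },
    {   # a non-vulnerability occurrence (e.g. build provenance) is ignored
        "name": "projects/example/occurrences/0004",
        "resourceUri": "https://gcr.io/example/app@sha256:aaaa",
        "noteName": "projects/example/notes/BUILD",
        "kind": "BUILD",
    },
]


def summarize(occ):
    """Flatten one vulnerability occurrence into the fields a responder needs."""
    vuln = occ["vulnerability"]
    return {
        "note": occ["noteName"],
        "severity": vuln.get("severity", "SEVERITY_UNSPECIFIED"),
        "cvss": float(vuln.get("cvssScore", 0.0)),
        "fix_available": bool(vuln.get("fixAvailable", False)),
        "packages": [p.get("affectedPackage") for p in vuln.get("packageIssue", [])],
    }


def evaluate_image(occurrences):
    """Decide whether an image may be deployed given all of its occurrences."""
    blocking, needs_exception, informational = [], [], []
    for occ in occurrences:
        if occ.get("kind") != "VULNERABILITY":
            continue
        finding = summarize(occ)
        if finding["severity"] not in BLOCKING_SEVERITIES:
            informational.append(finding)
        elif finding["fix_available"]:
            blocking.append(finding)       # actionable: rebuild with the fixed package
        else:
            needs_exception.append(finding)  # not actionable: record a risk decision
    return {"allow": not blocking, "blocking": blocking,
            "needs_exception": needs_exception, "informational": informational}


def make_event(payload):
    """Build a Pub/Sub-style Cloud Functions event carrying a JSON payload."""
    return {"data": base64.b64encode(json.dumps(payload).encode("utf-8")).decode("ascii")}


def handle_notification(event, context=None, fetch=lambda name: SAMPLE_OCCURRENCES):
    """Cloud Functions entry point (assumed background-function signature).

    `fetch` stands in for looking up every occurrence on the image named in the
    notification; by default it returns the constructed sample above.
    """
    note = json.loads(base64.b64decode(event["data"]).decode("utf-8"))
    if note.get("kind") != "VULNERABILITY":
        return {"allow": True, "blocking": [], "needs_exception": [], "informational": []}
    return evaluate_image(fetch(note["name"]))


if __name__ == "__main__":
    ev = make_event({"name": "projects/example/occurrences/0001", "kind": "VULNERABILITY"})
    print(json.dumps(handle_notification(ev), indent=2))
```

The split between `blocking` and `needs_exception` is the point of the design: a gate that blocks on every HIGH finding regardless of whether a fix exists trains teams to bypass it, whereas separating "rebuild with the patched package" from "no fix exists, record a risk decision" keeps the automatic action proportionate to what the responder can actually do.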