Google Cloud helps build Container Security in CICD pipeline

Google Cloud has announced the beta release of Container Registry Vulnerability Scanning.

This will help users of Google Cloud Build to automatically detect known security vulnerabilities as a part of their CICD (Continuous Improvement and Continuous Delivery/Deployment) process, giving them the opportunity to take appropriate actions using Pub/Sub notifications and Cloud Functions.

As soon as Cloud Build creates an image and stores the image in Container Registry, developers can identify security threats with the help of a simple API call, the gcloud command line, or the Cloud Console UI.  Ubuntu, Debian, and Alpine OS package vulnerabilities can be identified as of now and CentOS and Red Hat Enterprise Linux (RHEL) support to follow. Container Registry vulnerability scanning provides detailed insights such as severity, CVSS score, packages, and whether a fix is available, as per the Google Cloud blog post.

Vulnerability scanning continuously monitors security databases. The security database consists of all supported OS distributions for new or updated vulnerabilities. This ensures vulnerability scans and results reflect the most up-to-date information.

Container images built using Code build can be scanned for OS package vulnerabilities when pushed to container registry. To activate vulnerability scanning, Container Analysis API needs to be enabled.
Vulnerability scanning is also integrated with Binary Authorization, a deploy-time security control that ensures only trusted container images are deployed on Kubernetes Engine without any manual intervention.

The announcement also lists ThoughtWorks as one of the early adopters of Container Registry vulnerability scanning. ThoughtWorks is integrating vulnerability scanning into all of their app project pipelines. This will help them prevent vulnerable components from making it into production. It will also help development teams to receive automated vulnerability scanning report.