K8s image vulnerability scanning remediation

Using Console

Using CLI

To remediate the misconfiguration of not having image vulnerability scanning enabled in GCP using GCP CLI, you can follow the below steps:

Open the Cloud Shell in your GCP console.
Run the following command to enable the Container Analysis API:

gcloud services enable containeranalysis.googleapis.com

Run the following command to create a new vulnerability scan for a specific image:

gcloud container images describe [IMAGE_NAME] --format='get(vulnerabilityReport)'

Note: Replace [IMAGE_NAME] with the name of the image you want to scan.

Run the following command to get a list of images that have vulnerability scanning enabled:

gcloud container images list --filter='vulnerabilityReport != null'

This will return a list of all the images that have vulnerability scanning enabled.

Run the following command to enable vulnerability scanning for all images in a specific project:

gcloud projects set-iam-policy [PROJECT_ID] \
--member=serviceAccount:service-[PROJECT_NUMBER]@container-analysis.iam.gserviceaccount.com \
--role=roles/containeranalysis.occurrenceViewer

Note: Replace [PROJECT_ID] with the ID of the project you want to enable vulnerability scanning for, and [PROJECT_NUMBER] with the number of the project.

Finally, run the following command to verify that vulnerability scanning is enabled for all images in the project:

gcloud container images list --project=[PROJECT_ID] --filter='vulnerabilityReport != null'

This will return a list of all the images in the project that have vulnerability scanning enabled.By following these steps, you can remediate the misconfiguration of not having image vulnerability scanning enabled in GCP using GCP CLI.

Using Python

To remediate the misconfiguration “Ensure Image Vulnerability Scanning Is Performed” in GCP, you can follow the below steps using Python:

Install the Google Cloud Client Library for Python using the below command:

pip install google-cloud-storage

Create a new project in GCP and enable the Container Analysis API.
Create a service account and download the JSON key.
Set the environment variable for the service account key:

export GOOGLE_APPLICATION_CREDENTIALS="[PATH]"

Use the below Python code to enable the Container Analysis API for all images in the project:

from google.cloud import containeranalysis_v1
from google.cloud.containeranalysis_v1.proto import grafeas_pb2
from google.protobuf import json_format

client = containeranalysis_v1.ContainerAnalysisClient()

project_id = 'YOUR_PROJECT_ID'

parent = client.project_path(project_id)

for image in client.list_note_occurrences(parent):
    note_name = image.note_name
    occ_name = image.name
    occ = client.get_occurrence(occ_name)
    if not occ.vulnerability:
        continue
    vulnerability = occ.vulnerability
    if vulnerability.effective_severity == grafeas_pb2.Severity.SEVERITY_UNSPECIFIED:
        continue
    print(f'Image {note_name} has vulnerability {vulnerability.effective_severity.name}')

This code will list all the images with vulnerabilities in the specified project.
You can use the above code as a starting point to build your own tool to scan images for vulnerabilities and ensure that image vulnerability scanning is performed.
You can also set up a continuous integration and delivery (CI/CD) pipeline to automatically scan images for vulnerabilities before deploying them to production.

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

K8s image vulnerability scanning remediation

Triage and Remediation

Remediation

GCP Introduction

GCP Pricing

GCP Threats

GCP Misconfigurations

Resources

GCP Threats

​Triage and Remediation

​Remediation

Triage and Remediation

Remediation