{"id":589,"date":"2026-04-14T15:48:06","date_gmt":"2026-04-14T15:48:06","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/google-cloud-artifact-analysis-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-application-development\/"},"modified":"2026-04-14T15:48:06","modified_gmt":"2026-04-14T15:48:06","slug":"google-cloud-artifact-analysis-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-application-development","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/google-cloud-artifact-analysis-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-application-development\/","title":{"rendered":"Google Cloud Artifact Analysis Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Application development"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Application development<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p>Artifact Analysis is a Google Cloud service for analyzing software artifacts\u2014most commonly container images\u2014to produce and store security and supply-chain metadata such as vulnerability findings. It is commonly used alongside Artifact Registry in modern DevSecOps pipelines.<\/p>\n\n\n\n<p>In simple terms: you push an image to Google Cloud, and Artifact Analysis helps you understand \u201cwhat\u2019s inside\u201d that image (for example, known vulnerabilities) so you can decide whether to deploy it.<\/p>\n\n\n\n<p>Technically, Artifact Analysis relies on Google\u2019s analysis backends and metadata storage APIs (notably the Container Analysis API and, for some workflows, the On-Demand Scanning API). 
The results are represented as structured metadata (for example, vulnerability occurrences) that can be queried, viewed in the console, and integrated into policy enforcement tools such as Binary Authorization.<\/p>\n\n\n\n<p>It solves a common application development problem: teams ship artifacts quickly, but security teams need reliable, automatable visibility into risks (CVEs, severity, fix availability) and a scalable way to integrate \u201cscan + decide + enforce\u201d into CI\/CD.<\/p>\n\n\n\n<blockquote>\n<p>Naming note (important): You will still see related terms such as <strong>Container Analysis API<\/strong>, <strong>container scanning<\/strong>, and <strong>Grafeas<\/strong> in Google Cloud documentation and tooling. Artifact Analysis is the product\/service name used for artifact scanning and metadata capabilities; Container Analysis API is a core API used to store\/query analysis metadata. If anything in your environment appears under older labels, verify the current recommended workflow in the official docs.<\/p>\n<\/blockquote>\n\n\n\n<h2 class=\"wp-block-heading\">2. 
What is Artifact Analysis?<\/h2>\n\n\n\n<p><strong>Official purpose (what it\u2019s for):<\/strong><br\/>\nArtifact Analysis provides automated analysis of artifacts (especially container images) and stores the resulting metadata\u2014most notably vulnerability findings\u2014so teams can assess risk before deployment and continuously monitor what\u2019s running.<\/p>\n\n\n\n<p><strong>Core capabilities (high level):<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Vulnerability discovery for supported artifact types (commonly container images stored in Artifact Registry).<\/li>\n<li>Centralized metadata storage and query (via APIs such as Container Analysis).<\/li>\n<li>Integration paths for security policy and admission control (for example, Binary Authorization).<\/li>\n<li>Visibility in the Google Cloud Console and (depending on workflow) through CLI\/API access.<\/li>\n<\/ul>\n\n\n\n<p><strong>Major components you should know:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Artifact Registry<\/strong>: Where artifacts (Docker images, language packages, etc.) are stored. Artifact Analysis is commonly used with Artifact Registry-hosted images.<\/li>\n<li><strong>Artifact Analysis features\/workflows<\/strong>: Vulnerability analysis and metadata generation for artifacts.<\/li>\n<li><strong>Container Analysis API<\/strong>: API for storing and retrieving metadata such as occurrences and notes (the data model aligns with the Grafeas approach).<\/li>\n<li><strong>On-Demand Scanning API<\/strong> (when used): API for requesting scans on demand rather than relying only on automatic scanning flows. Availability and exact behavior can vary\u2014verify in official docs for your artifact type and region.<\/li>\n<\/ul>\n\n\n\n<p><strong>Service type:<\/strong><br\/>\nA managed analysis + metadata service. 
You do not manage scanners or databases directly; you manage configuration, IAM, and integrations.<\/p>\n\n\n\n<p><strong>Scope (how it\u2019s organized):<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Project-scoped configuration and billing<\/strong>: You typically enable relevant APIs per Google Cloud project.<\/li>\n<li><strong>Artifact location matters<\/strong>: Artifacts live in Artifact Registry repositories that are <strong>regional or multi-regional<\/strong> resources. Analysis is tied to those artifacts and your project.<\/li>\n<li><strong>Metadata is queried per project<\/strong>: Vulnerability occurrences and related metadata are accessed in the context of your project and permissions.<\/li>\n<\/ul>\n\n\n\n<p><strong>How it fits into the Google Cloud ecosystem:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In <strong>Application development<\/strong>, Artifact Analysis is a key DevSecOps building block: it connects build systems (Cloud Build, GitHub Actions, Jenkins), artifact storage (Artifact Registry), runtime platforms (GKE, Cloud Run), and policy controls (Binary Authorization).<\/li>\n<li>In <strong>security operations<\/strong>, it can feed risk visibility into dashboards and workflows (for example, via Security Command Center integrations\u2014availability depends on your edition and configuration; verify in official docs).<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
Why use Artifact Analysis?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduce breach risk and incident cost<\/strong> by catching known vulnerabilities before production rollout.<\/li>\n<li><strong>Speed up releases without sacrificing governance<\/strong> by replacing manual review with consistent scan + policy checks.<\/li>\n<li><strong>Support audit readiness<\/strong> with a centralized, queryable trail of what was scanned and what was found.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Automated vulnerability findings<\/strong> tied directly to immutable artifact digests.<\/li>\n<li><strong>API-driven metadata<\/strong> for integrating into CI\/CD gating, custom dashboards, or ticketing.<\/li>\n<li><strong>Works naturally with Google Cloud artifact storage and runtimes<\/strong> (Artifact Registry, GKE, Cloud Run).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Centralized visibility<\/strong> into image risk across teams and repositories.<\/li>\n<li><strong>Repeatable workflows<\/strong>: scanning results and metadata can be accessed consistently over time.<\/li>\n<li><strong>Easier standardization<\/strong>: a platform team can define baseline policies and configurations.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Shift-left security<\/strong>: block or warn on vulnerable artifacts before deployment.<\/li>\n<li><strong>Evidence and traceability<\/strong>: store and query metadata associated with specific digests.<\/li>\n<li><strong>Separation of duties<\/strong>: developers can build; security teams can define thresholds and enforcement.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><strong>Managed scale<\/strong>: you do not manage scanning infrastructure.<\/li>\n<li><strong>Supports large fleets of images<\/strong> across repositories and environments.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose Artifact Analysis<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You store container images in <strong>Artifact Registry<\/strong> and want native vulnerability insight.<\/li>\n<li>You need an authoritative metadata store for image findings that CI\/CD and deployment policy can query.<\/li>\n<li>You plan to use (or may later adopt) <strong>Binary Authorization<\/strong> for admission control.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You need a scanner with highly customized rules, offline databases, or air-gapped operation that a managed service cannot meet.<\/li>\n<li>Your artifacts live outside supported repositories\/flows and you cannot (or will not) mirror them into Artifact Registry (or use supported APIs).<\/li>\n<li>You require vulnerability results for artifact types not supported by your specific Google Cloud configuration. In that case, consider third-party scanners or self-managed tooling and integrate results into your SDLC in another way.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Where is Artifact Analysis used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SaaS and technology companies shipping frequent releases.<\/li>\n<li>Finance, healthcare, and public sector organizations with compliance and audit pressure.<\/li>\n<li>Retail and media companies operating high-scale web\/mobile backends.<\/li>\n<li>Industrial and IoT companies packaging services into containers for edge or hybrid deployments.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Platform engineering teams standardizing CI\/CD and artifact governance.<\/li>\n<li>DevOps\/SRE teams responsible for reliable delivery and production safety.<\/li>\n<li>Security engineering and AppSec teams building vulnerability management programs.<\/li>\n<li>Development teams that want fast feedback in pull requests and pipelines.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads and architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Microservices on <strong>GKE<\/strong> with GitOps deployments.<\/li>\n<li>Cloud Run services built from container images.<\/li>\n<li>Hybrid pipelines where images are built in multiple CI systems but centralized in Artifact Registry.<\/li>\n<li>Multi-tenant platform projects where each team has its own repository but the org uses shared security policy.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Production<\/strong>: enforce policies for critical services, continuously monitor vulnerabilities, and drive patching.<\/li>\n<li><strong>Dev\/test<\/strong>: detect issues early, validate base images, and reduce noise before production enforcement.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">5. 
Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic scenarios where Artifact Analysis is commonly applied.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) CI pipeline vulnerability gate for container images<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Builds succeed even if the resulting image has critical CVEs.<\/li>\n<li><strong>Why Artifact Analysis fits:<\/strong> Provides vulnerability findings tied to the pushed image digest.<\/li>\n<li><strong>Example:<\/strong> A Cloud Build pipeline pushes an image to Artifact Registry, then a step queries vulnerability findings and fails the build if severity \u2265 HIGH.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Base image governance (\u201cgolden images\u201d)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Teams use inconsistent base images, increasing exposure and patching effort.<\/li>\n<li><strong>Why it fits:<\/strong> Quickly highlights which base images accumulate vulnerabilities and how fast they are patched.<\/li>\n<li><strong>Example:<\/strong> Platform team maintains a hardened base image line; Artifact Analysis verifies the vulnerability posture before publishing new tags.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Pre-deploy admission control with Binary Authorization<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Even if CI checks exist, a vulnerable image can still be deployed manually.<\/li>\n<li><strong>Why it fits:<\/strong> Metadata can be used as an input to enforcement workflows (often via attestation processes).<\/li>\n<li><strong>Example:<\/strong> Only images that pass vulnerability thresholds and have an attestation can be deployed to production GKE clusters.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Vulnerability inventory reporting across repositories<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Security teams need \u201cwhat are our top 
vulnerable images and where do they run?\u201d<\/li>\n<li><strong>Why it fits:<\/strong> Central metadata store makes it feasible to report across multiple repos\/projects.<\/li>\n<li><strong>Example:<\/strong> Weekly report lists images with CRITICAL findings and \u201cfix available\u201d status for remediation.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Rapid response to newly disclosed CVEs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> When a high-profile CVE is announced, teams must find affected images quickly.<\/li>\n<li><strong>Why it fits:<\/strong> Enables querying vulnerability occurrences by CVE and affected packages (capabilities depend on artifact type and metadata available\u2014verify in docs).<\/li>\n<li><strong>Example:<\/strong> Security team searches for a CVE across image metadata and notifies owning teams.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Environment promotion with policy checks (dev \u2192 staging \u2192 prod)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> An image promoted through environments might age and become vulnerable.<\/li>\n<li><strong>Why it fits:<\/strong> Vulnerability status can be re-checked at promotion time.<\/li>\n<li><strong>Example:<\/strong> A Cloud Deploy pipeline blocks promotion to prod if new CRITICAL findings appear since staging.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Third-party dependency risk management for containers<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Containers inherit many OS packages and libraries; unmanaged drift increases risk.<\/li>\n<li><strong>Why it fits:<\/strong> Surfaces vulnerabilities from underlying layers so teams can choose safer dependencies.<\/li>\n<li><strong>Example:<\/strong> A team switches from an older Debian base to a slimmer, updated base after repeated findings.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) \u201cFix available\u201d 
prioritization for patching<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Not all vulnerabilities are equally actionable.<\/li>\n<li><strong>Why it fits:<\/strong> Vulnerability metadata often indicates whether a fix is available and where.<\/li>\n<li><strong>Example:<\/strong> A backlog is generated for images with HIGH\/CRITICAL findings where a fix exists.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Audit evidence for secure SDLC<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Auditors require evidence that images are scanned and reviewed.<\/li>\n<li><strong>Why it fits:<\/strong> Provides a consistent scan trail and queryable metadata.<\/li>\n<li><strong>Example:<\/strong> Exported evidence includes vulnerability findings at release time for the production image digest.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Multi-project platform governance<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Central security wants consistent controls across many app projects.<\/li>\n<li><strong>Why it fits:<\/strong> Standardized metadata and APIs; IAM can be delegated per project\/repository.<\/li>\n<li><strong>Example:<\/strong> Security team has viewer access to all projects\u2019 analysis findings; app teams have admin rights only in their project.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) Container registry modernization (Container Registry \u2192 Artifact Registry)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Teams migrating registries need a clear scanning story.<\/li>\n<li><strong>Why it fits:<\/strong> Artifact Analysis is commonly used with Artifact Registry scanning workflows.<\/li>\n<li><strong>Example:<\/strong> During migration, vulnerability results are compared between old and new storage locations.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) Supply chain security program foundation 
(metadata-first)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem:<\/strong> Supply chain controls require trustworthy artifact metadata.<\/li>\n<li><strong>Why it fits:<\/strong> Artifact Analysis provides a structured metadata layer that can be combined with provenance\/attestations (often alongside other services).<\/li>\n<li><strong>Example:<\/strong> A team pairs Artifact Analysis with build provenance generation and admission control to reduce risk.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<blockquote>\n<p>Feature availability can vary by artifact type, repository configuration, region, and enabled APIs. Always verify the exact capabilities for your environment in the official docs.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">1) Vulnerability analysis for container images in Artifact Registry<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Identifies known vulnerabilities in components of a container image and records findings.<\/li>\n<li><strong>Why it matters:<\/strong> Containers can inherit vulnerabilities from base images and installed packages.<\/li>\n<li><strong>Practical benefit:<\/strong> Developers get actionable findings (severity, affected package, fix availability when known).<\/li>\n<li><strong>Limitations\/caveats:<\/strong> Results are only as good as the scanner\u2019s visibility and supported ecosystems. 
Some vulnerabilities may not be detectable in certain images (for example, minimal\/distroless images) or may require specific metadata.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) Centralized metadata model (occurrences\/notes) via Container Analysis API<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Stores analysis results as structured metadata.<\/li>\n<li><strong>Why it matters:<\/strong> Enables automation: CI gating, reporting, integrations.<\/li>\n<li><strong>Practical benefit:<\/strong> Query findings programmatically instead of scraping UIs.<\/li>\n<li><strong>Limitations\/caveats:<\/strong> Requires IAM and API enablement; you must understand resource URLs and digest-based identity.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Artifact-to-digest immutability alignment<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Ties analysis to immutable image digests rather than mutable tags.<\/li>\n<li><strong>Why it matters:<\/strong> Tags can move; digests are stable.<\/li>\n<li><strong>Practical benefit:<\/strong> Policies can enforce \u201cdeploy exactly what was scanned.\u201d<\/li>\n<li><strong>Limitations\/caveats:<\/strong> Your deployment tooling must use digests for strong guarantees.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Integration with Artifact Registry UI for visibility<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Shows vulnerability summaries and details in the Google Cloud Console for supported artifacts.<\/li>\n<li><strong>Why it matters:<\/strong> Low friction for developers and operators.<\/li>\n<li><strong>Practical benefit:<\/strong> Quick triage and decision-making without building custom dashboards.<\/li>\n<li><strong>Limitations\/caveats:<\/strong> UI availability and detail levels may differ by artifact type and configuration.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) On-demand scanning workflows 
(where supported)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Allows explicit scan requests for an artifact.<\/li>\n<li><strong>Why it matters:<\/strong> Useful for rescanning after base image updates or urgent CVE response.<\/li>\n<li><strong>Practical benefit:<\/strong> Reduces time-to-signal when you need results immediately.<\/li>\n<li><strong>Limitations\/caveats:<\/strong> Requires the correct API and permissions; pricing and quotas may apply. Verify the supported method for your artifact.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Policy enablement (commonly via Binary Authorization patterns)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Makes it possible to build enforceable checks based on vulnerability metadata (often by generating attestations after passing checks).<\/li>\n<li><strong>Why it matters:<\/strong> \u201cScan\u201d without \u201cenforce\u201d is often insufficient.<\/li>\n<li><strong>Practical benefit:<\/strong> Prevents vulnerable images from reaching production.<\/li>\n<li><strong>Limitations\/caveats:<\/strong> Binary Authorization enforcement focuses on attestations; you typically implement the logic that decides whether to attest based on Artifact Analysis results.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Extensibility via Grafeas-compatible concepts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does:<\/strong> Aligns with the Grafeas metadata model (notes\/occurrences) for artifact metadata.<\/li>\n<li><strong>Why it matters:<\/strong> Helps standardize how metadata is represented.<\/li>\n<li><strong>Practical benefit:<\/strong> Easier to reason about \u201cwhat metadata exists and how to query it.\u201d<\/li>\n<li><strong>Limitations\/caveats:<\/strong> Not all ecosystems produce the same metadata richness; some custom metadata may require additional systems.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">7. 
Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level architecture<\/h3>\n\n\n\n<p>Artifact Analysis typically sits in the middle of a CI\/CD flow:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>A build system produces an artifact (often a Docker image).<\/li>\n<li>The artifact is pushed to Artifact Registry.<\/li>\n<li>Artifact Analysis performs analysis and stores results as metadata.<\/li>\n<li>Developers\/security tools view results in Console or query via APIs\/CLI.<\/li>\n<li>Deployment systems may enforce policy (directly or indirectly) before allowing rollout.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Request\/data\/control flow<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Data flow:<\/strong> Image layers \u2192 stored in Artifact Registry \u2192 scanner reads metadata\/layers (implementation managed by Google) \u2192 findings stored as vulnerability occurrences.<\/li>\n<li><strong>Control flow:<\/strong> IAM controls who can push\/pull images and who can view analysis results. 
CI systems query results and decide pass\/fail.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related services<\/h3>\n\n\n\n<p>Common integrations include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Artifact Registry<\/strong> (primary artifact store).<\/li>\n<li><strong>Cloud Build<\/strong> (build + push + query results).<\/li>\n<li><strong>GKE \/ Cloud Run<\/strong> (deploy images).<\/li>\n<li><strong>Binary Authorization<\/strong> (policy enforcement with attestations).<\/li>\n<li><strong>Cloud Logging \/ Cloud Audit Logs<\/strong> (who changed what; who accessed what).<\/li>\n<li><strong>Security Command Center<\/strong> (organization-wide security posture; verify integration specifics for your edition).<\/li>\n<li><strong>Pub\/Sub \/ BigQuery<\/strong> (possible downstream reporting patterns; verify official guidance for exporting vulnerability findings).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Artifact Registry API<\/li>\n<li>Container Analysis API (metadata store)<\/li>\n<li>On-Demand Scanning API (when used)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>IAM<\/strong> governs:\n<ul>\n<li>Who can push\/pull artifacts in Artifact Registry.<\/li>\n<li>Who can view vulnerability results and other metadata.<\/li>\n<li>Who can request on-demand scans (if applicable).<\/li>\n<\/ul>\n<\/li>\n<li>Prefer <strong>least privilege<\/strong> and <strong>service accounts<\/strong> for CI.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Artifact push\/pull uses standard registry endpoints (regional hostnames like <code>REGION-docker.pkg.dev<\/code>).<\/li>\n<li>CI systems must reach Artifact Registry and relevant APIs over the network. 
In restricted environments, consider Private Google Access \/ VPC Service Controls (verify compatibility and your org policies).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>Cloud Audit Logs<\/strong> to track administrative and data access actions for Artifact Registry and relevant APIs.<\/li>\n<li>Use <strong>Cloud Logging<\/strong> for CI\/CD logs and deployment logs that reference image digests.<\/li>\n<li>Governance patterns:\n<ul>\n<li>Standard repository naming, labels, and project separation (dev\/stage\/prod).<\/li>\n<li>Organization Policy constraints and VPC Service Controls where required.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  Dev[\"Developer \/ CI\"] --&gt;|docker push| AR[\"Artifact Registry\"]\n  AR --&gt; AA[\"Artifact Analysis\"]\n  AA --&gt; CA[\"Container Analysis API\\n(occurrences\/notes)\"]\n  Dev --&gt;|query findings| CA\n  Dev --&gt;|view| Console[\"Google Cloud Console\"]\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  subgraph CI_CD[\"CI\/CD (Cloud Build \/ GitHub Actions \/ Jenkins)\"]\n    Build[\"Build Container Image\"]\n    Test[\"Run Unit\/Integration Tests\"]\n    Push[\"Push to Artifact Registry\"]\n    Gate[\"Policy Gate:\\nquery vulnerability metadata\"]\n    Attest[\"Create Attestation\\n(if policy passes)\"]\n  end\n\n  subgraph GCP[\"Google Cloud\"]\n    AR[\"Artifact Registry\\n(Docker repo)\"]\n    AA[\"Artifact Analysis\\n(Vulnerability analysis)\"]\n    CA[\"Container Analysis API\\nMetadata store\"]\n    BA[\"Binary Authorization\\n(Admission control)\"]\n    GKE[\"GKE \/ Cloud Run\\nRuntime\"]\n    Logs[\"Cloud Logging &amp; Audit Logs\"]\n    SCC[\"Security Command Center\\n(optional)\"]\n  end\n\n  Build --&gt; Test --&gt; Push --&gt; AR\n  AR --&gt; AA 
--&gt; CA\n  Gate --&gt;|read findings| CA\n  Gate --&gt; Attest --&gt; BA\n  BA --&gt;|allow\/deny| GKE\n  CI_CD --&gt; Logs\n  AR --&gt; Logs\n  CA --&gt; Logs\n  SCC &lt;--&gt;|findings\/visibility\\nverify setup| CA\n<\/code><\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Google Cloud account and project<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A Google Cloud account with a project where you can enable APIs and create Artifact Registry repositories.<\/li>\n<li><strong>Billing enabled<\/strong> on the project.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM roles (typical)<\/h3>\n\n\n\n<p>You may need combinations of:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Artifact Registry:\n<ul>\n<li><code>roles\/artifactregistry.admin<\/code> (lab admin), or<\/li>\n<li><code>roles\/artifactregistry.writer<\/code> + <code>roles\/artifactregistry.reader<\/code><\/li>\n<\/ul>\n<\/li>\n<li>Artifact Analysis \/ metadata viewing (commonly through Container Analysis permissions):\n<ul>\n<li>Viewer roles for occurrences\/notes (role names can vary; verify current roles in IAM documentation for Container Analysis \/ Artifact Analysis).<\/li>\n<\/ul>\n<\/li>\n<li>Service usage:\n<ul>\n<li><code>roles\/serviceusage.serviceUsageAdmin<\/code> (to enable APIs), or have an admin enable APIs for you.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>Tip: In production, split duties: the CI service account can push images and read vulnerability metadata; only security\/platform admins can change scanning settings or repository IAM.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Tools<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>gcloud CLI<\/strong> (Google Cloud SDK) installed and authenticated<br\/>\n  Docs: https:\/\/cloud.google.com\/sdk\/docs\/install<\/li>\n<li><strong>Docker<\/strong> (or compatible tooling) to pull\/tag\/push images.<\/li>\n<li>Optional: <code>jq<\/code> for parsing JSON output in CLI scripts.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">APIs 
to enable (commonly)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Artifact Registry API: <code>artifactregistry.googleapis.com<\/code><\/li>\n<li>Container Analysis API: <code>containeranalysis.googleapis.com<\/code><\/li>\n<li>On-Demand Scanning API (if you use on-demand workflows): verify the correct API name in the API Library (commonly <code>ondemandscanning.googleapis.com<\/code>).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Artifact Registry repositories are regional or multi-regional. Choose a region close to your workloads to reduce latency and egress.<\/li>\n<li>Artifact Analysis capability is tied to supported Artifact Registry locations and artifact formats. <strong>Verify support for your region and artifact type in official docs<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Artifact Registry has quotas for storage, requests, and repositories.<\/li>\n<li>Scanning\/analysis may have rate limits or quotas (especially for on-demand scanning). <strong>Verify quotas in official docs<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Artifact Registry repository configured for Docker images (for this tutorial).<\/li>\n<li>(Optional) A runtime such as GKE or Cloud Run if you want to extend the lab into deployment enforcement.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<p>Artifact Analysis cost is best understood as a combination of:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Artifact storage and access<\/strong> costs (Artifact Registry).<\/li>\n<li><strong>Analysis\/scanning<\/strong> costs (if billed separately for your workflow).<\/li>\n<li><strong>Downstream integration<\/strong> costs (logging, exports, CI\/CD, security dashboards).<\/li>\n<\/ol>\n\n\n\n<p>Because Google Cloud pricing can change by SKU, region, and time, use the official pricing pages and the Pricing Calculator for exact numbers.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Official pricing pages to use<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Artifact Registry pricing: https:\/\/cloud.google.com\/artifact-registry\/pricing<\/li>\n<li>Google Cloud Pricing Calculator: https:\/\/cloud.google.com\/products\/calculator<\/li>\n<li>Artifact Analysis \/ scanning documentation (for any pricing notes): https:\/\/cloud.google.com\/artifact-analysis\/docs (verify the current pricing references there)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Pricing dimensions (what you may pay for)<\/h3>\n\n\n\n<p><strong>Direct cost drivers (most common):<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Artifact Registry storage<\/strong> (GB-month) for images and layers.<\/li>\n<li><strong>Artifact Registry operations<\/strong> (API requests for pushes\/pulls\/listing; pricing varies by operation type and region).<\/li>\n<li><strong>Network egress<\/strong> when pulling images across regions or out of Google Cloud.<\/li>\n<\/ul>\n\n\n\n<p><strong>Possible additional cost drivers (verify in official docs for your setup):<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>On-demand scanning requests<\/strong> (if you trigger scans explicitly and if that workflow is billable).<\/li>\n<li><strong>Security Command Center<\/strong> edition and ingestion costs if you integrate findings at org scale.<\/li>\n<li><strong>Logging volume<\/strong> (Cloud Logging ingestion\/retention) if you export logs heavily.<\/li>\n<li><strong>CI\/CD compute time<\/strong> (Cloud Build minutes, or your external CI runner cost).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier (if applicable)<\/h3>\n\n\n\n<p>Artifact Registry has historically had free-tier elements in some contexts, but details vary by region and policy. 
<strong>Verify current free tier eligibility and quotas on the Artifact Registry pricing page<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Hidden or indirect costs to watch<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Pulling large images frequently (especially in multiple regions) can dominate costs.<\/li>\n<li>Keeping many old tags\/layers increases storage costs.<\/li>\n<li>Exporting findings\/logs to BigQuery can introduce query and storage costs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network\/data transfer implications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Push\/pull within the same region as compute can reduce egress.<\/li>\n<li>Multi-region teams may unintentionally pull images across regions (cost + latency). Standardize where images live.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Keep images small (multi-stage builds, minimal base images).<\/li>\n<li>Use digest-pinned deployments and controlled tag retention.<\/li>\n<li>Set retention\/cleanup policies (for example, delete unreferenced tags older than N days).<\/li>\n<li>Co-locate build and runtime with the repository region.<\/li>\n<li>Avoid rescanning unnecessarily if your workflow bills per scan (verify).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (how to calculate)<\/h3>\n\n\n\n<p>A realistic starter setup might be:\n&#8211; 1 regional Docker repository\n&#8211; 5\u201320 images\n&#8211; 1\u20135 GB total stored layers\n&#8211; A few hundred push\/pull operations per month (development\/testing)\n&#8211; Minimal exports<\/p>\n\n\n\n<p>Estimate by plugging into:\n&#8211; Storage GB-month (Artifact Registry)<br\/>\n&#8211; Operations count (push\/pull\/list)<br\/>\n&#8211; Egress (if any)<\/p>\n\n\n\n<p>Use the Pricing Calculator with:\n&#8211; Artifact Registry storage\/operations\n&#8211; Cloud Build (if used)\n&#8211; Cloud Logging (if 
exporting\/retaining heavily)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations (what changes at scale)<\/h3>\n\n\n\n<p>At production scale, cost drivers often shift to:\n&#8211; High pull volume (autoscaling workloads, many clusters\/regions)\n&#8211; Large fleets of images with long retention\n&#8211; Cross-region replication patterns (if you mirror images)\n&#8211; Organization-wide visibility tooling (SCC, BigQuery exports, SIEM ingestion)<\/p>\n\n\n\n<p>The key practice: treat artifact storage and distribution like any other production platform\u2014measure pull rates, image sizes, and retention.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<p>This lab walks you through storing a container image in Artifact Registry and using Artifact Analysis to view vulnerability findings. It is designed to be low-cost and safe.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create an Artifact Registry Docker repository.<\/li>\n<li>Push a container image into the repository.<\/li>\n<li>Confirm Artifact Analysis vulnerability results are generated and view\/query them.<\/li>\n<li>Clean up all created resources.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will:\n1. Configure your environment and enable required APIs.\n2. Create an Artifact Registry repository.\n3. Pull a public base image, re-tag it, and push it to your repository.\n4. View vulnerability findings in the Google Cloud Console.\n5. (Optional) Query vulnerability metadata via CLI (if supported in your installed gcloud version).\n6. 
Clean up.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Set variables and authenticate<\/h3>\n\n\n\n<p>1) Open a terminal and authenticate:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud auth login\ngcloud auth application-default login\n<\/code><\/pre>\n\n\n\n<p>2) Set your project and default region for the lab:<\/p>\n\n\n\n<pre><code class=\"language-bash\">export PROJECT_ID=\"YOUR_PROJECT_ID\"\nexport REGION=\"us-central1\"\nexport REPO=\"aa-lab-docker\"\nexport IMAGE_NAME=\"debian10\"\nexport IMAGE_TAG=\"lab1\"\n\ngcloud config set project \"${PROJECT_ID}\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong><br\/>\nYour gcloud context points to the correct Google Cloud project.<\/p>\n\n\n\n<p><strong>Verification:<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud config get-value project\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Enable required APIs<\/h3>\n\n\n\n<p>Enable the APIs commonly required for Artifact Registry + analysis:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud services enable artifactregistry.googleapis.com\ngcloud services enable containeranalysis.googleapis.com\n<\/code><\/pre>\n\n\n\n<p>If you plan to explore on-demand scanning later, search for and enable the appropriate API in your project. 
The API is often named similarly to <code>ondemandscanning.googleapis.com<\/code>, but <strong>verify in the API Library<\/strong> before enabling:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>API Library: https:\/\/console.cloud.google.com\/apis\/library<\/li>\n<\/ul>\n\n\n\n<p><strong>Expected outcome:<\/strong><br\/>\nAPIs are enabled without errors.<\/p>\n\n\n\n<p><strong>Verification:<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud services list --enabled --filter=\"name:artifactregistry OR name:containeranalysis\"\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Create an Artifact Registry Docker repository<\/h3>\n\n\n\n<p>Create a Docker-format repository in a single region:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud artifacts repositories create \"${REPO}\" \\\n  --repository-format=docker \\\n  --location=\"${REGION}\" \\\n  --description=\"Artifact Analysis lab Docker repository\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong><br\/>\nRepository is created.<\/p>\n\n\n\n<p><strong>Verification:<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud artifacts repositories list --location=\"${REGION}\"\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Configure Docker authentication for Artifact Registry<\/h3>\n\n\n\n<p>Configure Docker to authenticate to the regional Artifact Registry hostname:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud auth configure-docker \"${REGION}-docker.pkg.dev\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong><br\/>\nDocker credential helper configuration is updated.<\/p>\n\n\n\n<p><strong>Verification:<\/strong>\n&#8211; Check that <code>~\/.docker\/config.json<\/code> contains an entry for <code>${REGION}-docker.pkg.dev<\/code>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Pull a public image, tag it, and push to Artifact Registry<\/h3>\n\n\n\n<p>1) Pull a known image from Docker Hub:<\/p>\n\n\n\n<pre><code 
class=\"language-bash\">docker pull debian:10\n<\/code><\/pre>\n\n\n\n<p>2) Tag it for your Artifact Registry repository:<\/p>\n\n\n\n<p>Artifact Registry image path format:<\/p>\n\n\n\n<p><code>REGION-docker.pkg.dev\/PROJECT_ID\/REPOSITORY\/IMAGE:TAG<\/code><\/p>\n\n\n\n<pre><code class=\"language-bash\">export TARGET_IMAGE=\"${REGION}-docker.pkg.dev\/${PROJECT_ID}\/${REPO}\/${IMAGE_NAME}:${IMAGE_TAG}\"\ndocker tag debian:10 \"${TARGET_IMAGE}\"\n<\/code><\/pre>\n\n\n\n<p>3) Push the image:<\/p>\n\n\n\n<pre><code class=\"language-bash\">docker push \"${TARGET_IMAGE}\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong><br\/>\nThe image is uploaded to Artifact Registry.<\/p>\n\n\n\n<p><strong>Verification (CLI):<\/strong><\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud artifacts docker images list \"${REGION}-docker.pkg.dev\/${PROJECT_ID}\/${REPO}\" --include-tags\n<\/code><\/pre>\n\n\n\n<p><strong>Verification (Console):<\/strong>\n&#8211; Go to Artifact Registry in the console: https:\/\/console.cloud.google.com\/artifacts\n&#8211; Select your repository and confirm the image and tag exist.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: View vulnerability findings (Console-first, most reliable)<\/h3>\n\n\n\n<p>Vulnerability results are not always instantaneous. 
Give it a few minutes after pushing.<\/p>\n\n\n\n<p>1) In the Google Cloud Console:\n&#8211; Navigate to <strong>Artifact Registry<\/strong> \u2192 your repository \u2192 your image.\n&#8211; Look for a <strong>Vulnerabilities<\/strong> tab or vulnerability summary panel.<\/p>\n\n\n\n<p>2) Open the vulnerability list and inspect:\n&#8211; Severity distribution (CRITICAL\/HIGH\/MEDIUM\/LOW)\n&#8211; Affected packages\n&#8211; Fix availability (if provided)\n&#8211; CVE identifiers (if provided)<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong><br\/>\nYou can see vulnerability findings associated with the pushed image (assuming the image contains scannable components and scanning is enabled for your environment).<\/p>\n\n\n\n<p><strong>If you don\u2019t see findings:<\/strong>\n&#8211; Wait 5\u201315 minutes and refresh.\n&#8211; Confirm Artifact Analysis\/scanning is enabled for your project\/repository in the console settings (names and locations can vary\u2014verify in official docs).\n&#8211; Try a different base image (some images may yield fewer findings).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7 (Optional): Query vulnerability findings via gcloud (if supported)<\/h3>\n\n\n\n<p>Some gcloud versions include commands to list vulnerabilities for an Artifact Registry image. Because command availability can vary, confirm your CLI has the feature:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud artifacts docker images --help | sed -n '1,120p'\n<\/code><\/pre>\n\n\n\n<p>Look for a subcommand related to vulnerabilities (for example, <code>list-vulnerabilities<\/code>). 
If present, run:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud artifacts docker images list-vulnerabilities \"${TARGET_IMAGE}\" --location=\"${REGION}\"\n<\/code><\/pre>\n\n\n\n<p>If your CLI does not include this, use the Console steps (Step 6) and\/or query via the Container Analysis API using official examples from the docs:\n&#8211; Container Analysis docs: https:\/\/cloud.google.com\/container-analysis\/docs<\/p>\n\n\n\n<p><strong>Expected outcome:<\/strong><br\/>\nYou can retrieve vulnerability results programmatically.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Step 8: Add a simple CI \u201cgate script\u201d (local example)<\/h3>\n\n\n\n<p>This step shows the pattern: parse vulnerability results and enforce a policy. The exact JSON shape depends on the CLI\/API you use, so treat this as a template.<\/p>\n\n\n\n<p>If you can get JSON output of vulnerabilities, you can do something like:<\/p>\n\n\n\n<pre><code class=\"language-bash\"># Example only: verify the output format in your environment.\n# The goal: fail if any CRITICAL vulnerabilities are present.\nset -euo pipefail\n\ngcloud artifacts docker images list-vulnerabilities \"${TARGET_IMAGE}\" \\\n  --location=\"${REGION}\" \\\n  --format=json &gt; vulns.json\n\n# jq exits 0 even when select() matches nothing, so use -e: exit 0 = match,\n# 1 = no match, other = jq could not evaluate the file. Adjust the field path\n# (for example, .vulnerability.severity) to the JSON shape you actually get.\nstatus=0\njq -e 'any(.[]; .severity == \"CRITICAL\")' vulns.json &gt;\/dev\/null || status=$?\n\ncase \"${status}\" in\n  0) echo \"Policy failed: CRITICAL vulnerabilities found.\"; exit 1 ;;\n  1) echo \"Policy passed: no CRITICAL vulnerabilities found.\" ;;\n  *) echo \"Policy error: could not evaluate vulns.json (jq exit ${status}); failing closed.\"; exit 1 ;;\nesac\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome:<\/strong><br\/>\nYou have a repeatable pattern you can port into Cloud Build, GitHub Actions, or another CI system.<\/p>\n\n\n\n<blockquote>\n<p>In production, don\u2019t gate solely on raw severity; consider fix availability, exploitability, and compensating controls.
Also define an exception process.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use this checklist:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>[ ] Image exists in Artifact Registry.<\/li>\n<li>[ ] Vulnerability findings are visible in the Console for the image digest\/tag.<\/li>\n<li>[ ] (Optional) You can query vulnerabilities via CLI or API.<\/li>\n<li>[ ] You understand the digest-based identity of images for enforcement.<\/li>\n<\/ul>\n\n\n\n<p>Useful validation commands:<\/p>\n\n\n\n<pre><code class=\"language-bash\"># List images and tags in the repo\ngcloud artifacts docker images list \"${REGION}-docker.pkg.dev\/${PROJECT_ID}\/${REPO}\" --include-tags\n\n# Show image details (digest, timestamps)\ngcloud artifacts docker images describe \"${TARGET_IMAGE}\" --location=\"${REGION}\"\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Error: <code>denied: Permission ...<\/code> when pushing<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cause: Missing Artifact Registry permissions.<\/li>\n<li>Fix:\n<ul class=\"wp-block-list\">\n<li>Ensure your user (or CI service account) has <code>roles\/artifactregistry.writer<\/code> (or admin for the lab).<\/li>\n<li>Verify you are pushing to the correct project\/repo\/region.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Error: <code>unauthorized: authentication required<\/code><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cause: Docker credential helper not configured for <code>${REGION}-docker.pkg.dev<\/code>.<\/li>\n<li>Fix: run <code>gcloud auth configure-docker \"${REGION}-docker.pkg.dev\"<\/code>, then retry <code>docker push<\/code>.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">No vulnerabilities shown<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Causes:\n<ul class=\"wp-block-list\">\n<li>Scanning not enabled for your environment\/project.<\/li>\n<li>Results not ready yet.<\/li>\n<li>Image contains limited scannable components.<\/li>\n<\/ul>\n<\/li>\n<li>Fixes:\n<ul class=\"wp-block-list\">\n<li>Wait and refresh.<\/li>\n<li>Confirm scanning\/analysis settings in Artifact Registry.<\/li>\n<li>Try another image with more OS packages (for example, Ubuntu\/Debian variants).<\/li>\n<li>Verify required APIs are enabled.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">CLI command not found for vulnerabilities<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cause: gcloud version\/channel differences.<\/li>\n<li>Fix:\n<ul class=\"wp-block-list\">\n<li>Update gcloud: <code>gcloud components update<\/code><\/li>\n<li>Prefer the Console or follow official Container Analysis API query examples.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>Delete the repository (this deletes images inside it):<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud artifacts repositories delete \"${REPO}\" --location=\"${REGION}\"\n<\/code><\/pre>\n\n\n\n<p>(Optional) Disable APIs if this project is only for the lab:<\/p>\n\n\n\n<pre><code class=\"language-bash\">gcloud services disable artifactregistry.googleapis.com\ngcloud services disable containeranalysis.googleapis.com\n<\/code><\/pre>\n\n\n\n<p>(Optional) Remove Docker credential helper entries (be careful if you use Artifact Registry regularly). You can edit <code>~\/.docker\/config.json<\/code> manually.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">11.
Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Use digest-based deployments<\/strong> (<code>image@sha256:...<\/code>) for strong integrity and repeatability.<\/li>\n<li><strong>Separate projects\/environments<\/strong> (dev\/stage\/prod) and apply stricter enforcement in prod.<\/li>\n<li>Standardize repository structure:\n<ul class=\"wp-block-list\">\n<li>One repo per domain\/team, or per environment, depending on scale and governance needs.<\/li>\n<\/ul>\n<\/li>\n<li>Keep build, repository, and runtime <strong>region-aligned<\/strong> to reduce latency and egress.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>service accounts<\/strong> for CI\/CD with least privilege:\n<ul class=\"wp-block-list\">\n<li>Push permission only to required repositories.<\/li>\n<li>Read-only access for vulnerability metadata unless modification is required.<\/li>\n<\/ul>\n<\/li>\n<li>Restrict who can change repository settings and IAM policies.<\/li>\n<li>Use <strong>workload identity federation<\/strong> for external CI instead of long-lived keys (where possible).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Minimize image size (multi-stage builds, remove build tools from runtime images).<\/li>\n<li>Configure tag retention and cleanup policies to avoid layer sprawl.<\/li>\n<li>Avoid cross-region pulls; mirror images intentionally only when needed.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use smaller images to speed up push\/pull and reduce deployment time.<\/li>\n<li>Use regional repositories close to clusters\/services that pull the images.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Avoid single points of failure in CI:\n<ul class=\"wp-block-list\">\n<li>If your policy gate depends on metadata availability, define fallback behavior (for example, retry with backoff, then fail closed for prod).<\/li>\n<\/ul>\n<\/li>\n<li>Use a consistent tagging strategy:\n<ul class=\"wp-block-list\">\n<li>Immutable tags (for example, Git SHA) + human-friendly tags (for example, <code>release-2026-04-14<\/code>) if needed.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable and monitor <strong>Audit Logs<\/strong> for Artifact Registry and analysis APIs.<\/li>\n<li>Create operational dashboards:\n<ul class=\"wp-block-list\">\n<li>Count of high severity vulnerabilities by repository\/team<\/li>\n<li>Aging of vulnerabilities (time-to-fix)<\/li>\n<\/ul>\n<\/li>\n<li>Define an exception process:\n<ul class=\"wp-block-list\">\n<li>Time-bound waivers with approvals and compensating controls.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Naming conventions:\n<ul class=\"wp-block-list\">\n<li><code>team-service-env<\/code> or <code>domain\/service<\/code> patterns (choose one and enforce).<\/li>\n<\/ul>\n<\/li>\n<li>Labels\/tags:\n<ul class=\"wp-block-list\">\n<li>Use labels for cost allocation and ownership.<\/li>\n<\/ul>\n<\/li>\n<li>Ownership:\n<ul class=\"wp-block-list\">\n<li>Each repo should have an owning group and an on-call escalation path.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">12.
Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Artifact Analysis data access is governed by <strong>IAM<\/strong>.<\/li>\n<li>Separate concerns:\n<ul class=\"wp-block-list\">\n<li>Artifact Registry access (push\/pull\/list)<\/li>\n<li>Metadata access (view vulnerability occurrences)<\/li>\n<\/ul>\n<\/li>\n<li>Apply least privilege:\n<ul class=\"wp-block-list\">\n<li>Developers often need read access to vulnerability results.<\/li>\n<li>Only a subset should manage scanning configuration and repository policies.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Google Cloud encrypts data at rest by default. For additional control, evaluate CMEK support for Artifact Registry in your region (verify current support in official docs).<\/li>\n<li>Data in transit is protected via TLS for registry endpoints and APIs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Artifact Registry endpoints are public by default (authenticated), but you can reduce exposure using:\n<ul class=\"wp-block-list\">\n<li>Private Google Access (for private network egress to Google APIs)<\/li>\n<li>VPC Service Controls (for supported services; verify compatibility)<\/li>\n<\/ul>\n<\/li>\n<li>Ensure your CI runners can reach necessary endpoints securely.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Avoid storing registry credentials in plaintext.<\/li>\n<li>Prefer:\n<ul class=\"wp-block-list\">\n<li>gcloud auth in trusted environments<\/li>\n<li>Workload identity federation for third-party CI<\/li>\n<li>Secret Manager for any necessary tokens (and rotate them)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>Cloud Audit Logs<\/strong> to track:\n<ul class=\"wp-block-list\">\n<li>IAM policy changes on repositories<\/li>\n<li>Artifact deletion events<\/li>\n<li>Administrative actions related to APIs<\/li>\n<\/ul>\n<\/li>\n<li>Keep a retention policy appropriate for your compliance needs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Artifact scanning supports secure SDLC controls but does not automatically make you compliant.<\/li>\n<li>Map controls to frameworks (for example, SOC 2, ISO 27001) via:\n<ul class=\"wp-block-list\">\n<li>Evidence of scanning<\/li>\n<li>Policy enforcement records<\/li>\n<li>Vulnerability remediation SLAs<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Relying on tag-based deployment (tags can be retargeted).<\/li>\n<li>Allowing broad push permissions to shared repositories.<\/li>\n<li>Not gating production deployments, assuming \u201cscan visibility\u201d is enough.<\/li>\n<li>Ignoring fix availability and remediation workflows (findings without action don\u2019t reduce risk).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use digest-pinned deployments.<\/li>\n<li>Implement a policy gate in CI for non-prod; require stricter gates + attestations for prod.<\/li>\n<li>Limit manual deployments; centralize through controlled pipelines.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">13. Limitations and Gotchas<\/h2>\n\n\n\n<blockquote>\n<p>These points are common in real implementations.
Always confirm current limits in official docs for your region and artifact types.<\/p>\n<\/blockquote>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Not all artifacts have the same analysis depth.<\/strong> Container images are the most common target; other artifact formats may have different support levels.<\/li>\n<li><strong>Results can take time to appear<\/strong> after pushing an image.<\/li>\n<li><strong>Minimal\/distroless images may show fewer vulnerabilities<\/strong> because there are fewer packages to detect.<\/li>\n<li><strong>Tags are mutable<\/strong>: do not equate a \u201cscanned tag\u201d with a \u201cscanned artifact.\u201d Prefer digests.<\/li>\n<li><strong>Cross-project access is non-trivial<\/strong>: central security teams often need organization-wide design (folders, groups, IAM inheritance).<\/li>\n<li><strong>Quotas and rate limits<\/strong> can affect on-demand scanning or large-scale reporting (verify).<\/li>\n<li><strong>False positives\/negatives<\/strong> are possible in any vulnerability system. Create a triage process.<\/li>\n<li><strong>Noise without policy<\/strong>: if you don\u2019t define severity thresholds, exception processes, and SLAs, teams may ignore findings.<\/li>\n<li><strong>Pricing surprises<\/strong> often come from Artifact Registry usage (pull volume, storage growth) more than from scanning itself\u2014measure your usage.<\/li>\n<li><strong>Migration gotchas<\/strong> (Container Registry \u2192 Artifact Registry): image URLs change, and tooling must be updated accordingly.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<p>Artifact Analysis is one part of a broader container security and supply chain ecosystem.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Common alternatives in Google Cloud<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Binary Authorization<\/strong>: Enforces admission policies (often based on attestations). 
Complements Artifact Analysis rather than replacing it.<\/li>\n<li><strong>Security Command Center<\/strong>: Aggregates findings across services; may ingest\/containerize vulnerability signals (depends on edition and configuration).<\/li>\n<li><strong>Third-party scanners integrated into CI<\/strong>: Snyk, Wiz, Aqua, Palo Alto Prisma Cloud, etc.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Alternatives in other clouds<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>AWS<\/strong>: Amazon ECR scanning + Amazon Inspector (container vulnerability management).<\/li>\n<li><strong>Azure<\/strong>: Microsoft Defender for Cloud \/ Defender for Containers and registry scanning capabilities.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Open-source \/ self-managed<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Trivy<\/strong>, <strong>Grype<\/strong>, <strong>Anchore Engine<\/strong>, <strong>Clair<\/strong>: Run in CI or as a service; you manage updates, scaling, storage, and access controls.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Comparison table<\/h4>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Google Cloud Artifact Analysis<\/td>\n<td>Teams using Artifact Registry who want managed scanning + metadata<\/td>\n<td>Native integration, managed ops, console visibility, API-accessible metadata<\/td>\n<td>Capability depends on supported artifacts\/regions; may not match every custom scanning need<\/td>\n<td>Default choice for Google Cloud-native container artifact analysis<\/td>\n<\/tr>\n<tr>\n<td>Binary Authorization (Google Cloud)<\/td>\n<td>Preventing unsafe deployments<\/td>\n<td>Strong admission control for GKE; integrates with attestations<\/td>\n<td>Doesn\u2019t scan by itself; you must implement attestation logic<\/td>\n<td>Use with Artifact Analysis to enforce 
\u201conly approved\/scanned images run\u201d<\/td>\n<\/tr>\n<tr>\n<td>Security Command Center<\/td>\n<td>Org-wide security posture<\/td>\n<td>Centralized findings, governance workflows (edition dependent)<\/td>\n<td>Not a registry scanner alone; additional cost\/complexity<\/td>\n<td>When you need centralized security operations and reporting<\/td>\n<\/tr>\n<tr>\n<td>AWS ECR + Inspector<\/td>\n<td>AWS-native container scanning<\/td>\n<td>Integrated with AWS services<\/td>\n<td>Locked into AWS ecosystem<\/td>\n<td>If workloads and images are primarily on AWS<\/td>\n<\/tr>\n<tr>\n<td>Azure Defender for Containers\/Registries<\/td>\n<td>Azure-native container security<\/td>\n<td>Integrated with Azure security stack<\/td>\n<td>Locked into Azure ecosystem<\/td>\n<td>If workloads and images are primarily on Azure<\/td>\n<\/tr>\n<tr>\n<td>Trivy\/Grype (self-managed)<\/td>\n<td>Maximum flexibility and portability<\/td>\n<td>Works anywhere; customizable policies<\/td>\n<td>You manage DB updates, scaling, reporting, and access controls<\/td>\n<td>When you need portable scanning across clouds or air-gapped environments<\/td>\n<\/tr>\n<tr>\n<td>Snyk\/Wiz\/Prisma\/Aqua (vendor)<\/td>\n<td>Advanced enterprise features<\/td>\n<td>Rich dashboards, policies, runtime context<\/td>\n<td>Additional licensing cost; vendor lock-in<\/td>\n<td>When you need advanced governance, prioritization, and multi-cloud coverage<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: regulated financial services platform<\/h3>\n\n\n\n<p><strong>Problem:<\/strong><br\/>\nA bank runs hundreds of microservices on GKE. 
They must prove secure SDLC controls, reduce critical vulnerabilities, and prevent unapproved images from running in production.<\/p>\n\n\n\n<p><strong>Proposed architecture:<\/strong>\n&#8211; Artifact Registry per environment (dev\/stage\/prod) in aligned regions.\n&#8211; Artifact Analysis enabled to generate vulnerability findings for all images.\n&#8211; Cloud Build pipelines:\n  &#8211; Build \u2192 push \u2192 query vulnerability metadata\n  &#8211; If policy passes, create an attestation\n&#8211; Binary Authorization on prod GKE clusters:\n  &#8211; Only allow images with the required attestation(s)\n&#8211; Central logging and audit:\n  &#8211; Cloud Audit Logs retained to meet compliance\n&#8211; Optional security aggregation:\n  &#8211; Security Command Center for organization-level visibility (verify edition requirements)<\/p>\n\n\n\n<p><strong>Why Artifact Analysis was chosen:<\/strong>\n&#8211; Managed scanning and metadata integrated with Artifact Registry.\n&#8211; Strong alignment with digest-based integrity and admission control patterns.<\/p>\n\n\n\n<p><strong>Expected outcomes:<\/strong>\n&#8211; Consistent enforcement of vulnerability thresholds before production deployment.\n&#8211; Reduced mean time to identify affected services after new CVE disclosures.\n&#8211; Audit-ready evidence of scanning and enforcement.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example: SaaS company shipping daily<\/h3>\n\n\n\n<p><strong>Problem:<\/strong><br\/>\nA 10-person team ships daily to Cloud Run. 
They want basic vulnerability visibility without operating scanner infrastructure.<\/p>\n\n\n\n<p><strong>Proposed architecture:<\/strong>\n&#8211; Single Artifact Registry repository (regional) for images.\n&#8211; Artifact Analysis used for vulnerability visibility in Console.\n&#8211; A lightweight CI check:\n  &#8211; Fail builds only on CRITICAL vulnerabilities with fixes available (policy definition is team-specific).\n&#8211; Simple operational practice:\n  &#8211; Weekly review of top findings and base image updates.<\/p>\n\n\n\n<p><strong>Why Artifact Analysis was chosen:<\/strong>\n&#8211; Low operational overhead, quick visibility, easy integration with Google Cloud tooling.<\/p>\n\n\n\n<p><strong>Expected outcomes:<\/strong>\n&#8211; Faster feedback during development.\n&#8211; Reduced risk of shipping known critical vulnerabilities.\n&#8211; Minimal extra operational burden.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<p>1) <strong>Is Artifact Analysis the same as Artifact Registry?<\/strong><br\/>\nNo. Artifact Registry is where artifacts are stored. Artifact Analysis provides analysis (such as vulnerability findings) and metadata related to those artifacts.<\/p>\n\n\n\n<p>2) <strong>Do I need Artifact Registry to use Artifact Analysis?<\/strong><br\/>\nMany common workflows use Artifact Analysis with Artifact Registry-hosted container images. Some APIs can work with broader concepts, but the most straightforward path is Artifact Registry + Artifact Analysis. Verify supported sources in official docs.<\/p>\n\n\n\n<p>3) <strong>How long does it take for vulnerability results to appear after pushing an image?<\/strong><br\/>\nIt can take several minutes. If results don\u2019t appear, confirm scanning is enabled and the required APIs are enabled.<\/p>\n\n\n\n<p>4) <strong>Should I deploy images by tag or digest?<\/strong><br\/>\nUse digests for production enforcement. 
Tags are convenient but mutable.<\/p>\n\n\n\n<p>5) <strong>Can I block deployments automatically based on Artifact Analysis findings?<\/strong><br\/>\nArtifact Analysis provides findings; enforcement is typically done in CI gates and\/or with Binary Authorization (often using attestations).<\/p>\n\n\n\n<p>6) <strong>Does Artifact Analysis scan my running containers?<\/strong><br\/>\nArtifact Analysis focuses on artifacts (for example, images). Runtime detection is a different capability area and may involve other products\/tools.<\/p>\n\n\n\n<p>7) <strong>What permissions do developers need to view vulnerabilities?<\/strong><br\/>\nThey need permissions to read the relevant metadata and the artifact. Exact roles can vary\u2014verify current IAM roles for Artifact Registry and Container Analysis in official docs.<\/p>\n\n\n\n<p>8) <strong>Can I rescan an image after a new CVE is announced?<\/strong><br\/>\nDepending on your workflow, you may rely on continuous updates of vulnerability data and\/or use on-demand scanning. Verify the recommended approach and supported APIs.<\/p>\n\n\n\n<p>9) <strong>How do I reduce false positives?<\/strong><br\/>\nUse a triage process:\n&#8211; Prefer digest-based identification\n&#8211; Validate affected package presence\/version\n&#8211; Consider compensating controls\n&#8211; Document exceptions with expiry dates<\/p>\n\n\n\n<p>10) <strong>Does Artifact Analysis provide SBOMs?<\/strong><br\/>\nSome Google Cloud supply-chain workflows can generate or store SBOM-related metadata, but availability depends on artifact type and configuration. Verify current SBOM capabilities in the official docs.<\/p>\n\n\n\n<p>11) <strong>How do I see which images are most risky across my organization?<\/strong><br\/>\nAt scale, you typically aggregate metadata via APIs and\/or integrate with security posture tools. 
Consider organization-level reporting patterns; verify best-practice architectures in Google Cloud\u2019s Architecture Center.<\/p>\n\n\n\n<p>12) <strong>Can I use Artifact Analysis with GitHub Actions?<\/strong><br\/>\nYes. Build and push to Artifact Registry from GitHub Actions using workload identity federation, then query vulnerability metadata via API\/CLI.<\/p>\n\n\n\n<p>13) <strong>What\u2019s the difference between Container Analysis API and Artifact Analysis?<\/strong><br\/>\nArtifact Analysis is the product capability; Container Analysis API is a core API used to store\/query metadata (occurrences\/notes).<\/p>\n\n\n\n<p>14) <strong>Does Artifact Analysis replace third-party scanners like Snyk or Trivy?<\/strong><br\/>\nIt can replace or complement them depending on your requirements. If you need multi-cloud parity, deep language-level analysis, or custom policies, you may still use third-party tools.<\/p>\n\n\n\n<p>15) <strong>What\u2019s the best first step to adopt Artifact Analysis?<\/strong><br\/>\nStart with visibility:\n&#8211; Enable scanning for a non-production repository\n&#8211; Establish severity thresholds\n&#8211; Add a CI gate\nThen evolve toward production enforcement with attestations and Binary Authorization.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">17. 
Top Online Resources to Learn Artifact Analysis<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>Artifact Analysis docs \u2014 https:\/\/cloud.google.com\/artifact-analysis\/docs<\/td>\n<td>Canonical overview, setup, concepts, and supported workflows<\/td>\n<\/tr>\n<tr>\n<td>Official documentation<\/td>\n<td>Artifact Registry docs \u2014 https:\/\/cloud.google.com\/artifact-registry\/docs<\/td>\n<td>Repository configuration, authentication, formats, and operations<\/td>\n<\/tr>\n<tr>\n<td>Official documentation<\/td>\n<td>Artifact Registry analysis\/scanning docs \u2014 https:\/\/cloud.google.com\/artifact-registry\/docs (search for \u201canalysis\u201d \/ \u201cvulnerability scanning\u201d)<\/td>\n<td>Current guidance for scanning behavior and console workflows<\/td>\n<\/tr>\n<tr>\n<td>Official API documentation<\/td>\n<td>Container Analysis API \u2014 https:\/\/cloud.google.com\/container-analysis\/docs<\/td>\n<td>Metadata model, occurrences\/notes, and programmatic queries<\/td>\n<\/tr>\n<tr>\n<td>Official API documentation<\/td>\n<td>On-Demand Scanning (verify current docs) \u2014 start at https:\/\/cloud.google.com\/ and search \u201cOn-Demand Scanning API\u201d<\/td>\n<td>How to request scans explicitly (where supported)<\/td>\n<\/tr>\n<tr>\n<td>Pricing<\/td>\n<td>Artifact Registry pricing \u2014 https:\/\/cloud.google.com\/artifact-registry\/pricing<\/td>\n<td>Storage\/operations pricing that often dominates total cost<\/td>\n<\/tr>\n<tr>\n<td>Pricing tool<\/td>\n<td>Google Cloud Pricing Calculator \u2014 https:\/\/cloud.google.com\/products\/calculator<\/td>\n<td>Build region-accurate estimates for storage, operations, build minutes, logging<\/td>\n<\/tr>\n<tr>\n<td>Official security service<\/td>\n<td>Binary Authorization \u2014 https:\/\/cloud.google.com\/binary-authorization\/docs<\/td>\n<td>How 
to enforce deploy-time policy based on attestations<\/td>\n<\/tr>\n<tr>\n<td>Architecture guidance<\/td>\n<td>Google Cloud Architecture Center \u2014 https:\/\/cloud.google.com\/architecture<\/td>\n<td>Reference architectures for secure CI\/CD and supply chain patterns<\/td>\n<\/tr>\n<tr>\n<td>Official samples (trusted)<\/td>\n<td>Grafeas (concept\/model reference) \u2014 https:\/\/github.com\/grafeas\/grafeas<\/td>\n<td>Understand the underlying metadata model used across ecosystems<\/td>\n<\/tr>\n<tr>\n<td>Getting started<\/td>\n<td>Cloud SDK install \u2014 https:\/\/cloud.google.com\/sdk\/docs\/install<\/td>\n<td>Required for CLI-based labs and automation<\/td>\n<\/tr>\n<tr>\n<td>Official videos<\/td>\n<td>Google Cloud Tech (YouTube) \u2014 https:\/\/www.youtube.com\/@googlecloudtech<\/td>\n<td>Practical walkthroughs and product updates (search within channel)<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">18. Training and Certification Providers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps engineers, SREs, platform teams, developers<\/td>\n<td>CI\/CD, DevSecOps, Google Cloud foundations, artifact governance<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>Beginners to intermediate DevOps practitioners<\/td>\n<td>SCM, CI\/CD pipelines, DevOps tooling fundamentals<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n<tr>\n<td>CloudOpsNow.in<\/td>\n<td>Cloud operations and engineering teams<\/td>\n<td>Cloud operations, monitoring, reliability, deployment practices<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs, operations, platform 
engineering<\/td>\n<td>Reliability engineering, operational readiness, incident response<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops teams exploring automation<\/td>\n<td>AIOps concepts, operational automation, tooling overview<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">19. Top Trainers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps \/ cloud training content (verify current offerings)<\/td>\n<td>Students, engineers seeking practical guidance<\/td>\n<td>https:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps training resources (verify course list)<\/td>\n<td>DevOps engineers, beginners to intermediate<\/td>\n<td>https:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Freelance DevOps guidance and services (verify scope)<\/td>\n<td>Small teams needing targeted help<\/td>\n<td>https:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support and training resources (verify offerings)<\/td>\n<td>Ops teams and engineers needing hands-on support<\/td>\n<td>https:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">20. 
Top Consulting Companies<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps consulting (verify service catalog)<\/td>\n<td>Cloud migrations, CI\/CD design, platform engineering<\/td>\n<td>Artifact Registry rollout, CI policy gates, repository governance<\/td>\n<td>https:\/\/cotocus.com\/<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps consulting and enablement (verify service catalog)<\/td>\n<td>DevSecOps implementation, training + delivery support<\/td>\n<td>Implement scan-and-gate pipelines, define promotion policies, IAM hardening<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting services (verify service catalog)<\/td>\n<td>CI\/CD modernization, operational readiness<\/td>\n<td>Set up Artifact Registry structure, automate vulnerability checks, audit logging<\/td>\n<td>https:\/\/www.devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before Artifact Analysis<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Container fundamentals: images, layers, registries, tags vs digests.<\/li>\n<li>Basic vulnerability concepts: CVE, severity, patching, fix availability.<\/li>\n<li>Google Cloud essentials:<\/li>\n<li>Projects, IAM, service accounts<\/li>\n<li>Artifact Registry basics<\/li>\n<li>gcloud CLI<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after Artifact Analysis<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Binary Authorization<\/strong> for deployment-time enforcement on GKE.<\/li>\n<li>Secure CI\/CD design:<\/li>\n<li>Cloud Build triggers, secure worker pools (if used)<\/li>\n<li>Supply chain controls (provenance\/attestations)<\/li>\n<li>Organization-level governance:<\/li>\n<li>Folder\/project structure, centralized logging, SCC (if used)<\/li>\n<li>Advanced vulnerability management:<\/li>\n<li>SLAs, exception processes, prioritization strategies<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DevOps Engineer<\/li>\n<li>Site Reliability Engineer (SRE)<\/li>\n<li>Platform Engineer<\/li>\n<li>Security Engineer \/ AppSec Engineer<\/li>\n<li>Cloud Architect<\/li>\n<li>Release Engineer<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (if available)<\/h3>\n\n\n\n<p>Google Cloud certifications don\u2019t typically certify a single service, but Artifact Analysis fits well into:\n&#8211; Professional Cloud DevOps Engineer\n&#8211; Professional Cloud Security Engineer\n&#8211; Associate Cloud Engineer<br\/>\nVerify the current exam guides and domains on Google Cloud\u2019s certification site.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Build a CI pipeline that:<\/li>\n<li>Pushes images to Artifact Registry<\/li>\n<li>Queries 
vulnerability results<\/li>\n<li>Blocks releases above a threshold<\/li>\n<li>Implement digest-based deployments to Cloud Run and track vulnerabilities for deployed digests.<\/li>\n<li>Build a lightweight dashboard:<\/li>\n<li>Pull vulnerability metadata via API<\/li>\n<li>Store in BigQuery<\/li>\n<li>Visualize trends (Looker Studio)<br\/>\n(Verify official guidance for exporting and data modeling.)<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">22. Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Artifact<\/strong>: A build output such as a container image or a package that can be stored and deployed.<\/li>\n<li><strong>Artifact Registry<\/strong>: Google Cloud service for storing and managing artifacts (Docker images, packages).<\/li>\n<li><strong>Artifact Analysis<\/strong>: Google Cloud service\/capability that analyzes artifacts and stores metadata such as vulnerability findings.<\/li>\n<li><strong>Container image<\/strong>: A packaged filesystem and metadata used to run containers.<\/li>\n<li><strong>Tag<\/strong>: A mutable pointer to an image version (for example, <code>:latest<\/code>).<\/li>\n<li><strong>Digest<\/strong>: An immutable content identifier for an image (for example, <code>@sha256:...<\/code>).<\/li>\n<li><strong>Vulnerability<\/strong>: A known security weakness, often identified by a CVE.<\/li>\n<li><strong>CVE<\/strong>: Common Vulnerabilities and Exposures identifier (for example, <code>CVE-2024-12345<\/code>).<\/li>\n<li><strong>Severity<\/strong>: A rating (CRITICAL\/HIGH\/MEDIUM\/LOW) indicating potential impact.<\/li>\n<li><strong>Fix available<\/strong>: Indicates whether a patched version is known\/available for an affected component.<\/li>\n<li><strong>Container Analysis API<\/strong>: Google Cloud API for storing and querying artifact metadata (occurrences\/notes).<\/li>\n<li><strong>Occurrence\/Note<\/strong>: Metadata objects representing findings (occurrence) and shared definitions (note) in the 
Grafeas-style model.<\/li>\n<li><strong>Binary Authorization<\/strong>: Google Cloud service for enforcing deploy-time policies on GKE using attestations.<\/li>\n<li><strong>Attestation<\/strong>: A signed statement that an artifact meets certain criteria (for example, passed security checks).<\/li>\n<li><strong>DevSecOps<\/strong>: Integrating security into development and operations through automation and shared practices.<\/li>\n<li><strong>SBOM<\/strong>: Software Bill of Materials\u2014an inventory of components in software (availability depends on tooling\/workflow; verify for your setup).<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>Artifact Analysis in Google Cloud helps application development teams understand the security posture of artifacts\u2014especially container images\u2014by generating and storing vulnerability metadata that can be viewed in the console and queried programmatically.<\/p>\n\n\n\n<p>It matters because modern CI\/CD moves fast, and security needs reliable, automatable ways to detect risk, prioritize fixes, and prevent unsafe deployments. Architecturally, Artifact Analysis is commonly paired with Artifact Registry for storage, Container Analysis API for metadata access, and Binary Authorization for production enforcement.<\/p>\n\n\n\n<p>Cost-wise, the biggest drivers are usually Artifact Registry storage\/operations and image pull patterns; verify whether any on-demand scanning workflows introduce additional charges in your environment. Security-wise, least-privilege IAM, digest-based deployments, audit logging, and a clear exception\/remediation process are the foundations of a successful rollout.<\/p>\n\n\n\n<p>Use Artifact Analysis when you want Google Cloud-native artifact scanning and metadata for CI\/CD and governance. 
As a next step, extend the lab by implementing a CI policy gate and (for GKE) an attestation-based Binary Authorization policy to enforce \u201conly approved artifacts run in production.\u201d<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Application development<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[54,51],"tags":[],"class_list":["post-589","post","type-post","status-publish","format-standard","hentry","category-application-development","category-google-cloud"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/589","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=589"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/589\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=589"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=589"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=589"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}