Google Cloud extends vulnerability detection for Artifact Registry using OSV
Teams working to secure their software supply chains and anticipate risk face a steady stream of new challenges. They can strengthen container security with Google's vulnerability scanning, which now offers expanded coverage of open-source vulnerabilities. One of the key advantages of Google Cloud Platform is its built-in security tooling, including Artifact Analysis. This scanning service runs on the same infrastructure Google uses to monitor vulnerabilities in its own internal systems and software supply chains.
Artifact Analysis has recently broadened its scanning scope to include eight more language packages, four different operating systems, and two commonly used base images, making it a more powerful and adaptable tool than ever.
This increased coverage was made possible by merging Artifact Analysis with the Open Source Vulnerabilities (OSV) platform and repository. This integration delivers leading-edge insights into vulnerabilities in open source projects, a crucial function as cyber-attacks on software supply chains continue to rise in frequency and sophistication, affecting organizations that heavily rely on open source software.
With these latest enhancements, clients can now effectively scan the majority of the images they upload to Artifact Registry. These successful scans guarantee the detection and reporting of any known vulnerabilities, which can then be incorporated into a broader vulnerability management scheme, enabling teams to take swift action.
Amplifying reach of open source vulnerabilities
Artifact Analysis retrieves vulnerability data directly from OSV, the only open source, distributed vulnerability database that gathers input directly from open source maintainers. The OSV database provides a reliable, high-quality set of vulnerabilities sourced from recognized authorities that have adopted the OSV schema. This ensures the database holds precise data for consistently matching software dependencies to known vulnerabilities, a process that previously relied on imprecise mechanisms such as CPEs (Common Platform Enumerations).
Over the last three years, OSV has expanded its overall coverage to 28 language and OS ecosystems. For instance, industry leaders such as GitHub, Chainguard, and Ubuntu, along with open-source ecosystems like Rust and Python, now publish their vulnerability findings in the OSV schema. This expanded coverage also includes Chainguard's Wolfi images and Google's Distroless images, which are popular choices for minimal container images used by many developers and organizations. Customers relying on distroless images can depend on Artifact Analysis scanning to support their minimal container image strategy. Each expansion of OSV's coverage flows through to the scanning tools that integrate with the OSV database.
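The matching described above, as an added illustration that is not Google Cloud's or OSV's own code: an OSV-schema advisory lists affected versions as ordered `introduced`/`fixed` events per package, and a scanner checks whether a pinned dependency version falls inside any of those windows. The advisory, package name and id below are constructed placeholders; version parsing assumes plain dotted numeric versions.

```python
# Added example, not the page's or OSV's code. Decides whether a dependency at a
# given version is affected by an OSV-schema advisory by walking its ranges.
# SAMPLE_ADVISORY is constructed for illustration; "EXAMPLE-0001" and
# "examplelib" are placeholders, not real OSV records.
from typing import Iterable

SAMPLE_ADVISORY = {
    "id": "EXAMPLE-0001",
    "affected": [{
        "package": {"ecosystem": "PyPI", "name": "examplelib"},
        "ranges": [{
            "type": "SEMVER",
            # two vulnerable windows: [1.0.0, 1.4.2) and [2.0.0, 2.1.0)
            "events": [{"introduced": "1.0.0"}, {"fixed": "1.4.2"},
                       {"introduced": "2.0.0"}, {"fixed": "2.1.0"}],
        }],
    }],
}

def parse_version(v: str) -> tuple:
    # Assumption: simple dotted numeric versions (no pre-release tags).
    return tuple(int(p) for p in v.split("."))

def in_range(version: str, events: list) -> bool:
    """Each 'introduced' opens a window; the next 'fixed' (exclusive) or
    'last_affected' (inclusive) closes it. '0' means 'from the first release'.
    A window left open at the end covers every later version."""
    v, start = parse_version(version), None
    for ev in events:
        if "introduced" in ev:
            start = (0,) if ev["introduced"] == "0" else parse_version(ev["introduced"])
        elif "fixed" in ev and start is not None:
            if start <= v < parse_version(ev["fixed"]):
                return True
            start = None
        elif "last_affected" in ev and start is not None:
            if start <= v <= parse_version(ev["last_affected"]):
                return True
            start = None
    return start is not None and v >= start

def affected_ids(ecosystem: str, name: str, version: str,
                 advisories: Iterable[dict]) -> list:
    """Return ids of advisories whose affected ranges cover this package version."""
    hits = []
    for adv in advisories:
        for aff in adv.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
                continue  # only same-ecosystem, same-name entries apply
            if any(r.get("type") in ("SEMVER", "ECOSYSTEM") and in_range(version, r["events"])
                   for r in aff.get("ranges", [])):
                hits.append(adv["id"])
                break
    return hits
```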
Wider vulnerability detection with Artifact Analysis
As a result of OSV's expansion, tools such as Artifact Analysis that are built on OSV now surface higher-quality vulnerability data across a broader set of ecosystems, meaning GCP project owners will be notified of a more comprehensive set of vulnerability findings and potential security threats.
Existing Artifact Registry scanning customers do not need to take any action to benefit from this enhancement. Projects with scanning enabled automatically gain the extended coverage, and vulnerability findings remain available in the Artifact Registry UI, the Container Analysis API, and via Pub/Sub (for workflow integration).
Existing On-Demand Scanning users also benefit from the extended vulnerability coverage. The same operating system and language package coverage available to Registry Scanning customers is available in On-Demand Scanning.
Expanding Beyond Artifact Registry
We understand that detection is only the first stage of risk management. We are continuously enhancing Artifact Analysis, and by 2025 we will integrate Artifact Registry vulnerability findings with Google Cloud's Security Command Center. With Security Command Center, customers can run a more thorough vulnerability management program and prioritize risks across multiple dimensions.
