Google tries hand at container registry vulnerability scanning in the cloud


Google Cloud has added automatic scanning of container images built with the company’s CI/CD platform Cloud Build for OS package vulnerabilities. Container Registry vulnerability scanning is still in beta and should help with early detection of security issues.

The feature is part of Google’s efforts to reduce risk exposure by building security into CI/CD systems from the very beginning, Google Cloud team member Nikhil Kaul and product manager Juan Sebastian Oviedo state in a blog post introducing the new offering. Once the Container Analysis API is enabled, images built with Cloud Build and pushed to the Container Registry are automatically scanned, and the findings are reported back to the user.

To ensure only trusted images are deployed on the Kubernetes Engine, vulnerability scanning is also integrated with Binary Authorization, another Google Cloud security product that is still in beta. It lets users require images to be signed during development and have those signatures validated at deploy time as a security control.

At the moment, known package vulnerabilities are identified for Ubuntu, Debian, and Alpine Linux; support for CentOS and RHEL should land soon. Kaul and Oviedo say the scanning function can be plugged into CI/CD tools via Pub/Sub notifications and Cloud Functions. Integration into the Cloud Security Command Center is also planned.
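As an added illustration of the Pub/Sub plus Cloud Functions integration described above (this is not Google's code and not from the blog post the article cites), the following Python handler shows the kind of triage logic one could run on each scan notification: decode the Pub/Sub event, look up the vulnerability occurrence it names, and decide whether the image should be flagged. The occurrence payloads are constructed samples shaped after the Container Analysis API's vulnerability occurrence fields, the notification body format is an assumption, and the API lookup is replaced by an in-memory table so the example runs offline.

```python
"""Triage Container Analysis scan notifications (added example, not Google's code).

Assumptions (labelled): the function is subscribed to the Container Analysis
occurrence notification topic, the Pub/Sub message body is JSON naming the
occurrence, and the real API call to fetch that occurrence is replaced by an
in-memory lookup over constructed samples.
"""
import base64
import json

# Ordering of the Container Analysis Severity enum values, lowest to highest.
SEVERITY_RANK = {"SEVERITY_UNSPECIFIED": 0, "MINIMAL": 1, "LOW": 2,
                 "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}

# Constructed sample occurrences keyed by name. Field layout follows the
# Container Analysis v1 vulnerability occurrence; every value here is made up.
PLACEHOLDER_DIGEST = "sha256:" + "0" * 63 + "1"
SAMPLE_OCCURRENCES = {
    "projects/demo-project/occurrences/occ-1": {
        "name": "projects/demo-project/occurrences/occ-1",
        "resourceUri": "https://gcr.io/demo-project/api@" + PLACEHOLDER_DIGEST,
        "kind": "VULNERABILITY",
        "vulnerability": {
            "severity": "HIGH",
            "effectiveSeverity": "HIGH",
            "cvssScore": 7.5,
            "packageIssue": [{
                "affectedCpeUri": "cpe:/o:debian:debian_linux:9",
                "affectedPackage": "openssl",
                "affectedVersion": {"name": "1.1.0f", "kind": "NORMAL"},
                "fixedVersion": {"name": "1.1.0j", "kind": "NORMAL"},
                "fixAvailable": True,
            }],
        },
    },
    "projects/demo-project/occurrences/occ-2": {
        "name": "projects/demo-project/occurrences/occ-2",
        "resourceUri": "https://gcr.io/demo-project/worker@" + PLACEHOLDER_DIGEST,
        "kind": "VULNERABILITY",
        "vulnerability": {
            "severity": "LOW",
            "effectiveSeverity": "LOW",
            "cvssScore": 2.1,
            "packageIssue": [{
                "affectedCpeUri": "cpe:/o:alpinelinux:alpine_linux:3.8",
                "affectedPackage": "musl",
                "affectedVersion": {"name": "1.1.19", "kind": "NORMAL"},
                "fixAvailable": False,   # no fixed version published yet
            }],
        },
    },
    # A discovery occurrence reports scan progress, not a finding; it is ignored.
    "projects/demo-project/occurrences/occ-3": {
        "name": "projects/demo-project/occurrences/occ-3",
        "resourceUri": "https://gcr.io/demo-project/api@" + PLACEHOLDER_DIGEST,
        "kind": "DISCOVERY",
    },
}


def decode_pubsub_event(event):
    """Pub/Sub delivers the message body base64-encoded in event['data']."""
    raw = base64.b64decode(event["data"]).decode("utf-8")
    return json.loads(raw)


def triage(occurrence, min_severity="HIGH", require_fix=True):
    """Return a verdict dict for one occurrence.

    'ignore' for anything that is not a vulnerability occurrence, 'block' when
    the effective severity reaches min_severity (and, if require_fix is set, a
    fixed package version exists, so the finding is actionable), else 'allow'.
    """
    if occurrence.get("kind") != "VULNERABILITY":
        return {"verdict": "ignore", "reason": "not a vulnerability occurrence"}
    vuln = occurrence["vulnerability"]
    # effectiveSeverity is the distro's own rating and takes precedence.
    sev = vuln.get("effectiveSeverity") or vuln.get("severity", "SEVERITY_UNSPECIFIED")
    fixable = [p["affectedPackage"] for p in vuln.get("packageIssue", [])
               if p.get("fixAvailable")]
    if SEVERITY_RANK.get(sev, 0) < SEVERITY_RANK[min_severity]:
        return {"verdict": "allow", "reason": f"{sev} is below threshold {min_severity}"}
    if require_fix and not fixable:
        return {"verdict": "allow", "reason": f"{sev} but no fixed version available"}
    return {"verdict": "block", "reason": f"{sev} with fix available",
            "image": occurrence["resourceUri"], "packages": fixable}


def handle_event(event, context=None, lookup=SAMPLE_OCCURRENCES.get):
    """Cloud Function entry point; `lookup` stands in for the API fetch."""
    notification = decode_pubsub_event(event)
    occurrence = lookup(notification["name"])
    if occurrence is None:
        return {"verdict": "ignore", "reason": "occurrence not found"}
    return triage(occurrence)


def make_event(name):
    """Build a Pub/Sub-style event for a constructed notification naming `name`."""
    body = json.dumps({"name": name, "kind": "VULNERABILITY"}).encode("utf-8")
    return {"data": base64.b64encode(body).decode("ascii")}


if __name__ == "__main__":
    for occ_name in SAMPLE_OCCURRENCES:
        print(occ_name, handle_event(make_event(occ_name)))
```

The `require_fix` switch is the design choice worth noting: blocking on severity alone turns every unfixable upstream issue into a build failure, whereas blocking only on findings with a published fix keeps the gate actionable and lets the unfixable ones be tracked separately.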

In other news…

Staying with Google Cloud, its Cloud Memorystore for Redis has reached general availability. It is protocol-compatible with the open source in-memory data structure store Redis, so that applications built on Redis can be migrated to the company’s cloud offering. The service automates tasks such as provisioning, failover, and monitoring.

Cloud Memorystore is available in the regions Oregon, Iowa, South Carolina, Belgium, Taiwan, and the newly added Tokyo, Singapore, and Netherlands. Public beta was announced earlier this year. Feedback from that phase led to metrics being exposed in the GA release, along with some performance improvements. The developers also added a way to create custom roles and improved logging, so that backend issues can be addressed more easily.

Meanwhile, users of the newly revamped Cloud Source Repositories, Google’s GitHub competitor, now have a new user interface with semantic code search available to them. The underlying infrastructure is said to be the same one Google’s own engineers use for code search. According to the blog post announcing the work, the new function is meant to improve developer productivity by letting developers search across multiple repositories with a single query.