1 | 1 | { |
2 | 2 | "Provider": "gcp", |
3 | 3 | "CheckID": "artifacts_container_analysis_enabled", |
4 | | - "CheckTitle": "Ensure Image Vulnerability Analysis using AR Container Analysis or a third-party provider", |
5 | | - "CheckType": [ |
6 | | - "Security", |
7 | | - "Configuration" |
8 | | - ], |
| 4 | + "CheckTitle": "GCP project has Artifact Registry Container Analysis API enabled", |
| 5 | + "CheckType": [], |
9 | 6 | "ServiceName": "artifacts", |
10 | | - "SubServiceName": "Container Analysis", |
| 7 | + "SubServiceName": "", |
11 | 8 | "ResourceIdTemplate": "", |
12 | 9 | "Severity": "medium", |
13 | | - "ResourceType": "Service", |
14 | | - "Description": "Scan images stored in Google Container Registry (GCR) for vulnerabilities using AR Container Analysis or a third-party provider. This helps identify and mitigate security risks associated with known vulnerabilities in container images.", |
15 | | - "Risk": "Without image vulnerability scanning, container images stored in Artifact Registry may contain known vulnerabilities, increasing the risk of exploitation by malicious actors.", |
16 | | - "RelatedUrl": "https://cloud.google.com/artifact-analysis/docs", |
| 10 | + "ResourceType": "serviceusage.googleapis.com/Service", |
| 11 | + "Description": "Evaluates whether **Artifact Analysis** (`containeranalysis.googleapis.com`) is enabled at the project level to support **vulnerability scanning** and metadata for container images in Artifact Registry or Container Registry.", |
| 12 | + "Risk": "Absent this service, images aren't continuously scanned, leaving known CVEs unnoticed. Attackers can run vulnerable containers, gain code execution, move laterally, and exfiltrate data, eroding the **integrity** and **confidentiality** of workloads and the software supply chain.", |
| 13 | + "RelatedUrl": "", |
| 14 | + "AdditionalURLs": [ |
| 15 | + "https://cloud.google.com/artifact-analysis/docs", |
| 16 | + "https://cloud.google.com/artifact-analysis/docs/container-scanning-overview" |
| 17 | + ], |
17 | 18 | "Remediation": { |
18 | 19 | "Code": { |
19 | | - "CLI": "gcloud services enable containeranalysis.googleapis.com", |
| 20 | + "CLI": "gcloud services enable containeranalysis.googleapis.com --project <PROJECT_ID>", |
20 | 21 | "NativeIaC": "", |
21 | | - "Other": "", |
22 | | - "Terraform": "" |
| 22 | + "Other": "1. In Google Cloud Console, ensure the correct project is selected\n2. Go to APIs & Services > Library\n3. Search for \"Container Analysis API\"\n4. Click the API, then click \"Enable\"", |
| 23 | + "Terraform": "```hcl\nresource \"google_project_service\" \"<example_resource_name>\" {\n project = \"<example_project_id>\"\n service = \"containeranalysis.googleapis.com\" # Enables Artifact Analysis (Container Analysis) API to pass the check\n}\n```" |
23 | 24 | }, |
24 | 25 | "Recommendation": { |
25 | | - "Text": "Enable vulnerability scanning for images stored in Artifact Registry using AR Container Analysis or a third-party provider.", |
26 | | - "Url": "https://cloud.google.com/artifact-analysis/docs/container-scanning-overview" |
| 26 | + "Text": "Enable **Artifact Analysis** (`containeranalysis.googleapis.com`) for projects hosting container images. Integrate scan results into CI/CD policy gates, apply **least privilege** to findings access, and rebuild images promptly to maintain **defense in depth**.", |
| 27 | + "Url": "https://hub.prowler.com/check/artifacts_container_analysis_enabled" |
27 | 28 | } |
28 | 29 | }, |
29 | 30 | "Categories": [], |