In part one of this two-part article, we looked at how we could use Pub/Sub and Cloud Functions to aggregate container image vulnerabilities from Artifact/Container Registry across multiple projects and write them to a centralized location. The purpose was to provide a way to centrally manage all image vulnerabilities across an organization without needing access to every project that uses container images.

In our demonstration we used a Google Cloud Storage bucket for the storage location. …


Both Artifact Registry and its predecessor, Container Registry, provide image scanning to detect vulnerabilities within the image. The results of these scans are stored with the associated container image at the project level. As such, any security engineers responsible for managing vulnerabilities in an organization require access to each project. This can conflict with an organization's security policies regarding separation of duties and least privilege.

Many enterprise organizations will have a centralized solution such as Security Command Center, or their own on-premise SIEM, for centrally managing all of their threats, vulnerabilities and security incidents. …

Dan Peachey

Strategic Cloud Engineer at Google Cloud
