Enable Vulnerability Scanning for container_registry #7644
Comments
Hey @claywd! This one is a bit of an unusual resource. Instead of provisioning it through the GCP API, it works by making a handshake with an API, which causes the resource to get provisioned. What API would enable the vulnerability scanning feature? Modifying the GCR GCS bucket?
We also need this feature.
I keep getting stumbled by this when I create a new Artifact Registry. It would be great to enable this somehow.
I've been researching this today as I need to enable this feature. There are 2 types of scanning:
@rileykarson it's unusual also in this setting, as each of them is enabled by enabling the corresponding API. Given the structure, it is possible to overcome this limitation today by enabling the corresponding service using:

```hcl
# Enabling this API enables automated GCR scanning.
# https://cloud.google.com/container-analysis/docs/enable-container-scanning
# https://cloud.google.com/container-analysis/docs/automated-scanning-howto
# https://cloud.google.com/container-analysis/docs/controlling-costs
# Each google_project_service needs its own label; two resources both
# labelled "project" would be rejected by Terraform as a duplicate address.
resource "google_project_service" "container_scanning" {
  service                    = "containerscanning.googleapis.com"
  disable_dependent_services = true
  disable_on_destroy         = true
}

# Enabling this API enables on-demand image scanning on GCR.
# https://cloud.google.com/container-analysis/docs/enable-ods
# https://cloud.google.com/container-analysis/docs/on-demand-scanning-howto
# https://cloud.google.com/container-analysis/docs/controlling-costs
resource "google_project_service" "ondemand_scanning" {
  service                    = "ondemandscanning.googleapis.com"
  disable_dependent_services = false
  disable_on_destroy         = true
}
```

(I've yet to test this, but I plan on doing it in the next week or so)
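The configuration above enables the two APIs in isolation. A fuller version of the same approach, added here as an example (it is not code from the issue or from the provider), also creates the Artifact Registry repository that the images will be pushed to and orders it after the API enablement, so that automated scanning is already on by the time the first image arrives. The variable `project_id`, the resource labels `image_scanning` and `images`, the repository name and the region are assumptions for the example.

```hcl
# Added example, not part of the issue. Assumed names: var.project_id,
# "image_scanning", "images", "us-central1".

variable "project_id" {
  type = string
}

locals {
  # containerscanning: every image pushed to the registry is scanned
  # automatically (billed per pushed image, see the controlling-costs doc).
  # ondemandscanning: scans run only when explicitly requested per image.
  scanning_apis = toset([
    "containerscanning.googleapis.com",
    "ondemandscanning.googleapis.com",
  ])
}

resource "google_project_service" "image_scanning" {
  for_each = local.scanning_apis

  project = var.project_id
  service = each.value

  # Kept false on purpose: with disable_on_destroy = true, destroying this
  # resource switches scanning off for every other registry in a shared
  # project, which is usually not what the owner of one repository wants.
  disable_dependent_services = false
  disable_on_destroy         = false
}

resource "google_artifact_registry_repository" "images" {
  project       = var.project_id
  location      = "us-central1"
  repository_id = "images"
  format        = "DOCKER"
  description   = "Images pushed here are scanned by the Container Scanning API"

  # Enable the APIs before anything can be pushed: automated scanning
  # applies to images pushed after the API is on.
  depends_on = [google_project_service.image_scanning]
}

output "scanning_apis_enabled" {
  value = [for s in google_project_service.image_scanning : s.service]
}
```

After `terraform apply`, a quick check that both services really are on in the target project is `gcloud services list --enabled --project PROJECT_ID | grep -E 'containerscanning|ondemandscanning'`; both names should appear. On-demand scans themselves are still triggered per image outside Terraform, which is why a dedicated resource for them is not needed.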
Based on that + the linked cloud docs it seems to me that we don't need a new resource at all, and that this workflow is possible with existing resources? Performing individual on-demand scans and browsing results don't seem like they obviously fit into a Terraform workflow, so they likely don't need to be added.
@endorama Any update on this issue? |
@claudio-vellage I can confirm that enabling
It looks like this issue is resolved by enabling those APIs. (Also note that Container Registry is now deprecated in favor of Artifact Registry, #19661.)
Description
I'd like to contribute a few lines to allow users to enable Vulnerability Scanning if there is interest in such a feature.
New or Affected Resource(s)
Potential Terraform Configuration
References
None that I could dig up.