Generating security information for your build
Cloud Build can provide security-related information for each build when the produced artifact (a container image or a Java, Python, or Node.js package) is stored in Artifact Registry. The following information is provided:
- Vulnerability scanning report
- Supply-chain Levels for Software Artifacts (SLSA)-compliant digitally signed provenance
Cloud Build stores both of these as metadata in Artifact Registry. Vulnerability scanning requires that the Artifact Analysis API be enabled.
The first thing we’ll provide is provenance information.
Producing digitally signed provenance
In order to generate provenance metadata for builds running in regional or private pools, you need to add a `requestedVerifyOption` setting to your build config file:
- In the `options:` section of your `cloudbuild.yaml` file, add the `requestedVerifyOption: VERIFIED` setting. The section will look like this:

  options:
    ...
    requestedVerifyOption: VERIFIED
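A complete build config showing where this setting sits relative to the rest of the file, added here as an example and not taken from the original page. It assumes a Dockerfile in the repository root; `PROJECT_ID`, `REGION`, `REPO`, and `POOL_NAME` are placeholders, and the `pool` block is only needed when the build runs in a private pool.

```yaml
# Added example (not from the original page): a cloudbuild.yaml that builds a
# container image, pushes it to Artifact Registry (required for Cloud Build to
# record vulnerability and provenance metadata), and requests verified provenance.
# PROJECT_ID, REGION, REPO and POOL_NAME are placeholders to replace.
steps:
  - name: 'gcr.io/cloud-builders/docker'
    args:
      - 'build'
      - '-t'
      - 'REGION-docker.pkg.dev/PROJECT_ID/REPO/app:$BUILD_ID'
      - '.'

# Images listed here are pushed to Artifact Registry after the steps finish,
# which is what makes the SLSA provenance and scan results available as metadata.
images:
  - 'REGION-docker.pkg.dev/PROJECT_ID/REPO/app:$BUILD_ID'

options:
  # Only for builds in a private pool; omit for the default or a regional pool.
  pool:
    name: 'projects/PROJECT_ID/locations/REGION/workerPools/POOL_NAME'
  # Requests that Cloud Build generate digitally signed SLSA provenance.
  requestedVerifyOption: VERIFIED
```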