Build an application and view security insights
This quickstart explains how to build an application and view security insights for the build in the Security insights panel in the Google Cloud console.
You will:
- Build and containerize a Java application using Cloud Build and push the container image to Artifact Registry Docker repository.
-
View the following security insights for the build:
- Supply-chain Levels for Software Artifacts (SLSA) level, which identifies the maturity level of your software build process in accordance with the SLSA specification .
- Vulnerabilities in build artifacts.
- Software bill of materials (SBOM) for the build artifacts.
- Build provenance, which is a collection of verifiable metadata about a build. It includes details such as the digests of the built images, the input source locations, the build toolchain, build steps, and the build duration.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
Create or select a Google Cloud project.
-
Create a Google Cloud project:
gcloud projects create PROJECT_ID
Replace
PROJECT_ID
with a name for the Google Cloud project you are creating. -
Select the Google Cloud project that you created:
gcloud config set project PROJECT_ID
Replace
PROJECT_ID
with your Google Cloud project name.
-
-
Make sure that billing is enabled for your Google Cloud project.
-
Enable the Cloud Build, Artifact Registry, and Container Scanning APIs:
gcloud services enable cloudbuild.googleapis.com
artifactregistry.googleapis.com containerscanning.googleapis.com - Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init
-
Create or select a Google Cloud project.
-
Create a Google Cloud project:
gcloud projects create PROJECT_ID
Replace
PROJECT_ID
with a name for the Google Cloud project you are creating. -
Select the Google Cloud project that you created:
gcloud config set project PROJECT_ID
Replace
PROJECT_ID
with your Google Cloud project name.
-
-
Make sure that billing is enabled for your Google Cloud project.
-
Enable the Cloud Build, Artifact Registry, and Container Scanning APIs:
gcloud services enable cloudbuild.googleapis.com
artifactregistry.googleapis.com containerscanning.googleapis.com
Prepare your environment
Set your project ID as an environment variable:
export PROJECT_ID=$(gcloud config get project)
Clone the repository that contains the Java code sample to build and containerize:
git clone https://github.com/googlecloudplatform/software-delivery-shield-demo-java.git cd software-delivery-shield-demo-java/backend
Create the Artifact Registry repository for your image
Create a new Docker repository named
containers
in the locationus-central1
with the description "Docker repository":gcloud artifacts repositories create containers \ --repository-format=docker \ --location=us-central1 --description="Docker repository"
Verify that your repository was created:
gcloud artifacts repositories list
You should see
containers
in the list of displayed repositories.
Build the application
Build and containerize the Java application using Cloud Build. The following command builds and containerizes the Java application and stores the built container in the Artifact Registry docker repository:
gcloud builds submit --config=cloudbuild.yaml --region=us-central1
After the build completes, you see a success status message similar to the following:
<pre class="none lang-sh">
DONE
-----------------------------------------------------------------------------
ID: 3e08565f-7f57-4449-bc68-51c46cf33d03
CREATE_TIME: 2022-09-19T15:41:07+00:00
DURATION: 54S
SOURCE: gs://sds-docs-project_cloudbuild/source/1663602066.777581-6ebe4b2d6fd741ffa18936d7f78055e9.tgz
IMAGES: us-central1-docker.pkg.dev/sds-docs-project/containers/java-guestbook-backend:quickstart
STATUS: SUCCESS
</pre>
Generate an SBOM for the built image
An SBOM is a full inventory of an application, identifying the packages your software relies on. The contents can include third-party software from vendors, internal artifacts, and open source libraries.
Generate the SBOM for the image you built in the previous section:
gcloud artifacts sbom export
--uri=us-central1-docker.pkg.dev/${PROJECT_ID}/containers/java-guestbook-backend:quickstart
View security insights
The Cloud Build UI in the Google Cloud console contains the Security insights panel that displays security information related to the build such as SLSA level, any vulnerabilities in the dependencies, and build provenance.
To view the Security insights panel:
Open the Build history page in the Google Cloud console:
Select your project and click Open.
In the Region drop-down menu, select us-central1.
In the table with the builds, locate the row with the build you just executed.
Under the Security insights column click View.
You see the Security insights panel for the build:
This panel displays the following information:
SLSA Level: This build has achieved SLSA Level 3. Click the Learn more link to learn what this security level means.
Vulnerabilities: Any vulnerabilities found in your artifacts. Click the image name (java-guestbook-backend) to see the artifacts that have been scanned for vulnerabilities.
Dependencies for the built container image in Artifact Registry.
Build details: Details of the build such as the builder and the link to view logs.
Clean up
To avoid incurring charges to your Google Cloud account for the resources used on this page, delete the Google Cloud project with the resources.
Disable Container Scanning API:
gcloud services disable containerscanning.googleapis.com --force
Delete the Artifact Registry repository:
gcloud artifacts repositories delete containers \ --location=us-central1 --async
You have now deleted the repository that you created as part of this quickstart.
What's next
- Learn more about the security insights panel in Cloud Build
- Learn how to view security insights when deploying to Cloud Run
- Learn how to view security insights when deploying to GKE
- Learn more about software supply chain security