Alternatives to GCR Vulnerability Scanning

Google Cloud Platform is really great. GCP provides all the infrastructure and services that your apps need. However, sometimes the cloud can be costly if you are as poor as I am

I’ve gone through the process of containerising all my apps and moving into a more distributed application architecture. I’ve been building individual APIs around most of the services my apps use and I’m moving away from the monolithic approach of building apps

Before, I would deploy my entire app's codebase into static Linode server infrastructure and perform the routine operating system maintenance, which I'm probably really bad at because who really feels like updating operating system packages on a regular basis, and my brain can't do repeat work

But security is important and what’s great about containerisation in GCP is that they offer vulnerability scanning for containers. The vulnerability scanning is invoked each time a container (a new tag) is pushed into Google Container Registry

This means I can get a report of all the vulnerabilities that exist in the container. Awesome!

Until the bill arrives…

USD $7.54 for container vulnerability scanning! This is way too expensive

I analyse the bill like this:

Cloud SQL: USD $12.24

I don’t want to manage relational database servers and all I care about is the schema design and stored procedures

Cloud Storage: USD $1.52

Persistent data storage, since the containers are ephemeral (I don't need locally mounted block storage)

Cloud DNS: USD $0.20

I have a few DNS zones that I use for GCP and I don’t feel like managing any more DNS zones in Bind9

Cloud Run: USD $0.05

Hosted Knative is really great and this bill is super cheap because my apps scale to zero. I don’t want to manage any servers and all I care about is code and getting the business logic right

Translate: USD $0.00

The language processor on my website will cache the dynamic translations so this API is only ever invoked when I add or change any template strings on my website

Places API: USD $0.00

I’d imagine this bill will ramp up when I feature on the homepage of Product Hunt or Hacker News

So, I need to find a different way to perform vulnerability scanning, particularly a way that is free so I can disable the vulnerability scanning in GCR. This needed to be done quickly as I can’t afford to spend this amount of money anymore

The solution

Grype - absolutely the best solution and it's really easy to use

grype "$IMAGE" -o table

You’ll be presented with all vulnerabilities that exist in the container

✔ Vulnerability DB        [no update available]
✔ Loaded image            
✔ Parsed image            
✔ Cataloged packages      [398 packages]
✔ Scanned image           [110 vulnerabilities]

apache2        CVE-2019-17567
apache2-bin    CVE-2019-17567
apache2-data   CVE-2019-17567
apache2-utils  CVE-2019-17567
coreutils      CVE-2016-2781
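As an added example (not code from the original post or from the Grype project): a small CI gate that reads Grype's JSON output (`grype "$IMAGE" -o json`, a real Grype output option) and fails the build when a fixable vulnerability at or above a chosen severity is present, which is roughly what the GCR scan report was being used for. The sample report, its versions, severities, fix states and `CVE-EXAMPLE-0001` are constructed for the demo; only the package/CVE pairs come from the table above.

```python
import json
import sys

# Grype's severity labels, ranked so they can be compared against a threshold.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample in the shape of `grype "$IMAGE" -o json`: the package/CVE pairs
# are from the table above; severities, versions and fix states are made-up demo values.
SAMPLE_REPORT = {"matches": [
    {"vulnerability": {"id": "CVE-2019-17567", "severity": "Medium", "fix": {"state": "not-fixed"}},
     "artifact": {"name": "apache2", "version": "2.4.38"}},
    {"vulnerability": {"id": "CVE-2019-17567", "severity": "Medium", "fix": {"state": "not-fixed"}},
     "artifact": {"name": "apache2-bin", "version": "2.4.38"}},
    {"vulnerability": {"id": "CVE-2016-2781", "severity": "Low", "fix": {"state": "wont-fix"}},
     "artifact": {"name": "coreutils", "version": "8.30"}},
    {"vulnerability": {"id": "CVE-EXAMPLE-0001", "severity": "Critical", "fix": {"state": "fixed"}},
     "artifact": {"name": "example-lib", "version": "1.2.3"}},
]}

def severity_counts(report):
    """Count matches per severity label, e.g. {'Medium': 2, 'Low': 1, 'Critical': 1}."""
    counts = {}
    for m in report.get("matches", []):
        sev = m["vulnerability"].get("severity", "Unknown")
        counts[sev] = counts.get(sev, 0) + 1
    return counts

def failing_matches(report, threshold="High", fixed_only=True):
    """Matches at or above `threshold`; with fixed_only, only ones an upgrade would remove."""
    floor = SEVERITY_RANK[threshold]
    hits = []
    for m in report.get("matches", []):
        vuln, pkg = m["vulnerability"], m["artifact"]
        if SEVERITY_RANK.get(vuln.get("severity", "Unknown"), 0) < floor:
            continue
        if fixed_only and vuln.get("fix", {}).get("state") != "fixed":
            continue
        hits.append((pkg["name"], pkg["version"], vuln["id"], vuln["severity"]))
    return hits

def gate(report, threshold="High", fixed_only=True):
    return 1 if failing_matches(report, threshold, fixed_only) else 0  # CI exit status

if __name__ == "__main__":
    # Real use: grype "$IMAGE" -o json | python3 gate.py ; the sample runs when nothing is piped in.
    report = SAMPLE_REPORT if sys.stdin.isatty() else json.load(sys.stdin)
    print("severity counts:", severity_counts(report))
    for name, version, cve, sev in failing_matches(report):
        print(f"FAIL {name} {version} {cve} ({sev})")
    sys.exit(gate(report))
```

Grype's own `--fail-on` and `--only-fixed` flags apply the same policy on the command line; parsing the JSON yourself is for when you want the summary shaped your own way in CI.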

Don't try these

Clair - absolutely crap and has massive amounts of dependencies (I used brew to install clair and it ended up installing Postgres too)