Securing Containerized Web Apps on Google Cloud Platform
Author: Surya Harahap (@suryaharahap18)
Introduction
We're going to analyze our container image for vulnerabilities and then scan the running application with Web Security Scanner to identify vulnerabilities present in the live web app.
Artifact Registry is the recommended service for container image storage and management on Google Cloud. Artifact Registry provides the same container management features as Container Registry and includes additional features and benefits. As a fully-managed service with support for both container images and non-container artifacts, Artifact Registry extends the capabilities of Container Registry.[1]
Prerequisites
Before we begin, make sure you have the following prerequisites in place:
- A Google Cloud Platform (GCP) account with access to Artifact Registry and Container Scanning (both APIs enabled in the project).
- A local development environment with the required tools installed, such as the Google Cloud SDK and Docker. (If Docker is not installed, install it first; on Ubuntu, follow the Docker installation guide.)[2]
Step 1: Set Up Your Development Environment
To start, ensure that you have the Google Cloud SDK installed on your local machine (if not, install it first). This SDK provides the tools and commands needed to interact with Artifact Registry. Additionally, if you plan to push Docker images, make sure Docker is installed as well.
Step 2: Authenticate with Google Cloud
Before interacting with Artifact Registry, you need to authenticate with your Google Cloud account. Open a terminal or command prompt and run the following command:
gcloud auth login
This will open a browser window where you can log in with your Google Cloud credentials. Once authenticated, you will be able to access your GCP resources.
Step 3: Configure the GCP Project and Region
Set your default GCP project by running the following command, replacing [PROJECT_ID] with your project's ID:
gcloud config set project [PROJECT_ID]
Next, set the default region for your project. Choose a region closest to your location to minimize latency:
gcloud config set compute/region [REGION]
Step 4: Enable the Artifact Registry API
Ensure that the Artifact Registry API is enabled for your project. You can enable it using the following command:
gcloud services enable artifactregistry.googleapis.com
Step 5: Create an Artifact Registry Repository
In this step, we will create a repository in Artifact Registry to store our artifacts. Run the following command, replacing [REPO_NAME] with a name for your repository:
gcloud artifacts repositories create [REPO_NAME] --repository-format=docker \
  --location=[REGION] --description="My Artifact Repository"
Step 6: Docker Pull, Tag and Push an Image
Docker Pull
Pull the DVWA Docker image:
docker pull vulnerables/web-dvwa
Docker Tags
Now, let's tag the image for the repository we created. For example, if you want to push a Docker image, ensure that you have built (or pulled) the image locally. Tag it with the full Artifact Registry path using the following command (source image first, then the registry target):
docker tag [IMAGE_NAME] [REGION]-docker.pkg.dev/[PROJECT_ID]/[REPO_NAME]/[IMAGE_NAME]:[TAG]
Replace [IMAGE_NAME], [PROJECT_ID], [REPO_NAME], [REGION] and [TAG] with appropriate values.
docker tag demo us-central1-docker.pkg.dev/abcd-doc-lab/docker-repo/demo
# from lab guru: tag the pulled DVWA image for the project's gcr.io registry path
docker tag docker.io/vulnerables/web-dvwa:latest gcr.io/${GOOGLE_CLOUD_PROJECT}/web-dvwa:latest
Docker Push
Next, push the tagged image to Artifact Registry by running:
docker push [REGION]-docker.pkg.dev/[PROJECT_ID]/[REPO_NAME]/[IMAGE_NAME]:[TAG]
e.g. docker push us-central1-docker.pkg.dev/abcd-doc-lab/docker-repo/demo
Step 7: Verify the Pushed Artifact
To verify that your artifact has been successfully pushed to Artifact Registry, navigate to the Google Cloud Console, open Artifact Registry, and select your repository. You should see the pushed artifact listed there.
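Steps 5 to 7 tied together with a vulnerability gate, as an added example that is not the post's own code: it reuses the Step 5 repository, adds the `gcloud auth configure-docker` step the push needs for a pkg.dev host, and fails on CRITICAL or HIGH findings returned by the On-Demand Scanning API (an assumption: that API is enabled in the project). The gate function is exercised against constructed severity lines rather than a real scan.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): tag and push the DVWA image to the
# Artifact Registry repository from Step 5, run an on-demand vulnerability scan
# and fail when CRITICAL or HIGH findings are reported. Assumes the On-Demand
# Scanning API (ondemandscanning.googleapis.com) is enabled in the project.
set -eu

# Compose the Artifact Registry image URI: REGION-docker.pkg.dev/PROJECT/REPO/IMAGE:TAG
ar_image_uri() {
  printf '%s-docker.pkg.dev/%s/%s/%s:%s\n' "$1" "$2" "$3" "$4" "$5"
}

# Read one effective severity per line from stdin (the format that
# `gcloud artifacts docker images list-vulnerabilities` prints below),
# print the counts and return 1 if any CRITICAL or HIGH finding is present.
severity_gate() {
  local critical=0 high=0 other=0 sev
  while IFS= read -r sev; do
    case "$sev" in
      CRITICAL) critical=$((critical + 1)) ;;
      HIGH)     high=$((high + 1)) ;;
      '')       ;;                         # ignore blank lines
      *)        other=$((other + 1)) ;;
    esac
  done
  printf 'critical=%d high=%d other=%d\n' "$critical" "$high" "$other"
  if [ "$critical" -gt 0 ] || [ "$high" -gt 0 ]; then return 1; fi
  return 0
}

# Tag, push and scan; only runs when invoked with real REGION PROJECT_ID REPO_NAME values.
push_and_scan() {
  local region="$1" project="$2" repo="$3" image scan
  image="$(ar_image_uri "$region" "$project" "$repo" web-dvwa latest)"

  # Docker must hold credentials for the regional registry host or the push is denied.
  gcloud auth configure-docker "${region}-docker.pkg.dev" --quiet
  docker tag docker.io/vulnerables/web-dvwa:latest "$image"
  docker push "$image"

  # Scan the pushed (remote) image and keep the returned scan resource name.
  scan="$(gcloud artifacts docker images scan "$image" --remote \
            --format='value(response.scan)')"
  gcloud artifacts docker images list-vulnerabilities "$scan" \
      --format='value(vulnerability.effectiveSeverity)' | severity_gate
}

if [ "${1:-}" = "run" ]; then
  push_and_scan "${2:?REGION}" "${3:?PROJECT_ID}" "${4:?REPO_NAME}"
fi
```

Run it as `./push_and_scan.sh run us-central1 [PROJECT_ID] [REPO_NAME]`; a non-zero exit means the image carries CRITICAL or HIGH findings and should not be deployed.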
References:
- https://medium.com/@abhinav.90444/title-pushing-artifacts-to-artifact-registry-a-step-by-step-guide-97f825242cfc
- https://cloud.google.com/artifact-registry/docs/docker/pushing-and-pulling
Footnotes
[1] My reference: the Google Cloud docs page "Transition from Container Registry".
[2] My reference for the details: the Medium blog post listed under References.