Overview
Container images with exploitable high or critical vulnerabilities create software supply-chain risk before the workload is ever deployed. Publicly disclosed vulnerabilities are frequently weaponized within days of disclosure, so exploitable findings in base images, OS packages, language dependencies, or application layers should be treated as release-blocking for production workloads. "Exploitable" here means a finding for which a fix is available and the vulnerable component is actually present in the image; unfixable or unreachable findings still need tracking, but they are not what blocks a release.
Prioritize images that are running in production, externally reachable, used by privileged workloads, or referenced by multiple deployments.
Remediation guidance
Remediation
Rebuild the affected image from a patched base image, update vulnerable packages, publish a new immutable digest, and move workloads to the fixed image. Deploy by digest, not by mutable tags such as latest: a tag can be re-pointed to a vulnerable image without any visible change to the workload definition, and it gives you no way to prove which build is actually running.
Google Cloud / Artifact Registry
Review vulnerabilities for the affected image digest or package context in Artifact Analysis / Security Command Center, then rebuild and publish a fixed image. Replace {{manual.imageReference}} with the full image reference (REGION-docker.pkg.dev/PROJECT/REPOSITORY/IMAGE, followed by :TAG or @sha256:DIGEST) and {{manual.fixedTag}} with the approved fixed tag on that same full path. The describe command below only reports findings when Artifact Analysis vulnerability scanning (the Container Scanning API) is enabled for the project; an empty result on an unscanned image is not a clean bill of health.
gcloud artifacts docker images describe {{manual.imageReference}} \
--show-package-vulnerability
Build and push a patched image from the updated source and dependencies. Run this from the directory containing the updated Dockerfile; Cloud Build builds it and pushes the result to the registry path given in the tag, and prints the resulting digest that workloads should be pinned to:
gcloud builds submit \
--tag {{manual.fixedTag}}
If the vulnerable image is no longer needed, delete or quarantine the vulnerable tag after workloads have moved to the fixed digest. Note that deleting a tag only removes the pointer: the manifest and layers stay pullable by digest until the image itself is deleted, so check that no Deployment, Job, or Cloud Run revision still references the old digest before removing it:
gcloud artifacts docker tags delete {{manual.vulnerableTag}} \
--quiet
Rollout guidance
- Patch the Dockerfile base image, OS packages, lockfiles, and language dependencies, and confirm the rebuilt image no longer reports the finding before promoting it.
- Rebuild from source; never patch a running container manually, since the fix is lost on the next restart and leaves the registry image vulnerable.
- Deploy by immutable digest and monitor rollout health (readiness, error rate, latency) so a bad rebuild can be rolled back to the previous digest.
- Remove stale vulnerable tags, gate the CI/CD pipeline on the scan result, and enforce the same policy at admission time (for example with Binary Authorization) so that an image with exploitable critical/high findings cannot reach the cluster even if it is pushed to the registry.
- Track exceptions with an owner, expiry date, compensating controls, and proof that the vulnerable code path is not reachable; an expired exception must fail closed and block the release again.
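The procedure above (describe the image, decide whether the findings are release-blocking, deploy by digest, honour only unexpired exceptions) can be turned into a single CI gate. The following Python script is an added example; it is not part of this page or of Google's tooling. It parses the JSON emitted by `gcloud artifacts docker images describe IMAGE --show-package-vulnerability --format=json` and fails when a CRITICAL or HIGH finding has a fix available and is not covered by an active exception. The field names it reads (`image_summary.fully_qualified_digest`, `package_vulnerability_summary.vulnerabilities`, `vulnerability.fixAvailable`, `packageIssue[].fixAvailable`) are assumed from gcloud's output and should be checked against your gcloud version; the sample report and the CVE-0000-* identifiers in it are constructed placeholders, not real findings.

```python
#!/usr/bin/env python3
"""Release gate for Artifact Registry images (added example, not from gcloud or this page).

Blocks a release when the scan report contains a CRITICAL/HIGH finding that has a fix
available, unless an unexpired exception covers it. Field names are assumed from the
output of `gcloud artifacts docker images describe --show-package-vulnerability --format=json`.
"""
import json
import subprocess
import sys
from datetime import date

BLOCKING_SEVERITIES = ("CRITICAL", "HIGH")


def describe_image(image_ref):
    """Fetch the scan report for one image reference. Needs gcloud auth; not used offline."""
    cmd = ["gcloud", "artifacts", "docker", "images", "describe", image_ref,
           "--show-package-vulnerability", "--format=json"]
    proc = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def pinned_reference(report):
    """Digest-pinned reference to deploy; never a mutable tag."""
    return report["image_summary"]["fully_qualified_digest"]


def _fix_available(vuln):
    # gcloud reports a fix both at the vulnerability level and per affected package.
    if vuln.get("fixAvailable"):
        return True
    return any(issue.get("fixAvailable") for issue in vuln.get("packageIssue", []))


def _active_exceptions(exceptions, today):
    # An exception without a future expiry date is ignored: expired means fail closed.
    return {e["cve"] for e in exceptions if date.fromisoformat(e["expires"]) >= today}


def blocking_findings(report, exceptions=(), today=None):
    """Return CRITICAL/HIGH findings with a fix available that no active exception covers."""
    today = today or date.today()
    active = _active_exceptions(exceptions, today)
    by_severity = report.get("package_vulnerability_summary", {}).get("vulnerabilities", {})
    findings = []
    for severity in BLOCKING_SEVERITIES:
        for occ in by_severity.get(severity, []):
            vuln = occ.get("vulnerability", {})
            cve = occ.get("noteName", "").rsplit("/", 1)[-1]  # projects/goog-vulnz/notes/CVE-...
            if not _fix_available(vuln) or cve in active:
                continue
            packages = sorted({i.get("affectedPackage", "?") for i in vuln.get("packageIssue", [])})
            findings.append({"severity": severity, "cve": cve, "packages": packages})
    return findings


def gate(report, exceptions=()):
    """Return (ok, message); ok is False when the release must be blocked."""
    findings = blocking_findings(report, exceptions)
    if findings:
        detail = "; ".join(f"{f['severity']} {f['cve']} in {','.join(f['packages'])}" for f in findings)
        return False, "blocked: " + detail
    return True, "ok: deploy " + pinned_reference(report)


# Constructed sample report in the assumed gcloud JSON shape (placeholder identifiers, not real CVEs).
SAMPLE_REPORT = {
    "image_summary": {
        "digest": "sha256:" + "ab" * 32,
        "fully_qualified_digest": "us-docker.pkg.dev/example-project/apps/api@sha256:" + "ab" * 32,
    },
    "package_vulnerability_summary": {
        "total_vulnerability_found": "3",
        "not_fixed_vulnerability_count": "1",
        "vulnerabilities": {
            "CRITICAL": [{  # fix available: this one blocks the release
                "noteName": "projects/goog-vulnz/notes/CVE-0000-0001",
                "vulnerability": {"effectiveSeverity": "CRITICAL", "fixAvailable": True,
                                  "packageIssue": [{"affectedPackage": "libexample", "fixAvailable": True,
                                                    "fixedVersion": {"kind": "NORMAL", "name": "1.2.4"}}]}}],
            "HIGH": [{  # no fix available yet: tracked, but not release-blocking
                "noteName": "projects/goog-vulnz/notes/CVE-0000-0002",
                "vulnerability": {"effectiveSeverity": "HIGH", "fixAvailable": False,
                                  "packageIssue": [{"affectedPackage": "libother", "fixAvailable": False,
                                                    "fixedVersion": {"kind": "MAXIMUM"}}]}}],
            "MEDIUM": [{  # below the blocking threshold
                "noteName": "projects/goog-vulnz/notes/CVE-0000-0003",
                "vulnerability": {"effectiveSeverity": "MEDIUM", "fixAvailable": True, "packageIssue": []}}],
        },
    },
}

# Constructed exception record with the fields the rollout guidance asks for; it has expired,
# so it must not suppress CVE-0000-0001.
SAMPLE_EXCEPTIONS = [
    {"cve": "CVE-0000-0001", "owner": "app-team", "expires": "2000-01-01",
     "compensating_controls": "egress denied from the pod",
     "justification": "vulnerable code path not reachable; proof linked in ticket"},
]


def main(argv):
    # With an image reference: gate a real scan. Without one: run against the constructed sample.
    report = describe_image(argv[1]) if len(argv) > 1 else SAMPLE_REPORT
    ok, message = gate(report, SAMPLE_EXCEPTIONS)
    print(message)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the full image reference as the only argument inside the pipeline step that runs after `gcloud builds submit`; a non-zero exit stops promotion, and on success the printed message carries the digest-pinned reference to substitute into the deployment manifest. Exceptions are keyed by CVE and fail closed on expiry, which is what makes the "owner, expiry date, compensating controls" bookkeeping enforceable rather than advisory.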
References
- https://cloud.google.com/artifact-analysis/docs/container-scanning-overview
- https://cloud.google.com/sdk/gcloud/reference/artifacts/docker/images/describe
- https://cloud.google.com/build/docs/build-push-docker-image
Query logic
These are the stored checks tied to this control.
Check: GCP container images with exploitable high or critical vulnerabilities
Connectors: Google Cloud
Covered asset types
Expected check: eq []
Query: { ContainerImagesWithExploitableVulnerabilities { ...AssetFragment } }
The control passes when the query returns an empty list (eq []); every image the query does return is a failing asset that needs the remediation above.