Configure Pub/Sub notifications
This document describes how to set up notifications for updates to notes and occurrences.
Artifact Analysis provides notifications via Pub/Sub for vulnerabilities found by automated scanning and for other metadata. When a note or occurrence is created or updated, a message is published to the corresponding topic for each API version. Use the topic for the API version you are using.
Before you begin
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
- In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
- Enable the Container Analysis API.
- Install the Google Cloud CLI.
- If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
- To initialize the gcloud CLI, run the following command:
  gcloud init
- Learn how to set up access control for metadata in your project. Skip this step if you only consume metadata from vulnerability occurrences created by Artifact Analysis container scanning.
Create Pub/Sub topics
After you activate the Artifact Analysis API, Artifact Analysis automatically creates Pub/Sub topics with the following topic IDs:
container-analysis-notes-v1
container-analysis-occurrences-v1
If the topics were accidentally deleted or are missing, you can add them yourself. For example, the topics might be missing if your Google Cloud organization has an organization policy constraint that requires encryption with customer-managed encryption keys (CMEK). When the Pub/Sub API is in the deny list of this constraint, services cannot automatically create topics with Google-owned and Google-managed encryption keys.
To create the topics with Google-owned and Google-managed encryption keys:
Console
1. Go to the Pub/Sub topics page in the Google Cloud console.
2. Click Create Topic.
3. Enter the Topic ID container-analysis-notes-v1 so that the name matches the URI projects/PROJECT_ID/topics/container-analysis-notes-v1, where PROJECT_ID is your Google Cloud project ID.
4. Click Create.
5. Enter the Topic ID container-analysis-occurrences-v1 so that the name matches the URI projects/PROJECT_ID/topics/container-analysis-occurrences-v1.
gcloud
Run the following commands in your shell or terminal window:
gcloud pubsub topics create projects/PROJECT_ID/topics/container-analysis-notes-v1
gcloud pubsub topics create projects/PROJECT_ID/topics/container-analysis-occurrences-v1
To learn more about the gcloud pubsub topics command, see the topics documentation.
To create the topics with CMEK encryption, see the Pub/Sub instructions for encrypting topics.
Any time a note or an occurrence is created or updated, a message is published to the respective topic. To actually receive those messages from the Pub/Sub service, you must also create a Pub/Sub subscription that listens for the events.
Create Pub/Sub subscriptions
To listen to events, create a Pub/Sub subscription associated with the topic:
Console
1. Go to the Pub/Sub subscriptions page in the Google Cloud console.
2. Click Create Subscription.
3. Type a name for the subscription. For example, notes.
4. Enter the URI of the topic for notes: projects/PROJECT_ID/topics/container-analysis-notes-v1, where PROJECT_ID is your Google Cloud project ID.
5. Click Create.
6. Create another subscription for occurrences with the URI projects/PROJECT_ID/topics/container-analysis-occurrences-v1.
gcloud
To receive Pub/Sub events, you must first create a subscription associated with the container-analysis-occurrences-v1 topic:
gcloud pubsub subscriptions create \
--topic container-analysis-occurrences-v1 occurrences
Going forward, you can pull messages concerning your occurrences using your new subscription:
gcloud pubsub subscriptions pull \
--auto-ack occurrences
Java
To learn how to install and use the client library for Artifact Analysis, see Artifact Analysis client libraries. For more information, see the Artifact Analysis Java API reference documentation.
To authenticate to Artifact Analysis, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Go
To learn how to install and use the client library for Artifact Analysis, see Artifact Analysis client libraries. For more information, see the Artifact Analysis Go API reference documentation.
To authenticate to Artifact Analysis, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Node.js
To learn how to install and use the client library for Artifact Analysis, see Artifact Analysis client libraries. For more information, see the Artifact Analysis Node.js API reference documentation.
To authenticate to Artifact Analysis, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Ruby
To learn how to install and use the client library for Artifact Analysis, see Artifact Analysis client libraries. For more information, see the Artifact Analysis Ruby API reference documentation.
To authenticate to Artifact Analysis, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Python
To learn how to install and use the client library for Artifact Analysis, see Artifact Analysis client libraries. For more information, see the Artifact Analysis Python API reference documentation.
To authenticate to Artifact Analysis, set up Application Default Credentials. For more information, see Set up authentication for a local development environment.
Subscriber applications only receive messages that are published to the topic after the subscription is created.
Pub/Sub payloads are in JSON and their schema is as follows:
Notes:
{
  "name": "projects/PROJECT_ID/notes/NOTE_ID",
  "kind": "NOTE_KIND",
  "notificationTime": "NOTIFICATION_TIME"
}
Occurrences:
{
  "name": "projects/PROJECT_ID/occurrences/OCCURRENCE_ID",
  "kind": "NOTE_KIND",
  "notificationTime": "NOTIFICATION_TIME"
}
where:
- NOTE_KIND is one of the values in NoteKind.
- NOTIFICATION_TIME is a timestamp in RFC 3339 UTC "Zulu" format, accurate to nanoseconds.
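The following subscriber is added here as an example; it is not code from the Artifact Analysis documentation or its client libraries. It validates each message body against the schema above before acting on it, then streams from the occurrences subscription created earlier. It assumes the google-cloud-pubsub client library, that automated scan results arrive as occurrences with the NoteKind value VULNERABILITY, and a constructed sample payload with placeholder project and occurrence IDs.

```python
import json
import re
from datetime import datetime, timezone

# Resource-name patterns for the two payload shapes described above.
NOTE_RE = re.compile(r"^projects/([^/]+)/notes/([^/]+)$")
OCCURRENCE_RE = re.compile(r"^projects/([^/]+)/occurrences/([^/]+)$")
RFC3339_Z_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d{1,9})?Z$")  # Zulu, up to nanoseconds
# Constructed sample message body in the documented schema (not a real notification).
SAMPLE = b'{"name": "projects/my-project/occurrences/occ-example-1", "kind": "VULNERABILITY", "notificationTime": "2025-06-12T10:15:30.123456789Z"}'

def parse_rfc3339_z(ts: str) -> datetime:
    """Zulu timestamp -> aware UTC datetime; nanoseconds are truncated to microseconds."""
    base, _, frac = ts[:-1].partition(".")
    micros = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(microsecond=micros, tzinfo=timezone.utc)

def parse_notification(data: bytes) -> dict:
    """Validate one message body against the documented schema; ValueError on anything unexpected."""
    payload = json.loads(data)
    name, kind, ts = payload.get("name", ""), payload.get("kind", ""), payload.get("notificationTime", "")
    if not kind:
        raise ValueError("missing kind")
    if not RFC3339_Z_RE.match(ts):
        raise ValueError(f"bad notificationTime: {ts!r}")
    match, resource = NOTE_RE.match(name), "note"
    if match is None:
        match, resource = OCCURRENCE_RE.match(name), "occurrence"
    if match is None:
        raise ValueError(f"unexpected resource name: {name!r}")
    project, resource_id = match.groups()
    return {"resource": resource, "project": project, "id": resource_id, "kind": kind, "time": parse_rfc3339_z(ts)}

def is_vulnerability_occurrence(event: dict) -> bool:
    """True for occurrences of NoteKind VULNERABILITY, the kind automated scan results arrive as (assumption)."""
    return event["resource"] == "occurrence" and event["kind"] == "VULNERABILITY"

def listen(project_id: str, subscription_id: str) -> None:
    """Stream from the 'occurrences' subscription created above (needs google-cloud-pubsub)."""
    from google.cloud import pubsub_v1  # imported here so the parser stays importable offline
    def callback(message):
        try:
            event = parse_notification(message.data)
            if is_vulnerability_occurrence(event):
                print(f"vulnerability occurrence {event['id']} in {event['project']} at {event['time']}")
        except ValueError as err:
            print("dropping malformed message:", err)
        message.ack()  # acked either way: a malformed message is not worth redelivering
    with pubsub_v1.SubscriberClient() as subscriber:
        subscriber.subscribe(subscriber.subscription_path(project_id, subscription_id), callback=callback).result()
```

Only the name, kind and timestamp are in the message; fetch the occurrence itself through the API (see View details below) before deciding anything about the vulnerability.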
View details
To learn more about a note or occurrence, you can access metadata stored in Artifact Analysis. For example, you can request all the details for a specific occurrence. See the instructions in Investigating Vulnerabilities.
What's next
- For instructions on how to use Artifact Analysis to store and manage your custom metadata, see Create custom notes and occurrences.
- You can use attestations with vulnerability scanning to prevent images with known security issues from running in your deployment environment. For instructions, see Create attestations with Kritis Signer.
Last updated 2025-06-12 UTC.