This document describes how to view and filter dependency metadata that
Artifact Analysis detects with automatic scanning.
When you enable the scanning API to identify vulnerabilities in container
images, Artifact Analysis also gathers information about the dependencies
and licenses used in your images.
You can use this metadata to understand the components of your container
images and remediate security issues.
Artifact Analysis provides dependency and license detection for OS packages
and supported language packages within container images
stored in a Docker format Artifact Registry repository. For more
information, see Container scanning overview.
Like vulnerability information, license and dependency metadata is generated
each time you push an image to Artifact Registry, then stored in
Artifact Analysis.
Artifact Analysis only updates the metadata for images that were pushed
or pulled in the last 30 days. After 30 days, the metadata will no longer be
updated, and the results will be stale. Furthermore, Artifact Analysis
archives metadata that is stale for more than 90 days, and the metadata won't be
available in the Google Cloud console, gcloud, or by using the
API. To re-scan an image with stale or archived metadata, pull that image.
Refreshing metadata can take up to 24 hours.
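A freshness check built from the 30-day and 90-day windows described above, as an added example that is not part of the original documentation. The image names and timestamps are constructed, and counting the 90 days from the moment the metadata becomes stale is an assumption about the wording.

```python
from datetime import datetime, timedelta, timezone

UPDATE_WINDOW = timedelta(days=30)        # refreshed only if pushed/pulled in the last 30 days
ARCHIVE_AFTER_STALE = timedelta(days=90)  # archived once stale for more than 90 days


def metadata_state(last_push, last_pull, now):
    """Return (state, margin) for one image's dependency/license metadata.

    state is "fresh", "stale" or "archived". margin is the time left before
    the metadata goes stale (fresh) or the time it has been stale (otherwise).
    Assumption: the 90-day archive clock starts when the metadata becomes
    stale, i.e. 30 days after the most recent push or pull.
    At least one of last_push / last_pull must be set.
    """
    last_activity = max(t for t in (last_push, last_pull) if t is not None)
    stale_since = last_activity + UPDATE_WINDOW
    if now <= stale_since:
        return "fresh", stale_since - now
    stale_for = now - stale_since
    if stale_for <= ARCHIVE_AFTER_STALE:
        return "stale", stale_for
    return "archived", stale_for


def audit(inventory, now):
    """Map each image to its state and list the images that need a pull to be re-scanned."""
    states = {img: metadata_state(push, pull, now)[0]
              for img, (push, pull) in inventory.items()}
    needs_pull = sorted(img for img, state in states.items() if state != "fresh")
    return states, needs_pull


def utc(year, month, day):
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample inventory: image -> (last push, last pull). Names are hypothetical.
NOW = utc(2025, 9, 1)
INVENTORY = {
    "api@sha256:<digest-a>": (utc(2025, 8, 20), None),
    "worker@sha256:<digest-b>": (utc(2025, 5, 1), utc(2025, 7, 15)),
    "legacy@sha256:<digest-c>": (utc(2025, 1, 10), None),
}

if __name__ == "__main__":
    states, needs_pull = audit(INVENTORY, NOW)
    for image, state in states.items():
        print(f"{image:28} {state}")
    print("pull to trigger a re-scan (refresh can take up to 24 hours):", needs_pull)
```

Dependency and license results for anything reported as stale or archived should not be relied on until the image has been pulled and the refresh has completed.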
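Required roles
To get the permissions that you need to view SBOM data and filter results,
ask your administrator to grant you the following IAM roles on the project:
- Container Analysis Occurrences Viewer (roles/containeranalysis.occurrences.viewer)
- Service Usage Consumer (roles/serviceusage.serviceUsageConsumer)
- Artifact Registry Reader (roles/artifactregistry.reader)
View licenses and dependencies in the Google Cloud console
1. Open the Artifact Registry Repositories page.
   The page displays a list of your repositories.
2. In the repositories list, click a repository name.
   The Repository details page opens and displays a list of your images.
3. In the images list, click an image name.
   The page displays a list of your image digests.
4. In the image digest list, click a digest name.
   The page displays a row of tabs where the Overview tab is open, showing
   details such as format, location, repository, virtual size, and tags.
5. In the row of tabs, click the Dependencies tab.
   The dependencies tab opens and displays the following information:
   - SBOM section
   - Licenses section
   - A filterable list of dependencies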
SBOMs
If you generate or upload a software bill of materials (SBOM) with
Artifact Analysis, your SBOM details are displayed in this section. SBOMs
aren't generated automatically like license and dependency information. Learn
how to add SBOMs in SBOM overview.
Licenses
The Licenses summary section displays a bar graph called Most common
licenses. This represents the types of licenses that appear most often in your
dependency information. When you hold the pointer over a bar in the graph, the
console displays the exact count for instances of that license type.
Dependencies
The list of dependencies displays the contents of your image digest including:
- Package name
- Package version
- Package type
- License type
You can filter the list of dependencies by any of these categories.
View licenses and dependencies in Cloud Build
If you're using Cloud Build, you can view image metadata in the Security insights side panel within the Google Cloud console.
The Security insights side panel provides a high-level overview of build
security information for artifacts stored in Artifact Registry. To learn more
about the side panel and how you can use Cloud Build to help protect your
software supply chain, see View build security insights.
Limitations
Information about licenses and dependencies is only available with automatic
scanning. On-demand scanning does not support this feature.
Last updated 2025-09-04 UTC.