For Agents
Query vulnerability findings and build provenance for Artifact Registry images, attach custom security notes, and export SBOMs so an agent can gate deployments on supply-chain risk.
Get started with Container Analysis API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}
# Then ask your agent:
"list vulnerabilities for a container image"
# → Jentic returns the occurrences.list tool with its parameter schema (filter syntax, resourceUrl format); the agent executes it.
What an agent can do with the Container Analysis API
List vulnerability and other occurrences for a specific container image URL
Create custom notes describing vulnerabilities, attestations, or build provenance
Attach occurrences linking a note to a specific image or other resource
Manage IAM policies on notes to control who can author findings
Trigger an SBOM export for a scanned image stored in Artifact Registry
Aggregate occurrence summaries across all images in a project
Filter findings by severity, CVE ID, or fixable status
Use for: listing all vulnerabilities for a specific container image; getting the SBOM for an image in Artifact Registry; finding all critical CVEs across a project's images; creating a custom attestation note for a signed build.
Not supported: the API does not run vulnerability scans, store images, or enforce deploy policy. Use it only to query and author finding metadata stored as notes and occurrences.
Google Container Analysis API stores and serves vulnerability, build, deployment, and SBOM metadata produced by Artifact Registry scanning, Advanced Vulnerability Insights, and other producers. It exposes notes (the metadata definitions, e.g. a CVE) and occurrences (instances of those notes against a specific resource URL such as a container image digest). Consumers can list occurrences for an image, attach custom notes, manage IAM on notes, and trigger an SBOM export for a scanned artifact. It is the metadata backbone for image supply-chain security on Google Cloud.
Patterns agents use the Container Analysis API for, with concrete tasks.
★ Deployment Gate on Critical Vulnerabilities
A CI/CD pipeline calls Container Analysis after each Artifact Registry push to list occurrences of vulnerability notes against the new image digest. If any finding with effective severity CRITICAL has no fix available, the pipeline aborts the deploy. The occurrence list carries the CVE IDs, affected and fixed package versions, fix availability, and effective severity needed for that decision.
List occurrences for resourceUrl 'https://us-docker.pkg.dev/proj/repo/api@sha256:abc' and return any with severity CRITICAL and fixAvailable false.
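The gate described above, as an added example written for this page (not Jentic's or Google's code). It assumes the Grafeas v1 JSON shape of an occurrences.list response (resourceUri, noteName, kind, vulnerability.severity, vulnerability.effectiveSeverity, vulnerability.fixAvailable, vulnerability.packageIssue[].fixedVersion) and replaces the authenticated HTTP call with a constructed two-page stub so it runs offline; the image reference and CVE identifiers are constructed. The default policy is the one the page states (block only on CRITICAL findings with no fix available); include_fixable=True also blocks on findings a rebuild would fix.

```python
"""Deployment gate over occurrences.list results from Container Analysis.

Added example, not code from the page, Jentic, or Google. Assumes the Grafeas v1
JSON shape returned by GET /v1/projects/{project}/occurrences and drives paging
with a constructed stub instead of a live, authenticated HTTP call.
"""
from typing import Callable, Iterator

# Grafeas severity enum, ordered so thresholds can be compared numerically.
SEVERITY_RANK = {"MINIMAL": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4, "CRITICAL": 5}

# Constructed image reference (not a real repository), pinned by digest.
IMAGE = "https://us-docker.pkg.dev/proj/repo/api@sha256:" + "ab" * 32


def build_filter(resource_url: str) -> str:
    """Filter for every vulnerability occurrence attached to one image digest.

    The filter keyword is resourceUrl even though the field on each returned
    occurrence is resourceUri; string literals must be double-quoted.
    """
    if "@sha256:" not in resource_url:
        raise ValueError("pin the image by digest; a tag can move after the scan")
    return f'resourceUrl="{resource_url}" AND kind="VULNERABILITY"'


def iter_occurrences(fetch_page: Callable[[str, str], dict], filter_: str) -> Iterator[dict]:
    """Yield occurrences from every page; stop when no nextPageToken comes back."""
    token = ""
    while True:
        page = fetch_page(filter_, token)
        yield from page.get("occurrences", [])
        token = page.get("nextPageToken", "")
        if not token:
            return


def effective_severity(occ: dict) -> str:
    """The distro-assigned effectiveSeverity wins over the upstream CVE severity."""
    vuln = occ["vulnerability"]
    return vuln.get("effectiveSeverity") or vuln.get("severity", "SEVERITY_UNSPECIFIED")


def blocking_findings(occurrences, threshold: str = "CRITICAL", include_fixable: bool = False) -> list:
    """Findings at or above threshold that block the deploy (default: only unfixable ones)."""
    floor = SEVERITY_RANK[threshold]
    blocked = []
    for occ in occurrences:
        if occ.get("kind") != "VULNERABILITY":  # defensive; the filter already excludes other kinds
            continue
        sev = effective_severity(occ)
        if SEVERITY_RANK.get(sev, 0) < floor:
            continue
        fix_available = bool(occ["vulnerability"].get("fixAvailable", False))
        if fix_available and not include_fixable:
            continue
        issue = (occ["vulnerability"].get("packageIssue") or [{}])[0]
        blocked.append({
            "cve": occ["noteName"].rsplit("/", 1)[-1],  # projects/goog-vulnz/notes/CVE-...
            "severity": sev,
            "package": issue.get("affectedPackage"),
            "fixedVersion": (issue.get("fixedVersion") or {}).get("fullName"),
            "fixAvailable": fix_available,
        })
    return blocked


def should_deploy(fetch_page, resource_url: str, **policy) -> tuple:
    """Return (allowed, blocking_findings) for one image digest."""
    findings = blocking_findings(iter_occurrences(fetch_page, build_filter(resource_url)), **policy)
    return (len(findings) == 0, findings)


def _vuln(cve, severity, fix_available, effective=None, fixed=None):
    """One constructed occurrence in the Grafeas v1 JSON shape."""
    issue = {"affectedPackage": "openssl", "fixAvailable": fix_available}
    if fixed:
        issue["fixedVersion"] = {"name": fixed, "kind": "NORMAL", "fullName": fixed}
    vuln = {"severity": severity, "fixAvailable": fix_available, "packageIssue": [issue]}
    if effective:
        vuln["effectiveSeverity"] = effective
    return {"name": f"projects/proj/occurrences/{cve.lower()}", "resourceUri": IMAGE,
            "noteName": f"projects/goog-vulnz/notes/{cve}", "kind": "VULNERABILITY",
            "vulnerability": vuln}


# Constructed two-page ListOccurrencesResponse; page 0 points at page 1 via nextPageToken.
SAMPLE_PAGES = [
    {"occurrences": [
        _vuln("CVE-2023-0001", "CRITICAL", True, fixed="3.0.2-0ubuntu1.10"),  # fixable: rebuild, not block
        _vuln("CVE-2023-0002", "HIGH", False, effective="CRITICAL"),           # distro raised it: blocks
        _vuln("CVE-2023-0003", "CRITICAL", False, effective="LOW"),            # distro lowered it: passes
    ], "nextPageToken": "1"},
    {"occurrences": [
        _vuln("CVE-2023-0004", "CRITICAL", False),                             # unfixed critical: blocks
    ]},
]


def make_stub(pages) -> Callable[[str, str], dict]:
    """Constructed stand-in for the authenticated GET; serves pages[int(token)]."""
    def fetch(filter_: str, token: str) -> dict:
        return pages[int(token) if token else 0]
    return fetch


if __name__ == "__main__":
    allowed, findings = should_deploy(make_stub(SAMPLE_PAGES), IMAGE)
    print("deploy allowed:", allowed)
    for f in findings:
        print(f"  {f['cve']} {f['severity']} {f['package']} fixedVersion={f['fixedVersion']}")
```

Two details the prompt above glosses over: the list is paged, so a gate that reads only the first response can pass an image whose blocking finding is on page two, and a CRITICAL upstream rating is not the final word, since effectiveSeverity reflects the distribution's own assessment and is what the Cloud Console shows.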
SBOM Export for Compliance
A regulated team needs an SPDX or CycloneDX SBOM for every production image. Container Analysis exposes exportSBOM, which writes the artifact's component graph to Cloud Storage. Compliance auditors download SBOMs from a known bucket without needing to install scanning tooling.
Trigger exportSBOM for the image 'https://us-docker.pkg.dev/proj/repo/web@sha256:def' and return the resulting Cloud Storage URI.
Custom Attestation Authoring
A security team writes attestations (signed assertions about a build) as Container Analysis notes of kind ATTESTATION and links them to image digests via occurrences. Binary Authorization at deploy time references those attestations to enforce that only trusted builds run on GKE. The API exposes notes.create, occurrences.create, and setIamPolicy on notes so that only the intended principals can author attestations.
Create a note of kind ATTESTATION named 'prod-signoff', attach an occurrence linking it to image digest sha256:abc, and set its IAM policy to restrict writes to securityteam@example.com.
Cross-Project Vulnerability Dashboard
A security analytics dashboard pulls occurrences from Container Analysis in every project (one occurrences.list call per project, since occurrences are project-scoped) to plot fixable critical CVEs by team. The filtered occurrence list, combined with note metadata, gives the dashboard severity, CVSS score, and remediation hints without scraping logs.
List all occurrences in project 'shared-security' filtered to vulnerability kind and severity CRITICAL, and group results by image repository.
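Grouping findings by image repository, as the dashboard pattern above describes, in an added example written for this page (not the page's, Jentic's or Google's code). It assumes the same Grafeas v1 occurrence JSON as occurrences.list returns, with the occurrences from each project's call concatenated before aggregation; every image URL, CVE identifier and CVSS score below is constructed.

```python
"""Roll up CRITICAL vulnerability occurrences per image repository.

Added example, not code from the page, Jentic, or Google. Assumes Grafeas v1
occurrence JSON as returned by occurrences.list, gathered with one call per
project (occurrences are project-scoped) and concatenated. Input is constructed.
"""
from collections import defaultdict
from urllib.parse import urlsplit


def repository_of(resource_uri: str) -> str:
    """Reduce an image reference to registry/path: drop scheme, @digest and :tag.

    A registry port (host:port) survives because it sits in the netloc, while a
    tag can only appear in the final path segment.
    """
    parts = urlsplit(resource_uri if "://" in resource_uri else "//" + resource_uri)
    path = parts.path.split("@", 1)[0]            # strip @sha256:<digest>
    last_segment = path.rsplit("/", 1)[-1]
    if ":" in last_segment:                       # strip :tag
        path = path[: path.rfind(":")]
    return parts.netloc + path


def critical_by_repository(occurrences) -> dict:
    """Per repository: sorted CRITICAL CVEs split by fix availability, plus max CVSS.

    The same CVE on several digests of one repository counts once; the number
    of distinct digests is reported so a stale-image problem stays visible.
    """
    acc = defaultdict(lambda: {"critical": set(), "fixable": set(), "max_cvss": 0.0, "digests": set()})
    for occ in occurrences:
        if occ.get("kind") != "VULNERABILITY":
            continue
        vuln = occ["vulnerability"]
        # Distro-assigned effectiveSeverity overrides the upstream rating when present.
        if (vuln.get("effectiveSeverity") or vuln.get("severity")) != "CRITICAL":
            continue
        row = acc[repository_of(occ["resourceUri"])]
        cve = occ["noteName"].rsplit("/", 1)[-1]  # projects/goog-vulnz/notes/CVE-...
        row["critical"].add(cve)
        if vuln.get("fixAvailable"):
            row["fixable"].add(cve)
        row["max_cvss"] = max(row["max_cvss"], float(vuln.get("cvssScore", 0.0)))
        row["digests"].add(occ["resourceUri"])
    return {
        repo: {
            "critical": sorted(r["critical"]),
            "fixable": sorted(r["fixable"]),
            "unfixable": sorted(r["critical"] - r["fixable"]),
            "max_cvss": r["max_cvss"],
            "images": len(r["digests"]),
        }
        for repo, r in acc.items()
    }


def ranked(summary: dict) -> list:
    """Repositories ordered by unfixable criticals, then by worst CVSS score."""
    return sorted(summary, key=lambda repo: (-len(summary[repo]["unfixable"]), -summary[repo]["max_cvss"]))


def _occ(project, image, cve, severity, fixable, cvss, effective=None):
    """One constructed occurrence in the Grafeas v1 JSON shape."""
    vuln = {"severity": severity, "cvssScore": cvss, "fixAvailable": fixable}
    if effective:
        vuln["effectiveSeverity"] = effective
    return {"name": f"projects/{project}/occurrences/{cve.lower()}", "resourceUri": image,
            "noteName": f"projects/goog-vulnz/notes/{cve}", "kind": "VULNERABILITY",
            "vulnerability": vuln}


REG = "https://us-docker.pkg.dev"
SAMPLE_OCCURRENCES = [  # constructed; two projects, three repositories
    _occ("proj-a", f"{REG}/proj-a/repo/web@sha256:{'aa' * 32}", "CVE-2024-1111", "CRITICAL", True, 9.8),
    _occ("proj-a", f"{REG}/proj-a/repo/web@sha256:{'bb' * 32}", "CVE-2024-1111", "CRITICAL", True, 9.8),  # older digest
    _occ("proj-a", f"{REG}/proj-a/repo/web@sha256:{'bb' * 32}", "CVE-2024-2222", "HIGH", False, 8.1, effective="CRITICAL"),
    _occ("proj-b", f"{REG}/proj-b/repo/api@sha256:{'cc' * 32}", "CVE-2024-3333", "CRITICAL", False, 9.1, effective="LOW"),
    _occ("proj-b", f"{REG}/proj-b/repo/api@sha256:{'cc' * 32}", "CVE-2024-4444", "HIGH", True, 7.5),
    _occ("proj-b", f"{REG}/proj-b/repo/worker:v2@sha256:{'dd' * 32}", "CVE-2024-5555", "CRITICAL", False, 10.0),
]

if __name__ == "__main__":
    summary = critical_by_repository(SAMPLE_OCCURRENCES)
    for repo in ranked(summary):
        r = summary[repo]
        print(f"{repo}: {len(r['unfixable'])} unfixable / {len(r['fixable'])} fixable critical, "
              f"max CVSS {r['max_cvss']}, {r['images']} image(s)")
```

Normalising resourceUri before grouping matters because the same repository shows up under many digests (and sometimes a tag@digest form); counting per digest would inflate a repository's numbers every time it is rebuilt without the CVE being fixed.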
16 endpoints (four shown)
METHOD  PATH                         DESCRIPTION
GET     /v1/{+parent}/occurrences    List occurrences in a project
GET     /v1/{+parent}/notes          List notes in a project
POST    /v1/{+name}:exportSBOM       Export the SBOM for a scanned image
GET     /v1/{+name}                  Get a specific note or occurrence
Three things that make agents converge on Jentic-routed access.
Credential isolation
Google service account credentials are stored encrypted in the Jentic vault. Agents call containeranalysis.googleapis.com using short-lived OAuth access tokens with the cloud-platform scope, never raw JSON keys.
Intent-based discovery
Agents search Jentic for 'list vulnerabilities for container image' and Jentic returns the occurrences.list operation with its filter syntax and resourceUrl format documented in the schema.
Time to first call
Direct integration: 1-2 days to handle OAuth, occurrence filter syntax, and SBOM export polling. Through Jentic: under 30 minutes by composing search, load, and execute on occurrences and notes.
Alternatives and complements available in the Jentic catalogue.
Artifact Registry API
Stores the images that Container Analysis scans and indexes
Use Artifact Registry to manage image repositories; use Container Analysis to retrieve their security metadata
Binary Authorization API
Enforces deploy-time policy using attestation notes stored in Container Analysis
Use Binary Authorization to gate GKE deploys on the attestations Container Analysis stores
Kubernetes Engine API
Runs the workloads whose images Container Analysis evaluates
Pair with GKE when an agent wants to assess the security posture of currently running images
Specific to using the Container Analysis API through Jentic.
What authentication does the Container Analysis API use?
The Container Analysis API uses Google OAuth 2.0 with the cloud-platform scope. Through Jentic the service account credentials are stored encrypted in the Jentic vault, and agents receive scoped access tokens minted per request.
Can I list vulnerabilities for a single container image with the Container Analysis API?
Yes. Call occurrences.list with the filter resourceUrl="<full digest URL of the image>" AND kind="VULNERABILITY". Each returned occurrence carries the linked note name (the CVE), the upstream severity, the distro-assigned effectiveSeverity, the affected package, the fixed version when one exists, and fixAvailable. Results are paged, so follow nextPageToken until it is absent.
What are the rate limits for the Container Analysis API?
Container Analysis applies per-project read and write quotas, with stricter limits on exportSBOM because each call starts an asynchronous export. Inspect the Cloud Console Quotas page for the precise per-method limits in your project.
How do I export an SBOM for a deployed image through Jentic?
Run pip install jentic, search Jentic for 'export sbom for container image', load the schema for the exportSBOM operation on containeranalysis.googleapis.com, and execute it with the image's full resource URL.
Does the Container Analysis API perform the vulnerability scanning itself?
No. Scans are produced by Artifact Registry and Advanced Vulnerability Insights and written into Container Analysis as occurrences. This API stores, filters, and serves those findings; it does not execute the scanners.