On-Demand Scanning API

Name: On-Demand Scanning API API
Brand: On-Demand Scanning API
Availability: InStock

✓ Official Vendor SpecSecurityVulnerability Managementoauth27 EndpointsREST

For Agents

Trigger on-demand vulnerability scans of container images and read back the resulting vulnerability occurrences and severity ratings.

Quickstart

Get started with On-Demand Scanning API in minutes using your preferred integration method.

# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
  "jentic": {
    "url": "https://api.jentic.com/mcp",
    "auth": "oauth"
  }
}

# Then ask your agent:
"scan a container image for vulnerabilities"

# → Jentic returns the GET /events tool with parameter schema, agent executes.

Capabilities

What an agent can do with On-Demand Scanning API API.

Submit a container image for vulnerability analysis via analyzePackages

Poll long-running scan operations until results are ready

List vulnerability occurrences detected for a scanned resource

Cancel a scan operation that is no longer needed

GET STARTED

Start building with On-Demand Scanning API API

Explore with Jentic

View OpenAPI Document

Use Cases

Patterns agents use On-Demand Scanning API API for, with concrete tasks.

★ Pre-deployment image scanning in CI

Run an on-demand scan against a container image as the final gate before promoting it from staging to production. The CI step submits the image via analyzePackages, waits on the resulting operation, and fails the build if any vulnerability above a chosen severity threshold is reported. Pairs well with Binary Authorization for enforcement at admission time.

Submit image us-docker.pkg.dev/proj/repo/api@sha256:abc123 to /v1/{+parent}/scans:analyzePackages, wait on the operation, and fail the pipeline if any HIGH or CRITICAL vulnerability appears in the result.

Air-gapped or scheduled rescans

Re-scan production images on a schedule to catch newly disclosed vulnerabilities, especially for images that no longer trigger Artifact Registry auto-scan because the auto-scan window has lapsed. The on-demand path lets a security automation hit any image you have access to and capture the up-to-date vulnerability list. Works well as a daily cron driven by Cloud Scheduler.

For every image in production-allowlist.json, submit a scan, wait on the operation, and write all vulnerabilities of severity HIGH or above into a Cloud Storage bucket.

Triage and reporting on vulnerability occurrences

Pull the list of vulnerability occurrences for a previously scanned image and feed them into a triage workflow — Jira tickets, Slack messages, or a security dashboard. The API returns CVE IDs, fix versions, severity, and affected packages so the downstream automation can deduplicate and prioritise.

Call GET /v1/{+parent}/vulnerabilities for image digest sha256:abc123 and create a Jira ticket for every vulnerability whose severity is CRITICAL and that has a fix available.

Agent-driven container security checks via Jentic

A security agent can use Jentic to scan an image referenced in a chat or ticket — issue an intent like scan this image for cves and Jentic returns the matching On-Demand Scanning operation. Credentials stay in the Jentic vault, so the agent runs scans under a scoped service-account token with full audit trail.

Use Jentic to find the analyzePackages operation, load its schema, execute it for the image referenced in a triage ticket, and reply with a count of HIGH and CRITICAL findings.

Key Endpoints

7 endpoints — the on-demand scanning api scans container images for os package and language ecosystem vulnerabilities outside the standard artifact registry auto-scan path.

METHOD

PATH

DESCRIPTION

POST

/v1/{+parent}/scans:analyzePackages

Submit an image for vulnerability scanning

GET

/v1/{+parent}/vulnerabilities

List vulnerability occurrences for a parent

GET

/v1/{+name}

Get a long-running operation

POST

/v1/{+name}:cancel

Cancel a scan operation

POST

/v1/{+name}:wait

Wait synchronously on an operation

POST

/v1/{+parent}/scans:analyzePackages

Submit an image for vulnerability scanning

GET

/v1/{+parent}/vulnerabilities

List vulnerability occurrences for a parent

GET

/v1/{+name}

Get a long-running operation

POST

/v1/{+name}:cancel

Cancel a scan operation

POST

/v1/{+name}:wait

Wait synchronously on an operation

Why though Jentic?

Three things that make agents converge on Jentic-routed access.

Credential isolation

Google OAuth 2.0 tokens are minted from a service account stored in the Jentic vault (MAXsystem). Agents call the API under scoped, short-lived tokens — the service-account key never enters their context.

Intent-based discovery

Agents search Jentic with intents like scan container for cves and Jentic returns the matching On-Demand Scanning operation with required scopes and input schema.

Time to first call

Direct integration: 1 day to wire OAuth, image URI resolution, and long-running operation polling. Through Jentic: under 30 minutes — search, load, execute.

Related APIs

Alternatives and complements available in the Jentic catalogue.

Alternative

Container Analysis API

Container Analysis stores notes and occurrences and runs auto-scan on Artifact Registry

Use Container Analysis when the image already lives in Artifact Registry and auto-scan results are sufficient; use On-Demand Scanning when the agent needs to trigger a fresh scan explicitly.

Complementary

Binary Authorization API

Binary Authorization enforces deployment policies based on scan results

Use Binary Authorization when the agent needs to block a deployment based on scan outcomes; use On-Demand Scanning to produce those scan outcomes.

Complementary

Artifact Registry API

Artifact Registry hosts the images that On-Demand Scanning analyses

Use Artifact Registry when the agent needs to upload or list container images; use On-Demand Scanning to assess their vulnerability posture.

FAQs

Specific to using On-Demand Scanning API API through Jentic.

What authentication does the On-Demand Scanning API use?

The API uses Google OAuth 2.0 with the cloud-platform scope. Through Jentic, tokens are minted from a service account stored in the Jentic vault so agents never see raw credentials.

Can I scan an image hosted outside Artifact Registry?

Yes — analyzePackages accepts a resource URI for any image you have read access to, including Container Registry and properly-credentialled third-party registries. The scanner pulls package metadata and matches against Google's vulnerability feeds.

What are the rate limits for the On-Demand Scanning API?

Google Cloud meters scan operations as long-running operations under per-project quotas. Treat scans as asynchronous — submit, then poll /v1/{+name} or use :wait, rather than retrying on failure.

How do I scan a container image through Jentic?

Search Jentic for scan container image, load the schema for POST /v1/{+parent}/scans:analyzePackages, and execute it with the image resource URI. The Jentic SDK returns the operation handle so the agent can poll for vulnerabilities.

Does this API also enforce admission policy?

No — admission enforcement happens in Binary Authorization, which can consume the attestations or vulnerability data this API produces. Use this API to discover vulnerabilities, then Binary Authorization to block deployments.

How do I read the result of a finished scan?

Once the operation is done, the result includes a list of vulnerability occurrences, or you can call GET /v1/{+parent}/vulnerabilities filtered by the scanned resource URI.