Container Image vulnerabilities

  • July 11, 2025
  • 4 replies
  • 204 views

Sahil-Rakhyani

Hello Guys, 
I am able to see many container image vulnerabilities in our environment. The occurrences are from artifact registry.

We have fixed from 156 vulnerabilities to 22 and deleted the older digests as well.

But in Risk overview -> Findings -> I am still able to see the older digests vulnerabilities that have already been fixed. When I click them it shows not found (That confirms it was deleted) but in findings tab it still retains the count.

Why doesn't the count get refreshed?
We have tried manual artifact image scanning using the gcloud artifact scanner and also tried pushing the image again to refresh it; still it's not working.


Any solution?

4 replies

kentphelps
Staff
  • July 30, 2025

Please take a look at the Data Retention section of the following to see if it can explain the behavior you are seeing: https://cloud.google.com/security-command-center/docs/concepts-data-security-overview


Sahil-Rakhyani

@kentphelps Hi Kent, hope you are well.
After resolving the findings, they should go inactive, but they are still showing in the active state.

After clicking that active vulnerability, it shows ("resource not found"), which confirms it has been removed, but in the dashboard the findings count still remains the same.

So is this expected? We already waited 30 days for those findings to go inactive or be deleted.


louisaxone
  • New Member
  • September 11, 2025

I am running into the same issue…

I had a vulnerability finding in one of my GKE containers so I updated the affected dependency, built and published a new image to artifact registry and updated my deployment on GKE to that new image and yet the finding is still active within SCC. What’s really odd is that the finding in question is still in reference to my older, unpatched image tag (finding field: kubernetes.objects.elem.containers.elem.uri), despite that version not being deployed in GKE anymore.

My question is, why won't this finding go away if the issue is resolved?

For reference, this is the finding in question (minus sensitive and irrelevant fields):

{
  "finding": {
    "name": "organizations/REDACTED/sources/REDACTED/locations/global/findings/REDACTED",
    "parent": "organizations/REDACTED/sources/REDACTED/locations/global",
    "resourceName": "//container.googleapis.com/projects/PROJECT_NAME/locations/europe-west1/clusters/foc-k8s",
    "state": "ACTIVE",
    "category": "OS_VULNERABILITY",
    "eventTime": "2025-09-04T06:40:45.172Z",
    "createTime": "2025-09-04T06:50:28.128Z",
    "severity": "HIGH",
    "canonicalName": "projects/PROJECT_ID/sources/REDACTED/locations/global/findings/REDACTED",
    "mute": "UNDEFINED",
    "findingClass": "VULNERABILITY",
    "muteUpdateTime": "1970-01-01T00:00:00Z",
    "muteInitiator": "",
    "muteInfo": {
      "staticMute": {
        "state": "UNDEFINED",
        "applyTime": "1970-01-01T00:00:00Z"
      },
      "dynamicMuteRecords": []
    },
    "kubernetes": {
      "pods": [],
      "nodes": [],
      "nodePools": [],
      "roles": [],
      "bindings": [],
      "accessReviews": [],
      "objects": [
        {
          "group": "",
          "kind": "Deployment",
          "ns": "default",
          "name": "SERVICE_NAME",
          "containers": [
            {
              "name": "SERVICE_NAME",
              "uri": "europe-west1-docker.pkg.dev/PROJECT_NAME/internal/SERVICE_NAME:v5.6.0",
              "imageId": "europe-west1-docker.pkg.dev/PROJECT_NAME/internal/SERVICE_NAME@sha256:REDACTED",
              "labels": [],
              "createTime": "1970-01-01T00:00:00Z"
            }
          ]
        }
      ]
    },
    "parentDisplayName": "Vulnerability Assessment",
    "moduleName": "",
    "vulnerability": {
      "cve": {
        "id": "REDACTED"
      }
    },
    "files": [
      {
        "path": "var/lib/dpkg/status",
        "size": "0",
        "sha256": "",
        "hashedSize": "0",
        "partiallyHashed": false,
        "contents": "",
        "diskPath": {
          "partitionUuid": "",
          "relativePath": ""
        },
        "operations": []
      }
    ],
    "deactivationReason": {
      "reason": "REASON_UNSPECIFIED"
    },
    "domains": [
      {
        "category": "VULNERABILITY"
      }
    ],
    "affectedResources": {
      "count": "0"
    },
    "caiResource": "//container.googleapis.com/projects/PROJECT_NAME/locations/europe-west1/clusters/foc-k8s",
    "remediationDetails": {
      "remediationIntent": "",
      "repositoryUri": "",
      "pullRequestUri": "",
      "remediationExplanation": "",
      "remediationState": "REMEDIATION_STATE_UNSPECIFIED",
      "remediationError": "",
      "prGenerationTime": "1970-01-01T00:00:00Z",
      "owner": ""
    }
  },
  "resource": {
    "name": "//container.googleapis.com/projects/PROJECT_NAME/locations/europe-west1/clusters/foc-k8s",
    "displayName": "foc-k8s",
    "type": "google.container.Cluster",
    "cloudProvider": "GOOGLE_CLOUD_PLATFORM",
    "service": "container.googleapis.com",
    "location": "europe-west1",
    "gcpMetadata": {
      "project": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
      "projectDisplayName": "PROJECT_NAME",
      "parent": "//cloudresourcemanager.googleapis.com/projects/PROJECT_ID",
      "parentDisplayName": "PROJECT_NAME",
      "folders": [],
      "organization": "organizations/REDACTED"
    },
    "resourcePathString": "organizations/REDACTED/projects/PROJECT_ID"
  }
}

My fixed image tag is 5.6.1 but as you can see it’s still referencing 5.6.0 despite that container not existing for almost a whole day.
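Both posts above describe the same triage problem: an SCC finding stays ACTIVE while the image it names (the deleted digest in the first post, the superseded v5.6.0 tag in the one just above) is no longer what the cluster runs. A practical way to separate "stale finding" from "still exposed" is to reconcile each finding's `kubernetes.objects[].containers[].imageId` against the image digests the cluster actually reports, and to compare by digest rather than by tag, since a tag such as `v5.6.0` is mutable and can be re-pushed. The script below is an added example written for this thread, not SCC or Google tooling; the finding document is a trimmed copy of the shape exported above with constructed placeholder names and fake digests, and the `DEPLOYED_*` sets stand in for what `kubectl get pods -A -o jsonpath='{..containerStatuses[*].imageID}'` would return before and after the fixed image was rolled out.

```python
"""Reconcile exported SCC container findings against running image digests.

Added example for this thread (not SCC's or Google's code). Finding and
deployment data below are constructed to mirror the exported finding format.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed: the exported finding trimmed to the fields this check needs.
SAMPLE_FINDING = {
    "finding": {
        "state": "ACTIVE",
        "category": "OS_VULNERABILITY",
        "kubernetes": {
            "objects": [
                {
                    "kind": "Deployment",
                    "ns": "default",
                    "name": "billing-api",
                    "containers": [
                        {
                            "name": "billing-api",
                            "uri": "europe-west1-docker.pkg.dev/example-proj/internal/billing-api:v5.6.0",
                            # fake digest standing in for the REDACTED one above
                            "imageId": "europe-west1-docker.pkg.dev/example-proj/internal/billing-api@sha256:" + "a" * 64,
                        }
                    ],
                }
            ]
        },
    }
}

# Constructed: image IDs the cluster reports before and after the v5.6.1 rollout.
DEPLOYED_BEFORE_FIX: Set[str] = {
    "europe-west1-docker.pkg.dev/example-proj/internal/billing-api@sha256:" + "a" * 64,
}
DEPLOYED_AFTER_FIX: Set[str] = {
    "europe-west1-docker.pkg.dev/example-proj/internal/billing-api@sha256:" + "b" * 64,
}


def parse_ref(ref: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split an OCI image reference into (repository, tag, digest).

    Handles registry host:port, an optional ':tag' on the last path segment,
    and an optional '@sha256:...' digest suffix.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    if ":" in ref.rsplit("/", 1)[-1]:  # colon in last segment is a tag, not a port
        ref, tag = ref.rsplit(":", 1)
    return ref, tag, digest


@dataclass(frozen=True)
class ImageRef:
    workload: str        # "<namespace>/<kind>/<name>"
    container: str
    repo: str
    tag: Optional[str]
    digest: Optional[str]


def referenced_images(doc: dict) -> List[ImageRef]:
    """Collect every container image a finding claims is affected."""
    refs: List[ImageRef] = []
    k8s = doc.get("finding", {}).get("kubernetes", {})
    for obj in k8s.get("objects", []):
        workload = f"{obj.get('ns', '')}/{obj.get('kind', '')}/{obj.get('name', '')}"
        for c in obj.get("containers", []):
            repo, tag, _ = parse_ref(c.get("uri", ""))
            # imageId carries the digest; fall back to uri if it is missing
            _, _, digest = parse_ref(c.get("imageId") or c.get("uri", ""))
            refs.append(ImageRef(workload, c.get("name", ""), repo, tag, digest))
    return refs


def deployed_digests(image_ids: Set[str]) -> Dict[str, Set[str]]:
    """Index running image IDs as repository -> set of digests."""
    by_repo: Dict[str, Set[str]] = {}
    for image_id in image_ids:
        repo, _, digest = parse_ref(image_id)
        if digest:
            by_repo.setdefault(repo, set()).add(digest)
    return by_repo


def classify(doc: dict, deployed: Set[str]) -> dict:
    """Decide whether an ACTIVE finding still points at a running image.

    A finding is stale when none of its referenced digests is running; a tag
    match alone is never accepted because tags are mutable.
    """
    running = deployed_digests(deployed)
    result = {"state": doc["finding"].get("state"), "still_running": [], "stale": []}
    for ref in referenced_images(doc):
        key = f"{ref.workload}:{ref.container}"
        if ref.digest and ref.digest in running.get(ref.repo, set()):
            result["still_running"].append(key)
        else:
            result["stale"].append(key)
    result["is_stale"] = result["state"] == "ACTIVE" and not result["still_running"]
    return result


if __name__ == "__main__":
    for label, deployed in (("before fix", DEPLOYED_BEFORE_FIX), ("after fix", DEPLOYED_AFTER_FIX)):
        print(label, classify(SAMPLE_FINDING, deployed))
```

In a real pipeline the input would be the JSON exported from SCC (for example via `gcloud scc findings list` with a filter on `state="ACTIVE"` and `category="OS_VULNERABILITY"`) and the cluster's reported image IDs; findings that come back `is_stale` are the ones to hold aside for the retention window rather than treat as open exposure, while anything in `still_running` needs the rollout re-checked.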


chrisf
Staff
  • September 24, 2025