This page describes the removal of vulnerability scanning capabilities from the
Google Kubernetes Engine (GKE) security posture dashboard.
About vulnerability scanning
The GKE security posture dashboard lets you monitor eligible
workloads for issues like security misconfigurations and known vulnerabilities.
Workload vulnerability scanning uses the following tiers, each of which
scans specific parts of your running containers:
Workload vulnerability scanning - standard tier: scan the container
OS for vulnerabilities.
Advanced Vulnerability Insights: scan the container OS and language
packages for vulnerabilities.
Timeline and milestones
The workload vulnerability scanning removal has the following major milestones:
July 31, 2025: the standard tier of vulnerability
scanning is shutdown. Results for these scans no longer display in the
Google Cloud console. You no longer see an option to enable or disable
vulnerability scanning for GKE in the Google Cloud console.
June 16, 2025: Advanced Vulnerability Insights
is deprecated. Scan results still display in the GKE
security posture dashboard. Informational messages about the deprecation
display in the Google Cloud console.
June 16, 2026: Advanced Vulnerability Insights results
no longer display in the Google Cloud console.
Impact to workloads and clusters
The removal of workload vulnerability scanning capabilities won't result in
workload or cluster disruptions. If you take no action by the dates in the
preceding section, the only changes that occur are as follows:
The Security Posture page in the Google Cloud console doesn't display
new vulnerability scanning results.
If the vulnerability scanning tier is deprecated, you can't enable that tier
in clusters.
If the vulnerability scanning tier is removed, you can't view historical
results for that tier.
You can't view existing scan results in the security posture dashboard .
Workload vulnerability scanning is disabled in existing clusters that use the
feature.
Existing logs in Cloud Logging remain in the _Default log bucket for the
configured log retention period.
What you can do
To scan images for vulnerabilities after workload vulnerability scanning is
removed, consider the following options:
Artifact Analysis has automatic or on-demand vulnerability
scanning options for container images in Artifact Registry. For details, see
Container scanning overview.
Security Command Center can assess the images of deployed Pods for vulnerabilities. For
more information, see the following security sources:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Vulnerability scanning removal from GKE\n\n[Autopilot](/kubernetes-engine/docs/concepts/autopilot-overview) [Standard](/kubernetes-engine/docs/concepts/choose-cluster-mode)\n\n*** ** * ** ***\n\nThis page describes the removal of vulnerability scanning capabilities from the\nGoogle Kubernetes Engine (GKE) security posture dashboard.\n\nAbout vulnerability scanning\n----------------------------\n\nThe GKE security posture dashboard lets you monitor eligible\nworkloads for issues like security misconfigurations and known vulnerabilities.\nWorkload vulnerability scanning uses the following *tiers*, each of which\nscans specific parts of your running containers:\n\n- **Workload vulnerability scanning - standard tier**: scan the container OS for vulnerabilities.\n- **Advanced Vulnerability Insights**: scan the container OS and language packages for vulnerabilities.\n\nTimeline and milestones\n-----------------------\n\nThe workload vulnerability scanning removal has the following major milestones:\n\n- **July 31, 2025**: the standard tier of vulnerability scanning is shutdown. Results for these scans no longer display in the Google Cloud console. You no longer see an option to enable or disable vulnerability scanning for GKE in the Google Cloud console.\n- **June 16, 2025**: Advanced Vulnerability Insights is deprecated. Scan results still display in the GKE security posture dashboard. Informational messages about the deprecation display in the Google Cloud console.\n- **June 16, 2026**: Advanced Vulnerability Insights results no longer display in the Google Cloud console.\n\nImpact to workloads and clusters\n--------------------------------\n\n| **Key Point:** No disruptions occur in your workloads and clusters. Vulnerability scanning is a monitoring capability that doesn't interact directly with your running workloads.\n\nThe removal of workload vulnerability scanning capabilities won't result in\nworkload or cluster disruptions. If you take no action by the dates in the\npreceding section, the only changes that occur are as follows:\n\n- The **Security Posture** page in the Google Cloud console doesn't display new vulnerability scanning results.\n- If the vulnerability scanning tier is deprecated, you can't enable that tier in clusters.\n- If the vulnerability scanning tier is removed, you can't view historical results for that tier.\n- You can't view existing scan results in the security posture dashboard .\n- Workload vulnerability scanning is disabled in existing clusters that use the feature.\n\nExisting logs in Cloud Logging remain in the `_Default` log bucket for the\nconfigured [log retention period](/logging/quotas#logs_retention_periods).\n\nWhat you can do\n---------------\n\nTo scan images for vulnerabilities after workload vulnerability scanning is\nremoved, consider the following options:\n\n- Artifact Analysis has automatic or on-demand vulnerability scanning options for container images in Artifact Registry. For details, see [Container scanning overview](/artifact-analysis/docs/container-scanning-overview).\n- Security Command Center can assess the images of deployed Pods for vulnerabilities. For\n more information, see the following security sources:\n\n - [Artifact Registry vulnerability assessment](/security-command-center/docs/concepts-security-sources#ar-vuln-assessment) ([Preview](/products#product-launch-stages)).\n - [Vulnerability Assessment for Google Cloud](/security-command-center/docs/concepts-security-sources#vulnerability-assessment-for-google-cloud). ([Preview](/products#product-launch-stages)).\n\nDisable vulnerability scanning\n------------------------------\n\nTo stop using vulnerability scanning in your clusters prior to the removal in\nthe GKE Standard edition, see\n[Disable workload vulnerability scanning](/kubernetes-engine/docs/how-to/security-posture-vulnerability-scanning#disable-security-posture)."]]
