Container vulnerability management for developers

Aner Mazur, June 28, 2018

Today Snyk released a container vulnerability management solution which empowers developers to fully own the security of their Dockerized application!

Containers are becoming the standard form in which applications are packaged and executed, so the need to protect not only the application itself but the entire container against open source vulnerabilities is growing. Snyk, being committed to helping developers secure their applications from open source vulnerabilities, is extending its support to Docker containers with its unique developer-first approach. The solution will seamlessly integrate with the various dev and runtime platforms throughout the SDLC, providing deep application analysis, automated vulnerability remediation, and our leading vulnerability database.

Easily scan for open source vulnerabilities

Container images are created and managed by developers, so Snyk created a simple CLI that enables developers to both test images locally and integrate image validation into their CI/CD processes. It’s part of Snyk’s regular CLI, and is released to all Enterprise customers. All you need to do is upgrade to the latest CLI version:

npm install -g snyk
snyk auth

Snyk will scan all operating system libraries installed by the DEB, APK or RPM package managers, extract their exact versions, and test them against the most up-to-date version of our vulnerability database. To test a local Docker image, use the --docker flag and point to the image name:

docker pull ubuntu:artful-20170601
snyk test ubuntu:artful-20170601 --docker --org=my-team

This prints all detected operating system vulnerabilities:

✗ High severity vulnerability found on glibc/libc-bin@2.24-9ubuntu2
- desc: Privilege Escalation
- info: https://snyk.io/vuln/SNYK-LINUX-GLIBC-129450
- from: ubuntu@artful-20170601 > glibc/libc-bin@2.24-9ubuntu2
- fixed in: glibc/libc-bin@2.26-0ubuntu2.1

✗ Medium severity vulnerability found on libgcrypt20@1.7.6-1
- desc: CVE-2018-0495
- info: https://snyk.io/vuln/SNYK-LINUX-LIBGCRYPT20-104368
- from: ubuntu@artful-20170601 > util-linux/bsdutils@1:2.29-1ubuntu3 > systemd/libsystemd0@233-6ubuntu3 > libgcrypt20@1.7.6-1
- fixed in: libgcrypt20@1.7.8-2ubuntu1.1

✗ High severity vulnerability found on perl/perl-base@5.24.1-2ubuntu1
- desc: Buffer Overflow
- info: https://snyk.io/vuln/SNYK-LINUX-PERL-106304
- from: ubuntu@artful-20170601 > meta-common-packages@meta > perl/perl-base@5.24.1-2ubuntu1
- fixed in: perl/perl-base@5.26.0-8ubuntu1.1

To track a project for newly disclosed vulnerabilities through the Snyk UI, use the monitor command. You can use both snyk test and snyk monitor in your CI environments to bake security into your deployment pipeline.

Remediate vulnerabilities

One of Snyk’s key differentiators is empowering developers to not just find vulnerabilities, but actually fix them. For every vulnerability whose library has an upgraded version that fixes it, we suggest the minimal version the user should upgrade to.

Looking at the first result of the snyk test run above, we see a privilege escalation vulnerability was found in libc-bin.

Clicking the link to the vulnerability page in Snyk, we can see that a local attacker could exploit this vulnerability to execute arbitrary code in setuid programs and gain root privileges. On top of that, multiple exploits for it are publicly available (in Metasploit, Exploit-DB and the like), so this one is a critical priority to fix.


Understand library context

Snyk considers containers to be a different way to package an application, and approaches them with the same developer-first angle we had before. This is evident in the great developer experience our CLI offers, but also in the application perspective. Instead of just saying we found a vulnerable component and leaving it to the developer to figure out “how did THAT library get there?”, we track the inclusion path of every vulnerable library (as seen in the ‘from’ line in the CLI results), making it far easier to understand the vulnerability in the context of the application, which is key for assessing exploitability but even more so for remediation.
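As an added example (not Snyk’s own code), the following script parses the text output shown above from snyk test --docker into structured findings, pulls out the minimal fixed version and the ‘from’ inclusion path for each, and applies a severity threshold of the kind a CI job would use before letting an image through. The parsing of the ✗ header and "- key: value" lines is an assumption based only on the output format reproduced in this post; the sample input is constructed from two of the findings above.

```python
from dataclasses import dataclass, field
# Constructed sample: two of the findings from the `snyk test --docker` run above.
SAMPLE_OUTPUT = """\
✗ High severity vulnerability found on glibc/libc-bin@2.24-9ubuntu2
- desc: Privilege Escalation
- info: https://snyk.io/vuln/SNYK-LINUX-GLIBC-129450
- from: ubuntu@artful-20170601 > glibc/libc-bin@2.24-9ubuntu2
- fixed in: glibc/libc-bin@2.26-0ubuntu2.1

✗ Medium severity vulnerability found on libgcrypt20@1.7.6-1
- desc: CVE-2018-0495
- info: https://snyk.io/vuln/SNYK-LINUX-LIBGCRYPT20-104368
- from: ubuntu@artful-20170601 > util-linux/bsdutils@1:2.29-1ubuntu3 > systemd/libsystemd0@233-6ubuntu3 > libgcrypt20@1.7.6-1
- fixed in: libgcrypt20@1.7.8-2ubuntu1.1
"""
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

@dataclass
class Finding:
    severity: str
    package: str                                # e.g. "glibc/libc-bin@2.24-9ubuntu2"
    fields: dict = field(default_factory=dict)  # desc, info, from, fixed in

    @property
    def path(self):  # inclusion chain from the "from" line, base image first
        return [p.strip() for p in self.fields.get("from", "").split(">")]

    @property
    def fixed_in(self):  # minimal fixed version Snyk suggests, "" when none is listed
        return self.fields.get("fixed in", "")

def parse_findings(text):
    """One Finding per '✗' header; each '- key: value' line attaches to the current one."""
    findings = []
    for line in text.splitlines():
        if line.startswith("✗ "):  # "✗ <Severity> severity vulnerability found on <pkg@ver>"
            words = line.split()
            findings.append(Finding(words[1], words[-1]))
        elif line.startswith("- ") and findings:
            key, _, value = line[2:].partition(": ")
            findings[-1].fields[key] = value
    return findings

def introduced_by(finding):
    """The package directly under the base image that pulled in the vulnerable one."""
    return finding.path[1] if len(finding.path) > 1 else None

def should_fail_build(findings, threshold="High"):
    """CI gate for `snyk test`: True if any finding is at or above the threshold."""
    return any(SEVERITY_RANK[f.severity] >= SEVERITY_RANK[threshold] for f in findings)
```

For the libgcrypt20 finding, introduced_by points at util-linux/bsdutils, the package that actually brought the vulnerable library into the image, which is the dependency to look at when the fix is not a direct upgrade.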

Over time, you’ll see more capabilities around our container security that will help developers easily find and fix vulnerabilities, aligned with Snyk’s commitment to developer friendliness and remediation. So stay tuned 🙂
