Cloud Native Security

Detecting application vulnerabilities in container images

Danielle Inbar, May 18, 2020

Snyk now makes it even easier for you to detect vulnerabilities in container images, by identifying vulnerable application dependencies alongside the operating system vulnerability.

(Screenshot: Snyk detecting application vulnerabilities in a container image)

Lost provenance and third-party images

Snyk today provides the ability to detect vulnerabilities in your Java, .NET, Python, Go, etc. application dependencies, as well as in your container images. But, until now, we’ve left those as separate commands in our CLI.

That works well when you’re testing your application dependencies, building images, and then testing the container operating system for vulnerabilities as part of a tightly integrated pipeline. But what about the third-party images you’re running, for which you never had the source code? Or that image in your registry where you’re not quite sure which version of the software is installed?

A single scan to find all your vulnerabilities

Previously, when we scanned a container image, we’d show something like:

(Screenshot: previous result of a Snyk container image scan, showing only operating system vulnerabilities)

Here you can see the image name, an icon representing the base image operating system, and the number of high, medium, and low vulnerabilities. Scanning the same image today will show:

(Screenshot: improved result of a Snyk container image scan, showing application dependency vulnerabilities as well)

Here you can see we’ve also detected applications in the images and found some vulnerabilities present in their dependencies as well.
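To make the idea behind this concrete, here is an added illustration of what "detecting applications in an image and checking their dependencies" means in practice. It is example code written for this page, not Snyk's scanner or any part of the Snyk product, and it only handles the situation described above: an image you did not build, whose filesystem has been exported to a directory (the export step, the directory layout, the manifest file names and the advisory records are all assumptions made for the example; the advisory list is constructed and contains no real vulnerability data). It walks the unpacked filesystem, finds pip, npm and RubyGems manifests, extracts the resolved package versions, and reports any package older than the (constructed) fixed version.

```python
import json
import os
import re
import tempfile
from pathlib import Path

# Manifest file names this toy scanner understands, mapped to their ecosystem.
MANIFESTS = {
    "requirements.txt": "pip",
    "package-lock.json": "npm",
    "Gemfile.lock": "rubygems",
}

# Constructed advisory records for the example only; these are not real vulnerabilities.
ADVISORIES = [
    {"id": "EXAMPLE-PIP-0001", "ecosystem": "pip", "package": "examplelib", "fixed_in": "2.0.0"},
    {"id": "EXAMPLE-NPM-0002", "ecosystem": "npm", "package": "left-pad-ish", "fixed_in": "1.3.1"},
    {"id": "EXAMPLE-GEM-0003", "ecosystem": "rubygems", "package": "demo-gem", "fixed_in": "4.2.0"},
]


def parse_version(text):
    """Turn '1.2.3' (or '1.2') into a comparable 3-tuple; non-numeric parts are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_requirements(text):
    """Pinned `name==version` lines from a pip requirements.txt (comments stripped)."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.\-]+)==([0-9][^\s;]*)", line)
        if m:
            deps[m.group(1).lower()] = m.group(2)
    return deps


def parse_package_lock(text):
    """Resolved versions from an npm package-lock.json (lockfile v1 and v2/v3 layouts)."""
    data = json.loads(text)
    deps = {}
    for name, meta in data.get("dependencies", {}).items():  # lockfile v1
        deps[name] = meta.get("version", "")
    for path, meta in data.get("packages", {}).items():  # lockfile v2/v3
        if path.startswith("node_modules/"):
            deps[path.rsplit("node_modules/", 1)[1]] = meta.get("version", "")
    return deps


def parse_gemfile_lock(text):
    """`    name (version)` entries from the specs section of a Gemfile.lock."""
    deps = {}
    for m in re.finditer(r"^    ([A-Za-z0-9_\-]+) \(([0-9][^)]*)\)$", text, re.M):
        deps[m.group(1)] = m.group(2)
    return deps


PARSERS = {"pip": parse_requirements, "npm": parse_package_lock, "rubygems": parse_gemfile_lock}


def find_manifests(root):
    """Walk the unpacked image filesystem and yield (path, ecosystem) for each known manifest."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name in MANIFESTS:
                yield Path(dirpath) / name, MANIFESTS[name]


def scan_image(root):
    """Return findings: every installed package older than an advisory's fixed version."""
    findings = []
    for path, eco in find_manifests(root):
        deps = PARSERS[eco](path.read_text())
        for adv in ADVISORIES:
            if adv["ecosystem"] != eco:
                continue
            version = deps.get(adv["package"])
            if version and parse_version(version) < parse_version(adv["fixed_in"]):
                findings.append({
                    "path": str(path.relative_to(root)),
                    "ecosystem": eco,
                    "package": adv["package"],
                    "version": version,
                    "advisory": adv["id"],
                })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_image():
    """Create a constructed stand-in for an exported image rootfs holding three app manifests."""
    root = Path(tempfile.mkdtemp(prefix="rootfs-"))
    (root / "app").mkdir()
    (root / "app" / "requirements.txt").write_text("examplelib==1.4.2  # pinned\nrequests==2.31.0\n")
    (root / "usr/src/site").mkdir(parents=True)
    (root / "usr/src/site/package-lock.json").write_text(json.dumps({
        "lockfileVersion": 2,
        "packages": {"": {}, "node_modules/left-pad-ish": {"version": "1.3.1"}},
    }))
    (root / "srv").mkdir()
    (root / "srv/Gemfile.lock").write_text("GEM\n  specs:\n    demo-gem (4.1.9)\n    rake (13.0.6)\n")
    return root


if __name__ == "__main__":
    for f in scan_image(build_sample_image()):
        print(f"{f['advisory']}: {f['ecosystem']} {f['package']}@{f['version']} in /{f['path']}")
```

Run as a script, it reports the pinned `examplelib` and the `demo-gem` entry and stays silent on `left-pad-ish`, which is already at the constructed fixed version. The point worth noticing is that nothing here needed the application's source repository: the lockfiles baked into the image are enough to recover what was actually installed, which is exactly why scanning the image (rather than only the repository that produced it) catches dependencies in third-party or forgotten images.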

This feature builds on Snyk’s world-class vulnerability database, which contains vulnerabilities from a wide range of public and private sources, including the work of our very own research team. 

Availability

We’re starting to roll this new feature out across our container integrations now, beginning with our support for container registries. If you’re using Amazon ECR, Docker Hub, GCR, ACR, or Artifactory, you can use this today. We’ll add support to our Kubernetes integration and CLI tools next, but we like getting features into your hands quickly.

We’ve also started with a subset of languages, focused mainly on dynamic languages at the moment. Today we have support for Python, JavaScript, PHP, and Ruby. In time, we’d like to support all the languages we support elsewhere.

For new Snyk users and for those with free Snyk accounts we’re enabling this feature by default. For Snyk Container customers we’re erring on the side of caution, as we don’t want to introduce unexpected noise into how you report on vulnerabilities in Snyk. Whether you are a free or paid user you can enable or disable this functionality in the settings page:

(Screenshot: the settings page where detection of application vulnerabilities in container images is enabled or disabled)

Let us know what you think

As always, please let us know what you think about this new feature, and what you’d like to see next.
