Scanning ARM container images with Snyk
ARM-based systems are increasingly popular amongst developers, for edge and IoT use cases as well as some server uses with the likes of the AWS Graviton Amazon EC2 instances. Docker provides an increasingly flexible toolset for building container images for multiple architectures. But how do you know those images are secure?
Helping ARM developers secure their containers
Snyk today supports scanning Docker images built for ARM (or, in fact, any other platform). If the tag in question is only built for ARM then it’s as simple as just pointing the Snyk CLI at the image as normal:
snyk container test arm64v8/debian
But some Docker images support multiple platforms, using manifest lists. Docker's documentation explains how these are built and published.
When you have a multi-platform image, you can specify the platform you want to test explicitly using the --platform flag. Here’s an example of using that to test the debian image from Docker Hub:
$ snyk container test --platform=linux/arm64 debian
…
✗ Medium severity vulnerability found in gcc-8/libstdc++6
  Description: Information Exposure
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GCC8-347558
  Introduced through: email@example.com, firstname.lastname@example.org, meta-common-packages@meta
  From: email@example.com
  From: firstname.lastname@example.org > email@example.com
  From: firstname.lastname@example.org > email@example.com > firstname.lastname@example.org
  and 2 more...

✗ High severity vulnerability found in gnutls28/libgnutls30
  Description: Out-of-bounds Write
  Info: https://snyk.io/vuln/SNYK-DEBIAN10-GNUTLS28-609778
  Introduced through: email@example.com+deb10u5, firstname.lastname@example.org
  From: email@example.com+deb10u5
  From: firstname.lastname@example.org > email@example.com+deb10u5

Organization: garethr
Package manager: deb
Project name: docker-image|debian
Docker image: debian
Licenses: enabled

Tested 92 dependencies for known issues, found 54 issues.
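An added example (not from the original post and not Snyk's own code): a Python helper that reads a tag's manifest list and runs snyk container test --platform= once per platform, so that no architecture of a multi-platform image goes unscanned. It assumes docker and snyk are on PATH; the sample manifest JSON is constructed and the function names are hypothetical.

```python
import json
import subprocess
import sys

# Constructed sample of `docker manifest inspect` output (digests omitted).
SAMPLE_MANIFEST_LIST = """{"schemaVersion": 2, "manifests": [
  {"platform": {"architecture": "amd64", "os": "linux"}},
  {"platform": {"architecture": "arm", "os": "linux", "variant": "v7"}},
  {"platform": {"architecture": "arm64", "os": "linux", "variant": "v8"}},
  {"platform": {"architecture": "unknown", "os": "unknown"}}
]}"""

def platforms(manifest_json):
    """Return sorted os/arch[/variant] strings found in a manifest list."""
    found = set()
    for entry in json.loads(manifest_json).get("manifests", []):
        plat = entry.get("platform", {})
        os_name, arch = plat.get("os"), plat.get("architecture")
        if not os_name or not arch or "unknown" in (os_name, arch):
            continue  # build attestation entries are unknown/unknown, not images
        variant = plat.get("variant")
        # Keep the variant only for 32-bit arm; arm64/v8 normalizes to arm64.
        if arch == "arm" and variant:
            found.add(f"{os_name}/{arch}/{variant}")
        else:
            found.add(f"{os_name}/{arch}")
    return sorted(found)

def snyk_command(image, platform=None):
    """Build the CLI invocation shown in the post, with an optional platform."""
    flag = [f"--platform={platform}"] if platform else []
    return ["snyk", "container", "test", *flag, image]

def scan_all(image):
    """Scan every platform of the image; return the highest Snyk exit code."""
    raw = subprocess.run(["docker", "manifest", "inspect", image],
                         check=True, capture_output=True, text=True).stdout
    worst = 0
    # Single-platform tags have no manifest list: scan once without the flag.
    for platform in platforms(raw) or [None]:
        rc = subprocess.run(snyk_command(image, platform)).returncode
        print(f"{platform or 'default'}: snyk exit code {rc}")
        worst = max(worst, rc)  # non-zero: issues found or the scan failed
    return worst

if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(scan_all(sys.argv[1]))
    print(platforms(SAMPLE_MANIFEST_LIST))
```

Run with an image name as the only argument to scan a real tag; with no argument it only prints the platforms parsed from the constructed sample.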
Using platform information in Snyk
The information about the platform is also available in the Snyk Project Page if you import ARM images from a container registry like ACR, Docker Hub, ECR or GCR, or add an image to be tracked by Snyk using snyk container monitor. You can see the platform in the project metadata.
The platform information is also available for customers in the Snyk API. Whenever you retrieve a container image project you should see the imagePlatform attribute containing the platform.
At Snyk we’re really interested in seeing how developers embrace the ARM platform in the next few years, and will be looking for more ways of helping developers to build secure Docker images, whatever platform they choose to build for.
You can try out the new ARM functionality shown above by downloading the latest version of the Snyk CLI.