Application Security | Dependency Health

Securing container applications using the Snyk CLI

Hadar Mutai, August 30, 2022

When scanning an image you generally want to check for both operating system package vulnerabilities and vulnerabilities in the application dependencies installed in the image (declared in manifests such as package.json, yarn.lock or pom.xml), so that you see the full set of security issues in the image rather than only the OS layer.

Until now, when scanning images with the snyk container test and snyk container monitor commands, you had to pass the --app-vulns flag to include application vulnerabilities in the scan.

We are excited to share that the snyk container test and snyk container monitor commands will now scan for application vulnerabilities by default. This change will go live in the near future and we will update this post once it is live, so make sure your Snyk CLI is up to date to take advantage of the new capability. You can also follow the steps at the end of this post to get this behavior today.

To support this update, the --json output now also includes application vulnerabilities. We have added an applications key to the JSON output containing an array with one entry per application scan result (one per detected manifest), alongside the existing top-level keys that describe the operating system scan. The new JSON format looks like the following:

{
  "vulnerabilities": [],
  "ok": true,
  "dependencyCount": 13,
  ...
  "packageManager": "apk",
  "summary": "No known operating system vulnerabilities",
  "uniqueCount": 0,
  "projectName": "docker-image|snykgoof/os-app",
  "platform": "linux/amd64",
  "path": "snykgoof/os-app:node-snykin/os-app",
  "applications": [
    {
      "vulnerabilities": [
        {
          A bunch of vulns
        },
        ...
      ],
      "ok": false,
      "dependencyCount": 116,
      "packageManager": "yarn",
      "summary": "14 vulnerable dependency paths",
      "uniqueCount": 9,
      "targetFile": "/app2/package.json",
      "projectName": "snykin",
      "displayTargetFile": "/app2/package.json",
      "path": "snykgoof/os-app:node-snykin"
    }
  ]
}

The new JSON output is available in CLI version 1.962.0.

Using the Snyk CLI in your CI/CD pipeline

Adding security scanning to your continuous integration and continuous delivery (CI/CD) pipeline is a common way to scan images and secure your containers. Since CI/CD integrations ultimately run the Snyk CLI, it is important to know about every change to its behavior and output, because a pipeline gate that parses the results will see the difference.

How will this change impact my build?

If you have integrated Snyk Container testing into your existing CI/CD workflow, be aware that this update may cause your scan to report more vulnerabilities, since application vulnerabilities will now be included alongside operating system vulnerabilities.

If you were already using the --app-vulns flag, you will not notice any change in the behavior or results of your scans. If you are not currently passing --app-vulns to snyk container test, your scans will behave differently and will potentially report more vulnerabilities, which can turn a previously passing build into a failing one. If you wish to keep the previous behavior, you can opt out of application vulnerability scanning with the --exclude-app-vulns flag, which omits the applications section from the results and so mimics the old behavior. The --exclude-app-vulns flag is available in CLI version 1.1021.0 and above.
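As an added example (not code from this post or from Snyk), here is a small CI gate that consumes the JSON format shown above and applies one severity policy to the operating system result and to every entry of the applications array, which is the practical consequence of the change described in this section. The sample report embedded in it is constructed, and the per-vulnerability fields it reads (severity, isUpgradable) are assumed from the CLI's standard vulnerability objects, which the snippet above elides. It also handles the case where the applications key is absent, as it is with --exclude-app-vulns or an older CLI.

```python
"""CI gate for `snyk container test --json` output (added example, not Snyk's code).

Reads one JSON report, walks the operating system result and every entry of
the "applications" array, and returns a non-zero exit code when any result
contains a vulnerability at or above a chosen severity. The "applications"
key is optional: runs with --exclude-app-vulns (or an older CLI) omit it.
"""
import json
import sys

# Snyk severities, lowest to highest. The per-vulnerability field names used
# below (id, severity, packageName, isUpgradable) are assumed from the CLI's
# standard vulnerability objects; the post's snippet elides them.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample, trimmed to the keys this script reads. It is not real
# scanner output: a clean OS layer plus one yarn project with two findings.
SAMPLE_OUTPUT = json.dumps({
    "vulnerabilities": [],
    "ok": True,
    "packageManager": "apk",
    "summary": "No known operating system vulnerabilities",
    "uniqueCount": 0,
    "projectName": "docker-image|example/os-app",
    "platform": "linux/amd64",
    "applications": [
        {
            "vulnerabilities": [
                {"id": "EXAMPLE-ISSUE-1", "severity": "high",
                 "packageName": "example-lib", "isUpgradable": True},
                {"id": "EXAMPLE-ISSUE-2", "severity": "low",
                 "packageName": "other-lib", "isUpgradable": False},
            ],
            "ok": False,
            "packageManager": "yarn",
            "summary": "2 vulnerable dependency paths",
            "uniqueCount": 2,
            "targetFile": "/app2/package.json",
            "projectName": "example-app",
        }
    ],
})


def parse_report(text):
    """Parse the CLI's JSON output into a dict."""
    return json.loads(text)


def iter_results(report):
    """Yield (label, result) for the OS scan and each application scan.

    The top-level object is the OS result; each "applications" entry has the
    same shape. A missing or null "applications" key means no app scan ran.
    """
    yield "os:" + report.get("packageManager", "unknown"), report
    for app in report.get("applications") or []:
        target = app.get("targetFile") or app.get("projectName") or "unknown"
        yield "app:" + target, app


def summarize(report, min_severity="high"):
    """Per result: total findings, findings at/above min_severity, and how
    many of those the CLI marks as fixable by upgrading."""
    threshold = SEVERITY_RANK[min_severity]
    summary = {}
    for label, result in iter_results(report):
        vulns = result.get("vulnerabilities") or []
        actionable = [
            v for v in vulns
            if SEVERITY_RANK.get(v.get("severity", "low"), 0) >= threshold
        ]
        summary[label] = {
            "total": len(vulns),
            "actionable": len(actionable),
            "upgradable": sum(1 for v in actionable if v.get("isUpgradable")),
        }
    return summary


def gate(report, min_severity="high"):
    """Exit code for the CI step: 1 if any result has actionable findings."""
    summary = summarize(report, min_severity)
    return 1 if any(s["actionable"] for s in summary.values()) else 0


def main(argv):
    # Usage: gate.py [report.json|-] [min_severity]; reads stdin if no file given.
    use_stdin = len(argv) < 2 or argv[1] == "-"
    text = sys.stdin.read() if use_stdin else open(argv[1]).read()
    min_severity = argv[2] if len(argv) > 2 else "high"
    report = parse_report(text)
    for label, counts in summarize(report, min_severity).items():
        print(f"{label}: {counts['total']} findings, "
              f"{counts['actionable']} at/above {min_severity}, "
              f"{counts['upgradable']} fixable by upgrade")
    return gate(report, min_severity)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline, capture the report first and let the script decide: run `snyk container test myorg/app:1.2 --json > report.json || true` and then `python gate.py report.json high`. The `|| true` matters because the CLI itself exits non-zero when it finds issues, which would otherwise stop the job before your own policy runs. With `--exclude-app-vulns` (or an older CLI) the applications key is absent and the script gates on the OS result alone, so a build that starts reporting more findings after this change is seeing application results it did not see before, not a change in the OS scan.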

© 2023 Snyk Limited