Snyk Blog

Securing container applications using the Snyk CLI

Written by:
Hadar Mutai
Hadar Mutai
wordpress-sync/blog-hero-test-in-terraform

August 30, 2022

0 mins read

When scanning an image you probably want to scan for both operating system vulnerabilities and vulnerabilities in the application dependencies (like npm, pom.xml, package.json etc), in order to get a full picture of the security issues within your images.

Until now, when using the Snyk Container test/monitor commands to scan images you had to specify the --app-vulns flag in order to scan for application vulnerabilities.

We are excited to share that now, when using the snyk container test/monitor commands, we will scan for application vulnerabilities by default. This change will go live in the near future and we'll update this blog once it's live, so be sure to update your Snyk CLI to take advantage of the new capability. You can also follow the steps at the end to take advantage of this behavior today.

In order to support this update, we now also include application vulnerabilities when using the --json flag. We’ve added a new applications key to the JSON output that includes an array of all application scan results. The new JSON format will look like the following:

1{
2  "vulnerabilities": [],
3  "ok": true,
4  "dependencyCount": 13,
5  ...
6  "packageManager": "apk",
7  "summary": "No known operating system vulnerabilities",
8  "uniqueCount": 0,
9  "projectName": "docker-image|snykgoof/os-app",
10  "platform": "linux/amd64",
11  "path": "snykgoof/os-app:node-snykin/os-app",
12  "applications": [
13    {
14      "vulnerabilities": [
15        {
16          A bunch of vulns
17        },
18        ...
19      ],
20      "ok": false,
21      "dependencyCount": 116,
22      "packageManager": "yarn",
23      "summary": "14 vulnerable dependency paths",
24      "uniqueCount": 9,
25      "targetFile": "/app2/package.json",
26      "projectName": "snykin",
27      "displayTargetFile": "/app2/package.json",
28      "path": "snykgoof/os-app:node-snykin"
29    }
30  ]

The new JSON output is available in CLI version 1.962.0.

Using the Snyk CLI in your CI/CD pipeline

Adding security scanning to your continuous integration and continuous delivery pipeline is a common way to scan your images and secure your containers. And, since integrating with a CI/CD pipeline ultimately uses the Snyk CLI, it’s important to know about every change made in the results.

How will this change impact my build?

If you have integrated Snyk Container testing into your existing CI/CD workflow, you should know that this update may cause your scan to detect more vulnerabilities — since application vulnerabilities will now be included.

If you were already using the --app-vulns flag, you won’t notice any changes in behavior or results of your scans. However, if you aren’t currently specifying the --app-vulns flag in your snyk container test command, your scan behavior may be different and you’ll potentially see more vulnerabilities. If you wish to maintain the previous behavior, you can "opt out" of the application vulnerability scanning by specifying the --exclude-app-vulns flag — which will omit the application vulnerabilities section from the results, mimicking the previous behavior.

We suggest downloading the newest CLI version, and testing the updates with your current configuration as soon as possible.

Posted in:Container Security, Application Security

How CISOs are Transforming their DevSecOps Strategies

500 devs to 1 security professional is the reality of today. The security pro’s role must transform into an aware, knowledgeable, supportive partner capable of empowering developers to make security decisions.

See the playbook

Get started for free

Secure your applications with Snyk’s vulnerability scanning and AI-powered fixes.

No credit card required.

Start free with GithubStart free with Google

Or Sign up with

SSOBitbucketAzure ADDocker ID

By logging in or signing up, you agree to abide by our policies, including our Terms of Service and Privacy Policy

Patch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo Segment

Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.

Start freeBook a live demo

Product

Developer Security PlatformSnyk Code (SAST)Snyk Open Source (SCA)Snyk ContainerSnyk Infrastructure as CodeApplication securitySoftware supply chain securityASPMSecure AI-generated code DeepCode AIPricingDeployment optionsIntegrationsIDE pluginsGit SecurityCI/CD pipelines securityWhat is Snyk?Snyk CLISnyk LearnSnyk for JavaScript

Resources

DocumentationSnyk API DocsAPI statusDisclosed vulnerabilitiesSupport portal & FAQ’sBlogSecurity fundamentalsResources for security leadersResources for ethical hackersDeveloper security educationVulnerability DatabaseSnyk OSS AdvisorSnyk Top 10Videos

Company

AboutCustomersCareersEventsSnyk for governmentPress kitSecurity & trustLegal termsPrivacyFor California residents: Do not sell my personal information

Connect

Book a live demoContact usSupportReport a new vuln

Security

Application SecurityContainer SecuritySupply Chain SecurityJavaScript SecurityOpen Source SecurityAWS SecuritySecure SDLCSecurity postureSecure codingEthical HackingAI in cybersecurityCode CheckerPythonEnterprise CybersecurityJavaScriptSnyk With GitHub

© 2023 Snyk Limited
Registered in England and Wales

logo-devseccon