Snyk Documentation

CLI—analysis and remediation

Snyk analyzes the image and returns vulnerability and remediation details directly from the CLI. The output includes this information, in this order:

  • List of vulnerabilities—sorted by severity and grouped by vulnerability, where each is detailed as follows:
    • A clear heading line—each heading to a group of vulnerability details includes the severity and cites the vulnerable package and project dependency in which it is located
    • Info—offers a link to the full vulnerability description in our database, from which you can find more details and remediation advice for the vulnerability
    • Description—provides the official common name of the vulnerability
    • Introduced through—displays the top-level package names affected by the vulnerability
    • From—lists all full paths of the project in which the package is located
    • Introduced by your base image/ Introduced in your Dockerfile/ Introduced by the scratch image—indicates the base image, Dockerfile layer, or scratch image in which the package with the vulnerability originated. This feature is only available if you include your Dockerfile in the test (using the --file argument)
    • Fixed in—when the package in which the vulnerability was found has been fixed by its maintainer, this line indicates from which version the vulnerability was removed

  • Project summary, including this information:
    • Organization—the Snyk organization to which the project is associated; use environment variables when running snyk test to apply a specific organization. Otherwise, this is your default Snyk organization
    • Package manager—associated with this image
    • Docker image—the image and version that was tested/scanned
    • Total dependencies with known vulnerabilities, and the total number of vulnerabilities
    • Scan summary—displayed under the list of vulnerabilities, after running snyk test.
  • If you included your Dockerfile in the test, Snyk offers any available actionable remediation advice as follows:
      • analysis of the scratch image
      • the safest and best minor upgrade available
      • an option for a major upgrade which will reduce more vulnerabilities but with greater risk
      • viable alternative image options for replacing your current image with other, different images that provide the least amount of vulnerabilities possible.


    • Finally, if your base image is outdated, Snyk also recommends rebuilding your image.