Snyk Documentation

How it works

With Snyk, you can:

Test and protect

Once the user installs the Snyk CLI, downloads the image to be tested and runs snyk test from the CLI, Snyk does the following:

  1. Scans the OS packages per image by inspecting the relevant OS package manager manifest information for any of these package managers:
    • dpkg (Debian and Ubuntu)
    • RPM (RHEL)
    • APK (Alpine)
  2. Analyzes images for key application binaries not managed by the OS package manager; for example Node.js and OpenJDK. When the image has no package manager at all (for example, scratch images), we scan for key application binaries only. We are continuing to expand our key binary detection mechanism by demand.
  3. Compares every OS package or key binary installed in the image against our vulnerability database.
  4. If you included the Dockerfile in the command line, Snyk also scans the Dockerfile in order to provide a more detailed analysis for your base images (including scratch images). 
  5. Returns a summary of package, layer and dependency details for the image, and also lists discovered vulnerabilities, their severity and any available remediation advice.

For help working with our CLI, see: CLI—test your container.

Monitor and protect

Use the Snyk UI to monitor your projects on an ongoing basis.

  1. The user imports a container project by one of the following methods:
    • Run snyk monitor on your local image from the CLI
    • Import and select projects directly from your own registry such as Docker Hub
  2. Snyk imports a snapshot of the image dependencies to Snyk servers. You can also include the Dockerfile (additional base and scratch image support) for monitoring.
  3. Snyk displays all identified vulnerabilities and remediation advice. See Add your Dockerfile for base image remediation.
  4. Snyk displays a dependency tree for the image to assist you in understanding the dependency structure of your image.
  5. Snyk scans the image dependencies regularly based on your configurations (daily or weekly) and updates you when any new vulnerabilities are identified (email or Slack, also based on your configurations).

For help working with our CLI, see: CLI—test your container.

For help working with our UI, see: Docker Hub—integrate and testECR—integrate and test and GCR – integrate and test.