Documentation

Snyk for Docker

What type of Docker images does Snyk support?

Snyk supports testing and monitoring Docker images that have their dependencies managed by Debian, RPM or APK. Docker scanning is available via the Snyk CLI.

Docker scanning is available as an add-on to our paid plans. See Plans to learn more.

Testing Docker images

We scan Docker images by extracting the image layers and inspecting the package manager manifest info. We then compare every OS package installed in the image against our Docker vulnerability database.
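The manifest inspection described above, sketched for the Debian case only as an added example (not Snyk's code). It parses a dpkg status file and matches installed packages against an advisory list. The sample manifest, package names and advisory ids are constructed, and exact-version matching stands in for the version-range comparison a real scanner performs.

```python
# Constructed sample of /var/lib/dpkg/status as found inside an image layer.
SAMPLE_STATUS = """\
Package: libexample1
Status: install ok installed
Version: 1.0.2-1
Description: example library
 continuation line of the description

Package: exampletool
Status: deinstall ok config-files
Version: 0.9-3

Package: examplessl
Status: install ok installed
Version: 2.4.1-2+deb0u1
"""

# Constructed advisory data: (package, affected version) -> placeholder id.
SAMPLE_ADVISORIES = {
    ("libexample1", "1.0.2-1"): "EXAMPLE-ADVISORY-0001",
    ("exampletool", "0.9-3"): "EXAMPLE-ADVISORY-0002",
    ("examplessl", "2.4.0-1"): "EXAMPLE-ADVISORY-0003",
}


def parse_dpkg_status(text):
    """Return {package: version} for packages that are actually installed."""
    installed = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            # Lines starting with whitespace continue the previous field.
            if line[:1] in (" ", "\t") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        # Removed packages keep a stanza; only the "installed" state counts.
        if fields.get("Status", "").split()[-1:] == ["installed"]:
            installed[fields["Package"]] = fields["Version"]
    return installed


def find_vulnerable(installed, advisories):
    """List (package, version, advisory id) for exact affected-version hits."""
    return sorted(
        (name, ver, advisories[(name, ver)])
        for name, ver in installed.items()
        if (name, ver) in advisories
    )
```

The removed package (exampletool) still has a stanza in the manifest but is skipped, which is why the Status field has to be checked before matching.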

To test an image, make sure it is built (e.g. docker build -t myapp:mytag .) or pulled locally (e.g. docker pull myapp:mytag).

  • Run snyk test --docker myapp:mytag to test the image for vulnerabilities and receive remediation advice per vulnerability.
  • Run snyk test --docker myapp:mytag --file=path/to/Dockerfile to test the image for vulnerabilities and receive remediation advice per vulnerability, as well as alternative base images for your Dockerfile.
  • Run snyk monitor --docker ubuntu:latest to create a snapshot of the image’s dependencies for continuous monitoring.