What type of Docker images does Snyk support?
Snyk supports testing and monitoring Docker images for which their dependencies are managed by dpkg, RPM or APK. Docker scanning is available via the Snyk CLI.
Docker scanning is available for up to 100 tests on all plans, and as an unlimited option when bought as an add on to our paid plans. See Plans to learn more.
Testing Docker images
We scan Docker images by extracting the image layers and inspecting the package manager manifest info. We then compare every OS package installed in the image against our Docker vulnerability database.
To test an image, make sure it is built (i.e.
docker build -t myapp:mytag .) or pulled locally (i.e.
docker pull myapp:mytag).
snyk test --docker myapp:mytag to test the image for vulnerabilities and receive remediation advice per vulnerability.
snyk test --docker myapp:mytag --file=path/to/Dockerfile to test the image for vulnerabilities and receive remediation advice per vulnerability and as alternative base images for your Dockerfile.
snyk monitor --docker ubuntu:latest to create a snapshot of the image's dependencies for continuous monitoring.
Key Binaries Scanning
Snyk supports scanning key binaries installed on the image. Often, these binaries are not installed by the OS package manager ( dpkg, RPM or APK), but rather installed by downloading of files and running manual installation.
Snyk currently detects vulnerabilities for Node.js