Custom Base Image Recommendations
This feature is currently in Beta. Please contact your Snyk account team if you are interested in participating.

When scanning a container image, Snyk provides recommendations based on the base image detected. These recommendations apply only to a subset of images, as Snyk precomputes recommendations only for Official Docker images.
Customers often maintain their own internal, customized base images, built on top of Official Docker images or other upstream images. These are provided as a service to a wider set of development teams, for example, somecompany/java:v1.2.4.
Using the custom base image recommendation feature, Snyk can recommend an image upgrade from a pool of the customer’s internal images. This allows teams to be notified of newer and more secure versions of their internal base images.

  1. 1.
    Your company's platform team, responsible for creating and maintaining custom base images for the organization, scans and marks images in Snyk as custom base images.
  2. 2.
    Your company's application teams, using those pre-built custom base images and adding additional layers on top of it for their applications, can get recommendations for upgrading to a newer internal version.

As an example, when scanning the following images and marking them (in the following order) as custom base images:
  1. 1.
    developer-java/oracle-jre-rhel7/8e32:1.8.0
  2. 2.
    developer-java/oracle-jre-rhel7/8e32:1.9.2
  3. 3.
    developer-java/oracle-jre-rhel7/8e32:1.7.0
Snyk will recommend the second image, as it is the newest image based on the semantic versioning of the tag.
If Snyk cannot find a standard semantic versioning schema in the tag, the recommendation is the last image that was marked as a custom base image (in this example, the third image), as determined in the following logic.

As an example, when scanning the following images and marking them (in the following order) as custom base images through the Snyk interface, under project settings:
  1. 1.
    developer-java/oracle-jre-rhel7/8e32:1.8.0_2021021008
  2. 2.
    developer-java/oracle-jre-rhel7/8e32:1.8.0_2021022508
  3. 3.
    developer-java/oracle-jre-rhel7/8e32:1.8.0_2021031708
Snyk recommends the third image, as it was last marked as a custom base image.

  • To use the Custom Base Image Recommendations feature, Snyk needs to enable it for each organization that wants to be able to mark images as custom base images (for example, the platform team).
    • This means that every user in the organization (platform team in this example) will be able to mark images as custom base images in the project settings.
    • Later, projects in the same group as the organization (platform team in this example) will be able to receive custom base image recommendations.
  • The current logic is: for the same image family (same repo and name), Snyk will recommend the newest image based on the semantic versioning of the image tag. If Snyk is unable to find a standard semantic versioning schema in the tag, the recommendation will be the last image that was marked as a custom base image (timestamp of marking. See the User flows→ Platform team section that follows.
  • A Dockerfile must be specified (see the instructions that follow) in the project in order to receive custom base image recommendations
  • All custom base image recommendations are considered as minor upgrades, regardless of the image tag.
  • Automatic fix PRs are supported for custom base image recommendations.
  • In order for Snyk to identify a project is using a custom base image, the same custom base image must be imported and marked as such in the project's settings.

Responsible for creating and maintaining custom base images for the organization.
  1. 1.
    Ask Snyk to enable the feature for the organization being used by the platform team.
  2. 2.
    Create a custom base image.
  3. 3.
    Import the image to a Snyk’s project either:
    1. 1.
      Through the Web UI: Import an image into Snyk using a container registry.
    2. 2.
      Through the CLI
      1. 1.
        Use --file (optional) to specify the path to the Dockerfile, and --project-name (mandatory) to give the project a unique name (Snyk recommends using the image name and tag, without the repo. Example: oracle-jre-rhel7/8e32:1.8.0_2021022508)
      2. 2.
        The following is an example command: snyk container monitor snykgoof/custom-base-python:3.9.2_2021110408 --file=path/to/Dockerfile.3.9.2 --project-name=custom-base-python:3.9.2_2021110408 --org=ORGANIZATION_ID/ORGANIZATION_NAME
  4. 4.
    Mark the project as a custom base image.
    1. 1.
      Go to the project’s Settings page
      \
    2. 2.
      Under Custom Base Image Recommendation, select Treat as custom base image.
    3. 3.
      Click Update image status.
  5. 5.
    Mark whether the image should be eligible for recommendations.
    1. 1.
      Again in Custom Base Image Recommendation, select the Use in recommendations checkbox.
    2. 2.
      Click Update image status.
  6. 6.
    To test the feature, go through the preceding steps for at least two different images from the same repository in order to get recommendations.

Using pre-built custom base images and adding additional layers on top of it for their applications
First, import an image to a new Snyk project (check that the project is in the same group as the custom images). You can do this from the CLI or the Web UI.
If the same image is scanned from both the CLI and UI, Snyk creates two projects which will both be monitored.

  1. 1.
    Use --file (mandatory) to specify the path to the Dockerfile.
  2. 2.
    The following is an example command: snyk container monitor snykgoof/custom-base-python:3.9.2_2021110408 --file=path/to/Dockerfile.3.9.2
  3. 3.
    Optional: use the --exclude-base-image-vulns flag for the snyk test command to not show the base image vulnerabilities.

Configure the Dockerfile through the project’s settings (mandatory):

Next, get recommendations for the image:

  1. 1.
    Marking an image as a custom base image is supported only through the UI, and not through the API/CLI.
  2. 2.
    Custom base image recommendations will not appear when scanning an image without attaching the Dockerfile to the project.
  3. 3.
    The image’s registry is ignored when giving recommendations for custom base images. Images with the same repository but different registries will be treated as coming from the same registry (the current base image’s registry) in showing recommendations and fix PRs.
Export as PDF
Copy link
Edit on GitHub
On this page
Overview
Case study
SemVer recommendation logic
Timestamp recommendation logic
Notes
User flows
Platform team
Application team
Known gaps