Snyk CLI for container security
The Snyk Container command line interface (CLI) helps you find and fix vulnerabilities in container images on your local machine.
To use the CLI you must first install it and then authenticate.

Testing an image

To test an image run:

    snyk container test debian

This command does the following:
  1. Downloads the image if it is not already available locally in your Docker daemon
  2. Determines the software installed in the image
  3. Sends that bill of materials to the Snyk service
  4. Returns a list of the vulnerabilities in your image
You can use Snyk to test any image that you can pull from a remote registry, or any image you have built locally and made available in your local Docker daemon.

    snyk container test <repository>:<tag>

If you use a Dockerfile to build your image, you can specify that when running snyk container test.

    snyk container test <repository>:<tag> --file=Dockerfile

Specifying a Dockerfile provides more context, and allows Snyk to provide clear recommendations on how to fix discovered vulnerabilities.
To detect application vulnerabilities in your image as well, use the --app-vulns flag.

Monitoring an image

Snyk Container also allows you to monitor an image. This provides the following advantages:
  • Snyk alerts you if new vulnerabilities are disclosed that affect your image, without your having to retest your image locally.
  • The Snyk web UI lets you interactively filter the results and explore the list of vulnerabilities in your browser.
  • You can share results on Snyk with other members of your team.
You can also access aggregate reports of vulnerabilities across all of your projects.
Feature availability: The aggregate reports feature is available with all paid plans. See pricing plans for more details.
To monitor an image run:

    snyk container monitor <repository>:<tag>

This command does the following:
  1. Downloads the image if it is not already available locally in your Docker daemon
  2. Determines the software installed in the image
  3. Sends that bill of materials to the Snyk service
  4. Returns a link to the Snyk service where you can see the results

Note: It is common to use both test and monitor with Snyk Container. The test command is great for quick checks. The monitor command can be used for ongoing assurance and easier sharing of results.
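Putting test and monitor together as the note above suggests, here is an added example (not from the Snyk documentation) of a shell CI step that gates a build on `snyk container test` and records a `snyk container monitor` snapshot only for images that pass. It assumes an installed, authenticated CLI and a locally built image; the image name and Dockerfile path are placeholders, and the `--severity-threshold` flag it uses is a real CLI flag that this page does not mention.

```shell
#!/bin/sh
# Added example, not from the Snyk docs: a CI gate that runs `snyk container test`
# on a freshly built image and takes a `snyk container monitor` snapshot only when
# the test passes, so the Snyk dashboard tracks images that actually shipped.
# Assumptions: the snyk CLI is installed and authenticated; the image is present in
# the local Docker daemon or pullable; image name, tag and Dockerfile path are
# placeholders for your own.
#
# Flags used:
#   --file=<Dockerfile>         gives Snyk the build context for base-image fix advice
#   --app-vulns                 also scans application dependencies inside the image
#   --severity-threshold=<sev>  reports, and fails on, findings at or above <sev>
#
# Exit codes of `snyk container test`: 0 no vulnerabilities at/above the threshold,
# 1 vulnerabilities found, 2 CLI or auth failure, 3 no supported project detected.
scan_and_monitor() {
  image="$1"
  dockerfile="${2:-Dockerfile}"
  threshold="${3:-high}"

  # Wrapped in `if` so the script stays correct under `set -e`.
  if snyk container test "$image" --file="$dockerfile" --app-vulns \
        --severity-threshold="$threshold"; then
    rc=0
  else
    rc=$?
  fi

  case "$rc" in
    0) echo "no $threshold+ vulnerabilities in $image; recording monitor snapshot" ;;
    1) echo "vulnerabilities found in $image; fix before monitoring" >&2; return 1 ;;
    *) echo "snyk container test could not complete (exit code $rc)" >&2; return "$rc" ;;
  esac

  # Same Dockerfile context for monitor so the snapshot matches what was tested.
  snyk container monitor "$image" --file="$dockerfile" --app-vulns
}

# Usage in a pipeline (placeholder image name):
# scan_and_monitor registry.example.com/myapp:1.0 Dockerfile
```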

More information
