Snyk CLI for container security

Test images with the Snyk Container CLI

The Snyk Container command line interface (CLI) helps you find and fix vulnerabilities in container images on your local machine.

Install the Snyk CLI

Use any of the following:
    npm – npm install -g snyk
    Homebrew – brew tap snyk/tap && brew install snyk
    Scoop - scoop bucket add snyk https://github.com/snyk/scoop-snyk
    A manual installer available from GitHub
For more detailed installation guidance and options, see Install the Snyk CLI.

Authentication

After installation, authenticate the CLI with your Snyk account by running snyk auth:
snyk auth
For more details about authentication, see Authenticate the CLI with your account.

Testing an image

To test an image, run:
snyk container test debian
This:
    1. Downloads the image if it is not already available locally in your Docker daemon
    2. Determines the software installed in the image
    3. Sends that bill of materials to the Snyk service
    4. Returns a list of the vulnerabilities in your image
You can use Snyk to test any image that you can pull from a remote registry, or any image you have built locally and made available in your local Docker daemon:
snyk container test <image>:<tag>
If you use a Dockerfile to build your image, you can pass it when running Snyk:
snyk container test <image>:<tag> --file=Dockerfile
Specifying the Dockerfile gives Snyk more context: it can tell which vulnerabilities come from the base image and which from your own layers, and so give clear recommendations on how to fix what it finds, such as moving to a less vulnerable base image.

Monitoring an image

Snyk Container also has the concept of monitoring an image. This provides the following advantages:
    Snyk will alert you if new vulnerabilities are disclosed that affect your image, without you having to retest it locally
    Interactively filter the results and explore the list of vulnerabilities in your web browser
    Results on Snyk can be shared with other members of your team
You can also access aggregate reports of vulnerabilities across all of your projects.
Feature availability: aggregate reports are available with all paid plans. See pricing plans for more details.
To monitor an image, run:
snyk container monitor <image>:<tag>
monitor will:
    1. Download the image if it is not already available locally in your Docker daemon
    2. Determine the software installed in the image
    3. Send that bill of materials to the Snyk service
    4. Return a link to the Snyk service where you can see the results
Note: it is common to use both test and monitor. test is suited to quick local checks and CI gates; monitor gives ongoing assurance, since Snyk re-evaluates the stored bill of materials as new vulnerabilities are published, and makes results easier to share.
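A CI wrapper that strings the test and monitor steps above together, added here as an example and not code from Snyk's documentation or CLI: it builds the snyk container test and snyk container monitor command lines, maps the CLI's exit codes (0 no vulnerabilities, 1 vulnerabilities found, 2 CLI failure such as a missing auth token, 3 no supported projects), and fails the build from a --json report when any finding reaches a chosen severity. The --file, --severity-threshold, --json and --project-name flags are assumed from the CLI's documented options, the JSON field names (ok, vulnerabilities[].id/severity/packageName/version/title) are assumed from its report format, and the sample report is constructed so the summariser can be exercised without a Snyk account.

```python
"""CI gate around the Snyk Container CLI.

Added example, not code from Snyk's documentation or CLI. Assumed: the
--file, --severity-threshold, --json and --project-name flags, the exit
codes 0/1/2/3, and the JSON fields read in summarize(). SAMPLE_REPORT is
constructed, not real CLI output.
"""
import json
import subprocess
from collections import Counter

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def build_test_command(image, dockerfile=None, severity_threshold=None):
    """argv for `snyk container test`; --json makes the report machine-readable."""
    cmd = ["snyk", "container", "test", image]
    if dockerfile:
        cmd.append(f"--file={dockerfile}")          # Dockerfile context for base-image advice
    if severity_threshold:
        cmd.append(f"--severity-threshold={severity_threshold}")
    cmd.append("--json")
    return cmd


def build_monitor_command(image, dockerfile=None, project_name=None):
    """argv for `snyk container monitor`; --project-name names the project in the UI."""
    cmd = ["snyk", "container", "monitor", image]
    if dockerfile:
        cmd.append(f"--file={dockerfile}")
    if project_name:
        cmd.append(f"--project-name={project_name}")
    return cmd


def interpret_exit_code(code):
    """Snyk CLI exit codes: 0 no vulns, 1 vulns found, 2 failure (e.g. not
    authenticated), 3 no supported projects detected."""
    return {0: "clean", 1: "vulnerable", 2: "error", 3: "unsupported"}.get(code, "unknown")


def summarize(json_text, fail_on="high"):
    """Count findings per severity and decide whether the build should fail.

    Assumes the report carries `ok` and a `vulnerabilities` list whose entries
    have `id`, `severity`, `packageName`, `version` and `title`.
    """
    report = json.loads(json_text)
    vulns = report.get("vulnerabilities", [])
    counts = Counter(v.get("severity", "unknown") for v in vulns)
    threshold = SEVERITY_RANK[fail_on]
    # Unknown severities rank -1 so they never trip the gate by accident.
    failing = [v for v in vulns if SEVERITY_RANK.get(v.get("severity"), -1) >= threshold]
    return {
        "ok": bool(report.get("ok", False)),
        "counts": {sev: counts.get(sev, 0) for sev in SEVERITY_RANK},
        "fail": bool(failing),
        "failing": sorted(f'{v["id"]} {v["packageName"]}@{v["version"]}' for v in failing),
    }


def run_gate(image, dockerfile="Dockerfile", fail_on="high"):
    """Run the scan; with --json, exit code 1 still comes with a parseable report."""
    proc = subprocess.run(build_test_command(image, dockerfile), capture_output=True, text=True)
    outcome = interpret_exit_code(proc.returncode)
    if outcome not in ("clean", "vulnerable"):
        raise RuntimeError(f"snyk container test did not complete ({outcome}): {proc.stderr.strip()}")
    return summarize(proc.stdout, fail_on)


# Constructed sample in the shape of a trimmed `snyk container test --json` report.
SAMPLE_REPORT = json.dumps({
    "ok": False,
    "vulnerabilities": [
        {"id": "SAMPLE-0001", "severity": "critical", "packageName": "libexample",
         "version": "1.0.0", "title": "Heap overflow (constructed)"},
        {"id": "SAMPLE-0002", "severity": "high", "packageName": "libexample",
         "version": "1.0.0", "title": "Use after free (constructed)"},
        {"id": "SAMPLE-0003", "severity": "low", "packageName": "tzdata",
         "version": "2023c", "title": "Informational (constructed)"},
    ],
})

if __name__ == "__main__":
    # Offline demonstration on the constructed report; in CI call
    # run_gate("<image>:<tag>") instead and exit non-zero when summary["fail"] is set.
    print(json.dumps(summarize(SAMPLE_REPORT, fail_on="high"), indent=2))
```

The gate deliberately treats exit code 1 as a normal outcome and reads the report, rather than failing on the exit code alone, so that a build can be allowed through on low findings while still failing on high or critical ones; exit codes 2 and 3 are raised as errors because a scan that never ran should not pass silently.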
