SupportAPI docsProduct updatesSign up for free
Search…
Snyk User Documentation
Introducing Snyk
Getting started
PRODUCTS
Snyk Open Source
Snyk Code
Snyk Container
Snyk Container security basics
How Snyk Container works
Supported operating system distributions
Understanding Linux vulnerability severity
Snyk CLI for container security
Getting around the Snyk Container UI
Scan your Dockerfile
Integrate self-hosted container registries
Image scanning library
Snyk Infrastructure as Code
FEATURES
Snyk CLI
Snyk API
Integrations
User and group management
Fixing and prioritizing issues
Reports
Other tools
PARTNER WORKSHOPS
Partner Workshops
INTEGRATION GUIDE
Integration Guide
MORE INFO
Disclosing vulnerabilities
How Snyk handles your data
Powered By GitBook
How Snyk Container works

What are container images?

Container images comprise a layered file system and associated metadata, as defined by the Open Container Initiative (OCI) specifications.
Container images often include several layers containing third-party software from:
    Operating system distributions, such as Debian, Ubuntu or CentOS.
    Application package managers, such as npm, pip and RubyGems.

What Snyk Container detects

When Snyk Container scans an image, using any of the available integrations, we first find the software installed in the image, including:
    dpkg, rpm and apk operating systems packages.
    Popular unmanaged software, ie. installed outside a package manager.
    Application packages based on the presence of a manifest file.
Note: the container does not need to be run as Snyk reads the info from the file system; therefore, no container or foreign code needs to be run in order to successfully scan.
After we have the list of installed software, we look that up against our vulnerability database, which combines public sources with proprietary research.

Supported operating systems

We detect vulnerabilities in images based on:
    Debian
    Ubuntu
    Centos
    Red Hat Enterprise Linux (including UBI)
    Amazon Linux 2
    SUSE Linux Enterprise Server
    Alpine
Check out the Operating Systems Support page for specific version support and our updates page for all the latest updates.
Note: Snyk also supports images using packages from those distributions but without the associated package manager, such as Distroless images.

Unmanaged software

Some software components from upstream providers are not installed using a package manager, but are downloaded as executables from third-parties. Snyk uses file fingerprinting to detect versions of the following components:
    Node.js
    OpenJDK

Recurring scans

New vulnerabilities are disclosed continuously., Snyk can alert you to new vulnerabilities in your image as they are announced, even when your image software installed has not changed.
If you use an integration which saves a snapshot of the installed software on Snyk’s service, Snyk Container automatically rescans without accessing the image, alerting you to new vulnerabilities quicker.
Learn more about container security.
Previous
Snyk Container security basics
Next
Supported operating system distributions
Last modified 27d ago
Export as PDF
Copy link
Contents
What are container images?
What Snyk Container detects
Supported operating systems
Unmanaged software
Recurring scans