Advanced use of Snyk Container CLI
In addition to scanning images from a local Docker daemon or remote registry, Snyk can directly scan or monitor a Docker or OCI archive by running snyk container test docker-archive:<filename>.tar or snyk container test oci-archive:<filename>.tar.
For example:
snyk container test docker-archive:archive.tar
snyk container test oci-archive:archive.tar
Some repositories represent multi-manifests, pointing to several different images depending on the operating system and the architecture required. To explicitly scan an image for a specific platform, you can use the Snyk CLI container test command. For example:
snyk container test --platform=linux/arm64 debian
The --platform option must contain one of the following:
- linux/amd64
- linux/arm64
- linux/riscv64
- linux/ppc64le
- linux/s390x
- linux/386
- linux/arm/v7
- linux/arm/v
When Docker is installed, the Snyk CLI container commands use any pre-configured registry authentication. If you are not using Docker, you can pass the credentials on the command line in one of the following ways:
- Use the following environment variables: SNYK_REGISTRY_USERNAME and SNYK_REGISTRY_PASSWORD
- Pass the username and password:
snyk container test <repository>:<tag> --username= --password=
When both are passed, the options take precedence over the environment variables.
Frequently used CLI options include:
- --json: useful for integrating with other tools
- --sarif: useful for integrating with other tools. The option is only available with container test. See also OASIS Static Analysis Results Interchange Format (SARIF).
- --exclude-base-image-vulns: only available with container test
- --severity-threshold: only available with container test
- --exclude-app-vulns
- --nested-jars-depth
- --fail-on: only available with container test
snyk container --help
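One way to consume the --sarif output in another tool, as an added example that is not Snyk's own code: it resolves each result's level as SARIF 2.1.0 defines it and returns a non-zero gate value when any result is at a failing level. The sample document, rule ids and function names are constructed for illustration and do not reproduce real Snyk output.

```python
import json
from collections import Counter

# Constructed sample in SARIF 2.1.0 shape; not real Snyk output.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-scanner", "rules": [
        {"id": "EXAMPLE-0001", "defaultConfiguration": {"level": "error"}},
        {"id": "EXAMPLE-0002", "defaultConfiguration": {"level": "note"}},
        {"id": "EXAMPLE-0003"},
    ]}},
    "results": [
        {"ruleId": "EXAMPLE-0001", "ruleIndex": 0, "message": {"text": "A"}},
        {"ruleId": "EXAMPLE-0002", "message": {"text": "B"}},
        {"ruleId": "EXAMPLE-0003", "ruleIndex": 2, "message": {"text": "C"}},
        {"ruleId": "EXAMPLE-0002", "level": "warning", "message": {"text": "D"}},
        {"ruleId": "EXAMPLE-0001", "kind": "pass", "message": {"text": "E"}},
    ],
}]})

def effective_level(result, rules):
    """Resolve a result's level per SARIF 2.1.0 (invocation overrides not handled)."""
    if "level" in result:
        return result["level"]
    # A result whose kind is anything other than "fail" defaults to level "none".
    if result.get("kind", "fail") != "fail":
        return "none"
    # Prefer ruleIndex; fall back to matching ruleId against the driver's rules.
    idx = result.get("ruleIndex", -1)
    if isinstance(idx, int) and 0 <= idx < len(rules):
        rule = rules[idx]
    else:
        rule = next((r for r in rules if r.get("id") == result.get("ruleId")), None)
    # No rule, or no default level on the rule: the specification default is "warning".
    return ((rule or {}).get("defaultConfiguration") or {}).get("level", "warning")

def summarize(sarif_text):
    """Count results per effective level across all runs."""
    counts = Counter()
    for run in json.loads(sarif_text).get("runs", []):
        rules = run.get("tool", {}).get("driver", {}).get("rules") or []
        for result in run.get("results") or []:  # "results" may be null
            counts[effective_level(result, rules)] += 1
    return dict(counts)

def gate(sarif_text, fail_levels=("error",)):
    """Return 1 (fail the build) if any result is at a failing level, else 0."""
    counts = summarize(sarif_text)
    return 1 if any(counts.get(level, 0) for level in fail_levels) else 0
```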