Custom Base Image Recommendations

This feature is currently in Beta. Contact your Snyk account team if you are interested in participating.

Overview

When scanning a container image, Snyk provides base image upgrade recommendations based on the base image it detects. These recommendations cover only a subset of images, because Snyk precomputes them for Docker Official Images only.
Customers often maintain their own internal, customized base images, built on top of Docker Official Images or other upstream images, and offer them to a wider set of development teams, for example as somecompany/java:v1.2.4.
With the Custom Base Image Recommendations feature, Snyk can recommend an upgrade from a pool of the customer's own internal images, so that application teams are notified when a newer and more secure version of their internal base image is available.

How Custom Base Image Recommendations work

  • For a customer to use the Custom Base Image Recommendations feature, Snyk needs to enable it for each Organization that should be able to mark images as custom base images (for example, the Organization used by the platform team).
    • This means that every user in that Organization (the platform team in this example) is able to mark images as custom base images in the project settings.
    • Projects in any Organization in the same Group as that Organization can then receive custom base image recommendations.
  • The current logic is: within an image family (same repository and image name), Snyk recommends the newest image according to the semantic versioning of the image tag. If the tags do not follow a standard semantic versioning scheme, Snyk recommends the image that was most recently marked as a custom base image, based on the timestamp of marking. See SemVer recommendation logic and Timestamp recommendation logic below.
  • A Dockerfile must be specified for a project in order for it to receive custom base image recommendations. Refer to the steps in How to enable Custom Base Image Recommendations.
  • All custom base image recommendations are presented as minor upgrades, regardless of the image tag.
  • Automatic fix PRs are supported for custom base image recommendations. If a project is not using the latest version of its custom base image, then immediately after the image is imported Snyk automatically opens a fix pull request against the project's Dockerfile to upgrade it to the latest custom base image version available.
  • For Snyk to identify that a project is using a custom base image, that same custom base image must itself have been imported and marked as a custom base image in its own project settings.

How to enable Custom Base Image Recommendations

Configure an image as a custom base image

This step is done by the team responsible for creating and maintaining custom base images for the Organization, the platform team in these instructions.
  1. Ask Snyk to enable the feature for the Organization used by the platform team.
  2. Create a custom base image.
  3. Import the image into a Snyk project either:
    1. Through the Web UI: import an image into Snyk using a container registry.
    2. Through the CLI: use --file (optional) to specify the path to the Dockerfile, and --project-name (mandatory) to give the project a unique name. Snyk recommends using the image name and tag, without the repository, as the project name (example image name: oracle-jre-rhel7/8e32:1.8.0_2021022508).
      Example Snyk CLI command: snyk container monitor snykgoof/custom-base-python:3.9.2_2021110408 --file=path/to/Dockerfile.3.9.2 --project-name=custom-base-python:3.9.2_2021110408 --org=ORGANIZATION_ID/ORGANIZATION_NAME
  4. Mark the project as a custom base image.
    1. Go to the Settings page for the project.
    2. Under Custom Base Image Recommendation, select Treat as custom base image.
    3. Click Update image status.
  5. Mark whether the image should be eligible for recommendations.
    1. Under Custom Base Image Recommendation, select the Use in recommendations checkbox.
    2. Click Update image status.
  6. To test the feature, go through the preceding steps for at least two different images from the same repository; recommendations are only produced between images of the same family.

Receiving custom base image recommendations

This step is done by the application teams that build on the pre-built custom base images, adding their own layers on top of them for their applications.
First, import the application image into a new Snyk project. Check that the project is in the same Group as the custom base image projects. You can import an image from the CLI or the Web UI.
If the same image is imported from both the CLI and the Web UI, Snyk creates two projects and monitors both.

Import an image through the CLI

The following is an example command: snyk container monitor snykgoof/custom-base-python:3.9.2_2021110408 --file=path/to/Dockerfile.3.9.2
Use --file (mandatory) to specify the path to the Dockerfile; without it, no custom base image recommendation is produced.
Use the --exclude-base-image-vulns flag (optional) with the snyk container test command to omit the vulnerabilities that come from the base image layers, so that only the issues introduced by the application layers are shown.

Import an image through the Web UI

Configure the path to the Dockerfile through the project's settings (mandatory); without a Dockerfile, Snyk cannot tell which custom base image the project uses.

Get Custom Base Image Recommendations

Next, view the recommendations for the image in the project. If a newer eligible image from the same family has been marked as a custom base image, Snyk recommends it as the upgrade.

Known limitations

  • Marking an image as a custom base image is supported only through the UI, and not through the API and CLI.
  • Custom base image recommendations will not appear when scanning an image unless the user attaches the Dockerfile to the project.
  • The image's registry is ignored when recommendations are given for custom base images. Images with the same repository path but different registries are treated as one family, and recommendations and fix PRs are expressed using the current base image's registry.
  • Once imported and marked, a custom base image project should not be moved to a different Organization or Group within Snyk.

Case study for Custom Base Image Recommendations

  1. Your company's platform team, responsible for creating and maintaining custom base images for the organization, scans and marks images in Snyk as custom base images.
  2. Your company's application teams, using those pre-built custom base images and adding additional layers on top of them for their applications, can get recommendations for upgrading to a newer internal version.

SemVer recommendation logic

As an example, when scanning the following images and marking them (in the following order) as custom base images, the SemVer logic is:
  1. developer-java/oracle-jre-rhel7/8e32:1.8.0
  2. developer-java/oracle-jre-rhel7/8e32:1.9.2
  3. developer-java/oracle-jre-rhel7/8e32:1.7.0
Snyk recommends the second image, as it is the newest image based on the semantic versioning of the tag, even though it was not the last one marked.
If Snyk could not find a standard semantic versioning scheme in the tags, the recommendation would instead be the image marked last as a custom base image (in this example, the third image), as described under Timestamp recommendation logic.

Timestamp recommendation logic

As an example, when scanning the following images and marking them (in the following order) as custom base images through the Snyk interface, under project settings, the timestamp logic is:
  1. developer-java/oracle-jre-rhel7/8e32:1.8.0_2021021008
  2. developer-java/oracle-jre-rhel7/8e32:1.8.0_2021022508
  3. developer-java/oracle-jre-rhel7/8e32:1.8.0_2021031708
Snyk recommends the third image, as it was the last to be marked as a custom base image.
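The rules listed under How Custom Base Image Recommendations work and the two worked examples above can be traced through the following added example. It is not Snyk's code and says nothing about how the Snyk backend is implemented: the data model, the Dockerfile parsing (last FROM wins, stage aliases resolved), the decision that a single non-SemVer tag in a family switches that family to the timestamp rule, and the sample images and Dockerfile are all assumptions made here. It also exercises the registry point from Known limitations: the recommended reference keeps the registry of the image currently in use.

```python
"""Added example, not Snyk's code: a stand-alone model of the recommendation
rules described on this page.  The data model, helper names, the Dockerfile
handling and the sample images are assumptions made for this illustration."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Assumed SemVer shape: MAJOR.MINOR.PATCH, optional leading "v".  Tags with a
# build-date suffix such as 1.8.0_2021022508 do not match, which is what sends
# the page's second worked example to the timestamp rule.
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


@dataclass(frozen=True)
class MarkedImage:
    ref: str             # e.g. developer-java/oracle-jre-rhel7/8e32:1.8.0
    marked_at: datetime  # when the project was marked as a custom base image


def split_ref(ref: str) -> Tuple[str, str, str]:
    """Split an image reference into (registry, family, tag).  The family is
    the repository path plus image name; the registry is kept apart because
    the page says it is ignored.  As in Docker, the first path component is a
    registry only if it contains a dot or a port."""
    path, _, tag = ref.rpartition(":")
    if not path or "/" in tag:  # no tag at all, or the colon was a registry port
        path, tag = ref, "latest"
    parts = path.split("/")
    registry = ""
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0]):
        registry, parts = parts[0], parts[1:]
    return registry, "/".join(parts), tag


def semver_key(tag: str) -> Optional[Tuple[int, int, int]]:
    m = SEMVER_RE.match(tag)
    return tuple(int(g) for g in m.groups()) if m else None


def base_image_from_dockerfile(dockerfile: str) -> Optional[str]:
    """Return the base image of the final build stage (assumed to be the one
    recommendations apply to).  --platform flags are dropped and 'FROM <alias>'
    is resolved to the image of the stage it names."""
    stages: Dict[str, str] = {}
    base = None
    for raw in dockerfile.splitlines():
        tokens = raw.strip().split()
        if not tokens or tokens[0].upper() != "FROM":
            continue
        args = [t for t in tokens[1:] if not t.startswith("--")]
        image = stages.get(args[0], args[0])
        if len(args) >= 3 and args[1].upper() == "AS":
            stages[args[2]] = image
        base = image
    return base


def recommend(current_ref: str, pool: List[MarkedImage]) -> Optional[str]:
    """Return the custom base image to upgrade to, or None when the current
    base was never marked as a custom base image or is already the newest."""
    registry, family, current_tag = split_ref(current_ref)
    family_images = [(split_ref(img.ref)[2], img) for img in pool
                     if split_ref(img.ref)[1] == family]
    if current_tag not in {tag for tag, _ in family_images}:
        return None  # the base in use was never imported and marked
    keys = [semver_key(tag) for tag, _ in family_images]
    if all(k is not None for k in keys):
        # SemVer rule: the highest version wins, whatever the marking order.
        best_tag = max(zip(keys, family_images), key=lambda kt: kt[0])[1][0]
    else:
        # Timestamp rule (assumed to apply once any tag in the family is not
        # SemVer): the most recently marked image wins.
        best_tag = max(family_images, key=lambda ti: ti[1].marked_at)[0]
    if best_tag == current_tag:
        return None
    # Known limitation: the recommendation keeps the current image's registry.
    return f"{registry + '/' if registry else ''}{family}:{best_tag}"


def _marked(refs: List[str]) -> List[MarkedImage]:
    """Constructed pool: refs are marked one day apart, in list order."""
    return [MarkedImage(r, datetime(2022, 1, 1 + i)) for i, r in enumerate(refs)]


FAMILY = "developer-java/oracle-jre-rhel7/8e32"
SEMVER_POOL = _marked([f"{FAMILY}:1.8.0", f"{FAMILY}:1.9.2", f"{FAMILY}:1.7.0"])
TIMESTAMP_POOL = _marked([f"{FAMILY}:1.8.0_2021021008",
                          f"{FAMILY}:1.8.0_2021022508",
                          f"{FAMILY}:1.8.0_2021031708"])
# Constructed application Dockerfile (not from the page); the runtime stage
# pulls the base through an internal registry, which matching must ignore.
APP_DOCKERFILE = """\
FROM golang:1.19 AS builder
RUN go build -o /out/app ./cmd/app
FROM --platform=linux/amd64 registry.example.com:5000/developer-java/oracle-jre-rhel7/8e32:1.8.0
COPY --from=builder /out/app /usr/local/bin/app
"""

if __name__ == "__main__":
    base = base_image_from_dockerfile(APP_DOCKERFILE)
    print("base image    :", base)
    print("SemVer rule   :", recommend(base, SEMVER_POOL))
    print("timestamp rule:", recommend(f"{FAMILY}:1.8.0_2021021008", TIMESTAMP_POOL))
```

Running the file prints the base image detected in the constructed Dockerfile and the recommendation under each rule: the SemVer pool yields the 1.9.2 tag regardless of marking order, with the registry of the image in use prepended, while the build-date-tagged pool yields the image that was marked last. A base tag that was never marked (for example 1.6.0) yields no recommendation, which mirrors the requirement that the custom base image itself be imported and marked.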
© 2022 Snyk Limited