Detecting application vulnerabilities in container images
Snyk allows detection of vulnerabilities in your application dependencies from container images, as well as from the operating system, all in one single scan.
After you integrate with a container registry and import your projects, Snyk scans your image and tests for vulnerabilities.
1. Navigate to your container registry integration settings.
2. Enable the Detect application vulnerabilities capability and save the changes.
When scanning an image using a container registry, a Kubernetes integration, or the Docker scan command, the scan also uses the `--app-vulns` flag by default. You can opt out of the flag in the container registry only, by disabling the 'Detect application vulnerabilities' toggle in the integration settings.
1. For Java, when you use the flag, Snyk scans one level of nested jars by default.
2. For Python, Snyk supports Poetry and Pip (in all integration points).
3. For Go binaries, Snyk supports any kind of Go binary built with Go module support.
Beginning January 24th, 2023, Snyk will scan for application dependencies in your image by default, without the need to specify the `--app-vulns` flag. If you wish to opt out of application vulnerability scanning, you can do so by specifying the `--exclude-app-vulns` flag, which omits the application vulnerabilities section from the results, mimicking the previous behavior. The `--exclude-app-vulns` flag is available in CLI version 1.1021.0 and above.
For Java applications, when using `--app-vulns`, you can also use the `--nested-jars-depth=n` flag to set how many levels of nested jars Snyk will unpack. The implicit default is 1. Specifying 2 means that Snyk unzips jars in jars; 3 means Snyk unzips jars in jars in jars, and so on.
Users can use `--nested-jars-depth=0` to opt out of any scans they feel are unnecessary.
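To make the depth semantics concrete, here is an added illustrative model (not Snyk's own code) of how an unpacking depth limits which nested jars a scanner ever opens. It builds three constructed jars nested inside each other, each carrying a Maven `pom.properties`, and counts how many of those manifests are reachable at each depth; the `find_manifests` helper and the jar layout are assumptions made for this example.

```python
import io
import zipfile

# Constructed sample: app.jar -> lib/lib.jar -> inner.jar, each carrying a
# Maven pom.properties so a manifest-based scanner has something to find.
def _jar(name, extra_members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(f"META-INF/maven/example/{name}/pom.properties",
                    f"groupId=example\nartifactId={name}\nversion=1.0\n")
        for member, data in extra_members.items():
            zf.writestr(member, data)
    return buf.getvalue()

INNER_JAR = _jar("inner", {})
LIB_JAR = _jar("lib", {"inner.jar": INNER_JAR})
APP_JAR = _jar("app", {"lib/lib.jar": LIB_JAR})


def find_manifests(jar_bytes, depth, path="app.jar"):
    """Return pom.properties paths reachable by unpacking at most `depth` levels.

    depth=0 opens nothing (the --nested-jars-depth=0 opt-out), depth=1 opens
    only the top-level jar, depth=2 also opens jars found inside it, and so on.
    This mirrors the page's description of the flag; it is a model, not Snyk's
    implementation.
    """
    if depth <= 0:
        return []
    found = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for member in zf.namelist():
            if member.endswith("pom.properties"):
                found.append(f"{path}!/{member}")
            elif member.endswith(".jar"):
                # One more level of nesting consumes one unit of depth.
                found.extend(find_manifests(zf.read(member), depth - 1,
                                            f"{path}!/{member}"))
    return found


if __name__ == "__main__":
    for depth in range(4):
        print(depth, find_manifests(APP_JAR, depth))
```

The default depth of 1 therefore sees only the application's own manifest; the dependency shaded two layers down is only reported once the depth is raised to 3.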
After the feature is enabled, you can see:
- Dependency vulnerabilities and licensing issues of manifest files detected in your container image.
- Vulnerabilities detected in operating system packages.
When an image is imported to Snyk, it appears under its registry record in the Projects view, showing the operating system vulnerabilities found in your image.
With this feature enabled, you can also see nested manifest files detected in the image and their vulnerabilities and licensing issues.
Snyk scans the image regularly based on your project's settings, and updates you via email or Slack, depending on your configuration, when any new vulnerabilities are identified in either the operating system or the application dependencies.
For each project, you can choose the test frequency under its settings (the default is daily testing).
Supported container registries
This is supported across the following container registries:
The supported languages work on the following integrations: