Snyk CLI for container security
The Snyk Container command line interface (CLI) helps you find and fix vulnerabilities in container images on your local machine.
To test an image, run the container test command, for example:
snyk container test debian
This command does the following:
1. Downloads the image if it is not already available locally in your Docker daemon
2. Determines the software installed in the image
3. Sends that bill of materials to the Snyk service
4. Returns a list of the vulnerabilities in your image
You can use Snyk to test any image you can pull from a remote registry or any image you have built locally and made available in your local Docker daemon.
snyk container test <repository>:<tag>
If you use a Dockerfile to build your image, you can specify that when running snyk container test:
snyk container test <repository>:<tag> --file=Dockerfile
Specifying a Dockerfile provides more context and allows Snyk to provide clear recommendations on how to fix discovered vulnerabilities.
- Snyk alerts you if new vulnerabilities are disclosed that affect your image without your having to retest your image locally.
- Snyk interactively filters the results and explores the list of vulnerabilities in your web browser.
- You can share results on Snyk with other members of your team.
You can also access aggregate reports of vulnerabilities across all of your Projects,
Feature availability
This aggregate reports feature is available with all paid plans. See pricing plans for more details.
To monitor an image, run the container monitor command:
snyk container monitor <repository>:<tag>
This command does the following:
1. Downloads the image if it is not already available locally in your Docker daemon
2. Determines the software installed in the image
3. Sends that bill of materials to the Snyk service
4. Returns a link to the Snyk service, where you can see the results

Recommendations for upgrading the base image
It is common to use both test and monitor with Snyk Container. The test command is great for quick checks. The monitor command can be used for ongoing assurance and easier sharing of results.
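
One way to combine the two commands in a build script, as an added example that is not part of the Snyk documentation. The helper name scan_and_monitor and its return codes are assumptions of this example, as is the choice to monitor an image that already has findings; the exit-code meanings of snyk container test come from the Snyk CLI documentation, not from this page.

```shell
#!/bin/sh
# Added example (not Snyk's code): test an image, then monitor it.
# Exit codes of `snyk container test` per the Snyk CLI documentation:
#   0 = no vulnerabilities found, 1 = vulnerabilities found,
#   2 = failure, 3 = no supported projects detected.

# scan_and_monitor <repository>:<tag> [Dockerfile]   (hypothetical helper)
# Returns 0 = clean and monitored, 1 = vulnerable and monitored,
#         2 = could not scan or could not register the snapshot.
scan_and_monitor() {
    sm_image=${1:-}
    sm_dockerfile=${2:-}
    if [ -z "$sm_image" ]; then
        echo "usage: scan_and_monitor <repository>:<tag> [Dockerfile]" >&2
        return 2
    fi

    # Same arguments go to both commands; --file only when a Dockerfile is given.
    set -- "$sm_image"
    if [ -n "$sm_dockerfile" ]; then
        if [ ! -f "$sm_dockerfile" ]; then
            echo "Dockerfile not found: $sm_dockerfile" >&2
            return 2
        fi
        set -- "$@" "--file=$sm_dockerfile"
    fi

    # Quick check. A non-zero status is captured, not fatal, so this
    # also works in scripts that run under `set -e`.
    sm_rc=0
    snyk container test "$@" || sm_rc=$?
    case $sm_rc in
        0) echo "test: no known vulnerabilities in $sm_image" ;;
        1) echo "test: vulnerabilities found in $sm_image" >&2 ;;
        *) echo "test: scan did not complete (exit $sm_rc)" >&2
           return 2 ;;
    esac

    # Ongoing assurance: record the snapshot even when the image is already
    # vulnerable, so newly disclosed issues raise alerts without a retest.
    if ! snyk container monitor "$@"; then
        echo "monitor: could not send snapshot for $sm_image" >&2
        return 2
    fi
    return "$sm_rc"
}

# Usage: scan_and_monitor debian            (image name from the page)
```

A return value of 1 lets the calling pipeline decide whether findings fail the build, while 2 separates a broken scan from a vulnerable image.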