How Snyk Container works
Container image scans
As defined by the Open Container Initiative (OCI) specifications, container images comprise a layered file system and associated metadata.
Container images often include several layers containing third-party software from:
Operating system distributions, such as Debian, Ubuntu, or CentOS
Application package managers, such as npm, pip, and RubyGems.
What Snyk Container detects
When Snyk Container tests an image using any of the available integrations, Snyk first finds the software installed in the image, including:
dpkg, rpm, and apk operating systems packages
Popular unmanaged software (installed outside a package manager)
Application packages that are based on the presence of a manifest file.
To determine the final filesystem, Snyk does not squash the layers of the container image into one. It scans for supported application package manifest files in each intermediate layer of the container image, even when those files are deleted by a subsequent layer.
Because Snyk reads the information from the file system, the container does not need to be run. This means that for a successful scan, no container or foreign code must be run.
After Snyk has the list of installed software, Snyk looks that up against the Snyk Vulnerability Database, which combines public sources with proprietary research.
Snyk supports testing OCI compliant and Docker v2 compliant images but does not support images that combine both OCI and Docker v2 standards into a single archive.
Operating systems supported by Snyk Container
Snyk detects vulnerabilities in images based on the following operating systems:
AlmaLinux
Alpine Linux
Amazon Linux
CentOS Linux & CentOS Stream
Chainguard
Debian
Oracle Linux
Red Hat Enterprise Linux (RHEL), including Universal Base Image (UBI)
Rocky Linux
SUSE Linux Enterprise Server (SLES)
Ubuntu
Wolfi
Snyk also supports images using packages from these distributions, but without the associated package manager, such as Distroless images.
For specific version support, see supported operating system distributions. For the latest updates, see Snyk updates.
Official advisory resources used by Snyk Container
Snyk works directly with the security teams of the supported Linux distributions to provide the most accurate and reliable information on the affected packages (including fix availability). The specific package versions listed are those distributed by the official container source and may differ from the upstream package versions.
Unmanaged container software
Some software components from upstream providers are not installed using a package manager but are downloaded as executables from third parties. Snyk uses file fingerprinting to detect versions of the following components:
Node.js
OpenJDK 8 binaries
Recurring container image scans
Snyk continuously discloses new vulnerabilities. Snyk can alert you to new vulnerabilities in your image as they are announced, even when your image software installed has not changed.
If you use an integration that saves a snapshot of the installed software on Snyk’s service and the image has not changed, Snyk Container automatically rescans without accessing the image, alerting you to new vulnerabilities.
If the image has changed, you must reimport your image, so that Snyk can access the updated image and its metadata before rescanning it.
Recurring scans do not detect updates to the dependencies of your applications. The recurring scans test for new vulnerabilities using a snapshot of your application dependencies at the time the application was imported. To detect changes in your application, such as updated dependencies, you must re-import your container image in Snyk.
To learn more about container security, see container security.
Last updated