After you install the Snyk Controller in your Kubernetes cluster, it pulls images from your container registries:
The Snyk Controller has read-only access to the Kubernetes workloads and container registries.
The Snyk Controller pulls images to disk, scans them, and then deletes the images once the scanning completes.
The Snyk Controller collects only the minimum relevant information in order to perform vulnerability analysis, specifically the list of dependencies in the image and the workload metadata.
The data that the Snyk Controller collects is stored in Snyk's backend, but it is deleted after eight days. Below is the data that Snyk Controller collects:
Workload metadata (Kubernetes configuration):
Policy for the workloads, specifically the policy for automatically importing and deleting Kubernetes workload projects
Image scan results and image metadata:
List of OS packages
The Snyk Controller's scanning result is updated in the Snyk Web UI after some time between a few minutes and a few hours. This is because the result depends on multiple factors:
The Snyk Controller doing the first scan of the cluster
The size of the Kubernetes clusters and workloads
How the customer uses manual or auto-import of the Kubernetes workload
The size of the images
The size of scanning queues
The network speed.
Snyk highly recommends NOT storing sensitive data in plain text as an environment variable in the container, for example, password, authentication token, and SSH key. Alternatively, you can store the sensitive data in a Secret, mount it as a Volume, and access the information from there.