Automatic Pull Requests (PRs)
Snyk detects vulnerable base images by scanning your Dockerfile when importing a Git repository and helps you fix them using automatic pull requests. This allows you to examine security issues before you build the image and fix them before they land in your registry or in production.
Supported Git-based repository managers for Dockerfile fix PRs include:
GitHub Enterprise Server
For any Dockerfile Project created in Snyk, if the base image is a Docker Official image, the results include a list of suitable base images that can be used instead of the existing, more vulnerable one. For. For more information, see Analyze and fix container images.
Snyk then automatically issues a fix pull request against your Dockerfile to upgrade to the latest minor version available.
Snyk opens an automatic fix PR when there is a change in the Dockerfile or when it identifies a better base image after the initial scan.
Enable automatic update of Dockerfile base images
The feature is available for all Snyk users. It is on by default for all users with free accounts and off by default for existing integrations of Snyk customers.
You can enable automatic update PRs from the integration or Project settings page, under Dockerfiles:
Open a fix PR manually
Alternatively, you can open a fix PR manually from the Project page by clicking Open a Fix PR for the base image version you wish to upgrade to.
After the fix PR is opened, you can view it in your Git repository and see what the change is and where it takes place. The
FROM line in your Dockerfile is updated with the new and improved version.
Ensure your application works properly before merging the change.
When the PR is opened and ready, you can safely merge it and instantly reduce the number of vulnerabilities in your container image.