SupportAPI docsProduct updatesSign up for free
Search…
Snyk User Documentation
Introducing Snyk
Implementing Snyk in your teams
Getting started
Snyk Web UI
Snyk CLI
Getting started with the CLI
Scan and maintain projects using the CLI
CLI commands and options summary
CLI help
Auth
Code
Config
Container
IaC
IaC describe
IaC update-exclude-policy
IaC test
Ignore
Log4shell
Monitor
Policy
Test
Install or update the Snyk CLI
Authenticate the CLI with your account
Configure the Snyk CLI
Snyk API
Snyk for IDEs
Snyk Apps
Snyk Integrations
SNYK PRODUCTS
Snyk Open Source
Snyk Code
Snyk Container
Snyk Infrastructure as Code
USING SNYK
Snyk Broker
User and group management
Fixing and prioritizing issues
Reports
Snyk Tools
SNYK INFO
Disclosing vulnerabilities
How Snyk handles your data
Snyk Partner workshops
Powered By GitBook
Container

Usage

snyk container <SUBCOMMAND> [<OPTIONS>] [<IMAGE>]

Description

The snyk container command tests container images for vulnerabilities.
For more information see Snyk CLI for container security

Subcommands

test

Test for any known vulnerabilities.

monitor

Capture the container image layers and dependencies and monitor for vulnerabilities on snyk.io

Exit codes

Possible exit codes and their meaning:
0: success, no vulnerabilities found 1: action_needed, vulnerabilities found 2: failure, try to re-run command 3: failure, no supported projects detected

Configure the Snyk CLI

You can use environment variables to configure the Snyk CLI and set variables for connecting with the Snyk API.
There are environment variables that apply to the container command; see Configure the Snyk CLI

Debug

Use the -d option to output the debug logs.

Options for the container test and container monitor subcommands

Print the dependency tree before sending it for analysis.

--org=<ORG_ID>

Specify the <ORG_ID> to run Snyk commands tied to a specific organization. The <ORG_ID> influences some features availability and private test limits.
If you have multiple organizations, you can set a default from the CLI using:
$ snyk config set org=<ORG_ID>
Set a default to ensure all newly tested and monitored projects are tested and monitored under your default organization. If you need to override the default, use the --org=<ORG_ID> option.
Default: <ORG_ID> that is the current preferred organization in your Account settings
For more information see the article How to select the organization to use in the CLI

--file=<FILE_PATH>

For more detailed advice, include the path to the Dockerfile for the image.

--project-name=<PROJECT_NAME>

Specify a custom Snyk project name.

--policy-path=<PATH_TO_POLICY_FILE>

Manually pass a path to a .snyk policy file.

--json

Print results in JSON format, useful for integrating with other tools
Example: $ snyk container test --json

--json-file-output=<OUTPUT_FILE_PATH>

Save test output in JSON format directly to the specified file, regardless of whether or not you use the --json option.
This is especially useful if you want to display the human-readable test output using stdout and at the same time save the JSON format output to a file.
Example: $ snyk container test --json-file-output=vuln.json

--sarif

Return results in SARIF format. Note this requires the test to be run with --file as well.

--sarif-file-output=<OUTPUT_FILE_PATH>

Save test output in SARIF format directly to the <OUTPUT_FILE_PATH> file, regardless of whether or not you use the --sarif option.
This is especially useful if you want to display the human-readable test output using stdout and at the same time save the SARIF format output to a file.

--project-environment=<ENVIRONMENT>[,<ENVIRONMENT>]...>

Set the project environment to one or more values (comma-separated). To clear the project environment set --project-environment=
Allowed values: frontend, backend, internal, external, mobile, saas, onprem, hosted, distributed
For more information see Project attributes

--project-lifecycle=<LIFECYCLE>[,<LIFECYCLE]...>

Set the project lifecycle to one or more values (comma-separated). To clear the project lifecycle set --project-lifecycle=
Allowed values: production, development, sandbox
For more information see Project attributes

--project-business-criticality=<BUSINESS_CRITICALITY>[,<BUSINESS_CRITICALITY>]...>

Set the project business criticality to one or more values (comma-separated). To clear the project business criticality set --project-business-criticality=
Allowed values: critical, high, medium, low
For more information see Project attributes

--project-tags=<TAG>[,<TAG>]...>

Set the project tags to one or more values (comma-separated key values pairs with an "=" separator).
Example: --project-tags=department=finance,team=alpha
To clear the project tags set --project-tags=

--tags=<TAG>[,<TAG>]...>

This is an alias for --project tags

--severity-threshold=<low|medium|high|critical>

Report only vulnerabilities at the specified level or higher.

--app-vulns

Allow detection of vulnerabilities in your application dependencies from container images, as well as from the operating system, all in one single scan.

--nested-jars-depth

When using --app-vulns use the --nested-jars-depth option to set how many levels of nested jars Snyk is to unpack. Depth must be a number.

--exclude-base-image-vulns

Do not show vulnerabilities introduced only by the base image. Available when using snyk container test only.

--platform=<PLATFORM>

For multi-architecture images, specify the platform to test.
Supported platforms are: linux/amd64, linux/arm64, linux/riscv64, linux/ppc64le, linux/s390x, linux/386, linux/arm/v7, or linux/arm/v6

--username=<CONTAINER_REGISTRY_USERNAME>

Specify a username to use when connecting to a container registry. This is ignored in favor of local Docker binary credentials when Docker is present.

--password=<CONTAINER_REGISTRY_PASSWORD>

Specify a password to use when connecting to a container registry. This is ignored in favor of local Docker binary credentials when Docker is present.

Examples for the container test command

Scan and monitor Docker images

$ snyk container test <image>
$ snyk container monitor <image>

Option to get more information including base image remediation

--file=path/to/Dockerfile

Scan a Docker image created using the given Dockerfile and with a specified policy path

$ snyk container test app:latest --file=Dockerfile
$ snyk container test app:latest --file=Dockerfile --policy-path=path/to/.snyk
For more information and examples see Advanced Snyk Container CLI usage
Previous
Config
Next
IaC
Last modified 8d ago
Export as PDF
Copy link
Edit on GitHub
Contents
Usage
Description
Subcommands
test
monitor
Exit codes
Configure the Snyk CLI
Debug
Options for the container test and container monitor subcommands
--print-deps
--org=<ORG_ID>
--file=<FILE_PATH>
--project-name=<PROJECT_NAME>
--policy-path=<PATH_TO_POLICY_FILE>
--json
--json-file-output=<OUTPUT_FILE_PATH>
--sarif
--sarif-file-output=<OUTPUT_FILE_PATH>
--project-environment=<ENVIRONMENT>[,<ENVIRONMENT>]...>
--project-lifecycle=<LIFECYCLE>[,<LIFECYCLE]...>
--project-business-criticality=<BUSINESS_CRITICALITY>[,<BUSINESS_CRITICALITY>]...>
--project-tags=<TAG>[,<TAG>]...>
--tags=<TAG>[,<TAG>]...>
--severity-threshold=<low|medium|high|critical>
--app-vulns
--nested-jars-depth
--exclude-base-image-vulns
--platform=<PLATFORM>
--username=<CONTAINER_REGISTRY_USERNAME>
--password=<CONTAINER_REGISTRY_PASSWORD>
Examples for the container test command
Scan and monitor Docker images
Option to get more information including base image remediation
Scan a Docker image created using the given Dockerfile and with a specified policy path