Advanced use of Snyk Container CLI

Scan archives

In addition to scanning images from a local Docker daemon or remote registry, Snyk can directly scan or monitor a Docker or Open Container Initiative (OCI) archive when you use the following commands:

  • snyk container test docker-archive:<filename>.tar

  • or snyk container test oci-archive:<filename>.tar

Beginning with CLI version 1.1296.0, you can scan and monitor Kaniko image archives using the following commands:

  • snyk container test kaniko-archive:<filename>.tar

  • snyk container monitor kaniko-archive:<filename>.tar

Examples:

snyk container test docker-archive:archive.tar
snyk container test oci-archive:archive.tar
snyk container test kaniko-archive:archive.tar

For archives created with Crane, Snyk supports only the formats --format=oci and --format=legacy.

Test multi-platform images

Some repositories publish a multi-platform manifest list that points to several different images, selected by the operating system and architecture required. To scan the image for one specific platform explicitly, pass --platform to the Snyk CLI container test command, for example:

snyk container test --platform=linux/arm64 debian

The --platform option must contain one of the following:

  • linux/amd64

  • linux/arm64

  • linux/riscv64

  • linux/ppc64le

  • linux/s390x

  • linux/386

  • linux/arm/v7

  • linux/arm/v

Authenticate to a remote container registry

When Docker is installed, the Snyk CLI container commands use any pre-configured registry authentication. If you are not using Docker, you can pass the credentials on the command line in one of the following ways:

  • Use the following environment variables: SNYK_REGISTRY_USERNAME and SNYK_REGISTRY_PASSWORD

  • Pass the username and password:

snyk container test <repository>:<tag> --username= --password=

When both are passed, the options take precedence over the environment variables.

Use an alternate Docker context

The Snyk CLI container commands always use the default Docker context. To force the Snyk CLI to use an alternate context's connection, set the DOCKER_HOST environment variable to the desired context URI.

Other commonly used CLI options

Frequently used CLI options include:

  • --json - useful for integrating with other tools

  • --sarif - useful for integrating with other tools. The option is available only with container test. See also OASIS Static Analysis Results Interchange Format (SARIF).

  • --exclude-base-image-vulns - only available with container test

  • --severity-threshold - available only with container test

  • --exclude-app-vulns

  • --nested-jars-depth

  • --fail-on - available only with container test

For more details and CLI options, see the Snyk CLI container help or display the help by running:

snyk container --help
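The archive prefixes, the --platform list and the severity threshold described above are easy to mistype in a CI job. The following wrapper is an added example, not Snyk's own code: it validates those inputs and only then builds the snyk container test command line (it prints the command rather than running it, so the logic can be checked without the CLI or network access; it assumes snyk is on PATH when the printed command is executed).

```shell
#!/bin/sh
# Added example, not part of the Snyk docs or CLI. Builds a validated
# `snyk container test` invocation for a registry image or an image archive.
# Assumption: the snyk CLI is on PATH when the printed command is actually run.

# Platforms the page lists as valid --platform values.
SNYK_PLATFORMS="linux/amd64 linux/arm64 linux/riscv64 linux/ppc64le linux/s390x linux/386 linux/arm/v7"

# Returns 0 when $1 is one of the supported --platform values.
is_supported_platform() {
  for p in $SNYK_PLATFORMS; do
    [ "$p" = "$1" ] && return 0
  done
  return 1
}

# Returns 0 when $1 is a plain image reference (repository or repository:tag)
# or a docker-archive:/oci-archive:/kaniko-archive: reference to a .tar file.
is_valid_target() {
  case "$1" in
    docker-archive:*.tar|oci-archive:*.tar|kaniko-archive:*.tar) return 0 ;;
    *-archive:*|"") return 1 ;;   # unknown archive prefix, non-.tar file, or empty
    *) return 0 ;;                # treated as repository[:tag]
  esac
}

# build_snyk_test_cmd TARGET [PLATFORM] [SEVERITY_THRESHOLD]
# Prints the command line on success; returns 1 without printing on bad input.
build_snyk_test_cmd() {
  target="$1"; platform="${2:-}"; threshold="${3:-}"
  is_valid_target "$target" || { echo "invalid target: $target" >&2; return 1; }
  cmd="snyk container test $target --json"   # --json for downstream tooling
  if [ -n "$platform" ]; then
    is_supported_platform "$platform" || { echo "unsupported platform: $platform" >&2; return 1; }
    cmd="$cmd --platform=$platform"
  fi
  if [ -n "$threshold" ]; then
    case "$threshold" in
      low|medium|high|critical) cmd="$cmd --severity-threshold=$threshold" ;;
      *) echo "bad severity threshold: $threshold" >&2; return 1 ;;
    esac
  fi
  printf '%s\n' "$cmd"
}
```

Run the printed command with `eval "$(build_snyk_test_cmd oci-archive:archive.tar)"` once the inputs are known to be valid.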
