Detecting application vulnerabilities in container images
For application Projects created from images imported from Container Registry integrations, the applications will not be re-imported during recurring tests or manual re-test.
Instead, the application dependencies that were found during the initial image import will be tested for new vulnerabilities.
This means that if new dependencies were introduced in an application within an image, they will not be detected by the recurring tests or manual re-test.
To detect new or updated applications within images from container registries, you must re-import the image to Snyk.
For applications found in images imported from the Kubernetes integration, existing applications will be re-imported, but new apps added to the image will not be imported during recurring tests.
To detect new applications within images from Kubernetes, you must re-import the image to Snyk.
Snyk allows detection of vulnerabilities in your application dependencies from container images, as well as from the operating system, all in one scan.
After you integrate with a container registry and import your Projects, Snyk scans your image and test for vulnerabilities.
Enable application vulnerabilities scan from container registries
Navigate to your container registry integration settings
Enable the Detect application vulnerabilities capability and save the changes:
When you are scanning an image using a container registry or Kubernetes integration, the scan also uses the --app-vulns flag by default. You can opt out of the flag in the container registry only. Do so by disabling the detect application vulnerabilities toggle in the integration settings.
Using Snyk Container CLI to detect vulnerabilities
App vulns option
In CLI versions 1.1090.0 (2023-01-24) and higher, Snyk scans for application dependencies in your image by default; you do not need to specify the --app-vulns option.
If you wish to opt out of application vulnerability scanning, you can specify the --exclude-app-vulns flag. This omits the application vulnerabilities section from the results, mimicking the previous behavior. The --exclude-app-vulns option is available in CLI version 1.1021.0 and above.
Nested jars depth option
For Java applications, when --app-vulns is enabled, you can also use the --nested-jars-depth=n option to set how many levels of nested jars Snyk will unpack. The implicit default is 1. When you specify 2, it means that Snyk unzips jars in jars; 3 means Snyk unzips jars in jars in jars, and so on.
Use --nested-jar-depth=0 to opt out of any scans you feel are unnecessary.
View vulnerabilities and licensing issues
After the feature is enabled, you can see:
Dependency vulnerabilities and licensing issues of manifest files detected in your container image
Vulnerabilities detected in operating system packages
When an image is imported to Snyk, it appears under its registry record in the Projects view, showing the operating system vulnerabilities found in your image.
With this feature enabled, you can also see nested manifest files detected in the image and their vulnerabilities and licensing issues.
Automated scanning
Snyk scans the image regularly based on your Project settings. Snyk updates you via email or Slack based on your configuration when any new vulnerabilities are identified in both the operating system and application dependencies.
For each Project, you can choose the test frequency under its settings; the default is daily testing.
Supported container registries
This is supported across the following container registries:
Supported integrations
The supported languages work with the following integrations:
Language
Container Registry
CLI
Kubernetes
Node
Yes
Yes
Yes
Ruby
Yes
PHP
Yes
Yes
Yes
Python
Yes
Yes
Yes
Go Binaries
Yes
Yes
Yes
Java
Yes
Yes
Yes
Additional information about application vulnerabilities
For more information, see the following pages:
Last updated
Was this helpful?