Advanced use of Snyk Container CLI
Scan archives
In addition to scanning images from a local Docker daemon or remote registry, Snyk can directly scan or monitor a Docker or OCI archive by running the following commands: snyk container test docker-archive:<filename>.tar or snyk container test oci-archive:<filename>.tar.
Examples:
snyk container test docker-archive:archive.tar
snyk container test oci-archive:archive.tar
Test multi-platform images
Some repositories hold multi-platform manifests, which point to several different images depending on the operating system and the architecture required. To explicitly scan the image for a specific platform, use the --platform option of the Snyk CLI container test command.
For example:
snyk container test --platform=linux/arm64 debian
The --platform option must contain one of the following:
linux/amd64
linux/arm64
linux/riscv64
linux/ppc64le
linux/s390x
linux/386
linux/arm/v7
linux/arm/v
Authenticate to a remote container registry
When Docker is installed, the Snyk CLI container commands use any pre-configured registry authentication. If you are not using Docker, you can pass the credentials on the command line in one of the following ways:
Use the following environment variables:
SNYK_REGISTRY_USERNAME and SNYK_REGISTRY_PASSWORD
Pass the username and password:
snyk container test <repository>:<tag> --username= --password=
Other commonly used CLI options
Frequently used CLI options include:
--json - useful for integrating with other tools
--sarif - useful for integrating with other tools. The option is only available with container test. See also OASIS Static Analysis Results Interchange Format (SARIF).
--exclude-base-image-vulns - only available with container test
--severity-threshold - only available with container test
--exclude-app-vulns
--nested-jars-depth
--fail-on - only available with container test
For more details and CLI options, see the Snyk CLI container help or display the help by running:
snyk container --help
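The --platform, registry authentication and common options described on this page, combined in one added example that is not part of the Snyk documentation: it takes the credentials from the environment variables rather than --password, because command-line arguments are visible in process listings and shell history. scan_image and SCAN_REPORT are hypothetical names, and the exit-code meanings are taken from the Snyk CLI help, not from this page.

```shell
# Added example, not from the Snyk docs. scan_image and SCAN_REPORT are
# hypothetical names; the snyk options are the ones shown on this page.
scan_image() (
    image=$1                # <repository>:<tag>
    platform=$2             # value for --platform
    threshold=${3:-high}    # value for --severity-threshold

    # Credentials must already be in the environment, never on the command line.
    if [ -z "${SNYK_REGISTRY_USERNAME:-}" ] || [ -z "${SNYK_REGISTRY_PASSWORD:-}" ]; then
        echo "set SNYK_REGISTRY_USERNAME and SNYK_REGISTRY_PASSWORD first" >&2
        exit 64
    fi

    # Complete entries of the platform list on this page (the truncated last
    # entry is left out). Rejecting typos here fails fast before the scan.
    case $platform in
        linux/amd64|linux/arm64|linux/riscv64|linux/ppc64le) ;;
        linux/s390x|linux/386|linux/arm/v7) ;;
        *) echo "unsupported --platform value: $platform" >&2; exit 65 ;;
    esac

    # Exported in this subshell only; the caller's environment is unchanged.
    export SNYK_REGISTRY_USERNAME SNYK_REGISTRY_PASSWORD

    rc=0
    snyk container test "$image" \
        --platform="$platform" \
        --severity-threshold="$threshold" \
        --json > "${SCAN_REPORT:-snyk-report.json}" || rc=$?

    # Exit codes per the Snyk CLI help (assumption, not stated on this page):
    # 0 = no issues found, 1 = issues found, other = the scan itself failed.
    case $rc in
        0) echo "pass: nothing at or above $threshold" >&2 ;;
        1) echo "fail: vulnerabilities at or above $threshold" >&2 ;;
        *) echo "error: scan did not complete (exit $rc)" >&2; rc=2 ;;
    esac
    exit "$rc"
)
```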