Snyk tracks public Docker Hub images to make remediation recommendations and help you keep your containers secure.
With Snyk Container, you can:
- test your projects from our CLI tool (see Test and protect below)
- import and set up monitoring for your projects in the Snyk UI (see Monitor and protect below)
Test and protect
Once the user installs the Snyk CLI, downloads the image to be tested and runs snyk test from the CLI, Snyk does the following:
- Scans the OS packages per image by inspecting the relevant OS package manager manifest information for any of these package managers:
- Analyzes images for key application binaries not managed by the OS package manager, for example Node.js and OpenJDK. When the image has no package manager at all (for example, scratch images), we scan for key application binaries only. We are continuing to expand our key binary detection mechanism as demand requires.
- Compares every OS package or key binary installed in the image against our vulnerability database.
- If you included the Dockerfile in the command line, Snyk also scans the Dockerfile in order to provide a more detailed analysis for your base images (including scratch images).
- Returns a summary of package, layer and dependency details for the image, and also lists discovered vulnerabilities, their severity and any available remediation advice.
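As an added example (not Snyk's own code or documentation), the following script consumes the JSON form of the test output described above and turns it into the two things a CI pipeline usually wants: a per-severity summary with the upgradable OS-package fixes, and a ship/block decision. The sample report is constructed, and the field names (`vulnerabilities`, `severity`, `packageName`, `isUpgradable`, `nearestFixedInVersion`, `docker.baseImage`) are the shape this example assumes the `--json` output has.

```python
import json
from collections import Counter

# Constructed sample standing in for `snyk container test <image> --file=Dockerfile --json`
# output. Field names are the shape this example assumes; the ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "ok": False,
    "dependencyCount": 97,
    "docker": {"baseImage": "node:14-buster"},
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-0001", "severity": "critical",
         "packageName": "openssl", "version": "1.1.1d-0+deb10u3",
         "title": "Example buffer overflow", "isUpgradable": True,
         "nearestFixedInVersion": "1.1.1d-0+deb10u7"},
        {"id": "SNYK-EXAMPLE-0002", "severity": "high",
         "packageName": "node", "version": "14.15.0",
         "title": "Example denial of service", "isUpgradable": False},
        {"id": "SNYK-EXAMPLE-0003", "severity": "low",
         "packageName": "bash", "version": "5.0-4",
         "title": "Example information leak", "isUpgradable": False},
    ],
})

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def summarize(report_json: str) -> dict:
    """Count findings per severity and collect the OS-package upgrades that fix some of them."""
    report = json.loads(report_json)
    vulns = report.get("vulnerabilities", [])
    counts = Counter(v["severity"] for v in vulns)
    upgrades = sorted(
        {(v["packageName"], v["version"], v["nearestFixedInVersion"])
         for v in vulns
         if v.get("isUpgradable") and v.get("nearestFixedInVersion")}
    )
    return {"base_image": report.get("docker", {}).get("baseImage"),
            "counts": dict(counts), "upgrades": upgrades}


def gate(report_json: str, threshold: str = "high") -> bool:
    """Return True when the image may ship: no finding at or above the threshold severity."""
    report = json.loads(report_json)
    floor = SEVERITY_RANK[threshold]
    return not any(SEVERITY_RANK.get(v["severity"], 0) >= floor
                   for v in report.get("vulnerabilities", []))


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_REPORT), indent=2))
    print("ship" if gate(SAMPLE_REPORT, "high") else "block")
```

In a pipeline, feed the real `--json` output to `summarize` and `gate` and fail the build when `gate` returns False; the upgrades list is the concrete remediation to apply in the Dockerfile.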
Monitor and protect
Use the Snyk UI to monitor your projects on an ongoing basis.
The user imports a container project by one of the following methods:
- Run snyk monitor on your local image from the CLI
- Import and select projects directly from your own registry such as Docker Hub.
One registry organization can be integrated with each Snyk organization. For multiple organizations from the same registry, set up and integrate multiple Snyk organizations.
Snyk imports a snapshot of the image dependencies to Snyk servers. You can also include the Dockerfile (additional base and scratch image support) for monitoring.
Snyk displays all identified vulnerabilities and remediation advice. See Add your Dockerfile for base image remediation.
Snyk displays a dependency tree for the image to assist you in understanding the dependency structure of your image.
Snyk rescans the imported snapshot, which is tied to the image tag, on the schedule you configure (daily or weekly) and notifies you when new vulnerabilities are identified (by email or Slack, also according to your configuration). If the tag for an image is moved to a different image, Snyk continues to scan the image now associated with that tag, so recurring tests run against the new image. To keep testing an image under a different tag, import that tag.