Snyk analyzes the image and returns vulnerability and remediation details directly from the CLI.
The output includes this information, in the following order:
- List of vulnerabilities—sorted by severity and grouped by vulnerability, where each is detailed as follows:
  - A clear heading line—the heading for each group of vulnerability details states the severity and names the vulnerable package and the project dependency in which it is located
  - Info—offers a link to the full vulnerability description in our database, where you can find more details and remediation advice for the vulnerability
  - Description—provides the official common name of the vulnerability
  - Introduced through—displays the top-level package names affected by the vulnerability
  - From—lists all full paths of the project in which the package is located
  - Introduced by your base image / Introduced in your Dockerfile / Introduced by the scratch image—indicates the base image, Dockerfile layer, or scratch image in which the package with the vulnerability originated. This feature is only available if you include your Dockerfile in the test (using the --file argument).
  - Fixed in—when the package in which the vulnerability was found has been fixed by its maintainer, this line indicates the version from which the vulnerability was removed
- Project summary, including this information:
  - Organization—the Snyk organization with which the project is associated; use environment variables when running snyk test to apply a specific organization. Otherwise, this is your default Snyk organization.
  - Package manager—associated with this image
  - Docker image—the image and version that was tested/scanned
  - Total dependencies with known vulnerabilities, and the total number of vulnerabilities
Scan summary—displayed under the list of vulnerabilities, after running snyk test.
If you included your Dockerfile in the test, Snyk offers any available actionable remediation advice as follows:
- analysis of the scratch image
- the safest and best minor upgrade available
- an option for a major upgrade, which removes more vulnerabilities but carries greater risk
- viable alternative images that could replace your current image and that carry the fewest vulnerabilities possible
Finally, if your base image is outdated, Snyk also recommends rebuilding your image.
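The "Introduced by your base image / Introduced in your Dockerfile" line decides where a fix belongs: a base image upgrade or a Dockerfile change. The following is an added example, not Snyk's code, that parses the per-vulnerability fields listed above and groups findings by origin; the sample text is constructed, and its exact line layout, package names and image name are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample. Field labels follow the list above; the line layout,
# package names and image name are assumptions, not captured Snyk output.
SAMPLE = """\
High severity vulnerability found in pkg-a
  Description: Example issue A
  Introduced through: pkg-a@2.0.0
  From: pkg-a@2.0.0
  Introduced by your base image (example-base:1.0)
  Fixed in: 2.0.1
Low severity vulnerability found in pkg-b
  Introduced through: pkg-b@0.3
  From: pkg-b@0.3
  Introduced in your Dockerfile by 'RUN install pkg-b'
Medium severity vulnerability found in pkg-c
  From: pkg-a@2.0.0 > pkg-c@5.4
  From: pkg-d@1.1 > pkg-c@5.4
  Introduced by your base image (example-base:1.0)
"""

HEADING = re.compile(r"(\w+) severity vulnerability found in (\S+)")
ORIGIN = re.compile(r"Introduced (?:by your|in your|by the) (base image|Dockerfile|scratch image)")
FIELD = re.compile(r"^\s*(Description|Info|Introduced through|From|Fixed in):\s*(.+)$")
RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def parse_findings(text):
    """Return one dict per heading line, holding the detail fields under it."""
    findings, current = [], None
    for line in text.splitlines():
        if m := HEADING.search(line):
            current = {"severity": m.group(1).lower(), "package": m.group(2),
                       "origin": "unknown"}  # stays "unknown" without --file
            findings.append(current)
        elif current and (m := ORIGIN.search(line)):
            current["origin"] = m.group(1)
        elif current and (m := FIELD.match(line)):
            # A field can repeat (several From paths), so keep values as lists.
            current.setdefault(m.group(1), []).append(m.group(2))
    return findings

def triage(findings):
    """Group by origin, most severe first: (severity, package, fixed_in)."""
    by_origin = defaultdict(list)
    for f in sorted(findings, key=lambda f: RANK.get(f["severity"], 9)):
        fixed = f.get("Fixed in", [None])[0]
        by_origin[f["origin"]].append((f["severity"], f["package"], fixed))
    return dict(by_origin)
```

For automation, the CLI's `--json` output is a sturdier input than scraped text; the grouping logic stays the same.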