Understanding container CLI scan results

A clear heading line—each heading to a group of vulnerability details includes the severity and cites the vulnerable package and project dependency in which it is located

Info—offers a link to the full vulnerability description in our database, from which you can find more details and remediation advice for the vulnerability

Description—provides the official common name of the vulnerability

Introduced through—displays the top-level package names affected by the vulnerability

From—lists all full paths of the project in which the package is located

Introduced by your base image/ Introduced in your Dockerfile/ Introduced by the scratch image—indicates the base image, Dockerfile layer, or scratch image in which the package with the vulnerability originated. This feature is only available if you include your Dockerfile in the test (using the --file argument)

Fixed in—when the package in which the vulnerability was found has been fixed by its maintainer, this line indicates from which version the vulnerability was removed

Organization—the Snyk organization to which the project is associated; use environment variables when running snyk test to apply a specific organization. Otherwise, this is your default Snyk organization

Package manager—associated with this image

Docker image—the image and version that was tested/scanned

Total dependencies with known vulnerabilities, and the total number of vulnerabilities

Scan summary—displayed under the list of vulnerabilities, after running snyk test.

analysis of the scratch image

the safest and best minor upgrade available

an option for a major upgrade which will reduce more vulnerabilities but with greater risk

viable alternative image options for replacing your current image with other, different images that provide the least amount of vulnerabilities possible.