Testing archives
As well as testing images from a local Docker daemon or remote registry, Snyk can also directly test or monitor a Docker or OCI archive.
snyk container test docker-archive:archive.tar
snyk container test oci-archive:archive.tar
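When an image tarball arrives without a record of how it was exported, the prefix can be chosen from its contents. The shell functions below are an added example, not part of the Snyk documentation; the function names are hypothetical, and the layout check assumes that a docker save tarball has manifest.json at its root and that an OCI layout tarball has oci-layout and index.json.

```shell
#!/bin/sh
# Added example: choose the snyk archive prefix from the tarball's contents.
# Assumption: a `docker save` tarball has manifest.json at its root, and an
# OCI image-layout tarball has an oci-layout marker file plus index.json.
# A tarball carrying both sets of files is treated as a Docker archive.

# Prints "docker-archive:<path>" or "oci-archive:<path>"; returns 1 if the
# file is missing, is not a readable tar, or matches neither layout.
snyk_archive_target() {
    archive=$1
    [ -f "$archive" ] || { echo "not a file: $archive" >&2; return 1; }

    # List entry names only; nothing is extracted from the untrusted tarball.
    entries=$(tar -tf "$archive" 2>/dev/null) || {
        echo "not a readable tar archive: $archive" >&2
        return 1
    }

    # Entries may be stored as "name" or "./name" depending on the tool.
    has_entry() {
        printf '%s\n' "$entries" | grep -Eq "^(\./)?$1\$"
    }

    if has_entry 'manifest\.json'; then
        echo "docker-archive:$archive"
    elif has_entry 'oci-layout' && has_entry 'index\.json'; then
        echo "oci-archive:$archive"
    else
        echo "unrecognised image archive layout: $archive" >&2
        return 1
    fi
}

# Usage: scan_archive image.tar   (runs the command form shown above)
scan_archive() {
    target=$(snyk_archive_target "$1") || return 1
    snyk container test "$target"
}
```

Failing closed on an unrecognised layout keeps a pipeline from reporting a clean scan for a file that was never an image archive.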
Testing multi-platform images
Some repositories hold multi-platform manifests, which point to several different images depending on the operating system and architecture required. The Snyk Container CLI can be used to explicitly test an image for a specific platform:
snyk container test --platform=linux/arm64 debian
The --platform flag should contain one of:
- linux/amd64
- linux/arm64
- linux/riscv64
- linux/ppc64le
- linux/s390x
- linux/386
- linux/arm/v7
- linux/arm/v
Authenticating to a remote container registry
When Docker is installed, the Snyk Container CLI will use any pre-configured registry authentication. If you're not using Docker then you can instead explicitly pass the credentials on the command line. This can be done either by:
- Using the following environment variables: SNYK_REGISTRY_USERNAME and SNYK_REGISTRY_PASSWORD.
- Or by passing --username and --password flags, like so:
snyk container test <repository>:<tag> --username=<username> --password=<password>
Note that the flags take precedence over the environment variables if both are passed.
Common additional options
Some useful CLI options include:
- Output the results as a JSON document, useful for integrating with other tools
- Output the results as a SARIF document, useful for integrating with other tools. Note this requires the test to be run with --file as well
- Don’t show vulnerabilities only introduced by the base image
- Only show a subset of vulnerabilities which match the severity or higher
For a full list of options, access the Snyk help information:
snyk container --help