The Snyk UI can report Container results from several different sources:
- CLI results from snyk container monitor
- Built image results from a Container Registry integration or Kubernetes integration
- Dockerfile import from an SCM integration
The Snyk Dockerfile scanning available through an SCM integration is different from the container image scanning available through the CLI, a Container Registry integration, or a Kubernetes integration. When you import and scan only the Dockerfile, Snyk provides recommendations for the base image in the Dockerfile. You can read more about this in Detect vulnerable base images from Dockerfile.
When you scan the container image itself, either with the CLI or by importing the image through the container registry integration, Snyk goes through the image layer by layer looking for vulnerabilities. This includes any installed application packages and any project manifest files that are present. If you pass the Dockerfile along with the image, as the suggestions indicate, you will also get base image suggestions.
In the web app, to get a combined result of both, that is, container image scanning together with base image scanning, you need to attach the Dockerfile to the container image. To do this, follow the guide Adding your Dockerfile and test your base image. You can then compare the two results, as the scanning scenarios will be similar.
A Dockerfile SCM scan will not detect updates made to the base image, for example via apt-get update, and will report on the state of the packages as provided by the base image.
To get up-to-date information about the included packages, scan the built image.
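The following is an added example, not Snyk code or part of the original article: a small pre-check that reads a Dockerfile and reports which build stages change packages at build time, which is the case where a Dockerfile-only scan and a scan of the built image will differ. It goes slightly beyond the apt-get update case above by also flagging install and upgrade commands for other package managers; the function names, the command list and the sample Dockerfile are assumptions made for illustration.

```python
import re

# Package-manager calls that change packages at build time (illustrative list,
# an assumption of this example; extend it for your own base images).
PKG_CMD = re.compile(r"\b(apt-get|apt|apk|yum|dnf|zypper)\s+(?:-\S+\s+)*"
                     r"(update|upgrade|dist-upgrade|install|add)\b")

# Constructed sample Dockerfile, not taken from any real project.
SAMPLE = r"""
# build stage
FROM golang:1.22 AS build
RUN go build -o /app ./...

FROM --platform=linux/amd64 debian:bookworm-slim
RUN apt-get update && \
    apt-get -y upgrade && \
    apt-get install -y --no-install-recommends ca-certificates
COPY --from=build /app /app
"""

def logical_lines(text):
    """Yield instructions with backslash continuations joined, comments dropped."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield buf + line
        buf = ""

def package_changes_by_stage(text):
    """Return [(base_image, [package commands])], one entry per FROM stage."""
    stages = []
    for line in logical_lines(text):
        instr, _, rest = line.partition(" ")
        if instr.upper() == "FROM":
            image = next(t for t in rest.split() if not t.startswith("--"))
            stages.append((image, []))
        elif instr.upper() == "RUN" and stages:
            stages[-1][1].extend(f"{m[1]} {m[2]}" for m in PKG_CMD.finditer(rest))
    return stages

def needs_built_image_scan(text):
    """True when the final stage changes packages, so a Dockerfile-only
    scan (base image as published) will not match the built image."""
    stages = package_changes_by_stage(text)
    return bool(stages) and bool(stages[-1][1])
```

A True result for a Dockerfile imported through SCM is a signal to also scan the built image, for example with snyk container monitor or a registry integration, and to attach the Dockerfile there.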