Snyk Documentation

Docker Security

What type of Docker images does Snyk support?

Snyk supports testing and monitoring Docker images whose dependencies are managed by dpkg, RPM or APK. Docker scanning is available via the Snyk CLI.
Docker scanning is available for up to 100 tests on all plans, and as an unlimited option when bought as an add-on to our paid plans. See Plans to learn more.

Testing Docker images

We scan Docker images by extracting the image layers and inspecting the package manager manifest info. We then compare every OS package installed in the image against our Docker vulnerability database.
To test an image, make sure it is built (e.g. docker build -t myapp:mytag .) or pulled locally (e.g. docker pull myapp:mytag).
* Run snyk test --docker myapp:mytag to test the image for vulnerabilities and receive remediation advice per vulnerability.
* Run snyk test --docker myapp:mytag --file=path/to/Dockerfile to test the image for vulnerabilities and receive remediation advice both per vulnerability and as alternative base images for your Dockerfile.
* Run snyk monitor --docker ubuntu:latest to create a snapshot of the image's dependencies for continuous monitoring.
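
The manifest inspection described at the start of this section can be illustrated with a small parser; this is an added example, not Snyk's code. It reads the text manifests that dpkg and APK keep inside an image filesystem and matches installed packages against advisory data by exact version, which is a simplification. The sample manifests, package names and advisory ids are constructed, and RPM is left out because its database is not a plain text file.

```python
# Added example, not Snyk's code. Constructed sample of /var/lib/dpkg/status.
DPKG_STATUS = """\
Package: libexample1
Status: install ok installed
Version: 1.0.2-1

Package: oldtool
Status: deinstall ok config-files
Version: 0.9-3
"""

# Constructed sample of /lib/apk/db/installed (Alpine images).
APK_INSTALLED = """\
P:examplelib
V:2.3.1-r0

P:busytool
V:1.31.1-r9
"""

ADVISORIES = {  # constructed; keyed by (package, exact version), ids are placeholders
    ("libexample1", "1.0.2-1"): "EXAMPLE-ADVISORY-1",
    ("oldtool", "0.9-3"): "EXAMPLE-ADVISORY-2",
    ("examplelib", "2.3.1-r0"): "EXAMPLE-ADVISORY-3",
}

def _stanzas(text):
    """Yield each blank-line-separated stanza as a dict of its fields."""
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line[:1].isspace():  # skip continuation lines
                fields[key] = value.strip()
        yield fields

def parse_dpkg(text):
    """Return {name: version}, skipping removed packages whose config remains."""
    return {f["Package"]: f["Version"] for f in _stanzas(text)
            if {"Package", "Version"} <= f.keys()
            and f.get("Status", "").split()[-1:] == ["installed"]}

def parse_apk(text):
    """Return {name: version} from apk's database (P: name, V: version)."""
    return {f["P"]: f["V"] for f in _stanzas(text) if {"P", "V"} <= f.keys()}

def match(packages, advisories=ADVISORIES):
    """Return sorted (package, version, advisory id) exact-version matches."""
    return sorted((n, v, advisories[n, v]) for n, v in packages.items()
                  if (n, v) in advisories)
```

The oldtool stanza has an advisory entry but is not reported, because its dpkg status shows the package was removed and only its configuration files remain.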

Key Binaries Scanning

Snyk supports scanning key binaries installed on the image. Often, these binaries are not installed by the OS package manager (dpkg, RPM or APK), but rather by downloading files and installing them manually.
Snyk currently detects vulnerabilities for Node.js and OpenJDK.