
# Container Security

1

2

Specialized scanning of Docker/OCI container images: operating-system package vulnerabilities in the base image and the layers built on top of it, application-dependency scanning inside the image, and continuous monitoring of images pulled from public or private container registries.

3

4

## Capabilities

5

6

### Container Testing

7

8

Command-line interface for scanning Docker container images for vulnerabilities.

9

10

```bash { .api }

11

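# Basic container testing
snyk container test <image>                              # Test a local or remote image
snyk container test nginx:latest                         # Test a specific image and tag
snyk container test myregistry.com/myapp:v1.0            # Test an image from a custom registry

# Testing with options
snyk container test <image> --org=<org-id>               # Test in the context of an organization
snyk container test <image> --json                       # JSON output (machine-readable)
snyk container test <image> --sarif                      # SARIF output (code-scanning uploads)
snyk container test <image> --severity-threshold=high    # Report only high and critical findings

# Dockerfile analysis
# Supplying the Dockerfile lets the CLI identify the base image and attribute
# findings to the instruction that introduced them; this is what drives the
# base-image upgrade advice.
snyk container test <image> --file=Dockerfile
snyk container test <image> --file=Dockerfile.prod       # Custom Dockerfile path

# Application vulnerability scanning
snyk container test <image> --app-vulns                  # Include application dependencies
snyk container test <image> --exclude-app-vulns          # OS packages only
# Recent CLI versions scan application dependencies by default; check
# `snyk container test --help` for the version you run to see which flag is the
# opt-in and which the opt-out.

# Advanced options
snyk container test <image> --platform=linux/amd64       # Pick the manifest-list variant to scan
snyk container test <image> --exclude-base-image-vulns   # Hide findings inherited from the base image
                                                         # (the base image must be identifiable, typically via --file)
snyk container test <image> --nested-jars-depth=5        # How deep to unpack JARs nested inside JARs

# Exit status: the CLI exits non-zero when findings at or above the threshold
# are present (a different non-zero code signals a scan error), so a plain
# `snyk container test` line works as a pipeline gate.
# --severity-threshold and --exclude-base-image-vulns change what is reported,
# not what is in the image; keep an unfiltered run for the audit trail.
# Tags such as nginx:latest are mutable. Scan the same digest you deploy
# (image@sha256:...) so the result applies to the artifact actually shipped.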

34

```

35

36

### Container Monitoring

37

38

Continuous monitoring setup for container images in production environments.

39

40

```bash { .api }

41

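# Basic container monitoring
snyk container monitor <image>                                   # Snapshot the image into a Snyk project
snyk container monitor nginx:latest --org=<org-id>               # Snapshot under a specific organization

# Monitoring with project identification
snyk container monitor <image> --project-name="Production API"   # Human-readable project name
snyk container monitor <image> --target-reference=main           # Group snapshots by branch/tag

# Application monitoring
snyk container monitor <image> --app-vulns                       # Include application dependencies
snyk container monitor <image> --platform=linux/amd64            # Snapshot a specific platform variant

# What monitor records is the image as scanned at that moment; later alerts are
# raised against that snapshot, not against whatever a mutable tag points to
# afterwards. Re-run monitor for every new digest you ship (ideally from the
# pipeline that pushes it), use a stable --project-name so successive runs
# update one project instead of creating many, and monitor the platform variant
# you actually deploy.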

52

```

53

54

### Container Build Integration

55

56

Patterns for running image scans inside container build and CI/CD pipelines, using the CLI's exit status as a gate before an image is pushed or deployed.

57

58

```bash { .api }

59

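# CI/CD pipeline integration
# Build, gate, then push. `snyk container test` exits non-zero when findings
# meet the threshold, so chain the steps with && (or run the script under
# `set -e`); otherwise the push still happens after a failed gate.
docker build -t myapp:latest .
snyk container test myapp:latest --severity-threshold=high && \
  docker push myapp:latest && \
  snyk container monitor myapp:latest --project-name="MyApp Production"

# Prefer an immutable tag (e.g. the commit SHA) over :latest so the scanned
# image, the pushed image and the monitored project all refer to one digest.

# Multi-stage build testing
# Scan the dependency stage with application dependencies included, then scan
# the final image as shipped. Only the final image runs in production, so its
# result is the one to gate on; the deps-stage scan is for early feedback.
docker build --target=dependencies -t myapp:deps .
snyk container test myapp:deps --app-vulns
docker build -t myapp:latest .
snyk container test myapp:latest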

71

```

72

73

### Registry Integration

74

75

Scanning images pulled directly from public and private registries; authentication reuses the credentials that `docker login` stores locally.

76

77

```bash { .api }

78

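# Registry-specific scanning
snyk container test docker.io/library/nginx:latest                        # Docker Hub
snyk container test gcr.io/project/app:v1.0                               # Google Container Registry
snyk container test <account>.dkr.ecr.<region>.amazonaws.com/app:latest   # AWS ECR
snyk container test registry.redhat.io/ubi8:latest                        # Red Hat Registry

# Private registry authentication
# The CLI reuses the Docker credentials in ~/.docker/config.json. Unless a
# credential helper (docker-credential-*) is configured, `docker login` stores
# the password base64-encoded in plain text in that file, so on CI or shared
# hosts:
#   - log in with a short-lived, pull-only registry token, not a user password
#     (for ECR the token comes from `aws ecr get-login-password`);
#   - pass the secret on stdin so it never appears in shell history or `ps`;
#   - log out when the job finishes so the token does not linger on the runner.
echo "$REGISTRY_TOKEN" | docker login myregistry.com --username "$REGISTRY_USER" --password-stdin
snyk container test myregistry.com/private/app:latest
docker logout myregistry.com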

88

```

89

90

## Container Vulnerability Types

91

92

### Base Image Vulnerabilities

93

94

Detection and analysis of vulnerabilities in container base images.

95

96

```bash { .api }

97

# Scanning a base image on its own
snyk container test ubuntu:20.04                        # Full scan of the image
snyk container test --exclude-app-vulns ubuntu:20.04    # OS package findings only

# Base image recommendations
# Where the CLI can identify the base image, the output suggests newer tags or
# alternative images with fewer known vulnerabilities.

104

```

105

106

### Application Dependencies

107

108

Scanning application dependencies within container layers.

109

110

```bash { .api }

111

# Scanning application dependencies inside the image
snyk container test myapp:latest --app-vulns   # Application dependencies in your own image
snyk container test node:16 --app-vulns        # Node.js dependencies
snyk container test openjdk:11 --app-vulns     # Java dependencies

# Ecosystems detected from the manifests found in the image layers:
# - npm    (package.json / package-lock.json)
# - Maven  (pom.xml)
# - Gradle (build.gradle)
# - pip    (requirements.txt)
# - Gems   (Gemfile / Gemfile.lock)

123

```

124

125

### Configuration Issues

126

127

Dockerfile-aware analysis: supplying the Dockerfile with `--file` lets findings be attributed to the instruction that introduced them and drives base-image upgrade advice.

128

129

```bash { .api }

130

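# Dockerfile-aware analysis
snyk container test myapp:latest --file=Dockerfile
# With the Dockerfile supplied, findings are attributed to the instruction
# (FROM, RUN, ...) that introduced the vulnerable package and base-image
# upgrade advice is produced.
#
# NOTE(review): the items below are Dockerfile-lint style controls. This page
# does not show `snyk container test` emitting them; confirm against
# `snyk container test --help` for your CLI version, and otherwise cover them
# with a dedicated Dockerfile linter and a secret scanner. In particular, do not
# rely on an image vulnerability scan to catch hardcoded secrets.
# - Running as root user
# - Exposed sensitive ports
# - Hardcoded secrets
# - Insecure base images
# - Missing health checks
# - Inefficient layer caching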

139

```

140

141

## Container Metadata and Analysis

142

143

### Image Information

144

145

```bash { .api }

146

# What a container scan reports:
# - which base image the layers were built on
# - the layer composition of the image
# - OS packages installed in the image
# - application dependencies found in the layers
# - configuration analysis
# - security recommendations

# A typical summary looks like:
# Base image: ubuntu:20.04
# Platform: linux/amd64
# Total dependencies: 150
# Vulnerable dependencies: 12
# Critical vulnerabilities: 2

160

```

161

162

### Remediation Guidance

163

164

```bash { .api }

165

# Remediation advice specific to images, in the order it is usually cheapest:
# 1. Move to a newer or slimmer base image
# 2. Update vulnerable application dependencies
# 3. Tighten the Dockerfile
# 4. Use multi-stage builds so build-time tooling never reaches the final image
# 5. Apply the suggested security policies

# Recommendations you may see:
# - Upgrade from ubuntu:20.04 to ubuntu:22.04
# - Update vulnerable npm packages
# - Add a non-root USER to the Dockerfile
# - Remove packages the application does not need

177

```

178

179

## Integration Patterns

180

181

### CI/CD Pipeline Integration

182

183

```bash { .api }

184

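# GitHub Actions example
# Route ${{ }} expression values through env: and reference the variable from
# the shell. Expressions are substituted into the script text before it runs,
# so a value such as a branch name that contains shell metacharacters becomes a
# script injection when placed directly in `run:`. github.sha is a hex string,
# but github.ref_name is not, and using env: for both keeps the step uniform.
- name: Build Docker image
  env:
    IMAGE_TAG: ${{ github.sha }}
  run: docker build -t "myapp:${IMAGE_TAG}" .

- name: Test container security
  env:
    IMAGE_TAG: ${{ github.sha }}
    REF_NAME: ${{ github.ref_name }}
    SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}   # auth via environment, never on the command line
  run: |
    set -euo pipefail
    # The test fails the step when findings meet the threshold, which also
    # skips the monitor line; put monitor first if the project should be
    # recorded even for a failing image.
    snyk container test "myapp:${IMAGE_TAG}" --severity-threshold=high
    snyk container monitor "myapp:${IMAGE_TAG}" --project-name="MyApp-${REF_NAME}"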

192

193

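// Jenkins pipeline example
pipeline {
    agent any
    stages {
        stage('Build') {
            steps {
                // Single quotes: the shell expands ${BUILD_NUMBER}, Groovy does not.
                sh 'docker build -t "myapp:${BUILD_NUMBER}" .'
            }
        }
        stage('Security Scan') {
            environment {
                // Injected as an environment variable so the token is masked in
                // the console log and never appears on a command line.
                SNYK_TOKEN = credentials('snyk-api-token')
            }
            steps {
                // `sh` fails the stage on a non-zero exit, and the CLI exits
                // non-zero whenever findings meet the threshold, so the original
                // ordering never archived the report or monitored the image when
                // the gate failed. Capture the status, keep the report, record the
                // snapshot, then fail the build deliberately.
                script {
                    def status = sh(
                        script: 'snyk container test "myapp:${BUILD_NUMBER}" --severity-threshold=high --json > container-results.json',
                        returnStatus: true
                    )
                    archiveArtifacts artifacts: 'container-results.json', allowEmptyArchive: true
                    sh 'snyk container monitor "myapp:${BUILD_NUMBER}"'
                    if (status != 0) {
                        error("snyk container test exited ${status}: findings at or above threshold, or scan error")
                    }
                }
            }
        }
    }
}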

209

```

210

211

### Kubernetes Integration

212

213

```bash { .api }

214

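# Kubernetes deployment scanning
# Enumerate the images referenced by Deployments and scan each one. Cover all
# namespaces and init containers, otherwise part of the workload is skipped;
# `get deployments` does not see StatefulSets, DaemonSets or CronJobs, so repeat
# for those kinds as needed.
kubectl get deployments --all-namespaces \
  -o jsonpath='{.items[*].spec.template.spec.initContainers[*].image} {.items[*].spec.template.spec.containers[*].image}' \
  | tr ' ' '\n' | sort -u | xargs -r -n1 snyk container test
# xargs keeps going after a failing scan and exits 123 if any invocation failed.
# To scan what is actually running rather than what the spec names, take the
# digests from pod status (.status.containerStatuses[*].imageID) instead.

# Example Kubernetes security workflow
# Gate on the exact digest the manifest deploys: a tag can be re-pushed between
# the scan and `kubectl apply`, so pin `image: myapp@sha256:...` in
# deployment.yaml and scan that same reference. Chain with && so a failed gate
# stops the apply.
snyk container test myapp:v1.0 && \
  kubectl apply -f deployment.yaml && \
  snyk container monitor myapp:v1.0 --project-name="K8s-MyApp-Prod"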

223

```

224

225

### Registry Webhook Integration

226

227

```bash { .api }

228

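# Automated scanning on image push
# Configure registry webhooks so that each push event triggers:
# 1. snyk container test <pushed-image>@<digest>     # use the digest from the event, not the tag
# 2. snyk container monitor <pushed-image>@<digest>
# 3. Generate security reports (--json / --sarif)
# 4. Block deployment if critical vulnerabilities found
#
# A webhook-triggered scan runs after the image is already in the registry and
# is asynchronous, so step 4 cannot be enforced by the scan itself. The block
# has to live in the deployment path: a CI gate on the scan result, or a
# cluster admission policy that only admits images with a recorded passing
# scan. Authenticate the webhook (shared secret / signature, source allow-list)
# before acting on its payload, since it names the image you are about to pull.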

234

```

235

236

## Advanced Container Features

237

238

### Multi-Platform Support

239

240

```bash { .api }

241

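# Platform-specific scanning
snyk container test myapp:latest --platform=linux/amd64
snyk container test myapp:latest --platform=linux/arm64
snyk container test myapp:latest --platform=windows/amd64   # confirm Windows image support for your CLI version

# Multi-architecture image scanning
docker manifest inspect myapp:latest   # List the variants behind the tag
snyk container test myapp:latest       # Without --platform, the variant matching the host is scanned
# Each variant has its own package set and therefore its own findings. An amd64
# CI runner scanning an image that is deployed on arm64 nodes scans the wrong
# variant; pass --platform for every variant you ship and gate on each result.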

249

```

250

251

### Nested JAR Analysis

252

253

```bash { .api }

254

# Scanning Java applications packaged inside images
snyk container test myapp:latest --nested-jars-depth=5   # Unpack JARs nested up to five levels deep
snyk container test tomcat:9 --app-vulns                 # WAR files deployed into the container
snyk container test springboot:latest --app-vulns        # Spring Boot fat JARs

258

```

259

260

### Custom CA and SSL

261

262

```bash { .api }

263

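# Custom certificate handling
# Trust a private CA (registry or TLS-intercepting proxy with an internal
# certificate) by giving the CLI the CA bundle; verification stays on.
snyk container test myregistry.com/app:latest --ca=/path/to/ca.pem
# NOTE(review): confirm `--ca` against `snyk container test --help` for your CLI
# version; the CLI also honours the NODE_EXTRA_CA_CERTS environment variable
# for an additional CA bundle.

# --insecure disables TLS certificate verification for the CLI's connections.
# A network attacker can then impersonate the registry (and hand back a
# different image) or the Snyk API. Do not use it in CI or on shared hosts, and
# never commit it into pipeline configuration; fix the trust chain with a CA
# bundle instead. Shown commented out deliberately.
# snyk container test myregistry.com/app:latest --insecure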

266

```

267

268

## Types

269

270

### Container Types

271

272

```typescript { .api }

273

/**
 * Result of a `snyk container test` run for one image.
 * NOTE(review): this mirrors the shape documented on this page; confirm it
 * against the `--json` output of the CLI version in use.
 */
interface ContainerTestResult {
  /** Vulnerabilities found in the image (OS packages and, when scanned, application dependencies) */
  vulnerabilities: ContainerVulnerability[];
  /** Base image reference identified for this image */
  baseImage: string;
  /** Platform (os/arch) of the scanned image variant */
  platform: string;
  /** Application dependency trees found in the layers; absent when application scanning was excluded */
  applications?: Application[];
  /** Image metadata: base image, layers, size, creation time */
  docker: DockerMetadata;
  /** Aggregate counts by severity and by origin (base image vs application) */
  summary: ContainerSummary;
}

287

288

/**
 * A vulnerability reported for an image, extending the generic Vulnerability
 * with container-specific attribution fields. (Vulnerability is declared
 * elsewhere in this documentation.)
 */
interface ContainerVulnerability extends Vulnerability {
  /** Nearest version of the affected package that contains a fix, when one exists — presumably; confirm against CLI output */
  nearestFixedInVersion?: string;
  /** Dependency paths (package or layer chain) through which the vulnerable package was introduced */
  introducedThrough?: string[];
  /** Package versions in which this vulnerability is fixed */
  fixedIn?: string[];
  /** Dockerfile instruction that introduced the vulnerable package; only populated when the scan was given --file */
  dockerfileInstruction?: string;
}

298

299

/** Metadata about the scanned image as reconstructed from its layers and config. */
interface DockerMetadata {
  /** Base image repository name (without tag) */
  baseImage: string;
  /** Tag of the base image */
  baseImageTag: string;
  /** Platform (os/arch) of the image variant */
  platform: string;
  /** Layers in build order, each with its digest and the instruction that produced it */
  layers: DockerLayer[];
  /** Image size (units not stated on this page; DockerLayer.size is documented in bytes) */
  size: number;
  /** Image creation timestamp as a string (format not stated on this page) */
  created: string;
}

313

314

/** One image layer. */
interface DockerLayer {
  /** Layer SHA256 digest */
  sha: string;
  /** Dockerfile instruction that produced the layer */
  instruction: string;
  /** Layer size in bytes */
  size: number;
}

322

323

/**
 * An application dependency tree discovered inside the image (one per
 * manifest found, e.g. a package.json or pom.xml). Dependency is declared
 * elsewhere in this documentation.
 */
interface Application {
  /** Application (root package) name */
  name: string;
  /** Application (root package) version */
  version: string;
  /** Package manager / ecosystem the manifest belongs to */
  packageManager: string;
  /** Resolved dependencies of the application */
  dependencies: Dependency[];
}

333

334

/**
 * Aggregate counts for a scan. Whether `vulnerabilities` counts unique issues
 * or issue/package occurrences is not stated on this page; confirm before
 * using it in a gate.
 */
interface ContainerSummary {
  /** Total vulnerabilities reported */
  vulnerabilities: number;
  /** Counts broken down by severity */
  bySeverity: {
    critical: number;
    high: number;
    medium: number;
    low: number;
  };
  /** Vulnerabilities attributed to the base image */
  baseImageVulns: number;
  /** Vulnerabilities attributed to application dependencies */
  applicationVulns: number;
}

349

```