tessl/npm-snyk

Developer-first, cloud-native security tool to scan and monitor your software development projects for security vulnerabilities

Container Security

Specialized scanning capabilities for Docker containers, including base image vulnerabilities, application layer scanning, and continuous monitoring of container images with integration to container registries.

Capabilities

Container Testing

Command-line interface for scanning Docker container images for vulnerabilities.

# Basic container testing
snyk container test <image>              # Test an image (read from the local Docker daemon if present, else pulled from the registry)
snyk container test nginx:latest         # Test a specific image and tag
snyk container test myregistry.com/myapp:v1.0 # Test an image from a custom registry
snyk container test nginx@sha256:<digest> # Pin the exact image by digest instead of a tag that can be re-pushed

# Testing with options
snyk container test <image> --org=<org-id> # Attribute the test to a specific organization
snyk container test <image> --json       # Machine-readable JSON report on stdout
snyk container test <image> --sarif      # SARIF output for code-scanning dashboards
snyk container test <image> --severity-threshold=high # Report only high and critical (low|medium|high|critical)

# Dockerfile analysis
snyk container test <image> --file=Dockerfile # Use the FROM line to identify the base image and tie findings to instructions
snyk container test <image> --file=Dockerfile.prod # Custom Dockerfile path

# Application vulnerability scanning
snyk container test <image> --app-vulns  # Include application dependencies (the default in current CLI versions; required on older ones)
snyk container test <image> --exclude-app-vulns # OS packages only, skip application dependencies

# Advanced options
snyk container test <image> --platform=linux/amd64 # Pick one platform of a multi-architecture image
snyk container test <image> --file=Dockerfile --exclude-base-image-vulns # Show only what your own layers add (needs the Dockerfile to identify the base image)
snyk container test <image> --nested-jars-depth=5 # How many levels of JARs nested inside JARs/WARs to unpack

Container Monitoring

snyk container monitor takes a snapshot of the image's OS packages and application dependencies and records it as a project in the Snyk UI, which re-tests the snapshot as new vulnerabilities are published and alerts on them. Monitor the image you actually ship (after the test gate has passed), not every throwaway CI build, or the project list fills with stale images.

# Basic container monitoring
snyk container monitor <image>           # Monitor container image
snyk container monitor nginx:latest --org=<org-id> # With organization

# Monitoring with project identification
snyk container monitor <image> --project-name="Production API" # Custom name
snyk container monitor <image> --target-reference=main # Git reference

# Application monitoring
snyk container monitor <image> --app-vulns # Include application dependencies
snyk container monitor <image> --platform=linux/amd64 # Specify platform

Container Build Integration

Integration with container build processes and CI/CD pipelines.

# CI/CD pipeline integration
# Build, gate, push, then monitor only what was actually shipped
set -e                                   # test exits 1 on findings at/above the threshold, so push and monitor are skipped
docker build -t myapp:latest .
snyk container test myapp:latest --file=Dockerfile --severity-threshold=high
docker push myapp:latest
snyk container monitor myapp:latest --file=Dockerfile --project-name="MyApp Production"

# Multi-stage build testing
docker build --target=dependencies -t myapp:deps . # Build only the dependency stage
snyk container test myapp:deps --app-vulns         # Catch vulnerable application dependencies early
docker build -t myapp:latest .                     # Final stage, with build tooling left behind
snyk container test myapp:latest                   # What ships is what gets scanned

Registry Integration

Integration with container registries for automated scanning.

# Registry-specific scanning
snyk container test docker.io/library/nginx:latest # Docker Hub
snyk container test gcr.io/project/app:v1.0       # Google Container Registry
snyk container test <account>.dkr.ecr.<region>.amazonaws.com/app:latest # AWS ECR
snyk container test registry.redhat.io/ubi8:latest # Red Hat Registry

# Private registry authentication
# If the image exists in the local Docker daemon it is read from there; otherwise the CLI
# pulls it from the registry using the credentials stored in ~/.docker/config.json
docker login myregistry.com
snyk container test myregistry.com/private/app:latest

# Without a Docker daemon (e.g. a slim CI runner), pass registry credentials explicitly
SNYK_REGISTRY_USERNAME=<user> SNYK_REGISTRY_PASSWORD=<password> \
  snyk container test myregistry.com/private/app:latest
snyk container test myregistry.com/private/app:latest --username=<user> --password=<password> # same via flags, but visible in process listings and shell history

Container Vulnerability Types

Base Image Vulnerabilities

Detection and analysis of vulnerabilities in container base images.

# Base image specific scanning
snyk container test ubuntu:20.04         # Scan base image
snyk container test --exclude-app-vulns ubuntu:20.04 # Only base image vulns

# Base image recommendations
# When the base image is recognized, the output ends with upgrade advice grouped as
# minor upgrades, major upgrades and alternative image types with fewer vulnerabilities.
# Pass --file=Dockerfile so the FROM line is used to identify the base image.

Application Dependencies

Scanning application dependencies within container layers.

# Application dependency scanning
snyk container test myapp:latest --app-vulns # Include app dependencies (the default in current CLI versions)
snyk container test node:16 --app-vulns     # Node.js dependencies
snyk container test openjdk:11 --app-vulns  # Java dependencies

# Language-specific scanning
# The scan inspects what is installed inside the image layers, not the manifests in your repository:
# - Node.js packages found under node_modules (the package.json of each installed module)
# - Python packages installed by pip, regardless of any requirements.txt copied into the image
# - Java JAR/WAR files, including libraries nested inside them (see --nested-jars-depth)
# - Go binaries with embedded module information
# - further ecosystems as listed in Snyk's support matrix for your CLI version

Configuration Issues

Analysis of the Dockerfile alongside the image, so findings can be tied to the instructions that introduced them.

# Dockerfile analysis
snyk container test myapp:latest --file=Dockerfile
# With the Dockerfile supplied, the CLI:
# - identifies the base image from the FROM line (the final stage of a multi-stage build)
# - attributes each vulnerable package to the base image or to the RUN/COPY instruction that added it
# - separates base image vulnerabilities from those your own layers introduce (--exclude-base-image-vulns)
# - recommends newer or alternative base images that drop vulnerabilities
# Dockerfile best-practice checks (running as root, hardcoded secrets, missing HEALTHCHECK,
# layer caching) are not performed by this command; a dedicated Dockerfile linter is needed for those.

Container Metadata and Analysis

Image Information

# Container analysis provides:
# - Base image identification
# - Layer composition
# - Installed packages
# - Application dependencies
# - Configuration analysis
# - Security recommendations

# The human-readable output ends with a summary along these lines (values illustrative):
# Docker image: myapp:latest
# Platform: linux/amd64
# Base image: ubuntu:20.04
# Tested 150 dependencies for known issues, found 12 issues.
# followed by base image upgrade advice when the base image is recognized

Remediation Guidance

# Container-specific remediation:
# 1. Base image upgrades
# 2. Application dependency updates
# 3. Dockerfile improvements
# 4. Multi-stage build optimizations
# 5. Security policy recommendations

# Example recommendations:
# - Upgrade from ubuntu:20.04 to ubuntu:22.04
# - Update vulnerable npm packages
# - Use non-root user in Dockerfile
# - Remove unnecessary packages

Integration Patterns

CI/CD Pipeline Integration

# GitHub Actions example (SNYK_TOKEN stored as a repository secret; CLI installed from npm)
- name: Build Docker image
  run: docker build -t myapp:${{ github.sha }} .

- name: Install Snyk CLI
  run: npm install -g snyk

- name: Test container security   # exits 1 on findings at/above the threshold, which fails the job here
  run: snyk container test myapp:${{ github.sha }} --file=Dockerfile --severity-threshold=high
  env:
    SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

- name: Monitor image             # only reached when the test step passed
  run: snyk container monitor myapp:${{ github.sha }} --file=Dockerfile --project-name="MyApp-${{ github.ref_name }}"
  env:
    SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}

# Jenkins pipeline example ('snyk-token' is an assumed Jenkins secret-text credential ID)
pipeline {
  agent any
  environment {
    SNYK_TOKEN = credentials('snyk-token')
  }
  stages {
    stage('Build') {
      steps {
        sh 'docker build -t myapp:${BUILD_NUMBER} .'
      }
    }
    stage('Security Scan') {
      steps {
        // --json-file-output keeps the report even though exit code 1 fails the stage before monitor runs
        sh 'snyk container test myapp:${BUILD_NUMBER} --severity-threshold=high --json-file-output=container-results.json'
        sh 'snyk container monitor myapp:${BUILD_NUMBER}'
      }
      post {
        always { archiveArtifacts artifacts: 'container-results.json', allowEmptyArchive: true }
      }
    }
  }
}
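The commands above gate on exit code alone; a pipeline usually also needs to read the `--json` report and apply its own rule (for example, block only on findings that already have a fix, so unfixable OS vulnerabilities are reported without stalling every build). The following gate script is an added example, not code from the Snyk CLI or the tessl/npm-snyk tile, covering the container testing commands, the build-and-test pattern and the CI/CD integration above. It assumes the report shape of `snyk container test --json` (top-level `ok`, a `vulnerabilities` list with `id`, `severity`, `packageName`, `version` and, where a fix exists, `nearestFixedInVersion`, and `docker.baseImage`); the embedded report is a constructed sample with placeholder ids.

```python
"""Policy gate over `snyk container test --json` output for a CI pipeline.

Added example, not part of the Snyk CLI or the tessl/npm-snyk tile. Assumed
report shape (verify against your CLI version): top-level `ok`, a
`vulnerabilities` list with `id`, `severity`, `packageName`, `version` and,
when a fix exists, `nearestFixedInVersion`, plus `docker.baseImage`.
"""
import json
import subprocess
import sys

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def run_container_test(image, dockerfile=None, extra_args=()):
    """Run the CLI and return the parsed report.

    Exit 1 means findings were reported (stdout still carries the JSON);
    2 means the scan failed and 3 means nothing scannable was found, so
    only 0 and 1 yield a usable report.
    """
    cmd = ["snyk", "container", "test", image, "--json"]
    if dockerfile:
        cmd.append(f"--file={dockerfile}")
    cmd.extend(extra_args)
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode not in (0, 1):
        raise RuntimeError(f"snyk exited {proc.returncode}: {proc.stderr.strip()}")
    return json.loads(proc.stdout)


def evaluate(report, threshold="high", fixable_only=False):
    """Return (blocking, passed).

    `blocking` holds one entry per distinct (id, package, version) at or
    above `threshold`; with `fixable_only` the CLI must also report a fixed
    version, so unfixable findings stay visible but do not break the build.
    The CLI lists a vulnerability once per dependency path, hence the de-dup.
    """
    min_rank = SEVERITY_RANK[threshold]
    unique = {}
    for vuln in report.get("vulnerabilities", []):
        if SEVERITY_RANK.get(vuln.get("severity", "low"), 0) < min_rank:
            continue
        if fixable_only and not vuln.get("nearestFixedInVersion"):
            continue
        unique.setdefault((vuln["id"], vuln.get("packageName"), vuln.get("version")), vuln)
    blocking = sorted(unique.values(), key=lambda v: (-SEVERITY_RANK[v["severity"]], v["id"]))
    return blocking, not blocking


def summarize(report, blocking):
    """Render the gate decision as text for the build log."""
    lines = [f"Base image: {report.get('docker', {}).get('baseImage', 'unknown')}",
             f"Blocking findings: {len(blocking)}"]
    for v in blocking:
        fix = v.get("nearestFixedInVersion") or "no fix available"
        lines.append(f"  {v['severity'].upper():8} {v['id']} {v.get('packageName')}@{v.get('version')} -> {fix}")
    return "\n".join(lines)


# Constructed sample report (placeholder ids, not real scanner output).
SAMPLE_REPORT = {
    "ok": False,
    "docker": {"baseImage": "ubuntu:20.04"},
    "vulnerabilities": [
        {"id": "EXAMPLE-CRIT-1", "severity": "critical", "packageName": "openssl",
         "version": "1.1.1f-1ubuntu2", "nearestFixedInVersion": "1.1.1f-1ubuntu2.16"},
        {"id": "EXAMPLE-CRIT-1", "severity": "critical", "packageName": "openssl",   # same vuln, second path
         "version": "1.1.1f-1ubuntu2", "nearestFixedInVersion": "1.1.1f-1ubuntu2.16"},
        {"id": "EXAMPLE-HIGH-2", "severity": "high", "packageName": "glibc",
         "version": "2.31-0ubuntu9"},                                                # no upstream fix yet
        {"id": "EXAMPLE-MED-3", "severity": "medium", "packageName": "lodash",
         "version": "4.17.15", "nearestFixedInVersion": "4.17.21"},
    ],
}


def main(argv):
    if len(argv) < 2:
        print("usage: gate.py <image> [Dockerfile]")
        return 2
    report = run_container_test(argv[1], argv[2] if len(argv) > 2 else None)
    blocking, passed = evaluate(report, threshold="high", fixable_only=True)
    print(summarize(report, blocking))
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py myapp:latest Dockerfile` in the scan step; the process exit code becomes the gate. On the sample report, `evaluate(SAMPLE_REPORT, "high")` blocks on two distinct findings, while `fixable_only=True` blocks only on the openssl one and lets the unfixable glibc finding through.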

Kubernetes Integration

# Kubernetes deployment scanning
# Enumerate every image running in the cluster (pods rather than deployments, so init
# containers and pods created by other controllers are included), de-duplicate, scan each
kubectl get pods -A -o jsonpath='{range .items[*]}{range .spec.initContainers[*]}{.image}{"\n"}{end}{range .spec.containers[*]}{.image}{"\n"}{end}{end}' \
  | sort -u | xargs -n1 snyk container test --severity-threshold=high
# xargs keeps going after an image with findings and exits 123 at the end if any did

# Example Kubernetes security workflow
snyk container test myapp:v1.0           # Gate before deployment (exit 1 stops a `set -e` script here)
kubectl apply -f deployment.yaml         # Deploy to cluster
snyk container monitor myapp:v1.0 --project-name="K8s-MyApp-Prod"
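The jsonpath one-liner scans whatever tag the pod spec names, which can drift from the bytes the kubelet pulled. The script below is an added example, not code from Snyk or this tile: it parses `kubectl get pods -A -o json`, prefers the digest the kubelet recorded in `status.*.imageID` over the spec tag, de-duplicates across replicas and scans each distinct reference once. The pod listing embedded in it is a constructed sample with placeholder digests; `snyk container test` accepts `repo@sha256:<digest>` references.

```python
"""Inventory the images a cluster actually runs and scan each one once.

Added example, not part of the Snyk CLI or the tessl/npm-snyk tile. Assumes
`kubectl get pods -A -o json` and `snyk container test` on PATH. Where the
kubelet reports the pulled digest in status.*.imageID, that reference is
scanned instead of the tag, so the scan covers the bytes that are running
even if the tag was re-pushed since.
"""
import json
import subprocess

STATUS_KEYS = ("containerStatuses", "initContainerStatuses", "ephemeralContainerStatuses")
SPEC_KEYS = ("containers", "initContainers", "ephemeralContainers")


def resolved_digest(image_id):
    """Normalize a status imageID to `repo@sha256:...`, or None if no pullable digest.

    Docker-shim nodes prefix it with docker-pullable://; containerd nodes do not.
    A locally built image shows up as a bare docker://sha256:... and yields None.
    """
    prefix = "docker-pullable://"
    if image_id.startswith(prefix):
        image_id = image_id[len(prefix):]
    return image_id if "@sha256:" in image_id else None


def images_from_pods(pods):
    """Return the sorted set of distinct image references across all pods."""
    refs = set()
    for pod in pods.get("items", []):
        by_name = {}
        for key in STATUS_KEYS:
            for cs in pod.get("status", {}).get(key) or []:
                digest = resolved_digest(cs.get("imageID", ""))
                if digest:
                    by_name[cs["name"]] = digest
        for key in SPEC_KEYS:
            for container in pod.get("spec", {}).get(key) or []:
                refs.add(by_name.get(container["name"], container["image"]))
    return sorted(refs)


def scan_images(images, threshold="high"):
    """Run `snyk container test` per image; return {image: exit_code}.

    Exit 0 = clean, 1 = findings at/above threshold, 2 = scan error,
    3 = nothing scannable. Every image is scanned even if an earlier one fails.
    """
    results = {}
    for image in images:
        proc = subprocess.run(
            ["snyk", "container", "test", image, f"--severity-threshold={threshold}"],
            capture_output=True, text=True)
        results[image] = proc.returncode
    return results


# Constructed sample of `kubectl get pods -A -o json` (placeholder digests).
DIGEST_A = "sha256:" + "a" * 64
DIGEST_B = "sha256:" + "b" * 64
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "prod", "name": "api-1"},
     "spec": {"initContainers": [{"name": "migrate", "image": "myregistry.com/myapp-migrate:v1.0"}],
              "containers": [{"name": "api", "image": "myregistry.com/myapp:v1.0"},
                             {"name": "proxy", "image": "nginx:1.25"}]},
     "status": {"initContainerStatuses": [{"name": "migrate", "imageID": ""}],
                "containerStatuses": [{"name": "api", "imageID": f"myregistry.com/myapp@{DIGEST_A}"},
                                      {"name": "proxy", "imageID": f"docker-pullable://nginx@{DIGEST_B}"}]}},
    {"metadata": {"namespace": "prod", "name": "api-2"},   # replica: same images, must be scanned once
     "spec": {"containers": [{"name": "api", "image": "myregistry.com/myapp:v1.0"},
                             {"name": "proxy", "image": "nginx:1.25"}]},
     "status": {"containerStatuses": [{"name": "api", "imageID": f"myregistry.com/myapp@{DIGEST_A}"},
                                      {"name": "proxy", "imageID": f"docker-pullable://nginx@{DIGEST_B}"}]}},
    {"metadata": {"namespace": "staging", "name": "worker"},  # pending pod: no status, tag is all we have
     "spec": {"containers": [{"name": "worker", "image": "myregistry.com/worker:latest"}]},
     "status": {}},
]}


if __name__ == "__main__":
    raw = subprocess.run(["kubectl", "get", "pods", "-A", "-o", "json"],
                         capture_output=True, text=True, check=True).stdout
    for image, code in scan_images(images_from_pods(json.loads(raw))).items():
        print(f"{code}  {image}")
```

On the sample, three pods collapse to four distinct references: the two running containers resolve to their digests, the init container (no digest recorded) and the pending worker fall back to their tags.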

Registry Webhook Integration

# Automated scanning on image push
# Configure registry webhooks to trigger a job that runs:
# 1. snyk container test <newly-pushed-image> --severity-threshold=high
# 2. snyk container monitor <newly-pushed-image> (only if step 1 passed)
# 3. Generate security reports (--json / --sarif output from step 1)
# 4. Block deployment on exit code 1 (findings at or above the threshold);
#    exit 0 = clean, 2 = scan error, 3 = nothing scannable: treat 2 and 3 as failures, never as a pass

Advanced Container Features

Multi-Platform Support

# Platform-specific scanning (Linux images; the value is the OS/arch pair from the manifest list)
snyk container test myapp:latest --platform=linux/amd64
snyk container test myapp:latest --platform=linux/arm64
snyk container test myapp:latest --platform=linux/arm/v7

# Multi-architecture image scanning
docker manifest inspect myapp:latest     # List the platforms the tag resolves to
snyk container test myapp:latest         # Without --platform only one platform is scanned (normally the one matching the scanning host)
# Package sets differ per architecture, so scan every platform you actually deploy

Nested JAR Analysis

# Java application scanning
snyk container test myapp:latest --nested-jars-depth=5 # Unpack JARs nested inside JARs/WARs up to 5 levels deep
snyk container test tomcat:9 --app-vulns # WAR files deployed in the image are scanned as application dependencies
snyk container test myapp:latest --app-vulns # Spring Boot fat JARs: the libraries under BOOT-INF/lib are what --nested-jars-depth reaches

Custom CA and SSL

# Custom certificate handling
# Trust a private CA the way Node.js does, via NODE_EXTRA_CA_CERTS (the CLI honours it); there is no --ca flag
NODE_EXTRA_CA_CERTS=/path/to/ca.pem snyk container test myregistry.com/app:latest
snyk container test myregistry.com/app:latest --insecure # Disables certificate verification entirely: local debugging only, never in CI,
                                                        # since it leaves the CLI open to interception on the way to the registry and the Snyk API

Types

Container Types

interface ContainerTestResult {
  /** Container vulnerabilities */
  vulnerabilities: ContainerVulnerability[];
  /** Base image information */
  baseImage: string;
  /** Platform architecture */
  platform: string;
  /** Application dependencies found */
  applications?: Application[];
  /** Docker metadata */
  docker: DockerMetadata;
  /** Summary information */
  summary: ContainerSummary;
}

interface ContainerVulnerability extends Vulnerability {
  /** Earliest version of the package that contains a fix, when one exists */
  nearestFixedInVersion?: string;
  /** Container layer introducing vulnerability */
  introducedThrough?: string[];
  /** Fix available in newer base image */
  fixedIn?: string[];
  /** Dockerfile instruction related to vulnerability */
  dockerfileInstruction?: string;
}

interface DockerMetadata {
  /** Base image name */
  baseImage: string;
  /** Base image tag */
  baseImageTag: string;
  /** Image platform */
  platform: string;
  /** Image layers */
  layers: DockerLayer[];
  /** Image size */
  size: number;
  /** Image creation date */
  created: string;
}

interface DockerLayer {
  /** Layer SHA256 hash */
  sha: string;
  /** Layer instruction */
  instruction: string;
  /** Layer size in bytes */
  size: number;
}

interface Application {
  /** Application name */
  name: string;
  /** Application version */
  version: string;
  /** Package manager */
  packageManager: string;
  /** Dependencies */
  dependencies: Dependency[];
}

interface ContainerSummary {
  /** Total vulnerabilities */
  vulnerabilities: number;
  /** Vulnerabilities by severity */
  bySeverity: {
    critical: number;
    high: number;
    medium: number;
    low: number;
  };
  /** Base image vulnerabilities */
  baseImageVulns: number;
  /** Application vulnerabilities */
  applicationVulns: number;
}
