Container

Create images with security built-in from the start

Integrations

Install Snyk CLI

npm – npm install -g snyk

snyk auth

snyk container test debian

- Downloads the image if it’s not already available locally in your Docker daemon
- Determines the software installed in the image
- Sends that bill of materials to the Snyk Service
- Returns a list of the vulnerabilities in your image

You can use Snyk to test any image that you can pull from a remote registry, or any image you have built locally and made available in your local Docker daemon.

snyk container test <repository>:<tag>

If you use a Dockerfile to build your image, you can provide that when running Snyk.

snyk container test <repository>:<tag> --file=Dockerfile

This gives Snyk more context (it can attribute each vulnerability either to the base image or to the Dockerfile instruction that introduced the package) and leads to clearer recommendations.

Vulnerabilities are printed in ascending severity order, so the most severe issues sit at the bottom of the output next to your prompt and there's less scrolling up to see the most important ones.

If Snyk determines the base image used, and that base image is an official Docker image, the output includes recommendations for upgrades that resolve some of the discovered vulnerabilities.

Direct Test Docker/OCI Archives

snyk container test docker-archive:archive.tar
snyk container test oci-archive:archive.tar

Specific Platform

snyk container test --platform=linux/arm64 debian

SCM: Snyk can detect Dockerfiles directly in Git repositories, and provide recommendations for updating the base image to a less vulnerable one.

CI: Snyk can act as a gate, for example breaking the build on new high severity vulnerabilities.

Container registries: useful to test a large number of images, or if you cannot modify lots of CI pipelines.

Kubernetes: similar to container registries, but with more context about the running workload, which Snyk can use to prioritize vulnerabilities or group projects.
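A CI gate of the kind described above, as an added example that is not Snyk's own code and not part of the original page. It is a Python script rather than a bare CLI call so the job log keeps the full severity counts, de-duplicates findings and prints the base image advice before failing the build. It assumes the JSON field names listed in its docstring, and the embedded SAMPLE_REPORT is constructed for the example: its IDs, versions and advice text are made up.

```python
#!/usr/bin/env python3
"""CI gate over the JSON report from `snyk container test`.

Added example, not Snyk's own code. It assumes the --json report carries
the fields it is known to: a top-level "vulnerabilities" list whose
entries have "id", "severity", "packageName" and "version", plus
"docker.baseImage" and "docker.baseImageRemediation.advice" as a list of
{"message": ...} objects. SAMPLE_REPORT is constructed for this example;
its IDs, versions and advice text are made up.
"""
import json
import subprocess
import sys
from collections import Counter

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def run_snyk_test(image, dockerfile=None, exclude_base_image=False):
    """Run `snyk container test <image> --json` and parse its report.

    Exit code 1 means vulnerabilities were found, a normal result for a
    gate; 2 (error) and 3 (nothing to scan) abort the job instead.
    """
    cmd = ["snyk", "container", "test", image, "--json"]
    if dockerfile:
        cmd.append(f"--file={dockerfile}")        # base-image vs Dockerfile attribution
    if exclude_base_image:
        cmd.append("--exclude-base-image-vulns")   # gate only what the Dockerfile added
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode not in (0, 1):
        raise RuntimeError(f"snyk exited {proc.returncode}: {proc.stderr.strip()}")
    return json.loads(proc.stdout)


def gate(report, threshold="high"):
    """Return (passed, counts_by_severity, blocking_vulns).

    A vulnerability reachable through several dependency paths is listed
    once per path, so entries are de-duplicated on (id, package, version).
    """
    floor = SEVERITY_RANK[threshold]
    counts, blocking, seen = Counter(), [], set()
    for vuln in report.get("vulnerabilities", []):
        key = (vuln["id"], vuln.get("packageName"), vuln.get("version"))
        if key in seen:
            continue
        seen.add(key)
        severity = vuln.get("severity", "low")
        counts[severity] += 1
        if SEVERITY_RANK.get(severity, 0) >= floor:
            blocking.append(vuln)
    blocking.sort(key=lambda v: SEVERITY_RANK.get(v["severity"], 0), reverse=True)
    return not blocking, dict(counts), blocking


def base_image_advice(report):
    """Upgrade advice Snyk attaches when it recognises an official base image."""
    advice = report.get("docker", {}).get("baseImageRemediation", {}).get("advice", [])
    return [a["message"] for a in advice if a.get("message")]


# Constructed sample: the first two entries are one issue reported via two
# dependency paths, followed by one medium and one low.
SAMPLE_REPORT = {
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-0001", "severity": "high", "packageName": "openssl", "version": "1.1.1n-0+deb11u4"},
        {"id": "SNYK-EXAMPLE-0001", "severity": "high", "packageName": "openssl", "version": "1.1.1n-0+deb11u4"},
        {"id": "SNYK-EXAMPLE-0002", "severity": "medium", "packageName": "glibc/libc6", "version": "2.31-13+deb11u5"},
        {"id": "SNYK-EXAMPLE-0003", "severity": "low", "packageName": "zlib/zlib1g", "version": "1:1.2.11.dfsg-2+deb11u2"},
    ],
    "docker": {"baseImage": "debian:11", "baseImageRemediation": {"advice": [
        {"message": "Base Image  Vulnerabilities  Severity"},
        {"message": "debian:11   3                0 critical, 1 high, 1 medium, 1 low"},
    ]}},
}


def main(argv):
    """Usage: gate.py <image> [Dockerfile] [threshold]; a non-zero exit fails the build."""
    if len(argv) < 2:
        print("usage: gate.py <image> [Dockerfile] [threshold]", file=sys.stderr)
        return 2
    report = run_snyk_test(argv[1], argv[2] if len(argv) > 2 else None)
    passed, counts, blocking = gate(report, argv[3] if len(argv) > 3 else "high")
    print(f"{argv[1]}: {dict(sorted(counts.items()))}")
    for vuln in blocking:
        print(f"  [{vuln['severity']}] {vuln['id']} in {vuln['packageName']}@{vuln['version']}")
    for line in base_image_advice(report):
        print("  " + line)
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running `snyk container test --severity-threshold=high` gives the same pass/fail from the CLI's exit code alone; gating in a script keeps the lower-severity counts visible in the job log and collapses findings the report repeats once per dependency path. `exclude_base_image=True` maps to `--exclude-base-image-vulns`, which is what "ignore base image vulnerabilities" means for a pipeline that only wants to gate on what its own Dockerfile added.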

Layered File Systems

Snyk walks the image's layered file system to find the packages installed by:

- Operating system distributions, such as Debian, Ubuntu or CentOS.
- Application package managers, such as npm, pip and RubyGems.

Steps

1. We first find the software installed in the image, including:
   - operating system packages (dpkg, rpm and apk);
   - popular unmanaged software, i.e. software installed outside a package manager;
   - application packages, based on the presence of a manifest file.

2. After we have the list of installed software, we look it up against our vulnerability database, which combines public sources with proprietary research.
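To make step 1 concrete, here is an added example (not Snyk's code and not part of the original page) of extracting the OS-package part of the bill of materials from an extracted image root filesystem. It parses dpkg's /var/lib/dpkg/status (Debian, Ubuntu) and apk's /lib/apk/db/installed (Alpine) into source package, binary package and installed version, which is the key a vulnerability database is queried with in step 2. The two embedded database excerpts are constructed for the example; package names and versions in them are illustrative only.

```python
#!/usr/bin/env python3
"""OS-package bill of materials from an extracted image root filesystem.

Added example, not Snyk's code. It reads the package databases found in
most Linux images, dpkg's status file (Debian, Ubuntu) and apk's
installed database (Alpine), and returns what a vulnerability lookup is
keyed on: source package, binary package and exact installed version.
The database excerpts at the bottom are constructed for the example.
"""
import os


def parse_dpkg_status(text):
    """Parse /var/lib/dpkg/status: RFC 822-style stanzas separated by blank lines.

    Only 'install ok installed' entries are on disk; 'deinstall ok config-files'
    stanzas are leftovers of removed packages and are skipped. 'Source:' may
    carry the source version in parentheses when it differs from the binary one.
    """
    packages = []
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if not line or line[0].isspace():   # continuation of a multi-line field
                continue
            key, _, value = line.partition(":")
            fields[key] = value.strip()
        if fields.get("Status") != "install ok installed":
            continue
        name, version = fields["Package"], fields["Version"]
        source, source_version = fields.get("Source", name), version
        if " (" in source:                     # e.g. "sample (1.0-1)"
            source, source_version = source.split(" (", 1)
            source_version = source_version.rstrip(")")
        packages.append({"ecosystem": "deb", "source": source, "name": name,
                         "version": version, "source_version": source_version})
    return packages


def parse_apk_installed(text):
    """Parse /lib/apk/db/installed: 'K:value' lines; P = name, V = version, o = origin."""
    packages = []
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if len(line) > 1 and line[1] == ":":
                fields.setdefault(line[0], line[2:])   # keep the first of repeated keys
        if "P" in fields and "V" in fields:
            packages.append({"ecosystem": "apk", "source": fields.get("o", fields["P"]),
                             "name": fields["P"], "version": fields["V"],
                             "source_version": fields["V"]})
    return packages


def collect_os_packages(rootfs):
    """List the OS packages of an extracted image root (e.g. from `docker export`)."""
    found = []
    for rel, parser in (("var/lib/dpkg/status", parse_dpkg_status),
                        ("lib/apk/db/installed", parse_apk_installed)):
        path = os.path.join(rootfs, rel)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                found += parser(fh.read())
    return sorted(found, key=lambda p: (p["ecosystem"], p["name"]))


# Constructed database excerpts; package names and versions are illustrative only.
DPKG_SAMPLE = """\
Package: libc6
Status: install ok installed
Source: glibc
Version: 2.31-13+deb11u5
Description: GNU C Library: Shared libraries
 Contains the standard libraries that are used by nearly all programs.

Package: libsample1
Status: install ok installed
Source: sample (1.0-1)
Version: 1.0-1+b1

Package: curl
Status: deinstall ok config-files
Version: 7.74.0-1.3+deb11u7
"""

APK_SAMPLE = """\
C:Q1examplechecksum=
P:musl
V:1.2.4-r2
o:musl

P:libssl3
V:3.1.4-r5
A:x86_64
o:openssl
"""

if __name__ == "__main__":
    import sys
    for p in collect_os_packages(sys.argv[1]):
        print(f"{p['ecosystem']}:{p['source']}/{p['name']}@{p['version']}")
```

The source package matters because distribution security trackers (Debian's, for instance) record fixes against the source package, while the image only contains the binary packages built from it; reporting "glibc/libc6@2.31-13+deb11u5" rather than just "libc6" is what lets the lookup in step 2 match.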

Link Images

Snyk allows you to manually or automatically link a Dockerfile to all container images built from it. Use this to understand the security impact on your running applications, and to see which images can be better secured, or need to be rebuilt, when you take action by updating the Dockerfile's base image.

Images imported via a container registry integration are linked automatically to existing Dockerfile projects when the OCI label in the image matches the path of a Dockerfile that already exists in your Snyk org.

Supported OSs

File fingerprinting: popular unmanaged software, i.e. binaries installed outside any package manager, is identified by fingerprinting the installed files rather than from package metadata. Examples:

- Node.js
- OpenJDK

Monitoring/Recurring Scans

An integration that saves a snapshot of the image's bill of materials to Snyk:

- Snyk will alert you if new vulnerabilities are disclosed that affect your image, without you having to retest it locally
- Interactively filter the results and explore the list of vulnerabilities in your web browser
- Results on Snyk can be shared with other members of your team

snyk container monitor <repository>:<tag>

- Downloads the image if it’s not already available locally in your Docker daemon
- Determines the software installed in the image
- Sends that bill of materials to the Snyk Service
- Saves it as a snapshot (a project) in Snyk and prints a link to it; instead of printing the vulnerability list locally, Snyk retests the snapshot as new vulnerabilities are disclosed

Relative Importance

Snyk's severity for an OS package can differ from NVD's: where the distribution's own security team has rated the issue, that distro-specific rating is used, because it reflects how the package is built and patched in that distribution.

External Information Sources

- NVD
- Debian Severity
- Ubuntu CVE Priority
- Red Hat Enterprise Linux Severity
- SUSE Linux Enterprise Security Rating Overview
- Amazon Linux
- Distro-specific findings

Demo Help

- Build off of the SDLC slide.
- Leverage the container CLI (the developer endpoint):
  - Talk about the remediation advice from the CLI.
  - Mention the container IDE integration (limited, though).
- Talk about the CI/CD pipeline:
  - Based on gating.
  - Monitor the container within the Snyk UI.
  - Choose to ignore "Base Image Vulnerabilities" in the scan.
- Integrate directly in a container registry (Harbor, ECR, ACR):
  - Benefit: the container has already been BUILT, so the scan covers the image that actually ships.
- Git-based PR scanning:
  - Benefit: open a Fix PR.
  - Dockerfile scanning is less accurate (the image is PRE-BUILT, i.e. not built yet).
  - Automate PRs.
- Remediation advice: base image recommendations.
  - Custom: personal registries.
  - Public repos: the user will get the least vulnerable version.
  - Most vulnerabilities are found here, in the base image.
- Deployments: on-prem (via Broker) and cloud.
- Software composition analysis for Linux packages: OS package manager metadata; operating system vs OSS.
- Security: exploit maturity, social trends, relative importance (NVD vs the Debian or other Linux flavor rating).
- Multiple layers:
  - Base image changes.
  - User instructions: install X first, THEN skip the user instruction; the container will find the previous instruction and skip it.