{"id":17473,"library":"snyk-docker-plugin","title":"Snyk CLI Docker Plugin","description":"The `snyk-docker-plugin` is a specialized component designed to extend the capabilities of the Snyk CLI, enabling it to detect vulnerabilities within Docker images. It currently stands at version 9.6.5 and exhibits a rapid release cadence, with multiple patches and minor versions released weekly or bi-weekly, indicating active development and maintenance. This plugin is crucial for scanning a wide array of Linux-based operating systems (Debian, Red Hat, Alpine, etc.), including distroless and scratch images, across various architectures (ARM, AMD, PPC). A key differentiator is its ability to identify vulnerabilities not only through package managers (rpm, apk, deb) but also by detecting Node and Java binaries installed outside of standard package management, and by analyzing Dockerfiles directly. It supports various image protocols and container registries, providing comprehensive security analysis for containerized applications.","status":"active","version":"9.6.5","language":"javascript","source_language":"en","source_url":"https://github.com/snyk/snyk-docker-plugin","tags":["javascript","typescript"],"install":[{"cmd":"npm install snyk-docker-plugin","lang":"bash","label":"npm"},{"cmd":"yarn add snyk-docker-plugin","lang":"bash","label":"yarn"},{"cmd":"pnpm add snyk-docker-plugin","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"This package is a plugin for the Snyk CLI tool and is not intended for standalone use. The Snyk CLI (npm package 'snyk') is required to utilize its functionality.","package":"snyk","optional":false}],"imports":[{"note":"This package is a plugin for the Snyk CLI and is not designed for direct programmatic import into user applications. 
Its functionality is exposed via the Snyk CLI commands, specifically `snyk container test`.","wrong":"import { DockerPlugin } from 'snyk-docker-plugin'","symbol":"Snyk CLI usage","correct":"snyk container test <IMAGE_NAME>:<TAG>"},{"note":"While this plugin ships its own TypeScript types, they are internal to the Snyk CLI's architecture. Developers typically interact with the Snyk CLI's public API and types, rather than directly with the plugin's internal types. The main interaction is through CLI commands, not direct TypeScript imports.","wrong":"import type { DockerScanResult } from 'snyk-docker-plugin'","symbol":"Snyk CLI type definitions","correct":"import type { SnykTestOptions } from 'snyk'"}],"quickstart":{"code":"npm install -g snyk\n\n# Authenticate your Snyk CLI with your Snyk account\nsnyk auth\n\n# Build a sample Docker image (assuming you have a Dockerfile in your current directory)\n# For example, create a Dockerfile with:\n# FROM node:20-alpine\n# WORKDIR /app\n# COPY package*.json ./\n# RUN npm install\n# COPY . .\n# CMD [\"node\", \"server.js\"]\ndocker build -t my-vulnerable-app:latest .\n\n# Test your Docker image for vulnerabilities using the Snyk Docker plugin\nsnyk container test my-vulnerable-app:latest \\\n  --file=./Dockerfile \\\n  --exclude-app-vulns \\\n  --severity-threshold=high\n\n# Alternatively, test a remote image from Docker Hub\nsnyk container test node:20-alpine\n\n# Scan a local Docker archive (the docker-archive: prefix names the tar; --file is for the Dockerfile)\ndocker save -o my-app.tar my-vulnerable-app:latest\nsnyk container test docker-archive:my-app.tar\n","lang":"bash","description":"Demonstrates the installation of the Snyk CLI and how to use the `snyk container test` command with a local or remote Docker image to scan for vulnerabilities, including options for specifying a Dockerfile or excluding application vulnerabilities."},"warnings":[{"fix":"Upgrade your Node.js environment to version 20.19 or higher. 
Use a tool like `nvm` to manage multiple Node.js versions: `nvm install 20 && nvm use 20`.","message":"The minimum Node.js engine requirement was updated to `>=20.19`. Running the Snyk CLI (and thus this plugin) with older Node.js versions will result in errors.","severity":"breaking","affected_versions":">=9.0.0 (approx, based on engine requirement)"},{"fix":"Interact with Docker image scanning functionality exclusively through the Snyk CLI by running `snyk container test ...` commands in your terminal or CI/CD pipelines.","message":"The `snyk-docker-plugin` is not a standalone library for direct programmatic use. Attempting to `import` or `require` it in your Node.js application will lead to errors as its API is internal and exposed solely via the Snyk CLI.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Always include `--file=<path/to/Dockerfile>` when running `snyk container test <IMAGE>` to enable full Dockerfile analysis and improve the accuracy of Snyk's recommendations.","message":"When testing container images, it's crucial to specify the `--file` flag pointing to your Dockerfile for accurate base image detection and recommendations. Omitting it might lead to less precise results.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Ensure you are using the latest Snyk CLI version (`npm install -g snyk@latest`). Explore options like `snyk container test docker-archive:my-image.tar` or direct registry pulling which reduce dependencies on local Docker daemon setup.","message":"Older versions of the Snyk CLI might require specific Docker daemon access or configurations. The plugin has continuously improved its ability to scan images from various sources, including archives or registries without direct daemon access. 
Relying on direct Docker daemon access for scanning might become less necessary or supported in future versions.","severity":"deprecated","affected_versions":"<8.0.0 (approx)"}],"env_vars":null,"last_verified":"2026-04-22T00:00:00.000Z","next_check":"2026-07-21T00:00:00.000Z","problems":[{"fix":"Update your Node.js environment to version 20.19 or newer. Use `nvm install 20` and `nvm use 20` if using Node Version Manager.","cause":"The Snyk CLI and its plugins have updated their minimum Node.js version requirement.","error":"Error: Node.js v18.x.x is not supported. Please upgrade to Node.js v20.19.x or higher."},{"fix":"This package is a CLI plugin, not a library for programmatic import. Use the `snyk container test` command via the Snyk CLI instead of trying to import it directly.","cause":"Attempting to import the plugin as a regular Node.js module.","error":"Cannot find module 'snyk-docker-plugin'"},{"fix":"Verify the image name and tag are correct. Ensure the image is pulled locally (`docker pull my-image:latest`) or that the Snyk CLI has correct registry authentication configured (`snyk config set dockerToken=...`).","cause":"The specified Docker image is not found in the local Docker daemon or accessible via configured registries.","error":"ERROR: Could not find image 'my-image:latest'. Please ensure the image is available locally or in a configured registry."},{"fix":"Ensure your user is part of the `docker` group (`sudo usermod -aG docker $USER && newgrp docker`) or configure Docker daemon access appropriately. If running in CI, ensure the CI runner has necessary Docker permissions.","cause":"The user running the Snyk CLI does not have appropriate permissions to interact with the Docker daemon socket.","error":"Permission denied while accessing Docker socket."}],"ecosystem":"npm","meta_description":null}