snyk test docker --fail-on= workaround
07 Oct 2021 | #tech | #security

I'm running Snyk to scan Docker images and break the build if they have high or critical vulnerabilities:
snyk test --severity-threshold=high --docker $IMAGE_NAME
However, sometimes the upstream image itself has high or critical vulnerabilities (e.g. at the time of writing this, debian), so there is very little one can do about them (other than moving to a different base image, which is usually not easy). Thus I only want to break the build if there are high or critical vulnerabilities AND they can be fixed by upgrading the base image.
The snyk CLI has the --fail-on=all|upgradable|patchable option, described as "Only fail when there are vulnerabilities that can be fixed.", which would be perfect, but it's broken for docker scans. Thus I had to come up with a workaround:
snyk test --severity-threshold=high --docker "$IMAGE_NAME" --json-file-output=/tmp/out.json || if jq -r '.docker.baseImageRemediation.code' /tmp/out.json | grep -q "NO_REMEDIATION_AVAILABLE"; then return 0; else return 1; fi
This scans the image and saves the report as JSON. If the scan fails, it parses the JSON and looks at .docker.baseImageRemediation.code, which tells whether the base image has NO_REMEDIATION_AVAILABLE or REMEDIATION_AVAILABLE, and only breaks the build if there is remediation available. Two things to keep in mind: `return` only works inside a shell function or a sourced script, so in a standalone CI step use `exit` instead; and since anything other than NO_REMEDIATION_AVAILABLE ends up in the else branch, a scan that errors out (snyk exits with 2 and may not write a usable report) also breaks the build, which is the safe direction to fail.
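The same gate as a small reusable shell function, written as an added example here rather than taken from the original post. It assumes the report was produced with --json-file-output and carries .docker.baseImageRemediation.code as described above; it prefers jq and falls back to a crude sed match only when jq is absent. Beyond the one-liner, it distinguishes snyk's documented exit codes (0 clean, 1 vulnerabilities found, 2 scan failure, 3 nothing to scan) so that a broken scan fails closed instead of being mistaken for a clean one, and the make_report helper writes a constructed stand-in report for demonstration, not real Snyk output.

```shell
#!/bin/sh
# Added example, not code from the original post: the one-liner above as a
# reusable gate that also fails closed when the scan itself breaks.
# Assumptions: the report was written with --json-file-output and carries
# .docker.baseImageRemediation.code as described in the post; jq is preferred
# and a crude sed fallback is used only when jq is absent.

# remediation_code REPORT  -> prints the base-image remediation code, if any
remediation_code() {
  if command -v jq >/dev/null 2>&1; then
    jq -r '.docker.baseImageRemediation.code // empty' "$1"
  else
    # Fallback without jq: strip whitespace, then match the object literally.
    # Assumes "code" is the first key inside baseImageRemediation.
    tr -d '[:space:]' < "$1" |
      sed -n 's/.*"baseImageRemediation":{"code":"\([A-Z_]*\)".*/\1/p'
  fi
}

# snyk_gate SCAN_EXIT_CODE REPORT  -> 0 = let the build pass, 1 = break it
snyk_gate() {
  scan_rc="$1"
  report="$2"

  # 0: nothing at or above the severity threshold was found.
  [ "$scan_rc" -eq 0 ] && return 0

  # 1: vulnerabilities found. Anything else (2 = scan failure, 3 = nothing
  # to scan) means there is no trustworthy result, so fail closed.
  [ "$scan_rc" -eq 1 ] || return 1

  # No readable report means the scan did not get far enough to judge.
  [ -r "$report" ] || return 1

  code=$(remediation_code "$report") || return 1
  case "$code" in
    NO_REMEDIATION_AVAILABLE) return 0 ;;  # upstream problem, nothing to fix here
    *)                        return 1 ;;  # an upgrade exists (or the state is unknown)
  esac
}

# make_report FILE CODE: writes a constructed, minimal report for demonstration
# (a stand-in for the shape of real Snyk output, not a captured report).
make_report() {
  printf '{"ok":false,"docker":{"baseImageRemediation":{"code":"%s","advice":[]}}}\n' "$2" > "$1"
}

# Usage in a CI step (works under set -e: capture the exit code instead of
# letting the failing scan abort the step):
#   rc=0
#   snyk test --severity-threshold=high --docker "$IMAGE_NAME" --json-file-output=/tmp/out.json || rc=$?
#   snyk_gate "$rc" /tmp/out.json
```

Capturing the exit code into a variable is what makes this usable in pipelines that run with set -e; a bare `snyk test ... ; snyk_gate $? ...` would abort before the gate runs. The `*` branch of the case is deliberate: an empty or unexpected code (missing key, malformed report) breaks the build rather than quietly passing it.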