We noticed in the last few hours our GitHub actions using https://github.com/snyk/actions/tree/master/gradle-jdk17 were failing and I believe it is related to this recent change: #35

To confirm this, I tested it locally running the docker image and was able to produce the same issue:

docker run --rm -it --env SNYK_TOKEN -v $(PWD):/app snyk/snyk:gradle-jdk17 "snyk" "code test" "--sarif-file-output=snyk.sarif --org=advanced-qem"
The following option combination is not currently supported: code test + sarif-file-output

Contrast that with

docker run --rm -it --env SNYK_TOKEN -v $(PWD):/app snyk/snyk:gradle-jdk17 "snyk" "code" "test" "--sarif-file-output=snyk.sarif --org=advanced-qem"

Testing /app ...


✔ Test completed

Organization:      advanced-qem
Test type:         Static code analysis
Project path:      /app

Summary:

✔ Awesome! No issues were found.

From what I can tell, the docker command is recognizing it as an entire command coming from the Snyk Action workflow.

with:
  command: code test
  args: "--sarif-file-output=snyk.sarif --org=advanced-qem"

This line in the Dockerfile https://github.com/snyk/snyk-images/blob/master/Dockerfile#L32 should not longer be needed if we upgrade pkg. See vercel/pkg#726 (comment) for reference.

Please add image for golang-1.22
Thanks heaps

I want the digest history of snyk/snyk:python-3.10. Thanks

Starting from a recent version of Snyk image, it upgraded to Git
2.30.2-1+deb11u1, which backported the safe.directory option [1].

# image built 2 days ago
$ docker run --rm --entrypoint bash -i b44a997189b5 -c 'dpkg -l | grep -w git; git help --config | grep safe.directory'
ii  git                        1:2.30.2-1+deb11u1             amd64        fast, scalable, distributed revision control system
ii  git-man                    1:2.30.2-1+deb11u1             all          fast, scalable, distributed revision control system (manual pages)
safe.directory

# image built 9 days ago
$ docker run --rm --entrypoint bash -i 5f988dd42068 -c 'dpkg -l | grep -w git; git help --config | grep safe.directory'
ii  git                        1:2.30.2-1                     amd64        fast, scalable, distributed revision control system
ii  git-man                    1:2.30.2-1                     all          fast, scalable, distributed revision control system (manual pages)

Now since I guess inside Docker we run everything as root, however the
mounted Git repository is owned by user/group runner (uid 1000, gid
1000 IIRC), Git now refuses to do anything in the repository.

And in Go projects, apparently snyk calls go list to check the dependencies,
which calls Git internally, it now complains

'go list -json -deps ./...' command failed with error: error obtaining VCS status: exit status 128
    Use -buildvcs=false to disable VCS stamping.

Two workarounds right now. One, add a GOFLAGS: "-buildvcs=false" environment
variable; two, run this before Synk:

- name: Set work directory as Git safe directory in Docker
  run: |
    git config --global safe.directory '*'
    mkdir -p /home/runner/runner/agent/_work/_temp/_github_home
    cp "$HOME/.gitconfig" "/home/runner/runner/agent/_work/_temp/_github_home/.gitconfig"

But I think in the long run we should either add the safe.directory
automatically (but don't use *), or run synk with the same uid/gid of the
owner/group of the repository.

[1] https://release.debian.org/proposed-updates/bullseye_diffs/git_2.30.2-1+deb11u1.debdiff

Both Snyk docker images for Scala and sbt seemingly have critical Log4Shell issues and have for some time. When do we expect this to be fixed?

See sbt and scala images.

Hi, I wanted to execute snyk test and snyk monitor in one container call. But only snyk test is executed and then the container exits. The output is as follows:

$ docker run --rm -it --env SNYK_TOKEN -v $PWD:/app snyk/snyk:golang 'snyk test && snyk monitor'

Testing /app...

Organization:      <>
Package manager:   gomodules
Target file:       go.mod
Project name:      app
Open source:       no
Project path:      /app
Licenses:          enabled

✔ Tested /app for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.

I have set the x flag in /user/local/bin/docker-entrypoint.sh (set -x) and the output is as follows:

$ docker run --rm -it --env SNYK_TOKEN -v $PWD:/app local/snyk:golang 'snyk test && snyk monitor'
+ [ -z  ]
+ command -v pip
+ [ -x  ]
+ command -v mvn
+ [ -x  ]
+ command -v go
+ [ -x /usr/local/go/bin/go ]
+ [ -f Gopkg.toml ]
+ exit_code=0
+ [ 0 -ne 0 ]
+ [ -z  ]
+ [  = test -a  = true ]
+ [  = test -a  = true ]
+ cmd_string=snyk test && snyk monitor
+ eval exec snyk test && snyk monitor
+ exec snyk test

Testing /app...

Organization:      <>
Package manager:   gomodules
Target file:       go.mod
Project name:      app
Open source:       no
Project path:      /app
Licenses:          enabled

✔ Tested /app for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.

Here you can see that only the first command is executed with exec and then the process is terminated. If your container offers the possibility to execute multiple commands by an Bash logical (&&) operator, then the following code changes could fulfill this:

- eval "exec ${cmd_string}"
+ eval "${cmd_string}"

The following output shows the execution:

$ docker run --rm -it --env SNYK_TOKEN -v $PWD:/app local/snyk:golang 'snyk test && snyk monitor'
+ [ -z  ]
+ command -v pip
+ [ -x  ]
+ command -v mvn
+ [ -x  ]
+ command -v go
+ [ -x /usr/local/go/bin/go ]
+ [ -f Gopkg.toml ]
+ exit_code=0
+ [ 0 -ne 0 ]
+ [ -z  ]
+ [  = test -a  = true ]
+ [  = test -a  = true ]
+ cmd_string=snyk test && snyk monitor
+ eval snyk test && snyk monitor
+ snyk test

Testing /app...

Organization:      <>
Package manager:   gomodules
Target file:       go.mod
Project name:      app
Open source:       no
Project path:      /app
Licenses:          enabled

✔ Tested /app for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.


+ snyk monitor

Monitoring /app (app)...

Explore this snapshot at https://app.snyk.io/org/<>/project/<>

Notifications about newly disclosed issues related to these dependencies will be emailed to you.

Another solution would be the GitHub entrypoint example dockerfile-support-for-github-actions

- cmd_string="$* $JSON_OUTPUT $SARIF_OUTPUT"
- eval "exec ${cmd_string}"
+ sh -c "$* $JSON_OUTPUT $SARIF_OUTPUT"

The following output shows the execution:

$ docker run --rm -it --env SNYK_TOKEN -v $PWD:/app local/snyk:golang 'snyk test && snyk monitor'
+ [ -z  ]
+ command -v pip
+ [ -x  ]
+ command -v mvn
+ [ -x  ]
+ command -v go
+ [ -x /usr/local/go/bin/go ]
+ [ -f Gopkg.toml ]
+ exit_code=0
+ [ 0 -ne 0 ]
+ [ -z  ]
+ [  = test -a  = true ]
+ [  = test -a  = true ]
+ sh -c snyk test && snyk monitor

Testing /app...

Organization:      <>
Package manager:   gomodules
Target file:       go.mod
Project name:      app
Open source:       no
Project path:      /app
Licenses:          enabled

✔ Tested /app for known issues, no vulnerable paths found.

Next steps:
- Run `snyk monitor` to be notified about new related vulnerabilities.
- Run `snyk test` as part of your CI/test.



Monitoring /app (app)...

Explore this snapshot at https://app.snyk.io/org/<>/project/<>/history<>

Notifications about newly disclosed issues related to these dependencies will be emailed to you.

Snyk needs to mvn install before running the test.
Looking at the maven lifecycle install is the after test phase.
This mean all tests will be called during a mvn install.
If one of the tests fails the build breaks and snyk test will not be reached.

I don't believe running the test suite is part of the scope.
Maybe call mvn install -DskipTests or make it configurable?

Maybe on oversight on my part and I've missed out something, I will upload my Ci/Cd file showing my usage of snyk later today.

It appears the GitLab runner can't run custom images properly, failing to run exec on the entry point, however eval works

https://gitlab.com/gitlab-org/gitlab-runner/-/issues/1253

I'm not in a position to run my own image on the pipeline at the moment so can't really test it, but I was wondering if I had made a configuration mistake, and if not is it possible to change exec -> eval here without repercussions to other platforms where this is already functional, like GitHub Actions, CircleCI, etc.

As well as tagging for the build tools we also want to tag each new version of Snyk, in case users want to ping to a specific version for some reason.

The number of images being built now means the build is failing. We'll need to split it into chunks I think and run in separate jobs in parallel.

Hello,

We are interested in using these images, but the description says they are experimental. Is there an ETA when they will stop being experimental?

Thank you

Hello,
A question, more than an issue:

What is the difference between the images here vs. those in snyk/snyk-cli? And which ones should we use to scan our dependencies?

Thanks!

How do I customize the org name and the API endpoint? For on-premises Snyk deployments?

docker-entrypoint.sh contains

if ! [ -z "${COMMAND}" ]; then
    eval ${COMMAND}
else
...

This means that unless you override the entrypoint to be /bin/sh you will have problems with using this docker container in CI if CI passes it complex scripts, e.g. shell check

if [ -x /usr/local/bin/bash ]; then
	exec /usr/local/bin/bash 
elif [ -x /usr/bin/bash ]; then
	exec /usr/bin/bash 
elif [ -x /bin/bash ]; then
	exec /bin/bash 
elif [ -x /usr/local/bin/sh ]; then
	exec /usr/local/bin/sh 
elif [ -x /usr/bin/sh ]; then
	exec /usr/bin/sh 
elif [ -x /bin/sh ]; then
	exec /bin/sh 
elif [ -x /busybox/sh ]; then
	exec /busybox/sh 
else
	echo shell not found
	exit 1
fi

or, more easy to test:

$ docker run -ti snyk/snyk:golang-1.18 'if [ -z "" ]; then echo asdf; fi'
/usr/local/bin/docker-entrypoint.sh: 1: eval: Syntax error: "then" unexpected

https://docs.gitlab.com/ee/ci/docker/using_docker_images.html recommends

For Docker 17.06 and later:

image:
  name: super/sql:experimental
  entrypoint: [""]

For Docker 17.03 and earlier:

image:
  name: super/sql:experimental
  entrypoint: ["/bin/sh", "-c"]

which is a working workaround.

however, IMO this should not be needed, in which case eval is not appropriate in the default entrypoint.

It's recommended to lint shell scripts using shellcheck, there's a couple of potential commands in the docker-entrypoint.sh that may not be POSIX compliant

This has happened a few times that it feels warranted, but I'd like the snyk CLI to gracefully handle the inability for it to reach Snyk API. We're going to be minting our own docker image to wrap a handler on if it encounters a 5xx error, but would be great if the CLI did that so it's not massively disruptive when Snyk itself is having an issue (vs. finding something vulnerable).

golang: Pulling from docker.io/snyk/snyk
Digest: sha256:8c23008def1171ba2e2c22c4afa6d73e0e32699cf51b07befcd1c80150509c18
+ snyk test project --project-name="org/project" --org="<redacted>" --fail-on=upgradable
Internal error (reference: 29f94950-46f3-4f6c-a64b-66f64a22cfe9)

This could be done at the docker entrypoint (or in the CLI itself). Happy to close this and raise in the CLI repo, depending on how the team wants to dispense.

Would be nice to add the MONITOR=true feature of the classic images in order to have the results + the monitor results in one call.

It would save the time of bootstraping the project.

Hi Team,

I have been working on building snyk/snyk-images docker image for both amd64 and arm64 platforms.Successfully built the docker image having base image available for both the platforms. I have added buildx support to GitHub Actions build.yml workflow to release multi-arch images.

Changes Required: odidev@22ad16a

Do you have any plans for releasing ARM64 images?

It will be very helpful if an ARM64 image is available. If interested, I will raise a PR.

The examples are referencing $(PWD), which is invalid, it should probably be "${PWD}"

Based on this conversation https://twitter.com/garethr/status/1219642552565014528 it would be worthwhile having a Clojure image with all of the relevant tools.

When will node 16 and node 18 images be added for vulnerability scanning?

Missing Arm64 support on docker images; Org migrating to Graviton/Arm based instances and missing support for it is a deal breaker for us to keep using Snyk. Anything that can be shared at the moment?

Saw #22 , #59 and #68 being all related.

Hey guys! Is there a way to create also linux/arm64v8 images? I'm currently using Mac and I cannot make it work or at least I haven't found the way to do it.

I only see AMD64 image in DockerHub.

Cheers.