container-security

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Container Security Scanner

容器安全扫描工具

Guide for comprehensive container image security analysis, covering OS vulnerabilities, application dependencies, and Dockerfile best practices.

Core Principle: Secure containers from the base up - secure base image, minimal packages, no vulnerabilities.

全面容器镜像安全分析指南，涵盖操作系统漏洞、应用程序依赖项以及Dockerfile最佳实践。

核心原则：从基础层面加固容器——安全的基础镜像、最小化包、无漏洞。

Quick Start

快速开始

1. Identify image to scan (local, registry, or archive)
2. Run snyk_container_scan with image name
3. Analyze results: OS packages + application deps
4. Provide remediation guidance
5. Optionally fix Dockerfile issues

1. 确定要扫描的镜像（本地、镜像仓库或归档文件）
2. 使用镜像名称运行snyk_container_scan
3. 分析结果：操作系统包 + 应用程序依赖项
4. 提供修复指导
5. （可选）修复Dockerfile问题

Phase 1: Image Identification

阶段1：镜像识别

Step 1.1: Parse User Input

步骤1.1：解析用户输入

Extract the image reference from the user's request (e.g.,

myapp:latest

nginx:1.25

gcr.io/project/app:v1

sha256:abc123...

, or

./image.tar

从用户请求中提取镜像引用（例如：

myapp:latest

、

nginx:1.25

、

gcr.io/project/app:v1

、

sha256:abc123...

或

./image.tar

）。

Step 1.2: Determine Scan Scope

步骤1.2：确定扫描范围

Ask or infer:

App vulns: Include application dependencies? (default: yes for v1.1090.0+)
Base image: Separate base image vulns? (useful for understanding what you control)
Platform: For multi-arch images, which platform? (linux/amd64, linux/arm64)

询问或推断：

应用程序漏洞：是否包含应用程序依赖项？（默认：v1.1090.0及以上版本为是）
基础镜像：是否单独分析基础镜像漏洞？（有助于了解可控范围）
平台：对于多架构镜像，选择哪个平台？（linux/amd64、linux/arm64）

Phase 2: Execute Scan

阶段2：执行扫描

Step 2.1: Basic Scan

步骤2.1：基础扫描

Invoke

mcp_snyk_snyk_container_scan

with:

```
image
```
: the image name or path

调用

mcp_snyk_snyk_container_scan

并传入：

```
image
```
：镜像名称或路径

Step 2.2: Advanced Scan Options

步骤2.2：高级扫描选项

For more comprehensive analysis, invoke

mcp_snyk_snyk_container_scan

with:

```
image
```
: the image name
```
file
```
: path to Dockerfile (enables better remediation advice)
```
app_vulns
```
:
```
true
```
(scan app dependencies)
```
severity_threshold
```
:
```
"high"
```
(filter to high/critical only)

如需更全面的分析，调用

mcp_snyk_snyk_container_scan

并传入：

```
image
```
：镜像名称
```
file
```
：Dockerfile路径（可提供更优的修复建议）
```
app_vulns
```
：
```
true
```
（扫描应用程序依赖项）
```
severity_threshold
```
：
```
"high"
```
（仅筛选高/严重级别的漏洞）

Step 2.3: Base Image Analysis

步骤2.3：基础镜像分析

To isolate inherited vs. added vulnerabilities:

Invoke

mcp_snyk_snyk_container_scan

with

image

and

exclude_base_image_vulns: true

— shows only vulnerabilities your layers added.

Invoke again without that flag — shows the full picture including base OS.

为区分继承漏洞与新增漏洞：

调用
```
mcp_snyk_snyk_container_scan
```
并传入
```
image
```
和
```
exclude_base_image_vulns: true
```
——仅显示你的镜像层新增的漏洞。
再次调用该工具，不添加上述参数——显示包含基础操作系统的完整漏洞情况。

Phase 3: Analyze Results

阶段3：分析结果

Step 3.1: Categorize Findings

步骤3.1：分类发现的问题

Source	Description	Your Control
Base OS packages	Installed by base image	Change base image
Additional OS packages	Installed via apt/yum	Update or remove
App dependencies	Node modules, Python packages	Update versions
Dockerfile issues	Misconfigurations	Direct fix

来源	描述	可控性
基础操作系统包	由基础镜像安装	更换基础镜像
额外操作系统包	通过apt/yum安装	更新或移除
应用程序依赖项	Node模块、Python包	更新版本
Dockerfile问题	配置错误	直接修复

Step 3.2: Generate Summary

步骤3.2：生成汇总报告

undefined

undefined

Container Scan Results: [image:tag]

容器扫描结果：[image:tag]

Overview

概览

Category	Critical	High	Medium	Low
OS Packages	X	Y	Z	W
App Dependencies	A	B	C	D
Total	X+A	Y+B	Z+C	W+D

分类	严重	高	中	低
操作系统包	X	Y	Z	W
应用程序依赖项	A	B	C	D
总计	X+A	Y+B	Z+C	W+D

Base Image Analysis

基础镜像分析

Base: [base image detected]
Vulnerabilities from base: [count]
Vulnerabilities you added: [count]

基础镜像：[检测到的基础镜像]
来自基础镜像的漏洞：[数量]
新增的漏洞：[数量]

Top Priority Issues

最高优先级问题

Severity	Package	Vulnerability	Fix Available
Critical	openssl	CVE-2024-XXXX	Yes - 3.0.12
High	libcurl	CVE-2024-YYYY	Yes - 8.5.0

undefined

级别	包	漏洞	是否有修复方案
严重	openssl	CVE-2024-XXXX	是 - 3.0.12
高	libcurl	CVE-2024-YYYY	是 - 8.5.0

undefined

Step 3.3: Identify Fix Strategies

步骤3.3：确定修复策略

OS Packages: Update package in Dockerfile, upgrade base image, or use distroless/minimal base.

App Dependencies: Update in source manifest and rebuild image with updated dependencies.

No Fix Available: Document accepted risk, consider alternative package, or wait for upstream fix.

操作系统包：在Dockerfile中更新包、升级基础镜像，或使用无发行版/极简基础镜像。

应用程序依赖项：在源清单中更新版本，并用更新后的依赖项重新构建镜像。

无修复方案：记录已接受的风险、考虑替代包，或等待上游修复。

Phase 4: Remediation Guidance

阶段4：修复指导

Step 4.1: Base Image Upgrades

步骤4.1：基础镜像升级

If base image has vulnerabilities:

undefined

如果基础镜像存在漏洞：

undefined

Base Image Recommendation

基础镜像推荐

Current: node:16-alpine Vulnerabilities: 15 (3 Critical, 5 High)

Recommended: node:20-alpine Vulnerabilities: 2 (0 Critical, 1 High)

当前镜像：node:16-alpine 漏洞数量：15个（3个严重、5个高风险）

推荐镜像：node:20-alpine 漏洞数量：2个（0个严重、1个高风险）

Dockerfile Change

Dockerfile修改

dockerfile

undefined

dockerfile

undefined

Before

修改前

FROM node:16-alpine

After

修改后

FROM node:20-alpine

undefined

FROM node:20-alpine

undefined

Migration Notes

迁移说明

Node 20 has breaking changes in [list]
Test thoroughly before deploying

undefined

Node 20存在以下破坏性变更[列表]
部署前需全面测试

undefined

Step 4.2: Package Updates

步骤4.2：包更新

For individual package vulnerabilities:

undefined

针对单个包漏洞：

undefined

Package Fix: openssl

包修复：openssl

Current: 3.0.8 Vulnerable to: CVE-2024-XXXX (Critical) Fix Version: 3.0.12

当前版本：3.0.8 受影响漏洞：CVE-2024-XXXX（严重） 修复版本：3.0.12

Dockerfile Addition

Dockerfile新增内容

dockerfile

undefined

dockerfile

undefined

Add before your application layer

在应用层之前添加

RUN apk update && apk upgrade openssl

undefined

RUN apk update && apk upgrade openssl

undefined

Step 4.3: Application Dependency Fixes

步骤4.3：应用程序依赖项修复

undefined

undefined

Application Dependency Fix

应用程序依赖项修复

Package: lodash (via npm) Current: 4.17.15 Fix Version: 4.17.21

包：lodash（通过npm安装） 当前版本：4.17.15 修复版本：4.17.21

Steps

步骤

Update package.json: "lodash": "^4.17.21"
Rebuild image: docker build -t myapp:fixed .
Verify fix: snyk container test myapp:fixed

undefined

更新package.json："lodash": "^4.17.21"
重新构建镜像：docker build -t myapp:fixed .
验证修复：snyk container test myapp:fixed

undefined

Step 4.4: Dockerfile Best Practices

步骤4.4：Dockerfile最佳实践

Key improvements to recommend:

dockerfile

undefined

推荐的关键改进：

dockerfile

undefined

1. Pin specific tags (not latest)

1. 固定具体标签（不要使用latest）

FROM node:20.10.0-alpine3.19

2. Run as non-root

2. 以非root用户运行

RUN addgroup -g 1001 appgroup &&
adduser -u 1001 -G appgroup -D appuser USER appuser

RUN addgroup -g 1001 appgroup && \ adduser -u 1001 -G appgroup -D appuser USER appuser

3. Multi-stage builds (smaller image, fewer vulns)

3. 多阶段构建（镜像更小、漏洞更少）

FROM node:20 AS builder WORKDIR /app COPY . . RUN npm ci && npm run build

FROM node:20-alpine COPY --from=builder /app/dist /app CMD ["node", "/app/index.js"]

FROM node:20 AS builder WORKDIR /app COPY . . RUN npm ci && npm run build

FROM node:20-alpine COPY --from=builder /app/dist /app CMD ["node", "/app/index.js"]

4. Minimize packages

4. 最小化包数量

RUN apt-get install -y --no-install-recommends curl

---

RUN apt-get install -y --no-install-recommends curl

---

Phase 5: Verification

阶段5：验证

Step 5.1: Rebuild Image

步骤5.1：重新构建镜像

bash

undefined

bash

undefined

Rebuild with no cache to ensure fresh packages

禁用缓存重新构建以确保使用最新包

docker build --no-cache -t myapp:fixed .

undefined

docker build --no-cache -t myapp:fixed .

undefined

Step 5.2: Re-scan

步骤5.2：重新扫描

Invoke

mcp_snyk_snyk_container_scan

with:

```
image
```
:
```
myapp:fixed
```
```
file
```
:
```
./Dockerfile
```

调用

mcp_snyk_snyk_container_scan

并传入：

```
image
```
：
```
myapp:fixed
```
```
file
```
：
```
./Dockerfile
```

Step 5.3: Compare Results

步骤5.3：对比结果

undefined

undefined

Fix Verification

修复验证

Metric	Before	After	Change
Critical	3	0	-3 ✅
High	5	1	-4 ✅
Medium	12	8	-4 ✅
Total	20	9	-11 ✅

指标	修复前	修复后	变化
严重	3	0	-3 ✅
高	5	1	-4 ✅
中	12	8	-4 ✅
总计	20	9	-11 ✅

Remaining Issues

剩余问题

1 High: No fix available upstream (document risk)
8 Medium: Low priority (schedule for next sprint)

---

1个高风险：上游无修复方案（记录风险）
8个中风险：低优先级（安排在下一个迭代中处理）

---

End-to-End Example

端到端示例

User: "Scan my app:latest image and help me fix it."

Step 1 — Run the scan:

mcp_snyk_snyk_container_scan(image="app:latest", app_vulns=true)

Step 2 — Tool returns (example output):

json

{
  "summary": "Found 18 vulnerabilities (2 Critical, 6 High, 10 Medium)",
  "baseImage": "node:16-alpine",
  "vulnerabilities": [
    { "severity": "critical", "pkgName": "openssl", "version": "3.0.8",
      "fixedIn": "3.0.12", "id": "CVE-2024-0001" },
    { "severity": "high", "pkgName": "lodash", "version": "4.17.15",
      "fixedIn": "4.17.21", "id": "CVE-2021-23337" }
  ]
}

Step 3 — Deliver structured response:

undefined

用户："扫描我的app:latest镜像并帮我修复问题。"

步骤1 — 运行扫描：

mcp_snyk_snyk_container_scan(image="app:latest", app_vulns=true)

步骤2 — 工具返回（示例输出）：

json

{
  "summary": "发现18个漏洞（2个严重、6个高风险、10个中风险）",
  "baseImage": "node:16-alpine",
  "vulnerabilities": [
    { "severity": "critical", "pkgName": "openssl", "version": "3.0.8",
      "fixedIn": "3.0.12", "id": "CVE-2024-0001" },
    { "severity": "high", "pkgName": "lodash", "version": "4.17.15",
      "fixedIn": "4.17.21", "id": "CVE-2021-23337" }
  ]
}

步骤3 — 提供结构化回复：

undefined

Scan Results: app:latest

扫描结果：app:latest

Base image: node:16-alpine | 2 Critical · 6 High · 10 Medium

基础镜像：node:16-alpine | 2个严重 · 6个高风险 · 10个中风险

Immediate Actions

立即行动

Upgrade base image → node:20-alpine (eliminates ~14 vulns)
Pin openssl ≥ 3.0.12 in Dockerfile (CVE-2024-0001, Critical)
Update lodash to ^4.17.21 in package.json (CVE-2021-23337, High)

升级基础镜像 → node:20-alpine（消除约14个漏洞）
在Dockerfile中固定openssl ≥ 3.0.12（修复CVE-2024-0001，严重级别）
在package.json中更新lodash至^4.17.21（修复CVE-2021-23337，高风险级别）

Dockerfile patch

Dockerfile补丁

FROM node:20-alpine # was node:16-alpine RUN apk add --no-cache openssl>=3.0.12


**Step 4** — After applying fixes, rebuild and re-scan to confirm resolution.

---

FROM node:20-alpine # 原镜像为node:16-alpine RUN apk add --no-cache openssl>=3.0.12


**步骤4** — 应用修复后，重新构建并扫描以确认问题已解决。

---

Common Scenarios

常见场景

Scenario 1: "Scan my Docker image"

场景1："扫描我的Docker镜像"

1. Invoke snyk_container_scan(image="app:latest")
2. Summarize findings by category
3. Recommend highest-priority fixes
4. Provide Dockerfile changes

1. 调用snyk_container_scan(image="app:latest")
2. 按分类汇总发现的问题
3. 推荐最高优先级的修复方案
4. 提供Dockerfile修改建议

Scenario 2: "Secure my Dockerfile"

场景2："加固我的Dockerfile"

1. Review Dockerfile for best practices
2. Build image if not already built
3. Invoke snyk_container_scan(image=..., file="./Dockerfile")
4. Combine scan results with Dockerfile review
5. Provide unified remediation

1. 检查Dockerfile的最佳实践合规性
2. 若未构建镜像则进行构建
3. 调用snyk_container_scan(image=..., file="./Dockerfile")
4. 结合扫描结果与Dockerfile检查情况
5. 提供统一的修复方案

Scenario 3: "Find a more secure base image"

场景3："寻找更安全的基础镜像"

1. Identify current base image and vulnerabilities
2. Scan alternative base images
3. Compare vulnerability counts
4. Recommend best option with migration notes

1. 确定当前基础镜像及其漏洞情况
2. 扫描备选基础镜像
3. 对比漏洞数量
4. 推荐最佳选项及迁移说明

Base Image Quick Reference

基础镜像快速参考

Runtime	Recommended Base	Notes
Node.js	`node:20-alpine`	Smallest, may lack some libs
Node.js	`node:20-slim`	Debian-based, more compatible
Python	`python:3.12-slim`	Good balance
Python	`python:3.12-alpine`	Smallest
Java	`eclipse-temurin:21-jre-alpine`	JRE only
Go	`gcr.io/distroless/static`	No shell, minimal attack surface
.NET	`mcr.microsoft.com/dotnet/aspnet:8.0-alpine`	Runtime only

Distroless options (

gcr.io/distroless/

static

(Go/Rust),

base

(most languages),

java

nodejs

— all offer minimal attack surface with no shell.

运行时	推荐基础镜像	说明
Node.js	`node:20-alpine`	体积最小，可能缺少部分库
Node.js	`node:20-slim`	基于Debian，兼容性更强
Python	`python:3.12-slim`	平衡性能与体积
Python	`python:3.12-alpine`	体积最小
Java	`eclipse-temurin:21-jre-alpine`	仅包含JRE
Go	`gcr.io/distroless/static`	无shell，攻击面最小
.NET	`mcr.microsoft.com/dotnet/aspnet:8.0-alpine`	仅包含运行时

无发行版选项 (

gcr.io/distroless/

)：

static

（Go/Rust）、

base

（多数语言）、

java

、

nodejs

——均无shell，攻击面极小。

Error Handling

错误处理

Error	Solutions
Image not found locally	`docker pull <image>` · check name spelling · verify registry access
Registry authentication required	`docker login <registry>` · verify credentials and permissions
Scan timed out	Retry · pull image locally first · scan a `.tar` archive instead

错误	解决方案
本地未找到镜像	`docker pull <image>` · 检查名称拼写 · 验证镜像仓库访问权限
需要镜像仓库认证	`docker login <registry>` · 验证凭据与权限
扫描超时	重试 · 先拉取镜像到本地 · 改为扫描 `.tar` 归档文件

Constraints

约束条件

Scan before deploy: Never deploy unscanned images
Pin versions: Use specific image tags, not
```
latest
```
Document exceptions: If vulnerabilities can't be fixed, document why
Regular rescans: Images should be rescanned weekly for new CVEs
Multi-stage builds: Prefer smaller production images

部署前扫描：绝不部署未扫描的镜像
固定版本：使用具体镜像标签，不要使用
```
latest
```
记录例外情况：若漏洞无法修复，记录原因
定期重新扫描：每周重新扫描镜像以发现新的CVE
多阶段构建：优先选择体积更小的生产镜像 ",