I'm currently scanning our Docker images with Snyk, but we recently received a report from a customer who uses JFrog. Their scan detected medium and low vulnerabilities in the base image that our Snyk scan didn't catch. Although these vulnerabilities fall outside our SLA, it's concerning to not have complete information. I've tried adjusting the Snyk settings but haven't been able to replicate JFrog's findings. Are there any tips or tricks for using Snyk more effectively? We are currently working with the default security policy.
3 Answers
Different scanners use separate vulnerability databases, so it's possible that Snyk just isn't mapping certain items. Have you tried updating Snyk’s database? It might help you catch those vulnerabilities that JFrog is reporting.
If the discrepancies continue, consider trying other tools like Grype or Trivy to cross-verify vulnerabilities. They can often highlight different issues that Snyk might miss.
You should double-check your Dockerfile. Are you using a multi-stage build? Also, make sure that the images being scanned from both tools actually match your 'FROM' directive, as that can affect results.

I've noticed a similar issue! For example, our image scans label 'openssl/libssl3' as a dependency, but it seems Snyk only recognizes 'libssl3'. This little discrepancy could be the reason. Does that give you any ideas?
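One way to cross-check two scanner reports after normalising the 'source/binary' package naming mentioned above, as an added example (not code from any poster or from Snyk/JFrog); the findings, package list and CVE ids below are constructed placeholders, and the simplified (package, cve) input shape is an assumption, not any scanner's real output format:

```python
"""Diff the findings of two container-image scanners by package name.

The point: 'openssl/libssl3' (source/binary) and 'libssl3' (binary only)
are the same installed package, so findings must be keyed on the
normalised binary name before the CVE sets are compared.
"""
from collections import defaultdict


def normalize_pkg(name: str) -> str:
    """Strip a Debian-style 'source/binary' prefix (assumption: anything
    before the last '/' is the source package) and lower-case the rest."""
    return name.rsplit("/", 1)[-1].strip().lower()


def index_findings(findings):
    """Map normalised package name -> set of CVE ids reported for it."""
    by_pkg = defaultdict(set)
    for pkg, cve in findings:
        by_pkg[normalize_pkg(pkg)].add(cve.strip().upper())
    return by_pkg


def compare(scan_a, scan_b):
    """Return {package: {'only_a': [...], 'only_b': [...]}} for every
    package where the two scanners disagree; empty dict means agreement."""
    a, b = index_findings(scan_a), index_findings(scan_b)
    result = {}
    for pkg in sorted(set(a) | set(b)):
        only_a, only_b = a[pkg] - b[pkg], b[pkg] - a[pkg]
        if only_a or only_b:
            result[pkg] = {"only_a": sorted(only_a), "only_b": sorted(only_b)}
    return result


# Constructed sample reports with placeholder CVE ids (not real advisories).
SNYK_SAMPLE = [
    ("libssl3", "CVE-0000-0001"),
    ("zlib1g", "CVE-0000-0003"),
]
JFROG_SAMPLE = [
    ("openssl/libssl3", "CVE-0000-0001"),
    ("openssl/libssl3", "CVE-0000-0002"),  # reported by one scanner only
    ("zlib1g", "CVE-0000-0003"),
]

if __name__ == "__main__":
    for pkg, diff in compare(SNYK_SAMPLE, JFROG_SAMPLE).items():
        print(pkg, "only in A:", diff["only_a"], "only in B:", diff["only_b"])
```

Packages that remain in the diff after normalisation are the real gaps worth raising with the scanner vendor; packages that disappear were pure naming mismatches.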