@parker-snyk
Contributor

@parker-snyk parker-snyk commented Nov 18, 2025

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Commit messages are release-note ready, emphasizing what was changed, not how.
  • Includes detailed description of changes
  • Contains risk assessment (Low)
  • Highlights breaking API changes (if applicable) n/a
  • Links to automated tests covering new functionality
  • Includes manual testing instructions (if necessary) n/a
  • Updates relevant GitBook documentation (PR link: ___) n/a
  • Includes product update to be announced in the next stable release notes

What does this PR do?

Updates snyk-docker-plugin to version 8.12.0 to add support for Docker Hardened Images (DHI) package identification. DHI packages now use the dhi namespace in their PURLs instead of the distro namespace (debian), allowing the vulnerability service to correctly match vulnerabilities to the package.

Example PURL change:

This prevents false positives from matching DHI's patched packages against vulnerability data for unpatched distro packages.

Where should the reviewer start?

  1. Review the new acceptance tests in test/tap/cli-test/cli-test.docker-dhi.spec.ts to understand the expected behavior
  2. Check the package.json dependency update for snyk-docker-plugin
  3. Verify the tests validate that CLI correctly passes through DHI PURLs from the plugin to the backend

The actual DHI detection logic (parsing the Maintainer field from dpkg database) lives in snyk-docker-plugin - this PR just integrates that change.

What's the product update that needs to be communicated to CLI users?

The CLI now correctly identifies Docker Hardened Images (DHI) packages through snyk-docker-plugin. This prevents false positive vulnerability reports on DHI's patched packages. No action required from users - the detection happens automatically when scanning DHI containers.

Risk assessment (Low)?

Low

  • Change is contained to snyk-docker-plugin dependency update
  • DHI detection uses existing dpkg Maintainer field parsing
  • Non-DHI images are unaffected
  • CLI code doesn't change - it just passes through PURL data from the plugin

Any background context you want to provide?

Docker Hardened Images patches binaries in their container images to fix vulnerabilities. Without namespace differentiation, Snyk was incorrectly matching these patched packages against the standard distro vulnerability feed, causing false positives.

The vulnerability service maintains a separate feed for DHI packages, but needs the PURL namespace (dhi vs debian) to determine which feed to query.

What are the relevant tickets?

CN-488

snyk-docker-plugin diff

snyk/snyk-docker-plugin@v8.10.2...main
Only a few lines changed, the rest of the changes are test fixtures and tests
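As an added illustration of the namespace rule the description outlines (example code, not from snyk-docker-plugin or this PR): a small TypeScript routine that parses dpkg status stanzas, picks the `dhi` or `debian` PURL namespace from the Maintainer field, and emits PURLs. The maintainer marker string and the sample status entries are assumptions constructed for the example; the plugin's real matching rule is not shown on this page.

```typescript
type DpkgPackage = { name: string; version: string; arch: string; maintainer: string };

// ASSUMPTION: placeholder substring marking DHI-maintained packages; not the plugin's real rule.
const DHI_MAINTAINER_MARKER = "Docker Hardened Images";

// Minimal parser for dpkg status stanzas ("Field: value" lines, blank-line separated).
// Continuation lines of multi-line fields (e.g. Description) are ignored.
function parseDpkgStatus(text: string): DpkgPackage[] {
  const out: DpkgPackage[] = [];
  for (const stanza of text.split(/\n\s*\n/)) {
    const fields: Record<string, string> = {};
    for (const line of stanza.split("\n")) {
      const m = /^([A-Za-z-]+):\s*(.*)$/.exec(line);
      if (m) fields[m[1]] = m[2];
    }
    if (!fields["Package"] || !fields["Version"]) continue;
    out.push({
      name: fields["Package"],
      version: fields["Version"],
      arch: fields["Architecture"] ?? "",
      maintainer: fields["Maintainer"] ?? "",
    });
  }
  return out;
}

// DHI-patched packages get the "dhi" namespace so the vulnerability service queries
// its DHI feed; the distro namespace would match them against unpatched distro advisories.
function purlNamespace(pkg: DpkgPackage, distro: string): string {
  return pkg.maintainer.includes(DHI_MAINTAINER_MARKER) ? "dhi" : distro;
}

// pkg:deb/<namespace>/<name>@<version>?arch=...; the version is percent-encoded
// because Debian epochs contain ':' and the PURL spec requires encoding it.
function toPurl(pkg: DpkgPackage, distro: string): string {
  const ns = purlNamespace(pkg, distro);
  const q = pkg.arch ? `?arch=${encodeURIComponent(pkg.arch)}` : "";
  return `pkg:deb/${ns}/${pkg.name}@${encodeURIComponent(pkg.version)}${q}`;
}

// Constructed sample status entries (not real packages or addresses).
const SAMPLE_STATUS = [
  "Package: libexample", "Version: 1:2.3.4-1", "Architecture: amd64",
  "Maintainer: Docker Hardened Images <placeholder@example.invalid>", "",
  "Package: zlib1g", "Version: 1.2.13.dfsg-1", "Architecture: amd64",
  "Maintainer: Debian zlib Team <placeholder@example.invalid>",
].join("\n");
function samplePurls(): string[] {
  return parseDpkgStatus(SAMPLE_STATUS).map((p) => toPurl(p, "debian"));
}
```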

@parker-snyk parker-snyk force-pushed the CN-488-docker-hardened-image-purl branch 2 times, most recently from b0379c9 to 66fedc9 November 18, 2025 16:21
@github-actions
Contributor

github-actions bot commented Nov 18, 2025

Warnings
⚠️

Looks like you added a new Tap test. Consider making it a Jest test instead. See files in test/jest/(unit|acceptance) for examples. Files found:

  • test/tap/cli-test/cli-test.docker-dhi.spec.ts

Generated by 🚫 dangerJS against c7a64ee

@parker-snyk parker-snyk marked this pull request as ready for review November 18, 2025 19:31
@parker-snyk parker-snyk requested review from a team as code owners November 18, 2025 19:31
@parker-snyk parker-snyk force-pushed the CN-488-docker-hardened-image-purl branch from 66fedc9 to 7410166 November 19, 2025 04:12
@parker-snyk parker-snyk force-pushed the CN-488-docker-hardened-image-purl branch from 7410166 to ece6b23 November 19, 2025 18:22
@danlucian danlucian self-requested a review December 4, 2025 10:53
Contributor

@j-luong j-luong left a comment

@parker-snyk before merging, please can this be

  • Rebased
  • Commits squashed
  • Update commit from feat: ... to fix: ... (if you want to include this in the next hotfix)

@j-luong j-luong disabled auto-merge December 4, 2025 14:03
@j-luong j-luong force-pushed the CN-488-docker-hardened-image-purl branch 3 times, most recently from 137da7e to c7a64ee December 4, 2025 14:25
@j-luong j-luong changed the title from "feat: support docker hardened images" to "fix: support docker hardened images" Dec 4, 2025
@j-luong j-luong force-pushed the CN-488-docker-hardened-image-purl branch from c7a64ee to 45d8389 December 4, 2025 14:30