This example demonstrates how to run Snyk as part of a build target in a Docker build. This is useful when all workloads in a CI environment are run in containers. The example uses Python, but the general pattern should work for other toolsets as well.
$ docker build --build-arg SNYK_TOKEN=<your-token> --target Security .
Sending build context to Docker daemon 13.82kB
Step 1/18 : FROM python:3.7-alpine3.8 AS parent
---> f11f279751de
Step 2/18 : WORKDIR /app
---> Using cache
---> 15ea6a40787c
Step 3/18 : RUN pip3 install pipenv
---> Using cache
---> dc91d1b0b93a
Step 4/18 : FROM parent AS base
---> dc91d1b0b93a
Step 5/18 : RUN apk add --no-cache --update git=2.18.1-r0
---> Using cache
---> c389f3820f07
Step 6/18 : COPY Pipfile /app/
---> Using cache
---> 4ad53282ce3d
Step 7/18 : COPY Pipfile.lock /app/
---> Using cache
---> b3529f2992de
Step 8/18 : RUN pipenv install --deploy --system
---> Using cache
---> 55e4c01cc00a
Step 9/18 : COPY src /app
---> Using cache
---> 75f6bb916069
Step 10/18 : FROM parent as Security
---> dc91d1b0b93a
Step 11/18 : ARG SNYK_TOKEN
---> Using cache
---> c44d2b80fbc4
Step 12/18 : RUN apk add --no-cache curl wget gcc
---> Using cache
---> e0a35f2f82ff
Step 13/18 : RUN curl -s https://api.github.com/repos/snyk/snyk/releases/latest | grep "browser_download_url" | grep alpine | cut -d '"' -f 4 | wget -i - && sha256sum -c snyk-alpine.sha256 && mv snyk-alpine /usr/local/bin/snyk && chmod +x /usr/local/bin/snyk
---> Using cache
---> b3ae567a9986
Step 14/18 : COPY Pipfile /app/
---> Using cache
---> f5bf0025415d
Step 15/18 : COPY Pipfile.lock /app/
---> Using cache
---> 6f6cf278c567
Step 16/18 : RUN pipenv install
---> Using cache
---> 9e6f31d04b16
Step 17/18 : COPY src /app
---> Using cache
---> 4c9197d98332
Step 18/18 : RUN /usr/local/bin/snyk test
---> Running in 7ae3e4e777ec
Testing /app...
✗ High severity vulnerability found in flask
Description: Improper Input Validation
Info: https://snyk.io/vuln/SNYK-PYTHON-FLASK-42185
Introduced through: flask@0.12
From: flask@0.12
Organisation: garethr
Package manager: pip
Target file: Pipfile
Open source: no
Project path: /app
Tested 7 dependencies for known vulnerabilities, found 1 vulnerability, 1 vulnerable path.
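The Dockerfile implied by the "Step N/18" lines above, written out as an added example; it is not the project's own file. It differs in one place: the final stage reads the token from a BuildKit secret mount instead of `ARG SNYK_TOKEN`. The secret id `snyk_token` and the token file path are assumptions.

```dockerfile
# syntax=docker/dockerfile:1
# Added example: stages reconstructed from the build output above.
# Build (BuildKit required; the token file path is a placeholder):
#   DOCKER_BUILDKIT=1 docker build \
#     --secret id=snyk_token,src=<path-to-token-file> --target Security .

FROM python:3.7-alpine3.8 AS parent
WORKDIR /app
RUN pip3 install pipenv

# Application image: installs only what Pipfile.lock pins.
FROM parent AS base
RUN apk add --no-cache --update git=2.18.1-r0
COPY Pipfile /app/
COPY Pipfile.lock /app/
RUN pipenv install --deploy --system
COPY src /app

# Scan-only stage: built with --target Security, not shipped.
FROM parent as Security

# The build shown above declares the token here (step 11):
#   ARG SNYK_TOKEN
# Build-arg values are visible through `docker history` to anyone who can
# read the resulting image, and they take part in layer cache keys.
# This variant drops the ARG and uses a secret mount on the last RUN.

RUN apk add --no-cache curl wget gcc
RUN curl -s https://api.github.com/repos/snyk/snyk/releases/latest | grep "browser_download_url" | grep alpine | cut -d '"' -f 4 | wget -i - && sha256sum -c snyk-alpine.sha256 && mv snyk-alpine /usr/local/bin/snyk && chmod +x /usr/local/bin/snyk
COPY Pipfile /app/
COPY Pipfile.lock /app/
RUN pipenv install
COPY src /app

# The secret is mounted at /run/secrets/snyk_token for this RUN only and is
# not written to any layer. The Snyk CLI reads SNYK_TOKEN from the environment.
# A non-zero exit from `snyk test` (vulnerabilities found) fails the build,
# which is what gates the CI job.
RUN --mount=type=secret,id=snyk_token \
    SNYK_TOKEN="$(cat /run/secrets/snyk_token)" /usr/local/bin/snyk test
```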