feat: More feedback from UI for unsupported images for Snyk Container (IDEA-I-1008)#802
Draft
infrasec-container-sa wants to merge 1 commit intomainfrom
Conversation
…mages Adds a structured imageSupport fact that flows from the scanner to downstream consumers (CLI / registry / app-ui), replacing the silent empty-result that currently gives a false impression of zero vulnerabilities. Changes: - lib/facts.ts: add ImageSupportFact, ImageSupportStatus, and ImageUnsupportedReason exported types - lib/types.ts: add 'imageSupport' to the FactType union - lib/image-support.ts: new helper computeImageSupport() with table- driven logic (windows-image > unknown-os > scratch-image > no-package-manager > supported); exports UNSUPPORTED_OS_NAMES and SUPPORTED_DISTROS_URL constants - lib/static.ts: call computeImageSupport() after parseAnalysisResults and pass the result to buildResponse() - lib/response-builder.ts: accept optional imageSupport parameter and emit the ImageSupportFact right after imageOsReleasePrettyName Tests added: - test/lib/image-support.spec.ts: table-driven unit tests for all support-status outcomes and boundary cases - test/lib/facts.spec.ts: imageSupportFact included in Fact[] round-trip compilation check - test/lib/response-builder.spec.ts: imageSupport fact emission, positioning, data preservation, and undefined-omission cases - test/lib/analyzer/os-release-detector.spec.ts: explicit contract tests for the 'unknown' sentinel returned when no OS release files exist
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Do Not Merge
This PR is for AEGIS. If you are a Snyk employee, you can visit https://github.com/aegis for additional context.
This is a public repo so details have been limited.
Do not merge this PR if this warning is visible. If you have any questions, please reach out to Parker Kuivila or Brian Gardiner
Problem Identified
When Snyk Container scans an image whose base/OS is not supported (e.g. Microsoft Container Registry images such as mcr.microsoft.com/* — unknown distro, no detectable package manager, or distro outside the supported OS list), the scan currently completes silently with zero vulnerabilities, giving customers the false impression that the image is clean. Add an explicit 'unsupported image' signal that flows from scanner to UI: (1) In snyk-docker-plugin, when OS/distro detection fails or returns an unsupported platform (no apk/deb/rpm DB found, unknown os-release, Windows base image, etc.), emit a structured fact on the scan result — e.g.
imageOsReleasePrettyNameplus a newunsupportedReason/supportStatus: 'unsupported'field — with the detected reason (unknown-os, unsupported-distro, no-package-manager, windows-image, etc.) and the originating image reference. Do NOT silently return an empty package list as if the scan succeeded. (2) In snyk/cli, bump the snyk-docker-plugin dependency and surface the unsupported-image warning in CLI text/JSON output (clear non-zero advisory message instead of '0 vulnerabilities'). (3) In snyk/registry, propagate this signal through the scan-ingest path, persist it on the container project's metadata, and expose it via the existing project/issues REST/GraphQL APIs so consumers can render it. (4) In snyk/app-ui, render a prominent banner/state on the container project view (and project list badges) explaining that the image is not supported by Snyk Container, why, and linking to the supported-distros docs — replacing the misleading 'No issues found' empty state for these projects. Scope is feedback only; this change does not add scan support for new base images (Microsoft etc. remain unsupported), it only makes the lack of support visible.Measurable Improvement
The signal must originate where the unsupported state is actually detected — snyk-docker-plugin, which inspects the image and currently swallows the 'no detectable distro/packages' case. The CLI is its primary consumer and needs a version bump plus output handling. registry is the system-of-record that persists project state and exposes the API the UI reads, and app-ui is where the customer-visible feedback (the actual ask in the ticket) is rendered, replacing the misleading empty 'no vulnerabilities' state. Order follows the standard scanner→cli→backend→UI dependency chain documented in the catalog's cross-repo patterns.
Category
feat (confidence: 5/5)
Files Changed
lib/analyzer/static-analyzer.tslib/analyzer/image-inspector.tslib/analyzer/os-release/index.tslib/response-builder.tslib/facts.tslib/types.tslib/scan.tsVerification
This PR was generated by AEGIS
Category: feat | Confidence: 5/5