@adrobuta adrobuta commented Dec 5, 2025

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Commit messages are release-note ready, emphasizing what was changed, not how.
  • Includes detailed description of changes
  • Contains risk assessment (Low | Medium | High)
  • Highlights breaking API changes (if applicable)
  • Links to automated tests covering new functionality
  • Includes manual testing instructions (if necessary)
  • Updates relevant GitBook documentation (PR link: ___)
  • Includes product update to be announced in the next stable release notes

What does this PR do?

Upgrades snyk-docker-plugin to add support for detecting CGO-linked and stripped Go binaries in container images. Previously, these binaries could not be analyzed for dependencies. With this update, snyk container will identify and report on Go applications compiled with CGO or built with stripped symbols.

Where should the reviewer start?

  • package.json - dependency version bump
  • Acceptance tests for the new CGO/stripped binary detection

How should this be manually tested?

Run snyk container test against a container image containing a CGO-compiled or stripped Go binary and verify the binary is detected and analyzed. Here is an example of scanning the public image docker.elastic.co/beats/filebeat:8.11.0:

SNYK_API=https://app.snyk.io/api/v1 node index.js container test  docker.elastic.co/beats/filebeat:8.11.0
Organization:      dummy-org
Package manager:   gomodules
Target file:       /usr/share/filebeat/filebeat
Project name:      github.com/elastic/beats/v7
Docker image:      docker.elastic.co/beats/filebeat:8.11.0
Licenses:          enabled

Tested 227 dependencies for known issues, found 7 issues.

Tested 2 projects, 2 contained vulnerable paths.

Without this change, we detect only the base image vulnerabilities:

snyk container test docker.elastic.co/beats/filebeat:8.11.0

Organization:      dummy-org
Package manager:   deb
Project name:      docker-image|docker.elastic.co/beats/filebeat
Docker image:      docker.elastic.co/beats/filebeat:8.11.0
Platform:          linux/arm64
Licenses:          enabled

Tested 129 dependencies for known issues, found 78 issues.

What's the product update that needs to be communicated to CLI users?

Snyk Container now supports detection of CGO and stripped Go binaries, improving vulnerability coverage for Go applications in container images.

@adrobuta adrobuta requested review from a team as code owners December 5, 2025 13:26
@adrobuta adrobuta changed the title from "Feat/container cgo stripped go binaries support" to "feat: container scan support for cgo and stripped Go binaries" Dec 5, 2025
test: add acceptance test for container cgo/stripped Go binaries
@adrobuta adrobuta force-pushed the feat/container-cgo-stripped-go-binaries-support branch from 9c4e9ec to 9b2ee6e December 5, 2025 13:42
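
To check independently whether a Go binary pulled from an image still carries dependency metadata when it is stripped or CGO-linked, here is an added example; it is not code from this PR or from snyk-docker-plugin and does not describe how the plugin performs detection. It uses Go's standard debug/buildinfo and debug/elf packages; `Report` and `Inspect` are hypothetical names, and reading dynamically linked libraries as a hint of CGO linkage is an assumption of this example.

```go
package main

import (
	"debug/buildinfo"
	"debug/elf"
	"fmt"
	"os"
)

type Report struct { // hypothetical summary type for this example
	GoVersion  string   // toolchain version recorded by the linker
	Deps       []string // "path@version" for each embedded dependency
	CgoEnabled string   // CGO_ENABLED build setting, empty if not recorded
	Stripped   bool     // ELF only: no .symtab section
	DynLibs    []string // ELF only: DT_NEEDED entries (assumed hint of cgo linkage)
}

// Inspect (hypothetical helper) reads the embedded Go build info, which is stored apart from .symtab.
func Inspect(path string) (*Report, error) {
	bi, err := buildinfo.ReadFile(path)
	if err != nil {
		return nil, fmt.Errorf("%s: no Go build info: %w", path, err)
	}
	r := &Report{GoVersion: bi.GoVersion}
	for _, d := range bi.Deps {
		r.Deps = append(r.Deps, d.Path+"@"+d.Version)
	}
	for _, s := range bi.Settings {
		if s.Key == "CGO_ENABLED" {
			r.CgoEnabled = s.Value
		}
	}
	if f, err := elf.Open(path); err == nil { // ELF-only checks
		defer f.Close()
		r.Stripped = f.Section(".symtab") == nil
		r.DynLibs, _ = f.ImportedLibraries()
	}
	return r, nil
}

func main() {
	paths := os.Args[1:]
	if self, err := os.Executable(); len(paths) == 0 && err == nil {
		paths = []string{self} // no arguments: inspect this program's own binary
	}
	for _, p := range paths {
		r, err := Inspect(p)
		fmt.Printf("%s: %+v (err: %v)\n", p, r, err)
	}
}
```

Pass it the paths of binaries extracted from an image layer; a file without Go build info is reported as an error rather than as an empty dependency list.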