Snyk Container (Snyk's container-image scanner) scans the final built image for installed packages and known vulnerabilities. The image can be checked without starting a container.

A scan can say checkout-api contains CVE-2026-4172 (a public vulnerability identifier). It also gives an image digest: an immutable identifier for one exact image, of the form sha256:... (see the Docker docs). Security still needs the runtime facts: is that exact image live in production, exposed to the internet, tied to a rollout, owned by a team, and still open?

In this example, Snyk flags CVE-2026-4172 on checkout-api, image registry.demo.local/checkout-api@sha256:checkout-prod-9f31, in target demo-retail/checkout-api.

That image digest is the handoff. Anyshift looks it up in Kubernetes runtime, event history, cloud exposure, and ownership, then writes the verified fields back to the Snyk Project (the Snyk record for that scanned target) as attributes and tags.

Snyk digest joined to Anyshift runtime proof fields

The runtime data comes from Anyshift's event-based Kubernetes graph. It stores the live cluster topology and the changes behind it: pods, containers, services, ingresses, deployments, ReplicaSets, namespaces, owner references, and rollouts.

Diagram: Event-based Kubernetes graph, five facts from one graph. DIGEST sha256:checkout-prod-9f31; LIVE POD 3 pods, prod; ROUTE public ingress; ROLLOUT 2026-06-09 10:12Z; OWNER checkout-platform.

Snyk Finding

Anyshift does not rely on the service name alone. It matches the Snyk image digest to the image digest on running Kubernetes containers.

Snyk Container finding: one vulnerable image digest
Severity: Critical
CVE: CVE-2026-4172
Project: checkout-api
Image: registry.demo.local/checkout-api@sha256:checkout-prod-9f31

Runtime Evidence

Before Anyshift writes tags back to Snyk, it queries its Kubernetes graph for the runtime evidence behind each tag:

Anyshift graph evidence: facts required before a Snyk tag is written
Digest match: the same digest is live
  docker-pullable://registry.demo.local/checkout-api@sha256:checkout-prod-9f31
Prod scope: 3 pods in checkout-prod
  checkout-api-7f9c-1, checkout-api-7f9c-2, checkout-api-7f9c-3
Exposure: internet-facing route
  ingress/checkout-public -> service/checkout-api
Arrival: rollout introduced the digest
  rollout/checkout-api-7f9c at 2026-06-09T10:12:00Z
Owner + window: actor and status
  release-bot@github-actions -> checkout-platform, window=open

If no live pod has that digest, Anyshift leaves live_prod off. If the graph has no rollout event, it leaves arrival time and actor blank.
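The join described above, as an added example that is not Anyshift's or Snyk's code: it does the exact-digest match against running containers (a pod with the same workload name but a different digest is deliberately not counted), scopes the result to prod namespaces, walks ingress -> service -> pod labels for exposure, attaches the rollout event only when one exists, and turns the verified fields into Snyk tags. The pods, services, ingresses and rollout events are constructed sample data; the prod-namespace allow-list and the tag payload shape (one `{"key", "value"}` body per Snyk v1 project tag) are assumptions, and nothing here calls a live API.

```python
"""Exact-digest join of a Snyk Container finding to Kubernetes runtime evidence.

Added example, not Anyshift's or Snyk's code. All graph records below are constructed
sample data; the tag payload shape is an assumption about Snyk's v1 project tags endpoint.
"""
from typing import Optional

PROD_NAMESPACES = {"checkout-prod"}  # assumption: prod scope is a namespace allow-list

# Constructed finding, matching the page's example.
SNYK_FINDING = {"project": "checkout-api", "cve": "CVE-2026-4172", "severity": "critical",
                "image": "registry.demo.local/checkout-api@sha256:checkout-prod-9f31"}

# Constructed graph snapshot. imageID keeps the "docker-pullable://" prefix as kubelet reports it.
PODS = [
    {"name": "checkout-api-7f9c-1", "namespace": "checkout-prod", "labels": {"app": "checkout-api"},
     "imageID": "docker-pullable://registry.demo.local/checkout-api@sha256:checkout-prod-9f31"},
    {"name": "checkout-api-7f9c-2", "namespace": "checkout-prod", "labels": {"app": "checkout-api"},
     "imageID": "docker-pullable://registry.demo.local/checkout-api@sha256:checkout-prod-9f31"},
    {"name": "checkout-api-7f9c-3", "namespace": "checkout-prod", "labels": {"app": "checkout-api"},
     "imageID": "docker-pullable://registry.demo.local/checkout-api@sha256:checkout-prod-9f31"},
    # Same workload name, different digest: a name-only join would wrongly count this pod.
    {"name": "checkout-api-canary-1", "namespace": "checkout-prod", "labels": {"app": "checkout-api"},
     "imageID": "docker-pullable://registry.demo.local/checkout-api@sha256:checkout-canary-0a77"},
    # Vulnerable digest, but not in a prod namespace: live, not live_prod.
    {"name": "checkout-api-5b2d-1", "namespace": "checkout-staging", "labels": {"app": "checkout-api"},
     "imageID": "docker-pullable://registry.demo.local/checkout-api@sha256:checkout-prod-9f31"},
]
SERVICES = [{"name": "checkout-api", "namespace": "checkout-prod", "selector": {"app": "checkout-api"}}]
INGRESSES = [{"name": "checkout-public", "namespace": "checkout-prod", "service": "checkout-api",
              "internet_facing": True}]
ROLLOUTS = [{"name": "checkout-api-7f9c", "namespace": "checkout-prod", "digest": "sha256:checkout-prod-9f31",
             "at": "2026-06-09T10:12:00Z", "actor": "release-bot@github-actions",
             "owner": "checkout-platform", "window": "open"}]


def digest_of(image_ref: str) -> Optional[str]:
    """Return the sha256 digest of an image reference, or None for tag-only references.

    A tag ("...:latest") can point at many digests over time, so it is never a join key.
    """
    ref = image_ref.removeprefix("docker-pullable://")
    if "@sha256:" not in ref:
        return None
    return ref.split("@", 1)[1]


def live_pods(digest: str, pods: list) -> list:
    """Exact-digest join; the service or workload name is not consulted at all."""
    return [p for p in pods if digest_of(p["imageID"]) == digest]


def exposure(pods: list, services: list, ingresses: list) -> list:
    """Routes from an internet-facing ingress via a service whose selector matches a live pod."""
    routes = []
    for svc in services:
        selected = [p for p in pods if p["namespace"] == svc["namespace"]
                    and all(p["labels"].get(k) == v for k, v in svc["selector"].items())]
        if not selected:
            continue
        for ing in ingresses:
            if ing["internet_facing"] and ing["namespace"] == svc["namespace"] and ing["service"] == svc["name"]:
                routes.append(f"ingress/{ing['name']} -> service/{svc['name']}")
    return routes


def build_evidence(finding: dict, pods=PODS, services=SERVICES, ingresses=INGRESSES,
                   rollouts=ROLLOUTS, prod_namespaces=PROD_NAMESPACES) -> dict:
    """Collect the runtime facts behind each tag; unverified facts stay None."""
    digest = digest_of(finding["image"])
    if digest is None:
        raise ValueError("finding has no digest; cannot join")
    live = live_pods(digest, pods)
    prod = [p for p in live if p["namespace"] in prod_namespaces]
    status = "live_prod" if prod else ("live_nonprod" if live else "build_only")
    # A rollout event is attached only if one introduced this exact digest into a prod namespace.
    rollout = next((r for r in rollouts if r["digest"] == digest and r["namespace"] in prod_namespaces), None)
    return {
        "cve": finding["cve"], "project": finding["project"], "digest": digest, "status": status,
        "pods": sorted(p["name"] for p in prod),
        "exposure": exposure(live, services, ingresses),
        "rollout": rollout["name"] if rollout else None,
        "arrival": rollout["at"] if rollout else None,
        "actor": rollout["actor"] if rollout else None,
        "owner": rollout["owner"] if rollout else None,
        "window": rollout["window"] if rollout else None,
    }


def snyk_write_back(evidence: dict) -> list:
    """Tags for the Snyk project; only verified fields become tags (assumed v1 tag body shape)."""
    tags = [{"key": "runtime_status", "value": evidence["status"]}]
    if evidence["status"] == "live_prod":
        tags.append({"key": "internet_facing", "value": str(bool(evidence["exposure"])).lower()})
    for key in ("owner", "window"):
        if evidence[key]:
            tags.append({"key": key, "value": evidence[key]})
    return tags


if __name__ == "__main__":
    ev = build_evidence(SNYK_FINDING)
    print(ev)
    print(snyk_write_back(ev))
```

Run against the constructed graph, the finding yields status live_prod, three prod pods, one public route and the rollout actor; the same code given the canary digest finds one live pod and no rollout, so actor and owner stay blank, and a digest no pod runs comes back as build_only with only that one tag written.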

CLI Review

roxane@demo-retail:~/checkout-api
% annie do --show-yaml "review Snyk Container issue CVE-2026-4172 for digest sha256:checkout-prod-9f31"
> snyk project: checkout-api
> image digest: sha256:checkout-prod-9f31
> join key: exact digest match required
snyk_finding:
  cve: CVE-2026-4172
  project: checkout-api
  digest: sha256:checkout-prod-9f31
runtime_evidence:
  status: live_prod
  pods: 3 in checkout-prod
  exposure: ingress/checkout-public
  rollout: checkout-api-7f9c @ 2026-06-09T10:12Z
  actor: release-bot@github-actions
  owner: checkout-platform
snyk_write_back:
  - runtime_status=live_prod
  - internet_facing=true
  - owner=checkout-platform
  - window=open
[done] digest joined to runtime evidence; Snyk update ready

Snyk Update

Screenshot: Snyk project overview for checkout-api, imported by CI/CLI, showing the production target reference and the Backend, Critical and Production attributes.

The Snyk project stays the triage surface. It shows the imported checkout-api target, the production reference, and the priority attributes. Anyshift writes the verified runtime fields back to that same project through the Snyk API: live production status, internet exposure, owner, rollout, actor, and open window.

The finding now carries both sides: vulnerable artifact and production path.

Security Outcome

When triaging container CVEs, security can route on facts instead of severity alone:

  • live or build-only
  • prod or non-prod
  • exposed or internal
  • tied to a rollout or not
  • open or already rolled back
  • which owner should fix it

A critical image finding becomes a runtime-backed remediation target.

If your team uses Snyk and wants runtime-backed vulnerability routing, contact us.