Snyk container monitor vs test (gate not blocking) in CI
A common misconfiguration: the pipeline runs snyk container monitor and passes even when the image has critical CVEs. monitor uploads a point-in-time snapshot to Snyk for tracking and always exits 0. Only snyk container test returns a non-zero exit that gates the build.
What this error means
The Snyk step is green on every run, and vulnerabilities show up in the Snyk UI but never fail CI, so bad images still deploy.
Monitoring myimage:latest...
Explore this snapshot at https://app.snyk.io/org/...
Notifications about newly disclosed issues related to these dependencies
will be emailed to you.
# exit code 0 - build is NOT gatedCommon causes
monitor is used where test is intended
snyk container monitor records a snapshot and exits 0 by design. It is for continuous tracking, not for blocking a build.
No severity threshold on the gating command
Even with test, omitting --severity-threshold may not gate the way you expect for low-severity noise.
How to fix it
Gate with test, track with monitor
- Use
snyk container test --severity-threshold=highas the blocking gate. - Optionally add
snyk container monitorafterward for ongoing tracking. - Confirm the pipeline fails when the image has qualifying CVEs.
snyk container test myimage:latest --severity-threshold=high --file=Dockerfile
snyk container monitor myimage:latest --file=Dockerfile # tracking onlySet an explicit threshold on the gate
Pick the severity that should block so the exit code reflects your policy.
snyk container test myimage:latest --severity-threshold=criticalHow to prevent it
- Use test to gate and monitor to track; do not confuse them.
- Always set --severity-threshold on the gating command.
- Verify the step actually fails on a known-vulnerable image.