Skip to content
Latchkey

Snyk container monitor vs test (gate not blocking) in CI

A common misconfiguration: the pipeline runs snyk container monitor and passes even when the image has critical CVEs. monitor uploads a point-in-time snapshot to Snyk for tracking and always exits 0. Only snyk container test returns a non-zero exit that gates the build.

What this error means

The Snyk step is green on every run, and vulnerabilities show up in the Snyk UI but never fail CI, so bad images still deploy.

Snyk
Monitoring myimage:latest...

Explore this snapshot at https://app.snyk.io/org/...
Notifications about newly disclosed issues related to these dependencies
will be emailed to you.
# exit code 0 - build is NOT gated

Common causes

monitor is used where test is intended

snyk container monitor records a snapshot and exits 0 by design. It is for continuous tracking, not for blocking a build.

No severity threshold on the gating command

Even with test, omitting --severity-threshold may not gate the way you expect for low-severity noise.

How to fix it

Gate with test, track with monitor

  1. Use snyk container test --severity-threshold=high as the blocking gate.
  2. Optionally add snyk container monitor afterward for ongoing tracking.
  3. Confirm the pipeline fails when the image has qualifying CVEs.
Terminal
snyk container test myimage:latest --severity-threshold=high --file=Dockerfile
snyk container monitor myimage:latest --file=Dockerfile   # tracking only

Set an explicit threshold on the gate

Pick the severity that should block so the exit code reflects your policy.

Terminal
snyk container test myimage:latest --severity-threshold=critical

How to prevent it

  • Use test to gate and monitor to track; do not confuse them.
  • Always set --severity-threshold on the gating command.
  • Verify the step actually fails on a known-vulnerable image.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →