Snyk "snyk container test" found N issues fail in CI
Snyk exits 1 when snyk container test finds vulnerabilities meeting your threshold. The summary "found N issues" and a list of CVEs with upgrade advice means the gate fired; the image has qualifying CVEs. Snyk often shows which base-image change would remediate the most.
What this error means
The Snyk step fails with "Tested N dependencies for known issues, found M issues" and a list of vulnerabilities, exiting non-zero at or above --severity-threshold.
Testing myimage:latest...
Tested 210 dependencies for known issues, found 4 issues.
Issues to fix by upgrading:
Upgrade the base image from debian:12-slim to debian:12.6-slim to fix 3 issues.
Base Image debian:12-slim
Vulnerabilities 4 (Critical: 1 High: 2 Medium: 1)Common causes
The image has CVEs at or above the threshold
You ran snyk container test --severity-threshold=high, and HIGH/CRITICAL vulnerabilities exist in the image, so Snyk exits 1.
The base image lags behind an available patch
Snyk's "Upgrade the base image" advice shows most issues come from the base layer; the current tag predates the fix.
How to fix it
Follow Snyk base-image remediation advice
- Read the "Upgrade the base image from X to Y" recommendation.
- Bump the base tag in your Dockerfile and rebuild.
- Re-run
snyk container testto confirm the issue count drops.
snyk container test myimage:latest \
--severity-threshold=high --file=DockerfileIgnore specific reviewed CVEs with an expiry
Suppress an unfixable finding through a policy entry with a reason and expiry, not by dropping the threshold.
snyk ignore --id=SNYK-DEBIAN12-OPENSSL-XXXX \
--reason="no fix yet; review" --expiry=2026-09-01How to prevent it
- Pass --file=Dockerfile so Snyk can suggest base-image upgrades.
- Keep the base image current so most findings clear on rebuild.
- Use .snyk policy entries with reasons and expiries for exceptions.