feat: [CN-296] Support Container Base Image Recommendations

Adding a new Container LS to support the upgrading the container base images in a docker file.

Author: dan-arpino

application/config/client_settings.go

@@ -22,12 +22,13 @@ import (
 )
 
 const (
-	ActivateSnykOssKey     = "ACTIVATE_SNYK_OPEN_SOURCE"
-	ActivateSnykCodeKey    = "ACTIVATE_SNYK_CODE"
-	ActivateSnykIacKey     = "ACTIVATE_SNYK_IAC"
-	ActivateSnykAdvisorKey = "ACTIVATE_SNYK_ADVISOR"
-	SendErrorReportsKey    = "SEND_ERROR_REPORTS"
-	Organization           = "SNYK_CFG_ORG"
+	ActivateSnykOssKey       = "ACTIVATE_SNYK_OPEN_SOURCE"
+	ActivateSnykCodeKey      = "ACTIVATE_SNYK_CODE"
+	ActivateSnykIacKey       = "ACTIVATE_SNYK_IAC"
+	ActivateSnykContainerKey = "ACTIVATE_SNYK_CONTAINER"
+	ActivateSnykAdvisorKey   = "ACTIVATE_SNYK_ADVISOR"
+	SendErrorReportsKey      = "SEND_ERROR_REPORTS"
+	Organization             = "SNYK_CFG_ORG"
 )
 
 func (c *Config) clientSettingsFromEnv() {
@@ -56,6 +57,7 @@ func (c *Config) productEnablementFromEnv() {
 	oss := os.Getenv(ActivateSnykOssKey)
 	code := os.Getenv(ActivateSnykCodeKey)
 	iac := os.Getenv(ActivateSnykIacKey)
+	container := os.Getenv(ActivateSnykContainerKey)
 	advisor := os.Getenv(ActivateSnykAdvisorKey)
 
 	if oss != "" {
@@ -82,6 +84,14 @@ func (c *Config) productEnablementFromEnv() {
 		c.SetSnykIacEnabled(parseBool)
 	}
 
+	if container != "" {
+		parseBool, err := strconv.ParseBool(container)
+		if err != nil {
+			c.Logger().Debug().Err(err).Str("method", "clientSettingsFromEnv").Msgf("couldn't parse container config %s", container)
+		}
+		c.SetSnykContainerEnabled(parseBool)
+	}
+
 	if advisor != "" {
 		parseBool, err := strconv.ParseBool(advisor)
 		if err != nil {

application/config/config.go

@@ -163,6 +163,7 @@ type Config struct {
 	isSnykCodeEnabled                bool
 	isSnykOssEnabled                 bool
 	isSnykIacEnabled                 bool
+	isSnykContainerEnabled           bool
 	isSnykAdvisorEnabled             bool
 	manageBinariesAutomatically      bool
 	logPath                          string
@@ -262,6 +263,7 @@ func newConfig(engine workflow.Engine, opts ...ConfigOption) *Config {
 	c.isErrorReportingEnabled = true
 	c.isSnykOssEnabled = true
 	c.isSnykIacEnabled = true
+	c.isSnykContainerEnabled = true
 	c.manageBinariesAutomatically = true
 	c.logPath = ""
 	c.snykCodeAnalysisTimeout = c.snykCodeAnalysisTimeoutFromEnv()
@@ -432,6 +434,13 @@ func (c *Config) IsSnykIacEnabled() bool {
 	return c.isSnykIacEnabled
 }
 
+func (c *Config) IsSnykContainerEnabled() bool {
+	c.m.RLock()
+	defer c.m.RUnlock()
+
+	return c.isSnykContainerEnabled
+}
+
 func (c *Config) IsSnykAdvisorEnabled() bool {
 	c.m.RLock()
 	defer c.m.RUnlock()
@@ -604,6 +613,13 @@ func (c *Config) SetSnykIacEnabled(enabled bool) {
 	c.isSnykIacEnabled = enabled
 }
 
+func (c *Config) SetSnykContainerEnabled(enabled bool) {
+	c.m.Lock()
+	defer c.m.Unlock()
+
+	c.isSnykContainerEnabled = enabled
+}
+
 func (c *Config) SetSnykAdvisorEnabled(enabled bool) {
 	c.m.Lock()
 	defer c.m.Unlock()

application/config/product.go

@@ -26,6 +26,8 @@ func (c *Config) IsProductEnabled(p product.Product) bool {
 		return c.IsSnykOssEnabled()
 	case product.ProductInfrastructureAsCode:
 		return c.IsSnykIacEnabled()
+	case product.ProductContainer:
+		return c.IsSnykContainerEnabled()
 	default:
 		return false
 	}
@@ -38,6 +40,7 @@ func (c *Config) DisplayableIssueTypes() map[product.FilterableIssueType]bool {
 	// Handle backwards compatibility.
 	enabled[product.FilterableIssueTypeCodeSecurity] = c.IsSnykCodeEnabled() || c.IsSnykCodeSecurityEnabled()
 	enabled[product.FilterableIssueTypeInfrastructureAsCode] = c.IsSnykIacEnabled()
+	enabled[product.FilterableIssueTypeContainer] = c.IsSnykContainerEnabled()
 
 	return enabled
 }

application/di/init.go

@@ -41,6 +41,7 @@ import (
 	"github.com/snyk/snyk-ls/infrastructure/cli/cli_constants"
 	"github.com/snyk/snyk-ls/infrastructure/cli/install"
 	"github.com/snyk/snyk-ls/infrastructure/code"
+	"github.com/snyk/snyk-ls/infrastructure/container"
 	"github.com/snyk/snyk-ls/infrastructure/iac"
 	"github.com/snyk/snyk-ls/infrastructure/learn"
 	"github.com/snyk/snyk-ls/infrastructure/oss"
@@ -55,6 +56,7 @@ import (
 var snykApiClient snyk_api.SnykApiClient
 var snykCodeScanner *code.Scanner
 var infrastructureAsCodeScanner *iac.Scanner
+var containerScanner types.ProductScanner
 var openSourceScanner types.ProductScanner
 var scanInitializer initialize.Initializer
 var authenticationService authentication.AuthenticationService
@@ -88,7 +90,7 @@ func Init() {
 
 func initDomain(c *config.Config) {
 	hoverService = hover.NewDefaultService(c)
-	scanner = scanner2.NewDelegatingScanner(c, scanInitializer, instrumentor, scanNotifier, snykApiClient, authenticationService, notifier, scanPersister, scanStateAggregator, snykCodeScanner, infrastructureAsCodeScanner, openSourceScanner)
+	scanner = scanner2.NewDelegatingScanner(c, scanInitializer, instrumentor, scanNotifier, snykApiClient, authenticationService, notifier, scanPersister, scanStateAggregator, snykCodeScanner, infrastructureAsCodeScanner, containerScanner, openSourceScanner)
 }
 
 func initInfrastructure(c *config.Config) {
@@ -136,6 +138,7 @@ func initInfrastructure(c *config.Config) {
 	)
 
 	infrastructureAsCodeScanner = iac.New(c, instrumentor, errorReporter, snykCli)
+	containerScanner = container.New(c, instrumentor, errorReporter, networkAccess)
 	openSourceScanner = oss.NewCLIScanner(c, instrumentor, errorReporter, snykCli, learnService, notifier)
 	scanNotifier, _ = appNotification.NewScanNotifier(c, notifier)
 	snykCodeScanner = code.New(c, instrumentor, snykApiClient, codeErrorReporter, learnService, notifier, codeClientScanner)

application/server/configuration.go

@@ -402,6 +402,12 @@ func updateProductEnablement(c *config.Config, settings types.Settings) {
 	} else {
 		c.SetSnykIacEnabled(parseBool)
 	}
+	parseBool, err = strconv.ParseBool(settings.ActivateSnykContainer)
+	if err != nil {
+		c.Logger().Debug().Msg("couldn't parse container setting")
+	} else {
+		c.SetSnykContainerEnabled(parseBool)
+	}
 }
 
 func updateIssueViewOptions(c *config.Config, s *types.IssueViewOptions) {

application/server/configuration_test.go

@@ -177,6 +177,7 @@ func Test_UpdateSettings(t *testing.T) {
 			ActivateSnykOpenSource:       "false",
 			ActivateSnykCode:             "false",
 			ActivateSnykIac:              "false",
+			ActivateSnykContainer:        "false",
 			Insecure:                     "true",
 			Endpoint:                     "https://api.snyk.io",
 			AdditionalParams:             "--all-projects -d",
@@ -224,6 +225,7 @@ func Test_UpdateSettings(t *testing.T) {
 		assert.Equal(t, false, c.IsSnykCodeEnabled())
 		assert.Equal(t, false, c.IsSnykOssEnabled())
 		assert.Equal(t, false, c.IsSnykIacEnabled())
+		assert.Equal(t, false, c.IsSnykContainerEnabled())
 		assert.Equal(t, true, c.CliSettings().Insecure)
 		assert.Equal(t, []string{"--all-projects", "-d"}, c.CliSettings().AdditionalOssParameters)
 		assert.Equal(t, "https://api.snyk.io", c.SnykApi())

ast/dockerfile/parser.go

@@ -0,0 +1,110 @@
+/*
+ * © 2025 Snyk Limited
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package dockerfile
+
+import (
+	"regexp"
+	"strings"
+
+	"github.com/rs/zerolog"
+
+	"github.com/snyk/snyk-ls/ast"
+	"github.com/snyk/snyk-ls/internal/types"
+)
+
+type Parser struct {
+	logger zerolog.Logger
+}
+
+var (
+	// fromRegex matches FROM instructions in Dockerfile
+	fromRegex = regexp.MustCompile(`(?i)^\s*FROM\s+([^\s]+)`)
+)
+
+func New(logger *zerolog.Logger) Parser {
+	return Parser{
+		logger: *logger,
+	}
+}
+
+func (p *Parser) Parse(content []byte, uri string) *ast.Tree {
+	tree := p.initTree(types.FilePath(uri), string(content))
+
+	lines := strings.Split(strings.ReplaceAll(string(content), "\r", ""), "\n")
+	for lineNum, line := range lines {
+		matches := fromRegex.FindStringSubmatch(line)
+		if matches == nil {
+			continue
+		}
+
+		baseImage := matches[1]
+		// Skip scratch base image
+		if baseImage == "scratch" {
+			continue
+		}
+
+		node := p.addFromNode(tree.Root, lineNum, line, baseImage)
+		p.logger.Debug().Interface("nodeName", node.Name).Str("path", tree.Document).Msg("Added FROM node")
+	}
+
+	return tree
+}
+
+func (p *Parser) initTree(path types.FilePath, content string) *ast.Tree {
+	root := ast.Node{
+		Line:      0,
+		StartChar: 0,
+		EndChar:   -1,
+		DocOffset: 0,
+		Parent:    nil,
+		Children:  nil,
+		Name:      string(path),
+		Value:     content,
+	}
+
+	root.Tree = &ast.Tree{
+		Root:     &root,
+		Document: string(path),
+	}
+	return root.Tree
+}
+
+func (p *Parser) addFromNode(parent *ast.Node, lineNum int, line string, baseImage string) *ast.Node {
+	// Find the position of the base image in the line
+	fromIndex := strings.Index(strings.ToLower(line), "from")
+	imageStart := fromIndex + 4 // "FROM" length
+	for imageStart < len(line) && line[imageStart] == ' ' {
+		imageStart++ // Skip whitespace
+	}
+	endChar := imageStart + len(baseImage)
+
+	node := ast.Node{
+		Line:       lineNum,
+		StartChar:  imageStart,
+		EndChar:    endChar,
+		DocOffset:  int64(fromIndex),
+		Parent:     parent,
+		Children:   nil,
+		Name:       "FROM",
+		Value:      baseImage,
+		Attributes: make(map[string]string),
+		Tree:       parent.Tree,
+	}
+
+	parent.Add(&node)
+	return &node
+}