feat: [CN-296] Support Container Base Image Recommendations

Adding a new Container LS to support the upgrading the container base images in a docker file.

Author: dan-arpino

application/config/client_settings.go

@@ -22,12 +22,13 @@ import (
 )
 
 const (
-	ActivateSnykOssKey     = "ACTIVATE_SNYK_OPEN_SOURCE"
-	ActivateSnykCodeKey    = "ACTIVATE_SNYK_CODE"
-	ActivateSnykIacKey     = "ACTIVATE_SNYK_IAC"
-	ActivateSnykAdvisorKey = "ACTIVATE_SNYK_ADVISOR"
-	SendErrorReportsKey    = "SEND_ERROR_REPORTS"
-	Organization           = "SNYK_CFG_ORG"
+	ActivateSnykOssKey       = "ACTIVATE_SNYK_OPEN_SOURCE"
+	ActivateSnykCodeKey      = "ACTIVATE_SNYK_CODE"
+	ActivateSnykIacKey       = "ACTIVATE_SNYK_IAC"
+	ActivateSnykContainerKey = "ACTIVATE_SNYK_CONTAINER"
+	ActivateSnykAdvisorKey   = "ACTIVATE_SNYK_ADVISOR"
+	SendErrorReportsKey      = "SEND_ERROR_REPORTS"
+	Organization             = "SNYK_CFG_ORG"
 )
 
 func (c *Config) clientSettingsFromEnv() {
@@ -56,6 +57,7 @@ func (c *Config) productEnablementFromEnv() {
 	oss := os.Getenv(ActivateSnykOssKey)
 	code := os.Getenv(ActivateSnykCodeKey)
 	iac := os.Getenv(ActivateSnykIacKey)
+	container := os.Getenv(ActivateSnykContainerKey)
 	advisor := os.Getenv(ActivateSnykAdvisorKey)
 
 	if oss != "" {
@@ -82,6 +84,14 @@ func (c *Config) productEnablementFromEnv() {
 		c.SetSnykIacEnabled(parseBool)
 	}
 
+	if container != "" {
+		parseBool, err := strconv.ParseBool(container)
+		if err != nil {
+			c.Logger().Debug().Err(err).Str("method", "clientSettingsFromEnv").Msgf("couldn't parse container config %s", container)
+		}
+		c.SetSnykContainerEnabled(parseBool)
+	}
+
 	if advisor != "" {
 		parseBool, err := strconv.ParseBool(advisor)
 		if err != nil {

application/config/config.go

@@ -163,6 +163,7 @@ type Config struct {
 	isSnykCodeEnabled                bool
 	isSnykOssEnabled                 bool
 	isSnykIacEnabled                 bool
+	isSnykContainerEnabled           bool
 	isSnykAdvisorEnabled             bool
 	manageBinariesAutomatically      bool
 	logPath                          string
@@ -432,6 +433,13 @@ func (c *Config) IsSnykIacEnabled() bool {
 	return c.isSnykIacEnabled
 }
 
+func (c *Config) IsSnykContainerEnabled() bool {
+	c.m.RLock()
+	defer c.m.RUnlock()
+
+	return c.isSnykContainerEnabled
+}
+
 func (c *Config) IsSnykAdvisorEnabled() bool {
 	c.m.RLock()
 	defer c.m.RUnlock()
@@ -604,6 +612,13 @@ func (c *Config) SetSnykIacEnabled(enabled bool) {
 	c.isSnykIacEnabled = enabled
 }
 
+func (c *Config) SetSnykContainerEnabled(enabled bool) {
+	c.m.Lock()
+	defer c.m.Unlock()
+
+	c.isSnykContainerEnabled = enabled
+}
+
 func (c *Config) SetSnykAdvisorEnabled(enabled bool) {
 	c.m.Lock()
 	defer c.m.Unlock()

application/config/product.go

@@ -26,6 +26,8 @@ func (c *Config) IsProductEnabled(p product.Product) bool {
 		return c.IsSnykOssEnabled()
 	case product.ProductInfrastructureAsCode:
 		return c.IsSnykIacEnabled()
+	case product.ProductContainer:
+		return c.IsSnykContainerEnabled()
 	default:
 		return false
 	}
@@ -38,6 +40,7 @@ func (c *Config) DisplayableIssueTypes() map[product.FilterableIssueType]bool {
 	// Handle backwards compatibility.
 	enabled[product.FilterableIssueTypeCodeSecurity] = c.IsSnykCodeEnabled() || c.IsSnykCodeSecurityEnabled()
 	enabled[product.FilterableIssueTypeInfrastructureAsCode] = c.IsSnykIacEnabled()
+	enabled[product.FilterableIssueTypeContainer] = c.IsSnykContainerEnabled()
 
 	return enabled
 }

application/di/init.go

@@ -41,6 +41,7 @@ import (
 	"github.com/snyk/snyk-ls/infrastructure/cli/cli_constants"
 	"github.com/snyk/snyk-ls/infrastructure/cli/install"
 	"github.com/snyk/snyk-ls/infrastructure/code"
+	"github.com/snyk/snyk-ls/infrastructure/container"
 	"github.com/snyk/snyk-ls/infrastructure/iac"
 	"github.com/snyk/snyk-ls/infrastructure/learn"
 	"github.com/snyk/snyk-ls/infrastructure/oss"
@@ -55,6 +56,7 @@ import (
 var snykApiClient snyk_api.SnykApiClient
 var snykCodeScanner *code.Scanner
 var infrastructureAsCodeScanner *iac.Scanner
+var containerScanner types.ProductScanner
 var openSourceScanner types.ProductScanner
 var scanInitializer initialize.Initializer
 var authenticationService authentication.AuthenticationService
@@ -88,7 +90,7 @@ func Init() {
 
 func initDomain(c *config.Config) {
 	hoverService = hover.NewDefaultService(c)
-	scanner = scanner2.NewDelegatingScanner(c, scanInitializer, instrumentor, scanNotifier, snykApiClient, authenticationService, notifier, scanPersister, scanStateAggregator, snykCodeScanner, infrastructureAsCodeScanner, openSourceScanner)
+	scanner = scanner2.NewDelegatingScanner(c, scanInitializer, instrumentor, scanNotifier, snykApiClient, authenticationService, notifier, scanPersister, scanStateAggregator, snykCodeScanner, infrastructureAsCodeScanner, containerScanner, openSourceScanner)
 }
 
 func initInfrastructure(c *config.Config) {
@@ -136,6 +138,7 @@ func initInfrastructure(c *config.Config) {
 	)
 
 	infrastructureAsCodeScanner = iac.New(c, instrumentor, errorReporter, snykCli)
+	containerScanner = container.New(c, instrumentor, errorReporter, networkAccess)
 	openSourceScanner = oss.NewCLIScanner(c, instrumentor, errorReporter, snykCli, learnService, notifier)
 	scanNotifier, _ = appNotification.NewScanNotifier(c, notifier)
 	snykCodeScanner = code.New(c, instrumentor, snykApiClient, codeErrorReporter, learnService, notifier, codeClientScanner)

ast/dockerfile/parser.go

@@ -0,0 +1,110 @@
+/*
+ * © 2025 Snyk Limited
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package dockerfile
+
+import (
+	"regexp"
+	"strings"
+
+	"github.com/rs/zerolog"
+
+	"github.com/snyk/snyk-ls/ast"
+	"github.com/snyk/snyk-ls/internal/types"
+)
+
+type Parser struct {
+	logger zerolog.Logger
+}
+
+var (
+	// fromRegex matches FROM instructions in Dockerfile
+	fromRegex = regexp.MustCompile(`(?i)^\s*FROM\s+([^\s]+)`)
+)
+
+func New(logger *zerolog.Logger) Parser {
+	return Parser{
+		logger: *logger,
+	}
+}
+
+func (p *Parser) Parse(content []byte, uri string) *ast.Tree {
+	tree := p.initTree(types.FilePath(uri), string(content))
+
+	lines := strings.Split(strings.ReplaceAll(string(content), "\r", ""), "\n")
+	for lineNum, line := range lines {
+		matches := fromRegex.FindStringSubmatch(line)
+		if matches == nil {
+			continue
+		}
+
+		baseImage := matches[1]
+		// Skip scratch base image
+		if baseImage == "scratch" {
+			continue
+		}
+
+		node := p.addFromNode(tree.Root, lineNum, line, baseImage)
+		p.logger.Debug().Interface("nodeName", node.Name).Str("path", tree.Document).Msg("Added FROM node")
+	}
+
+	return tree
+}
+
+func (p *Parser) initTree(path types.FilePath, content string) *ast.Tree {
+	root := ast.Node{
+		Line:      0,
+		StartChar: 0,
+		EndChar:   -1,
+		DocOffset: 0,
+		Parent:    nil,
+		Children:  nil,
+		Name:      string(path),
+		Value:     content,
+	}
+
+	root.Tree = &ast.Tree{
+		Root:     &root,
+		Document: string(path),
+	}
+	return root.Tree
+}
+
+func (p *Parser) addFromNode(parent *ast.Node, lineNum int, line string, baseImage string) *ast.Node {
+	// Find the position of the base image in the line
+	fromIndex := strings.Index(strings.ToLower(line), "from")
+	imageStart := fromIndex + 4 // "FROM" length
+	for imageStart < len(line) && line[imageStart] == ' ' {
+		imageStart++ // Skip whitespace
+	}
+	endChar := imageStart + len(baseImage)
+
+	node := ast.Node{
+		Line:       lineNum,
+		StartChar:  imageStart,
+		EndChar:    endChar,
+		DocOffset:  int64(fromIndex),
+		Parent:     parent,
+		Children:   nil,
+		Name:       "FROM",
+		Value:      baseImage,
+		Attributes: make(map[string]string),
+		Tree:       parent.Tree,
+	}
+
+	parent.Add(&node)
+	return &node
+}

ast/dockerfile/parser_test.go

@@ -0,0 +1,125 @@
+/*
+ * © 2025 Snyk Limited
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package dockerfile
+
+import (
+	"testing"
+
+	"github.com/rs/zerolog"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestParser_Parse_SingleFrom(t *testing.T) {
+	logger := zerolog.Nop()
+	parser := New(&logger)
+
+	content := `FROM ubuntu:20.04
+RUN apt-get update
+COPY . /app
+`
+	tree := parser.Parse([]byte(content), "/test/Dockerfile")
+
+	require.NotNil(t, tree)
+	assert.Equal(t, "/test/Dockerfile", tree.Document)
+	assert.Equal(t, "/test/Dockerfile", tree.Root.Name)
+
+	// Should have one FROM node
+	require.Len(t, tree.Root.Children, 1)
+	fromNode := tree.Root.Children[0]
+	assert.Equal(t, "FROM", fromNode.Name)
+	assert.Equal(t, "ubuntu:20.04", fromNode.Value)
+	assert.Equal(t, 0, fromNode.Line)
+}
+
+func TestParser_Parse_MultipleFrom(t *testing.T) {
+	logger := zerolog.Nop()
+	parser := New(&logger)
+
+	content := `FROM node:14 as builder
+WORKDIR /app
+COPY package*.json ./
+RUN npm install
+
+FROM nginx:alpine
+COPY --from=builder /app/dist /usr/share/nginx/html
+`
+	tree := parser.Parse([]byte(content), "/test/Dockerfile")
+
+	require.NotNil(t, tree)
+
+	// Should have two FROM nodes
+	require.Len(t, tree.Root.Children, 2)
+
+	firstFrom := tree.Root.Children[0]
+	assert.Equal(t, "FROM", firstFrom.Name)
+	assert.Equal(t, "node:14", firstFrom.Value)
+	assert.Equal(t, 0, firstFrom.Line)
+
+	secondFrom := tree.Root.Children[1]
+	assert.Equal(t, "FROM", secondFrom.Name)
+	assert.Equal(t, "nginx:alpine", secondFrom.Value)
+	assert.Equal(t, 5, secondFrom.Line)
+}
+
+func TestParser_Parse_SkipScratch(t *testing.T) {
+	logger := zerolog.Nop()
+	parser := New(&logger)
+
+	content := `FROM scratch
+COPY --from=builder /app /app
+`
+	tree := parser.Parse([]byte(content), "/test/Dockerfile")
+
+	require.NotNil(t, tree)
+
+	// Should have no FROM nodes (scratch is skipped)
+	assert.Len(t, tree.Root.Children, 0)
+}
+
+func TestParser_Parse_CaseInsensitive(t *testing.T) {
+	logger := zerolog.Nop()
+	parser := New(&logger)
+
+	content := `from ubuntu:20.04
+FROM alpine:3.14
+FrOm golang:1.19
+`
+	tree := parser.Parse([]byte(content), "/test/Dockerfile")
+
+	require.NotNil(t, tree)
+
+	// Should have three FROM nodes
+	require.Len(t, tree.Root.Children, 3)
+	assert.Equal(t, "ubuntu:20.04", tree.Root.Children[0].Value)
+	assert.Equal(t, "alpine:3.14", tree.Root.Children[1].Value)
+	assert.Equal(t, "golang:1.19", tree.Root.Children[2].Value)
+}
+
+func TestParser_Parse_WithWindowsLineEndings(t *testing.T) {
+	logger := zerolog.Nop()
+	parser := New(&logger)
+
+	content := "FROM ubuntu:20.04\r\nRUN apt-get update\r\n"
+	tree := parser.Parse([]byte(content), "/test/Dockerfile")
+
+	require.NotNil(t, tree)
+
+	// Should have one FROM node
+	require.Len(t, tree.Root.Children, 1)
+	assert.Equal(t, "ubuntu:20.04", tree.Root.Children[0].Value)
+}

domain/ide/workspace/workspace.go

@@ -106,6 +106,7 @@ func (w *Workspace) HandleConfigChange() {
 func sendPublishDiagnosticsForAllProducts(folder types.Folder) {
 	folder.FilterAndPublishDiagnostics(product.ProductOpenSource)
 	folder.FilterAndPublishDiagnostics(product.ProductInfrastructureAsCode)
+	folder.FilterAndPublishDiagnostics(product.ProductContainer)
 	folder.FilterAndPublishDiagnostics(product.ProductCode)
 }
 

domain/scanstates/scan_state_aggregator.go

@@ -136,10 +136,12 @@ func (agg *ScanStateAggregator) initForAllProducts(folderPath types.FilePath) {
 	agg.referenceScanStates[folderProductKey{Product: product.ProductOpenSource, FolderPath: folderPath}] = &scanState{Status: NotStarted}
 	agg.referenceScanStates[folderProductKey{Product: product.ProductCode, FolderPath: folderPath}] = &scanState{Status: NotStarted}
 	agg.referenceScanStates[folderProductKey{Product: product.ProductInfrastructureAsCode, FolderPath: folderPath}] = &scanState{Status: NotStarted}
+	agg.referenceScanStates[folderProductKey{Product: product.ProductContainer, FolderPath: folderPath}] = &scanState{Status: NotStarted}
 
 	agg.workingDirectoryScanStates[folderProductKey{Product: product.ProductOpenSource, FolderPath: folderPath}] = &scanState{Status: NotStarted}
 	agg.workingDirectoryScanStates[folderProductKey{Product: product.ProductCode, FolderPath: folderPath}] = &scanState{Status: NotStarted}
 	agg.workingDirectoryScanStates[folderProductKey{Product: product.ProductInfrastructureAsCode, FolderPath: folderPath}] = &scanState{Status: NotStarted}
+	agg.workingDirectoryScanStates[folderProductKey{Product: product.ProductContainer, FolderPath: folderPath}] = &scanState{Status: NotStarted}
 }
 
 // AddNewFolder adds new folder to the state scanstates map with initial NOT_STARTED state

domain/snyk/issues.go

@@ -415,6 +415,8 @@ func (i *Issue) GetFilterableIssueType() product.FilterableIssueType {
 		return product.FilterableIssueTypeOpenSource
 	case product.ProductInfrastructureAsCode:
 		return product.FilterableIssueTypeInfrastructureAsCode
+	case product.ProductContainer:
+		return product.FilterableIssueTypeContainer
 	case product.ProductCode:
 		switch i.IssueType {
 		case types.CodeSecurityVulnerability: