
Canonical
on 20 March 2026

Canonical partners with Snyk for scanning chiseled Ubuntu containers


Canonical, the publisher of Ubuntu, is pleased to announce a new partnership with developer-focused cybersecurity company Snyk. Snyk Container, Snyk’s container security solution, now offers native support for scanning chiseled Ubuntu containers. This partnership will create a path to a more secure container ecosystem, where developers will no longer need to compromise on scanning accuracy for their minimal images.

Distro-aware, without the distro

Chiseled Ubuntu images include a manifest, and when Snyk Container’s engine parses chiseled Ubuntu slices, it can correctly identify the corresponding Ubuntu components. With a direct pipeline to Canonical’s security team, you can rest assured that Snyk’s scan results of a chiseled Ubuntu image reflect the latest vulnerability information.

Support for chiseled Ubuntu images is implemented seamlessly into Snyk Container, so developers can use the same commands to scan chiseled Ubuntu images as they would for any other image. Snyk does the work behind the scenes to identify the chiseled slices, without requiring separate commands or scanning workflows.

“Snyk now automatically recognizes chiseled Ubuntu slices, giving developers the precise vulnerability data they need to ship fast and stay secure, without any extra configuration or overhead,” said Pratip Banerji, Product Manager at Snyk.

Bridging the distroless security gap

Standard container images, whilst great for development, have clear drawbacks when it comes to production. The inclusion of a full OS, shell, package manager, and utilities results in chunky containers and a wide attack surface, meaning higher network costs and an increased likelihood of vulnerabilities.

Distroless images contain only the application and its runtime dependencies, making them much smaller and, in theory, more secure. But at what cost?

The typical approach to building distroless images is top-down, inflating the base image and cherry-picking to trim it down. The complex builds, specialized tooling, and deep distro knowledge required to build a distroless image with full accuracy mean that package metadata, crucial for precise security scanning, is often omitted, leading to inaccurate CVE reporting.

To solve the challenges of the distroless security gap, Canonical created chiseled Ubuntu containers.

Unlike typical distroless images, chiseled Ubuntu images are managed bottom-up using Chisel, a novel package manager that slices packages to create compact, secure software. Built using packages available in the Ubuntu archives, chiseled Ubuntu images are minimal in size, but retain the metadata needed for accurate security scans.

Get production-ready, securely-maintained container images

With Snyk and chiseled Ubuntu images, developers now have the ultimate toolset for production-ready security. Snyk’s native support for scanning chiseled Ubuntu images means greater precision, reduced noise, and faster CI/CD pipelines.

“Chiseled Ubuntu containers are ultra-small and secure-by-design, shipping without a shell, root user, or package manager by default,” said Mark Lewis, VP of Application Services at Canonical. “The advent of distroless images has led to scanners struggling to detect software components and thus vulnerabilities; Canonical’s new partnership with Snyk means a more complete audit of production containers. Our mutual customers and community can have confidence in a complete and comprehensive approach to container security.”

When Snyk Container scans chiseled Ubuntu images, the slices are correctly identified, reducing the risk of false negative results that is prevalent with typical distroless images. This heightened visibility into the software supply chain means that Snyk can accurately report and remediate CVEs for chiseled Ubuntu images. The minimal size of these images also results in less vulnerability bloat, and faster scanning compared to standard container images. While chiseled images harden the foundation, Snyk provides visibility into the application layer, securing everything running on top, including application code, open-source dependencies, and configurations.

Learn more

Get started with Snyk Container

Learn how you can rethink your containerization strategy with chiseled Ubuntu
