docs: synchronizing help from snyk/user-docs (#4876)

Co-authored-by: PeterSchafer <noreply@snyk.io>

help/cli-commands/code-test.md

@@ -89,6 +89,8 @@ Save test output in SARIF format directly to the \<OUTPUT_FILE_PATH> file, regar
 
 Use to display the human-readable test output using stdout and at the same time save the SARIF format output to a file.
 
-### `--severity-threshold=<low|medium|high|critical>`
+### `--severity-threshold=<low|medium|high>`
 
-Report only vulnerabilities at the specified level or higher. Note that the Snyk Code configuration issues do not currently use the `critical` severity level.
+Report only vulnerabilities at the specified level or higher.
+
+**Note**: The Snyk Code configuration issues do not use the `critical` severity level.

help/cli-commands/container-sbom.md

@@ -0,0 +1,92 @@
+# Container SBOM
+
+## Prerequisites
+
+**Feature availability:** This feature currently in Open Beta and is available to customers on Snyk Enterprise plans.
+
+**Note:** In order to run the SBOM generation feature, you must use a minimum of CLI version 1.1226.0.
+
+The `snyk container sbom` feature requires an internet connection.
+
+## Usage
+
+`$ snyk container sbom --format=<cyclonedx1.4+json|cyclonedx1.4+xml|spdx2.3+json> [--org=<ORG_ID>] [--exclude-app-vulns] <IMAGE>`
+
+## Description
+
+The `snyk container sbom` command generates an SBOM for a container image.
+
+Supported formats includes CycloneDX v1.4 (JSON or XML) and SPDX v2.3 (JSON).
+
+A SBOM can be generated for operating system dependencies as well as application dependencies within the image. Unmanned dependencies are currently not supported.
+
+## Exit codes
+
+Possible exit codes and their meaning:
+
+**0**: success (process completed), SBOM created successfully\
+**2**: failure, try to re-run command
+
+## Debug
+
+Use the `-d` or `--debug` option to output the debug logs.
+
+## Options
+
+### `--format=<cyclonedx1.4+json|cyclonedx1.4+xml|spdx2.3+json>`
+
+Required. Specify the output format for the SBOM to be produced.
+
+Set the desired SBOM output format. Available options are `cyclonedx1.4+json`, `cyclonedx1.4+xml`, and `spdx2.3+json`
+
+### `[--org=<ORG_ID>]`
+
+Specify the `<ORG_ID>` (name or UUID) to run Snyk commands tied to a specific organization. The `<ORG_ID>` influences some features availability and private test limits.
+
+Use this option when your default organization does not have API entitlement.
+
+If this option is omitted, the default organization for your account will be used.
+
+This is the `<ORG_ID>` that is the current preferred organization in your [Account settings](https://app.snyk.io/account)&#x20;
+
+Set a default to ensure all newly tested projects are tested under your default organization. If you need to override the default, use the `--org=<ORG_ID>` option.
+
+If you have multiple organizations, you can set a default from the CLI using:
+
+`$ snyk config set org=<ORG_ID>`
+
+**Note:** You can also use `--org=<orgslugname>.` The `ORG_ID` works in both the CLI and the API. The organization slug name works in the CLI, but not in the API.
+
+For more information see the article [How to select the organization to use in the CLI](https://support.snyk.io/hc/en-us/articles/360000920738-How-to-select-the-organization-to-use-in-the-CLI)
+
+### `[--exclude-app-vulns]`
+
+Snyk scans and generates an SBOM for operating system dependencies as well as application dependencies in your image by default.
+
+You can disable generation for application dependencies by adding `--exclude-app-vulns`.
+
+For more information about application scanning, see [Detect application vulnerabilities in container images](https://docs.snyk.io/scan-applications/snyk-container/use-snyk-container/detect-application-vulnerabilities-in-container-images)
+
+### `<IMAGE>`
+
+Required. The image for which you will generate an SBOM document.
+
+**Note:** The image should be specified in the format of `repo:tag`.
+
+## Examples for the snyk container sbom command
+
+### Create a CycloneDX JSON document for an image
+
+`$ snyk container sbom --format=cyclonedx1.4+json redis:latest`
+
+### Create a CycloneDX JSON document for an image and redirect stdout to a file
+
+`$ snyk container sbom --format=cyclonedx1.4+json redis:latest > mySBOM.json`
+
+### Create a SPDX JSON document for an image while excluding application dependencies
+
+`$ snyk container sbom --format=spdx2.3+json redis:latest ----exclude-app-vulns`
+
+### Refer to a container image by its digest
+
+`$ snyk container sbom --format=cyclonedx1.4+xml alpine@sha256:c5c5fda71656f28e49ac9c5416b3643eaa6a108a8093151d6d1afc9463be8e33`

help/cli-commands/container-test.md

@@ -98,7 +98,9 @@ Fail only when there are vulnerabilities that can be fixed.
 - `all`: fail when there is at least one vulnerability that can be either upgraded or patched.
 - `upgradable`: fail when there is at least one vulnerability that can be upgraded.
 
-To fail on any vulnerability (the default behavior), do not use the `--fail-on` option. If vulnerabilities do not have a fix and this option is being used, tests pass.
+To fail on any Snyk discoverable vulnerability (the default behavior), do not use the `--fail-on` option. If vulnerabilities do not have a Snyk-computed fix and this option is being used, tests pass.
+
+**Note**: If you test code constrained by metadata that Snyk cannot respect with `snyk test`, Snyk will not propose a fix, in order to avoid breaking your code. You may be able to identify and apply a fix manually.
 
 ### `--app-vulns`
 

help/cli-commands/ignore.md

@@ -44,6 +44,10 @@ exclude:
       created: <CREATION TIME>
 ```
 
+**Note**: The `--file-path` \[exclude] option is available only for Snyk Code (SAST) tests or Open Source `--unmanaged` tests and will not work for other test types.
+
+Ignoring issues or vulnerabilities using the .snyk file is not supported for Snyk Code
+
 ## Debug
 
 Use the `-d` option to output the debug logs.
@@ -156,15 +160,17 @@ Ignore a specific file, used by `snyk test --unmanaged` until 2031-01-20, with a
 $ snyk ignore --file-path='./deps/curl-7.58.0/src/tool_msgs.c' --expiry='2031-01-20' --reason='patched file'
 ```
 
-### Ignore files or folders using glob expression
+### Ignore files or folders using glob expression - Snyk Code and `unmanaged` only
+
+To ignore files matching a glob expression, add them to a specific group.
 
-Ignore files matching a glob expression by adding them to a specific group. Applies to Snyk Code; does not apply to Snyk Open Source, Container, or Infrastructure as Code.
+This applies to Snyk Code; it does not apply to Snyk Open Source except `unmanaged`, to Container, or to IaC.
 
 ```
 $ snyk ignore --file-path='./**/vendor/**/*.cpp' --file-path-group='global'
 ```
 
-## More information about snyk ignore command
+## More information about the `snyk ignore` command
 
 For more information see:
 

help/cli-commands/test.md

@@ -208,13 +208,15 @@ Report only vulnerabilities at the specified level or higher.
 
 ### `--fail-on=<all|upgradable|patchable>`
 
-Fail only when there are vulnerabilities that can be fixed.
+Fail only when there are vulnerabilities that can be fixed. Use one of the values as follows:
 
-- `all`: fail when there is at least one vulnerability that can be either upgraded or patched.
-- `upgradable`: fail when there is at least one vulnerability that can be upgraded.
-- `patchable`: fail when there is at least one vulnerability that can be patched or vulnerabilities that can be either patched or upgraded.
+- `all`: Use to fail when there is at least one vulnerability that can be either upgraded or patched.
+- `upgradable`: Use to fail when there is at least one vulnerability that can be upgraded.
+- `patchable`: Use to fail when there is at least one vulnerability that can be patched. Note that when you use patchable, the test will also fail if at least one vulnerability can be patched and other vulnerabilities found can be upgraded.
 
-To fail on any vulnerability (the default behavior), do not use the `--fail-on` option. If vulnerabilities do not have a fix and this option is being used, tests pass.
+To fail on any Snyk-discoverable vulnerability (the default behavior), do not use the `--fail-on` option. If vulnerabilities do not have a Snyk-computed fix and this option is being used, tests pass.
+
+**Note**: If you test code constrained by metadata that Snyk cannot respect with `snyk test`, Snyk will not propose a fix, in order to avoid breaking your code. You may be able to identify and apply a fix manually.
 
 ## Options for Maven projects