General usage
For examples of commands using Trend Micro Artifact Scanner (TMAS), see Examples.
tmas [command] [flags]
Available commands
Command | Description |
scan | Scan an artifact with any combination of scanners (at least one of vulnerabilities, malware, or secrets). |
version | Get current CLI version (long). |
help | Display help information. |
Global flags
Flag | Description |
--version | Get current CLI version (short). |
-v, --verbose | Increase verbosity (-v = info, -vv = debug). |
-h, --help | Display help information. |
Scan command usage
tmas scan [artifact] [flags]
Scan command flags
Flag | Description |
-p, --platform | Specify platform for multi-platform container image sources. For example: linux/arm64, linux/arm64/v8, arm64, linux. Default is linux/amd64. |
-r, --region | Trend Vision One service regions: ap-southeast-2, eu-central-1, ap-south-1, ap-northeast-1, ap-southeast-1, us-east-1. Default is us-east-1. |
-V, --vulnerabilities | Enable scanning for vulnerabilities (optional). |
-M, --malware | Enable scanning for malware (optional). Supports docker, docker-archive, oci-archive, oci-dir and registry artifact types. |
-S, --secrets | Enable scanning for secrets (optional). |
 | Specify the file path to the file containing the vulnerability and secret override rules (optional). For example: /path/to/tmas_overrides.yml. |
--saveSBOM | Save SBOM in the local directory (optional). |
-v, --verbose | Increase verbosity (-v = info, -vv = debug). |
-h, --help | Display help information. |
Note: For more information on available scanners and their flags, see Scan subcommands. Using a scanner-specific flag without enabling the associated scanner does not result in an error, but that flag will have no effect.
Supported artifacts
Artifact | Description |
docker:yourrepo/yourimage:tag | Use images from the Docker daemon. |
podman:yourrepo/yourimage:tag | Use images from the Podman daemon. |
docker-archive:path/to/yourimage.tar | Use a tarball from disk for archives created from docker save. |
oci-archive:path/to/yourimage.tar | Use a tarball from disk for OCI archives (from Skopeo or otherwise). |
oci-dir:path/to/yourimage | Read directly from a path on disk for OCI layout directories (from Skopeo or otherwise). |
singularity:path/to/yourimage.sif | Read directly from a Singularity Image Format (SIF) container on disk. |
registry:yourrepo/yourimage:tag | Pull image directly from a registry (no container runtime required). |
dir:path/to/yourproject | Read directly from a path on disk (any directory). |
file:path/to/yourproject/file | Read directly from a path on disk (any single file). |
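Because a scanner flag that does not apply is silently ignored rather than rejected, a pipeline can appear to have scanned for malware when it did not. The following pre-flight check is an added example, not part of the TMAS documentation or tooling: the function names are hypothetical, the lists are copied from the tables above, and treating an artifact without one of the listed prefixes as an error is a choice of this example.

```shell
#!/bin/sh
# Added example: validate a planned `tmas scan` invocation before running it.
# The three lists are copied from this page; in_list and tmas_scan_cmd are
# hypothetical helper names, not TMAS features.
ARTIFACT_TYPES="docker podman docker-archive oci-archive oci-dir singularity registry dir file"
MALWARE_TYPES="docker docker-archive oci-archive oci-dir registry"
REGIONS="ap-southeast-2 eu-central-1 ap-south-1 ap-northeast-1 ap-southeast-1 us-east-1"

in_list() {  # in_list WORD "space separated list"
  case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# tmas_scan_cmd ARTIFACT SCANNERS [REGION]
# SCANNERS is any combination of the letters V, M and S (for example "VS").
# Prints the command line on success; otherwise prints a reason on stderr
# and returns 1.
tmas_scan_cmd() {
  artifact=$1
  scanners=$2
  region=${3:-us-east-1}          # documented default region
  kind=${artifact%%:*}            # text before the first colon
  if [ "$kind" = "$artifact" ] || ! in_list "$kind" "$ARTIFACT_TYPES"; then
    echo "unsupported artifact: $artifact" >&2
    return 1
  fi
  in_list "$region" "$REGIONS" || { echo "unknown region: $region" >&2; return 1; }
  flags=""
  case "$scanners" in *V*) flags="$flags -V" ;; esac
  case "$scanners" in *M*)
    # Malware scanning is documented only for image artifact types.
    in_list "$kind" "$MALWARE_TYPES" ||
      { echo "malware scan does not support $kind: artifacts" >&2; return 1; }
    flags="$flags -M" ;;
  esac
  case "$scanners" in *S*) flags="$flags -S" ;; esac
  [ -n "$flags" ] || { echo "enable at least one of V, M, S" >&2; return 1; }
  echo "tmas scan $artifact$flags -r $region"
}

# Accepted: all three scanners against a registry image.
tmas_scan_cmd registry:yourrepo/yourimage:tag VMS
# Rejected: malware scanning requested for a plain directory.
tmas_scan_cmd dir:path/to/yourproject M || true
```
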
Scan subcommands
tmas scan [subcommand] [artifact] [flags]
Subcommand | Description |
vulnerabilities | Perform a vulnerability scan on an artifact. |
malware | Perform a malware scan on an image artifact. |
secrets | Perform a secrets scan on an artifact. |
Vulnerabilities subcommand
tmas scan vulnerabilities <artifact_to_scan>
Flag | Description |
-p, --platform | Specify platform for multi-platform container image sources. For example: linux/arm64, linux/arm64/v8, arm64, linux. Default is linux/amd64. |
-r, --region | Trend Vision One service regions: ap-southeast-2, eu-central-1, ap-south-1, ap-northeast-1, ap-southeast-1, us-east-1. Default is us-east-1. |
 | Specify the file path to the file containing the vulnerability override rules (optional). For example: /path/to/tmas_overrides.yml. |
--saveSBOM | Save SBOM in the local directory (optional). |
-v, --verbose | Increase verbosity (-v = info, -vv = debug). |
-h, --help | Display help information. |
Note: Vulnerability scans are limited to artifacts for which the generated SBOM data is less than 10 MB.
Malware subcommand
tmas scan malware <artifact_to_scan>
Flag | Description |
-p, --platform | Specify platform for multi-platform container image sources. For example: linux/arm64, linux/arm64/v8, arm64, linux. Default is linux/amd64. |
-r, --region | Trend Vision One service regions: ap-southeast-2, eu-central-1, ap-south-1, ap-northeast-1, ap-southeast-1, us-east-1. Default is us-east-1. |
-v, --verbose | Increase verbosity (-v = info, -vv = debug). |
-h, --help | Display help information. |
Note
|
Secrets subcommand
tmas scan secrets <artifact_to_scan>
Flag | Description |
-p, --platform | Specify platform for multi-platform container image sources. For example: linux/arm64, linux/arm64/v8, arm64, linux. Default is linux/amd64. |
-r, --region | Trend Vision One service regions: ap-southeast-2, eu-central-1, ap-south-1, ap-northeast-1, ap-southeast-1, us-east-1. Default is us-east-1. |
-r, --override | Specify the file path to the file containing the secret override rules (optional). For example: /path/to/tmas_overrides.yml. |
-v, --verbose | Increase verbosity (-v = info, -vv = debug). |
-h, --help | Display help information. |
Note
|
Proxy configuration
The CLI tool loads the proxy configuration from the following set of optional environment
variables:
Environment Variable | Required/Optional | Description |
NO_PROXY | Optional | Add the Artifact Scanning as a Service and Malware Scanning as a Service endpoints to the comma-separated list of host names if you want to skip proxy settings for the CLI tool. |
HTTP_PROXY | Optional | |
HTTPS_PROXY | Optional | If the proxy server is a SOCKS5 proxy, you must specify the SOCKS5 protocol in the URL as socks5://socks_proxy.example.com. |
PROXY_USER | Optional | Optional username for authentication header used in Proxy-Authorization. |
PROXY_PASS | Optional | Optional password for authentication header used in Proxy-Authorization, used only when a PROXY_USER is configured. |