Scanning an artifact for vulnerabilities, malware, and secrets
tmas scan <artifact to scan> -V -M -S
or
tmas scan <artifact to scan> -VMS
or
tmas scan <artifact to scan> --vulnerabilities --malware --secrets
Note: When you use the scan command, enable at least one scanner.
Using the region flag to switch to a different region
tmas scan docker:yourrepo/yourimage:tag -VMS --region=ap-southeast-2
Note: A mismatch between the TMAS API key and the region used to scan causes the scan command to fail with a 403 forbidden error or APIKeyPlatformMismatchError.
Scanning an image in a remote registry
tmas scan registry:yourrepo/yourimage:tag -VMS
Using a registry as an artifact source does not require a container runtime. In addition, scan results from registry artifact sources can be used for policy evaluations in Container Security.
Scanning images from private registries requires that you log in to the registry using tools such as docker login before attempting the scan. TMAS follows Docker's authentication behavior in order to use Docker's preconfigured credentials.
Note: When running malware scans on images from private registries and using Docker credsStore (.docker/config.json), add the credential-helpers=<your credsStore> configuration in the .config/containers/registries.conf file. For example, if Docker credsStore is desktop, add credential-helpers = ["desktop"]. When running malware scans on images from private registries on Docker Hub, ensure you log in with the server name https://docker.io or docker.io. For example, docker login docker.io.
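The credsStore-to-registries.conf step described in the note above, as an added shell example that is not part of the TMAS documentation: it reads the credsStore value from a Docker config.json and appends the matching credential-helpers entry to a registries.conf without duplicating the key. The file paths and the sample config.json are constructed for illustration; point them at your real ~/.docker/config.json and ~/.config/containers/registries.conf when using this for a scan.

```shell
# Extract the credsStore value from a Docker config.json (no jq dependency).
# Prints nothing when the file has no credsStore key.
docker_creds_store() {
    grep -o '"credsStore"[[:space:]]*:[[:space:]]*"[^"]*"' "$1" \
        | sed 's/.*:[[:space:]]*"\([^"]*\)"$/\1/'
}

# Append credential-helpers = ["<store>"] to a registries.conf, creating the
# file if needed. If the key is already present, leave the file untouched so
# repeated runs do not produce a duplicate TOML key.
ensure_credential_helper() {
    conf=$1
    store=$2
    mkdir -p "$(dirname "$conf")"
    touch "$conf"
    if grep -q '^credential-helpers' "$conf"; then
        return 0
    fi
    printf 'credential-helpers = ["%s"]\n' "$store" >> "$conf"
}

# Constructed sample input: a Docker config.json that uses the "desktop"
# credential store, as in the documentation's example.
tmp=$(mktemp -d)
cat > "$tmp/config.json" <<'EOF'
{
  "auths": { "https://docker.io": {} },
  "credsStore": "desktop"
}
EOF

store=$(docker_creds_store "$tmp/config.json")
ensure_credential_helper "$tmp/registries.conf" "$store"
# Expected content: credential-helpers = ["desktop"]
cat "$tmp/registries.conf"
```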
Enabling info logs
tmas scan docker:yourrepo/yourimage:tag -VMS -v
Saving the SBOM used for vulnerability analysis to disk
tmas scan docker:yourrepo/yourimage:tag -VMS --saveSBOM
When the --saveSBOM flag is enabled, the generated SBOM is saved in the local directory before it is sent to Trend Vision One for scanning.
Using the platform flag to specify platform or architecture of container images
This flag allows you to specify which platform or architecture to use when scanning multiple-architecture container images:
tmas scan registry:yourrepo/yourimage:tag@sha256:<multiple-architecture-digest> -VMS --platform=arm64
Attempting to specify an architecture for multi-arch registry images without support for that architecture will result in an error. When scanning architecture-specific registry images, the platform flag is ignored.
tmas scan docker:yourrepo/yourimage:tag@sha256:<arm64-specific-digest> -VMS --platform=arm64
Note: This flag is necessary when attempting to scan images from the Docker or Podman daemon with different architectures than the host that is running TMAS.
Overriding vulnerability and secret findings
tmas scan <artifact_to_scan> -VMS --override path/to/tmas_overrides.yml
Use the above command to override false positives or other vulnerability or secret findings that you want to ignore. The override file uses a YAML structure with rules defined under each scan type, like vulnerabilities or secrets, for example. When providing overrides for both secrets and vulnerabilities, specify all the overrides in the same YAML file. For more information, see Override vulnerability and secret findings.
Note: Overriding malware findings is not supported at this time.