General usage

For examples of commands using Trend Micro Artifact Scanner (TMAS), see Examples.
tmas [command] [flags]

Available commands

| Command | Description |
| --- | --- |
| scan | Scan an artifact with any combination of scanners (at least one of vulnerabilities, malware, or secrets) |
| version | Get current CLI version (long) |
| help | Help |

Global flags

| Flag | Description |
| --- | --- |
| --version | Get current CLI version (short) |
| -v, --verbose | Increase verbosity (-v = info, -vv = debug) |
| -h, --help | Help |

Scan command usage

tmas scan [artifact] [flags]

Scan command flags

| Flag | Description |
| --- | --- |
| -p, --platform | Specify platform for multi-platform container image sources. For example linux/arm64, linux/arm64/v8, arm64, linux. Default is linux/amd64. |
| -r, --region | Trend Vision One service regions: ap-southeast-2, eu-central-1, ap-south-1, ap-northeast-1, ap-southeast-1, us-east-1. Default is us-east-1. |
| -V, --vulnerabilities | Enable scanning for vulnerabilities (optional). |
| -M, --malware | Enable scanning for malware (optional). Supports docker, docker-archive, oci-archive, oci-dir and registry artifact types. |
| -S, --secrets | Enable scanning for secrets (optional). |
| -o, --override | Specify the file path to the file containing the override rules (optional). For example: /path/to/tmas_vuln_overrides.yml |
| --saveSBOM | Save SBOM in the local directory (optional) |

Note
For more information on available scanners and their flags, see Scan subcommands. Using a scanner-specific flag without enabling the associated scanner does not result in an error, but that flag will have no effect.

Supported artifacts

| Artifact | Description |
| --- | --- |
| docker:yourrepo/yourimage:tag | Use images from the Docker daemon |
| podman:yourrepo/yourimage:tag | Use images from the Podman daemon |
| docker-archive:path/to/yourimage.tar | Use a tarball from disk for archives created from docker save. |
| oci-archive:path/to/yourimage.tar | Use a tarball from disk for OCI archives (from Skopeo or otherwise). |
| oci-dir:path/to/yourimage | Read directly from a path on disk for OCI layout directories (from Skopeo or otherwise). |
| singularity:path/to/yourimage.sif | Read directly from a Singularity Image Format (SIF) container on disk. |
| registry:yourrepo/yourimage:tag | Pull image directly from a registry (no container runtime required). |
| dir:path/to/yourproject | Read directly from a path on disk (any directory). |
| file:path/to/yourproject/file | Read directly from a path on disk (any single file). |

Scan subcommands

tmas scan [subcommand] [artifact] [flags]

| Subcommand | Description |
| --- | --- |
| vulnerabilities | Perform a vulnerability scan on an artifact. |
| malware | Perform a malware scan on an image artifact. |
| secrets | Perform a secrets scan on an artifact. |

Vulnerabilities subcommand

tmas scan vulnerabilities <artifact_to_scan>

| Flag | Description |
| --- | --- |
| -p, --platform | Specify platform for multi-platform container image sources. For example linux/arm64, linux/arm64/v8, arm64, linux. Default is linux/amd64. |
| -r, --region | Trend Vision One service regions: ap-southeast-2, eu-central-1, ap-south-1, ap-northeast-1, ap-southeast-1, us-east-1. Default is us-east-1. |
| -o, --override | Specify the file path to the file containing the override rules (optional). For example: /path/to/tmas_overrides.yml |
| --saveSBOM | Save SBOM in the local directory (optional) |
| -v, --verbose | Increase verbosity (-v = info, -vv = debug) |
| -h, --help | Help |

Note
Vulnerability scans are limited to artifacts for which the generated SBOM data is less than 10 MB.

Malware subcommand

tmas scan malware <artifact_to_scan>

| Flag | Description |
| --- | --- |
| -p, --platform | Specify platform for multi-platform container image sources. For example linux/arm64, linux/arm64/v8, arm64, linux. Default is linux/amd64. |
| -r, --region | Trend Vision One service regions: ap-southeast-2, eu-central-1, ap-south-1, ap-northeast-1, ap-southeast-1, us-east-1. Default is us-east-1. |
| -v, --verbose | Increase verbosity (-v = info, -vv = debug) |
| -h, --help | Help |

Note
  • Malware scans only support docker, docker-archive, oci-archive, oci-dir and registry artifact types.
  • The maximum single file size limit is 1 GB. The scan skips files larger than 1 GB.
  • The maximum single layer size limit is 512 MB. The scan skips layers larger than 512 MB.
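
The malware scanner accepts only five of the nine artifact types, and a misplaced flag does not raise an error, so a pipeline can end up with less coverage than its command line suggests. The pre-flight helper below is an added example, not Trend Micro's code: `tmas_scan_cmd`, its exit codes and its insistence on an explicit type prefix are assumptions of this sketch, and it uses only the flags, artifact types and regions listed on this page.

```shell
#!/bin/sh
# Added example, not Trend Micro code. The three lists are copied from this page.
ALL_TYPES="docker podman docker-archive oci-archive oci-dir singularity registry dir file"
MALWARE_TYPES="docker docker-archive oci-archive oci-dir registry"
REGIONS="ap-southeast-2 eu-central-1 ap-south-1 ap-northeast-1 ap-southeast-1 us-east-1"

# in_list WORD "a b c": succeed when WORD is one of the space-separated items.
in_list() {
    case $1 in ''|*' '*) return 1 ;; esac
    case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# tmas_scan_cmd ARTIFACT SCANNERS [REGION]   (hypothetical helper)
# SCANNERS is a string of the letters V, M, S. Prints the command line on
# stdout. On a bad combination it prints the reason on stderr and returns
# 2 (usage error) or 3 (malware scan requested for an unsupported type).
tmas_scan_cmd() {
    artifact=$1; scanners=$2; region=${3:-us-east-1}
    # Requiring an explicit "type:" prefix is this wrapper's own policy.
    case $artifact in
        *:*) atype=${artifact%%:*} ;;
        *) echo "missing artifact type prefix: $artifact" >&2; return 2 ;;
    esac
    in_list "$atype" "$ALL_TYPES" || { echo "unknown artifact type: $atype" >&2; return 2; }
    in_list "$region" "$REGIONS" || { echo "unknown region: $region" >&2; return 2; }
    [ -n "$scanners" ] || { echo "enable at least one of V, M, S" >&2; return 2; }
    flags=""
    rest=$scanners
    while [ -n "$rest" ]; do
        s=${rest%"${rest#?}"}    # first letter
        rest=${rest#?}           # remaining letters
        case $s in
            V) flags="$flags -V" ;;
            S) flags="$flags -S" ;;
            M) in_list "$atype" "$MALWARE_TYPES" || {
                   echo "malware scan does not support $atype: artifacts" >&2; return 3; }
               flags="$flags -M" ;;
            *) echo "unknown scanner letter: $s" >&2; return 2 ;;
        esac
    done
    printf 'tmas scan %s%s -r %s\n' "$artifact" "$flags" "$region"
}

# Constructed inputs: print the command instead of running it.
tmas_scan_cmd "registry:yourrepo/yourimage:tag" VMS eu-central-1
tmas_scan_cmd "dir:path/to/yourproject" VM || echo "refused with exit code $?"
```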

Secrets subcommand

tmas scan secrets <artifact_to_scan>

| Flag | Description |
| --- | --- |
| -p, --platform | Specify platform for multi-platform container image sources. For example linux/arm64, linux/arm64/v8, arm64, linux. Default is linux/amd64. |
| -r, --region | Trend Vision One service regions: ap-southeast-2, eu-central-1, ap-south-1, ap-northeast-1, ap-southeast-1, us-east-1. Default is us-east-1. |
| -o, --override | Specify the file path to the file containing the override rules (optional). For example: /path/to/tmas_overrides.yml |
| -v, --verbose | Increase verbosity (-v = info, -vv = debug) |
| -h, --help | Help |

Note
  • Secret scans are limited to artifacts that generate secret findings reports that are smaller than 10 MB.
  • Binary and ZIP files are not currently supported.
  • Secret scan findings are redacted prior to being sent to Trend Vision One for further processing.

Proxy configuration

The CLI tool loads the proxy configuration from the following set of optional environment variables:

| Environment Variable | Required/Optional | Description |
| --- | --- | --- |
| NO_PROXY | Optional | Add the Artifact Scanning as a Service and Malware Scanning as a Service endpoints to the comma-separated list of host names if you want to skip proxy settings for the CLI tool. Note: Only an asterisk (*) matches all hosts |
| HTTP_PROXY | Optional | |
| HTTPS_PROXY | Optional | If the proxy server is a SOCKS5 proxy, you must specify the SOCKS5 protocol in the URL as socks5://socks_proxy.example.com |
| PROXY_USER | Optional | Optional username for authentication header used in Proxy-Authorization |
| PROXY_PASS | Optional | Optional password for authentication header used in Proxy-Authorization used only when a PROXY_USER is configured |