General usage
For examples of commands using Trend Micro Artifact Scanner, see Examples.
tmas [command] [flags]
Available commands
Command | Description |
scan | Scan an artifact |
version | Get current CLI version (long) |
help | Help |
Global flags
Flag | Description |
--version | Get current CLI version (short) |
-v, --verbose | Increase verbosity (-v = info, -vv = debug) |
-h, --help | Help |
Scan command usage
tmas scan [artifact] [flags]
Scan command flags
Flag | Description |
-p, --platform | (string) Platform specifier for multi-platform container image sources. For example linux/arm64, linux/arm64/v8, arm64, linux. Default is linux/amd64. |
-r, --region | (string) Trend Vision One service regions: ap-southeast-2, eu-central-1, ap-south-1, ap-northeast-1, ap-southeast-1, us-east-1. Default is us-east-1. |
--override | Specify the file path to the file containing the override rules (optional). For example: /path/to/tmas_vuln_overrides.yml |
--saveSBOM | Save SBOM in the local directory (optional) |
--malwareScan | Enable malware scan (optional), supports docker, docker-archive, oci-archive, oci-dir, and registry artifact types. |
Supported artifacts
Artifact | Description |
docker:yourrepo/yourimage:tag | Use images from the Docker daemon |
podman:yourrepo/yourimage:tag | Use images from the Podman daemon |
docker-archive:path/to/yourimage.tar | Use a tarball from disk for archives created from docker save. |
oci-archive:path/to/yourimage.tar | Use a tarball from disk for OCI archives (from Skopeo or otherwise). |
oci-dir:path/to/yourimage | Read directly from a path on disk for OCI layout directories (from Skopeo or otherwise). |
singularity:path/to/yourimage.sif | Read directly from a Singularity Image Format (SIF) container on disk. |
registry:yourrepo/yourimage:tag | Pull image directly from a registry (no container runtime required). |
dir:path/to/yourproject | Read directly from a path on disk (any directory). |
file:path/to/yourproject/file | Read directly from a path on disk (any single file). |
Scans are limited to artifacts for which the generated SBOM data is less than 10 MB.
The malware scan only supports docker, docker-archive, oci-archive, oci-dir, and registry artifact types.
Enabling malware scans
The AntiMalware as a Service (AMaaS) SDK allows Trend Micro Artifact Scanner to scan
container images for malware. The malware scan only supports docker, docker-archive,
oci-archive, oci-dir, and registry artifact types. To use AMaaS, use the --malwareScan
command flag.
Important
Scan limitations:
Note
When scanning images from private registries with the --malwareScan flag enabled,
ensure that you have already logged in to the registry using tools such as
docker login. If you are using Docker credsStore (.docker/config.json), add the
credential-helpers=<your credsStore> in .config/containers/registries.conf. For
example, if docker credsStore is desktop, add the following:
    credential-helpers = ["desktop"]
Note
To run the AntiMalware scan, you must be using Trend Micro Artifact Scanner 1.55.0 or
later.
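As an added example (not part of the original documentation), a small shell helper that builds a tmas scan command line, appends --malwareScan only for the artifact types listed above as supported, and rejects regions that are not in the documented list. The function names are hypothetical and the artifacts are constructed samples; the flags are the ones documented on this page.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not part of tmas.

# Regions listed for -r/--region on this page.
TMAS_REGIONS="ap-southeast-2 eu-central-1 ap-south-1 ap-northeast-1 ap-southeast-1 us-east-1"

# Succeeds if the artifact type prefix is one the malware scan supports.
supports_malware_scan() {
    case "$1" in
        docker:*|docker-archive:*|oci-archive:*|oci-dir:*|registry:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if $1 is one of the documented service regions.
valid_region() {
    for r in $TMAS_REGIONS; do
        [ "$r" = "$1" ] && return 0
    done
    return 1
}

# Print the command line for artifact $1 in region $2 (default us-east-1).
# Returns 2 without printing a command when the region is not documented.
build_tmas_cmd() {
    artifact=$1
    region=${2:-us-east-1}
    valid_region "$region" || { echo "unknown region: $region" >&2; return 2; }
    cmd="tmas scan $artifact --region $region"
    # singularity:, podman:, dir: and file: artifacts get no malware scan flag.
    if supports_malware_scan "$artifact"; then
        cmd="$cmd --malwareScan"
    fi
    printf '%s\n' "$cmd"
}

# Constructed sample inputs; the commands are printed, not executed.
build_tmas_cmd "registry:yourrepo/yourimage:tag" eu-central-1
build_tmas_cmd "dir:path/to/yourproject"
```

In a pipeline, the printed line can be reviewed or passed to the shell once the registry login described in the note above has been done.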
Subcommand scan usage
tmas scan [subcommand] [artifact] [flags]
Subcommand | Description |
vulnerabilities | Perform a vulnerability scan on an artifact. |
malware | Perform a malware scan on an artifact. |
secrets | Perform a secrets scan on an artifact. |
Vulnerabilities subcommand
tmas scan vulnerabilities <artifact_to_scan>
Flag | Description |
-p, --platform | (string) Platform specifier for multi-platform container image sources. For example linux/arm64, linux/arm64/v8, arm64, linux. Default is linux/amd64. |
-r, --region | (string) Trend Vision One service regions: ap-southeast-2, eu-central-1, ap-south-1, ap-northeast-1, ap-southeast-1, us-east-1. Default is us-east-1. |
--override | Specify the file path to the file containing the override rules (optional). For example: /path/to/tmas_overrides.yml |
--saveSBOM | Save SBOM in the local directory (optional) |
-v, --verbose | Increase verbosity (-v = info, -vv = debug) |
-h, --help | Help |
Malware subcommand
tmas scan malware <artifact_to_scan>
Flag | Description |
-p, --platform | (string) Platform specifier for multi-platform container image sources. For example linux/arm64, linux/arm64/v8, arm64, linux. Default is linux/amd64. |
-r, --region | (string) Trend Vision One service regions: ap-southeast-2, eu-central-1, ap-south-1, ap-northeast-1, ap-southeast-1, us-east-1. Default is us-east-1. |
-v, --verbose | Increase verbosity (-v = info, -vv = debug) |
-h, --help | Help |
The malware scan only supports docker, docker-archive, oci-archive, oci-dir, and registry artifact types.
Secrets subcommand
tmas scan secrets <artifact_to_scan>
Flag | Description |
-p, --platform | (string) Platform specifier for multi-platform container image sources. For example linux/arm64, linux/arm64/v8, arm64, linux. Default is linux/amd64. |
-r, --region | (string) Trend Vision One service regions: ap-southeast-2, eu-central-1, ap-south-1, ap-northeast-1, ap-southeast-1, us-east-1. Default is us-east-1. |
-r, --override | Specify the file path to the file containing the override rules (optional). For example: /path/to/tmas_overrides.yml. |
-v, --verbose | Increase verbosity (-v = info, -vv = debug) |
-h, --help | Help |
Proxy configuration
The CLI tool loads the proxy configuration from the following set of optional environment
variables:
Environment Variable | Required/Optional | Description |
NO_PROXY | Optional | Add the Artifact Scanning as a Service and Malware Scanning as a Service endpoints to the comma-separated list of host names if you want to skip proxy settings for the CLI tool. Note: Only an asterisk (*) matches all hosts. |
HTTP_PROXY | Optional | |
HTTPS_PROXY | Optional | If the proxy server is a SOCKS5 proxy, you must specify the SOCKS5 protocol in the URL as socks5://socks_proxy.example.com |
PROXY_USER | Optional | Optional username for authentication header used in Proxy-Authorization |
PROXY_PASS | Optional | Optional password for authentication header used in Proxy-Authorization, used only when a PROXY_USER is configured |