General usage
For examples of commands using Trend Micro Artifact Scanner, see Examples.
tmas [command] [flags]
Available commands
|
Command
|
Description
|
scan |
Scan an artifact
|
version |
Get current CLI version (long)
|
help |
Help
|
Global flags
| Flag | Description |
--version |
Get current CLI version (short)
|
-v, --verbose |
Increase verbosity (-v = info, -vv = debug)
|
-h, --help |
Help
|
Scan command usage
tmas scan [artifact] [flags]Scan command flags
| Flag | Description |
-p, --platform |
(string) Platform specifier for multi-platform container image sources. For
example
linux/arm64, linux/arm64/v8,
arm64, linux. Default is
linux/amd64. |
-r, --region |
(string) Trend Vision One
service regions:
ap-southeast-2, eu-central-1,
ap-south-1, ap-northeast-1,
ap-southeast-1, us-east-1Default is
us-east-1. |
|
Specify the file path to the file containing the override rules (optional). For
example:
/path/to/tmas_vuln_overrides.yml |
--saveSBOM |
Save SBOM in the local directory (optional)
|
--malwareScan |
Enable malware scan (optional), supports docker,
docker-archive, oci-archive,
oci-dir, and registry artifact types. |
Supported artifacts
|
Artifact
|
Description
|
docker:yourrepo/yourimage:tag |
Use images from the Docker daemon
|
podman:yourrepo/yourimage:tag |
Use images from the Podman daemon
|
docker-archive:path/to/yourimage.tar |
Use a tarball from disk for archives created from docker save.
|
oci-archive:path/to/yourimage.tar |
Use a tarball from disk for OCI archives (from Skopeo or otherwise).
|
oci-dir:path/to/yourimage |
Read directly from a path on disk for OCI layout directories (from Skopeo or
otherwise).
|
singularity:path/to/yourimage.sif |
Read directly from a Singularity Image Format (SIF) container on disk.
|
registry:yourrepo/yourimage:tag |
Pull image directly from a registry (no container runtime required).
|
dir:path/to/yourproject |
Read directly from a path on disk (any directory).
|
file:path/to/yourproject/file |
Read directly from a path on disk (any single file).
|
Scans are limited to artifacts for which the generated SBOM data is less than 10 MB.
The malware scan only supports
docker, docker-archive,
oci-archive, oci-dir, and registry
artifact types.Enabling malware scans
The AntiMalware as a Service (AMaaS) SDK allows Trend Micro Artifact Scanner to scan
container images for malware scans. The malware scan only supports
docker,
docker-archive, oci-archive, oci-dir,
and registry artifact types. To use the AMaaS, use the
--malwareScan command flag. |
ImportantScan limitations:
|
 |
NoteWhen scanning images from private registries with the
--malwareScan flag
enabled, ensure that you have already logged in to the registry using tools such as
docker login.If you are using Docker credsStore (
.docker/config.json), add the
credential-helpers=<your credsStore> in
.config/containers/registries.conf. For example, if docker
credsStore is desktop, add the following:credential-helpers = ["desktop"] |
|
NoteTo run the AntiMalware scan, you must be using Trend Micro Artifact Scanner 1.55.0
or
later.
|
Subcommand scan usage
tmas scan [subcommand] [artifact] [flags]|
Subcommand
|
Description
|
vulnerabilities |
Perform a vulnerability scan on an artifact.
|
malware |
Perform a malware scan on an artifact.
|
secrets |
Perform a secrets scan on an artifact.
|
Vulnerabilities subcommand
tmas scan vulnerabilities <artifact_to_scan>| Flag | Description |
-p, --platform |
(string) Platform specifier for multi-platform container image sources. For
example
linux/arm64, linux/arm64/v8,
arm64, linux. Default is
linux/amd64. |
-r, --region |
(string) Trend Vision One
service regions:
ap-southeast-2, eu-central-1,
ap-south-1, ap-northeast-1,
ap-southeast-1, us-east-1Default is
us-east-1. |
|
Specify the file path to the file containing the override rules (optional). For
example:
/path/to/tmas_overrides.yml |
--saveSBOM |
Save SBOM in the local directory (optional)
|
-v, --verbose |
Increase verbosity (-v = info, -vv = debug)
|
-h, --help |
Help
|
Malware subcommand
tmas scan malware <artifact_to_scan>| Flag | Description |
-p, --platform |
(string) Platform specifier for multi-platform container image sources. For
example
linux/arm64, linux/arm64/v8,
arm64, linux. Default is
linux/amd64. |
-r, --region |
(string) Trend Vision One
service regions:
ap-southeast-2, eu-central-1,
ap-south-1, ap-northeast-1,
ap-southeast-1, us-east-1Default is
us-east-1. |
-v, --verbose |
Increase verbosity (-v = info, -vv = debug)
|
-h, --help |
Help
|
The malware scan only supports
docker, docker-archive,
oci-archive, oci-dir and registry
artifact types.Secrets subcommand
tmas scan secrets <artifact_to_scan>| Flag | Description |
-p, --platform |
(string) Platform specifier for multi-platform container image sources. For
example
linux/arm64, linux/arm64/v8,
arm64, linux. Default is
linux/amd64. |
-r, --region |
(string) Trend Vision One
service regions:
ap-southeast-2, eu-central-1,
ap-south-1, ap-northeast-1,
ap-southeast-1, us-east-1Default is
us-east-1. |
-r, --override |
Specify the file path to the file containing the override rules (optional). For
example:
/path/to/tmas_overrides.yml. |
-v, --verbose |
Increase verbosity (-v = info, -vv = debug)
|
-h, --help |
Help
|
|
Note
|
Proxy configuration
The CLI tool loads the proxy configuration from the following set of optional environment
variables:
|
Environment Variable
|
Required/Optional
|
Description
|
NO_PROXY |
Optional
|
Add the Artifact Scanning as a Service and Malware Scanning as a Service
endpoints to the comma-separated list of host names if you want to skip proxy
settings for the CLI tool. Note: Only an asterisk (*) matches all hosts
|
HTTP_PROXY |
Optional
|
|
HTTPS_PROXY |
Optional
|
If the proxy server is a SOCKS5 proxy, you must specify the SOCKS5 protocol in
the URL as socks5://socks_proxy.example.com
|
PROXY_USER |
Optional
|
Optional username for authentication header used in
Proxy-Authorization |
PROXY_PASS |
Optional
|
Optional password for authentication header used in
Proxy-Authorization used only when a
PROXY_USER is configured |