Scanning an artifact
tmas scan <artifact to scan>
Using the region flag to switch to a different region
tmas scan docker:yourrepo/yourimage:tag --region=ap-southeast-2
 |
NoteA mismatch between the Trend Micro Artifact Scanner API key and the region used to
scan
causes the scan command to fail with a 403 forbidden error or
APIKeyPlatformMismatchError.
|
Scanning an image in a remote registry
tmas scan registry:yourrepo/yourimage:tag
Using a registry as an artifact source does not require a container runtime. In addition,
scan
results from registry artifact sources can be used for policy evaluations in Container Security.
Scanning images from private registries requires that you log in to the registry using
tools
such as
docker login before attempting the scan. Trend Micro Artifact
Scanner follows Docker's authentication behavior in order to use Docker's preconfigured
credentials.Enabling info mode
tmas scan docker:yourrepo/yourimage:tag -v
Saving the SBOM used for vulnerability analysis to disk
tmas scan docker:yourrepo/yourimage:tag --saveSBOM
When the
--saveSBOM flag is enabled, the generated SBOM is saved in the local
directory before it is sent to Trend Vision One for scanning.Using the platform flag to specify platform or architecture of container images
This flag allows you to specify which platform or architecture to use when scanning
multiple-architecture container images:
tmas scan registry:yourrepo/yourimage:tag@sha256:<multiple-architecture-digest> --platform=arm64
Attempting to specify an architecture for multi-arch registry images without support
for that
architecture will result in an error. When scanning architecture-specific registry
images,
the platform flag is ignored.
This flag is necessary when attempting to scan images from the Docker or Podman daemon
with
different architectures than the host that is running Trend Micro Artifact Scanner:
tmas scan docker:yourrepo/yourimage:tag@sha256:<arm64-specific-digest> --platform=arm64
Overriding vulnerability findings
To override false positives or other vulnerability findings you want to ignore, use
the
following command. For more information, see Override vulnerability findings.
tmas scan <artifact_to_scan> --override path/to/tmas_overrides.yml
Overriding secret findings
To override false positives or other findings you want to ignore, use the following
command. For more information, see Override secret
findings.
tmas scan secrets <artifact_to_scan> --override path/to/tmas_overrides.yml