Trend Micro Artifact Scanner (TMAS) Examples | Trend Micro Service Central

Scanning an artifact for vulnerabilities, malware, and secrets

tmas scan <artifact to scan> -V -M -S

or

tmas scan <artifact to scan> -VMS

or

tmas scan <artifact to scan> --vulnerabilities --malware --secrets

Note

When you use the scan command, enable at least one scanner.

Using the region flag to switch to a different region

tmas scan docker:yourrepo/yourimage:tag -VMS --region=ap-southeast-2

Note

A mismatch between the TMAS API key and the region used to scan causes the scan command to fail with a 403 forbidden error or APIKeyPlatformMismatchError.

Scanning an image in a remote registry

tmas scan registry:yourrepo/yourimage:tag -VMS

Using a registry as an artifact source does not require a container runtime. In addition, scan results from registry artifact sources can be used for policy evaluations in Container Security.

Scanning images from private registries requires that you log in to the registry using tools such as docker login before attempting the scan. TMAS follows Docker's authentication behavior in order to use Docker's preconfigured credentials.

Note

When running malware scans on images from private registries and using Docker credsStore (.docker/config.json), add the credential-helpers=<your credsStore> configuration in the .config/containers/registries.conf file. For example, if Docker credsStore is desktop, add

credential-helpers =
                                 ["desktop"]

.

Enabling info logs

tmas scan docker:yourrepo/yourimage:tag -VMS -v

Saving the SBOM used for vulnerability analysis to disk

tmas scan docker:yourrepo/yourimage:tag -VMS --saveSBOM

When the --saveSBOM flag is enabled, the generated SBOM is saved in the local directory before it is sent to Trend Vision One for scanning.

Using the platform flag to specify platform or architecture of container images

This flag allows you to specify which platform or architecture to use when scanning multiple-architecture container images:

tmas scan registry:yourrepo/yourimage:tag@sha256:<multiple-architecture-digest> -VMS --platform=arm64

Attempting to specify an architecture for multi-arch registry images without support for that architecture will result in an error. When scanning architecture-specific registry images, the platform flag is ignored.

tmas scan docker:yourrepo/yourimage:tag@sha256:<arm64-specific-digest> -VMS --platform=arm64

Note

This flag is necessary when attempting to scan images from the Docker or Podman daemon with different architectures than the host that is running TMAS.

Overriding vulnerability and secret findings

tmas scan <artifact_to_scan> -VMS --override path/to/tmas_overrides.yml

Use the above command to override false positives or other vulnerability or secret findings that you want to ignore. The override file uses a YAML structure with rules defined under each scan type, like vulnerabilities or secrets, for example. When providing overrides for both secrets and vulnerabilities, specify all the overrides in the same YAML file. For more information, see Override vulnerability and secret findings.

Note

Overriding malware findings is not supported at this time.