Configure the Mend CLI for Container Images

Overview

Configuring the Mend CLI for a Container Image scan can be done via command line parameters.

Tip: For inline assistance, use the mend image -h or mend image --help commands.

Getting it done

Configure the Mend CLI Container Image scan via command line parameters

You can configure the Mend CLI Container Image scan at runtime by adding flags to the mend image command. The usage of the mend image command is as follows:

CODE

mend image <image_name[:image_tag]> [flags]

Getting Started Examples

CODE

# Getting started quickly
mend image <image:tag>

# Scanning tar format images
mend image myimage.tar --tar

# Adding Scope to the scanned image (To be reflected in Mend UI)
mend image <image:tag> --scope "*//Test-Application//MyProject"


# export results via the CLI
## json export
mend image <image:tag> --format json --filename ./image_results.json

## sbom (spdx-json) export
mend image <image:tag> --format spdx-json --filename ./image_results_sbom.json


# CLI Output filtering (terminal output only)
## filter by severity
mend image <image:tag> --filter critical,high

## filter out base layers
mend image <image:tag> --exclude-base-layers

Reference

Mend CLI Container Image parameters

Mend CLI Container Image- General scan parameters

Parameter

Description

Mend CLI Default Behavior

--basedir

Optional. Provide an alternative location for the local image download function of the Mend CLI scan.
The format is:

CODE

mend image <image_name[:image_tag]> --basedir /path/to/your/directory

Note:

This flag is to be set on a per-scan basis and is most appropriate for scanning larger images that may impact the space where the .mend folder resides.
This parameter is for the scan function only. The .mend folder will still remain and includes all its subfolders, i.e. logging.

This flag is committed by default. The Mend CLI scans your container images using the .mend folder.

--tar

Optional. Scan the specified container image TAR file with the Mend CLI.

Note: the tar file should include a .tar suffix

This flag is omitted by default. The Mend CLI scans container images via the imagename:tag format.

--local-pull

Pull Docker images from the local machine only, bypassing remote pulls.

The Mend CLI pulls Docker images from a remote registry, according to the URL, or from Docker Hub in case of public images.

Mend CLI Container Image - Policy parameters

Parameter

Description

Mend CLI Default Behavior

--fail-policy

Optional. Enable the Mend CLI policy check to fail the scan if a container image component is found that violates a policy defined within your Mend organization, returning an Exit Code 9.

The policy check is enabled and findings are provided in the Cloud Native UI.

To show policy violations in the CLI terminal output, make sure to add the “--show policy" flag to your scan command.

The Mend CLI scan does not fail, even if a policy violation occurs.

Mend CLI Container Image - Report parameters

Parameter

Description

Mend CLI Default Behavior

--filename

Optional. Generate a report locally of the Mend CLI Container Image scan results using the defined file name. The --filename and --format parameters are used together for the creation of this file.

Report generation is disabled.

--format

Optional. When used together with --filename, define the format of the locally-generated report file.

When used alone, the output will be printed to the terminal.

The supported values are:

json
sarif
xml

SBOM export: (CycloneDX, SPDX)

cyclonedx-xml
cyclonedx-json
spdx-json
spdx-tv
spdx-yaml
spdx-csv
spdx-xml

Report generation is disabled.

Examples

CODE

# SARIF export to a file
mend image alpine --format sarif --filename ./alpine-sarif.sarif

# SPDX SBOM export, json format
 mend image alpine --format spdx-json --filename ./alpine-spdx.json

Mend CLI Container Image - Terminal view parameters

Parameter	Description	Mend CLI Default Behavior
`--exclude-base-layer`	Optional. Filter out security findings from the base layers of the container image, allowing you to focus only on your application layers when reviewing your results in the CLI. Note: This behavior only affects the Mend CLI terminal output. The full image scan results are still uploaded the Cloud Native Application.	The CLI terminal output displays the full image scan results (base + application layers).
`--filter`	Optional. Filter vulnerability results by the CVSS score severity value. The supported values are: `critical -` CVSS 3 score of 9.0 - 10.0 `high -` CVSS 3 score of 7.0-8.9 `medium -` CVSS 3 score of 4.0-6.9 `low -` CVSS 3 score of 0.1-3.9 `none` - CVSS 3 score of 0.0	All vulnerability severity levels are shown in the scan results.
`-h, --help`	Optional. Display the available parameters for the `mend image` command.	N/A
`--non-interactive`	Optional. Mend CLI will run in non-interactive mode, suppressing use of colors, progress bar and any other graphic features in STDOUT.	Mend CLI output to STDOUT includes use of colors and progress bars, which are irrelevant in non-interactive session and may cause issues in some environments.
`--show`	Optional. Define a comma-separated list for the types of security findings you want to display in your terminal output. The available values are: `vuln` `secret` `license` `policy`	`vuln,secret`

Mend CLI Container Image - Upload parameters

Parameter

Description

Mend CLI Default Behavior

--no-upload

Optional. Run the Mend CLI scan offline. This parameter disables the upload of the scan results to the Mend Application.

The Mend CLI will update your results within the Mend Application → Cloud Native UI.

-s, --scope

Optional. Set the scan scope for your image by specifying the hierarchy for the Mend Cloud Native UI.

The supported formats are:

Full hierarchy: -s ORG//APP//PROJ
Partial hierarchy: -s APP//PROJ
Single hierarchy: -s PROJ

Examples of --scope configuration:

Application-Project scope:
CODE
```
mend image my:image -s MyApp//MyProj
```

Org-Application-Project scope with spaces:

CODE

mend image my:image -s "My Org//My App//My Proj"

* can be used as a wildcard to autocomplete the scope by the authentication context of the user, for example:

CODE

mend image <Image:Tag> -s "*//My-App//My-Proj"

For Mend CLI scans that do not update the Mend Application, the --scope parameter is still used to direct the Mend CLI on the scope to use for the policy check.

Notes:

Only organization administrators can set scopes and view the Cloud Native UI.
Non-org admin users can still scan images with the Mend CLI, but won’t have their results sent to the Cloud Native UI if --scope is set.
As a result of running a Mend CLI scan with the --scope parameter, an empty project with the same name is also created in the Mend SCA UI. Deleting this project in the Mend SCA UI will delete the project within the Cloud Native UI.
If your Org/App/Proj names include spaces, make sure to set the --scope value within commas ("My Project").
You are able to set the Org scope to any Mend organization that the current user signed in as (via mend auth login) has access to.
If you set an application or project name in --scope that does not exist in the organization prior to the run, it will be created in the Mend Cloud Native UI after the Mend CLI completes the scan.

Within the Mend Cloud Native UI, scans are tiered under an organization → application → project hierarchy.

If --scope is not set, the scan results will be sent and categorized within the Mend Cloud Native UI as follows:

The organization currently logged into from the mend auth login command setup.

Tip: Use the Mend CLI mend auth info command to see what organization you are connected to.

An application will be created and named after the image’s <Registry-Name>/<RepoName>.
A project will be created and named after the image’s <RepoName>.

Mend CLI Container Image - Offline parameters

Container Reachability is not available in local scan mode.

Offline local scan

Parameter	Description	Mend CLI Default Behavior
`--local`	Optional. Save your scan results locally. The default file is saved in the .mend folder. Specific path can be defined using the --export-results flag.	Scan results will not be saved locally.
`--export-results`	Optional. To be used with the `--local` flag to save the scan results locally in the machine.

Usage Example:

CODE

# Save scan results locally (offline scan mode)
mend image alpine --local --export-results ./alpine-scan

Local Scan output: the following message should appear Scan completed in local mode. Results file saved to: <export-file-path>

SBOM file saved to: <export-file-path>

Upload Offline local scan results

Parameter

Description

Mend CLI Default Behavior

--update

Optional. Update the Mend application with your scan results. Should be followed by the --file flag to specify the specific local scan results.

The Mend application will get updated with your scan results.

--file

Optional. Specify a path to the local scan results file.

Usage Example:

CODE

# Save scan results locally (offline scan mode)
mend image alpine --local --export-results ./alpine-scan

# Upload offline scan results
mend image --update --file ./alpine-scan --scope "*//alpine-base//alpine"

Once results are uploaded, you’ll get a scan summary print to the terminal with the scan statistics.

Default scope: Application = My Product, Project= <full-image-name>

To control the scope, use the --scope flag

Mend CLI Container Image-supported distributions

The following distributions are supported by the Mend CLI for Container Image scans:

Distribution	Supported Versions	Mend-supported detection
AlmaLinux	Alma Linux 8	Vulnerability detection OS license detection
Alpine	Alpine 2 Alpine 3.0	Vulnerability detection OS license detection
Amazon Linux	Amazon Linux 1 (AMI) Amazon Linux 2 Amazon Linux 2022	Vulnerability detection OS license detection
Arch Linux	All versions of Arch Linux are supported, as the advisories do not depend on the distribution version.	Vulnerability detection OS license detection
Azure Linux (CBL-Mariner)	1.0 2.0	Vulnerability detection OS license detection
CentOS	CentOS 6 CentOS 7 CentOS 8	Vulnerability detection OS license detection
Debian	Debian 7 (wheezy) Debian 8 (jessie) Debian 9 (stretch) Debian 10 (buster) Debian 11 (bullseye) Debian 12 (bookworm) Debian 13 (trixie)	Vulnerability detection OS license detection
Distroless	All versions of Distroless are supported.	Vulnerability detection
Oracle Linux	Oracle Linux 5 Oracle Linux 6 Oracle Linux 7 Oracle Linux 8	Vulnerability detection OS license detection
PhotonOS	Photon 1 Photon 2 Photon 3 Photon 4	Vulnerability detection OS license detection
Red Hat Enterprise Linux (RHEL)	RHEL 6 RHEL 7 RHEL 8 RHEL 9	Vulnerability detection OS license detection
Rocky Linux	Rocky Linux 8 Rocky Linux 9	Vulnerability detection OS license detection
SUSE Linux Enterprise Server (SLES)	SLES 11 SLES 12 SLES 15	Vulnerability detection OS license detection
Ubuntu	All Canonical-maintained versions of Ubuntu are supported.	Vulnerability detection OS license detection

Mend CLI Container Image-supported registries

Tip: Looking for our private container image registry integration? Visit our documentation: Integrate your private container image registries with Mend.

Notes:

Supported image frameworks: docker, OCI
If the image name is not locally available, Mend CLI checks DockerHub by default, and pulls the version (tag) of that image from the Docker registry.
In case the full image URL is presented, the scanner will pull the image from the specified source. For example:
CODE
```
mend image mcr.microsoft.com/mssql/server:2022-latest
```
Will pull the image from Microsoft Public Regsitry.
Required: If you are scanning an image from a private registry, you will need to connect to the registry beforehand with the docker login command prior to the Mend CLI scan and have Docker daemon running.
Local scans can be done with or without a Docker Daemon running, if the daemon is up, it should be with the default socket open.

Mend CLI Container Image-supported languages

The following runtime environments, frameworks, and languages are supported by the Mend CLI for Container Image scans:

Node.js
C# (.NET framework)
Go
Java
PHP
Python
Ruby

Mend CLI Container Image exit codes

Note: For a comprehensive overview of Mend CLI Container Image exit codes, please refer to our Mend CLI Exit Codes article.