Scan your container images with the Mend CLI
Overview
The Mend CLI Container Image scans container images to help you evaluate their overall security risk to your organization. You can quickly identify vulnerable packages in an image down to the layer, gauge the impact of specific vulnerabilities, and see whether they have been resolved in newer versions.
Note: In order to update the results of a previously scanned image within the Cloud Native UI, it must be rescanned with the Mend CLI. For example, if new CVEs are identified after the image’s original scan date, a new Mend CLI scan must be completed on the image in order to show the new findings in the Cloud Native UI.
Use cases for scanning your container images with the Mend CLI
Let’s look at the following real-life examples that industry personas commonly run into:
As an AppSec Manager, you are in charge of the decision-making for selecting a tool that can detect vulnerable packages in your teams' container images and provide fixed version options. You also need the ability to identify vulnerable secrets. Finally, you want to monitor the security posture of your organization’s container images in the form of dashboards and exported reports.
As a DevOps Engineer, you are tasked with implementing a security tool into your teams' CI/CD solutions that can provide insights on vulnerable secrets and packages in your teams' container images directly within the pipeline console.
Mend’s Answer: Utilizing the Mend CLI Container Image scan, you can effortlessly assess your container images for security vulnerabilities and at-risk secrets. The results are conveniently presented in a well-organized table format within the Mend CLI or via dashboards in the Mend Application, and can also be exported into reports in various supported file formats.
Getting it done
Prerequisites before getting started with the Mend CLI Container Image scan
The following prerequisites are required before running a Mend CLI Container Image scan:
Provide the Mend CLI with access to read your application’s source code on a file system.
Make sure the user running the scan has the necessary permissions to execute image scans. In the context of a product, for example, the user will need to have either the Product Administrators or the Product Integrators role in the Mend Legacy SCA Application. More information about product roles is available here.
Configure your Mend CLI Container Image scan
The Mend CLI Container Image scan is configurable via command line parameters. To learn more about our Container Image-supported languages and configurations, visit our Configure the Mend CLI for Container Images article.
Run your Mend CLI Container Image scan
To trigger the Mend CLI Container Image scan, execute the following command:
mend imageThe usage of the mend image command is as follows:
mend image <image_name[:image_tag]> [flags]
View the steps of your Mend CLI Container Image scan
The Mend CLI has five default steps you will see it complete before it displays its findings from the Container Image scan:
Step Name | Description |
|---|---|
| The scan is starting on your container image. |
| The Mend CLI checks to see if the image is available locally. If it is not, the Mend CLI communicates to Docker to execute |
| The scan extracts each layer of the image locally. |
| Each layer of the image is scanned for vulnerable packages and at-risk secrets. |
| If any vulnerabilities are found, the Mend CLI reaches out to the Mend Application for the information on these vulnerabilities to prepare them for the scan summary. |
View your Mend CLI Container Image scan results
Visit our View the results of your Mend CLI Container Image scan article for more details on how to navigate the Container Image findings provided by the Mend CLI.
Reference
Mend CLI Container Image features
In this article, we cover the instructions on how to kick off a base Mend CLI Container Image scan. We also offer examples of the Mend CLI Container Image feature(s) below: