
Configure the Mend CLI for Container Images

Overview

Configuring the Mend CLI for a Container Image scan can be done via command line parameters.

Tip: For inline assistance, use the mend image -h or mend image --help commands.

Getting it done

Configure the Mend CLI Container Image scan via command line parameters

You can configure the Mend CLI Container Image scan at runtime by adding flags to the mend image command. The usage of the mend image command is as follows:

CODE
mend image <image_name[:image_tag]> [flags]

Getting Started Examples

CODE
# Getting started quickly
mend image <image:tag>

# Scanning tar format images
mend image --tar myimage.tar

# Adding Scope to the scanned image (To be reflected in Mend UI)
mend image <image:tag> --scope "*//Test-Application//MyProject"


# export results via the CLI
## json export
mend image <image:tag> --format json --filename ./image_results.json

## sbom (spdx-json) export
mend image <image:tag> --format spdx-json --filename ./image_results_sbom.json


# CLI Output filtering (terminal output only)
## filter by severity
mend image <image:tag> --filter critical,high

## filter out base layers
mend image <image:tag> --exclude-base-layers

Reference

Mend CLI Container Image parameters

Mend CLI Container Image - General scan parameters

Parameter

Description

Mend CLI Default Behavior

--basedir

Optional. Provide an alternative location for the local image download function of the Mend CLI scan.
The format is:

CODE
mend image <image_name[:image_tag]> --basedir /path/to/your/directory

Note:

  • This flag is to be set on a per-scan basis and is most appropriate for scanning larger images that may impact the space where the .mend folder resides.

  • This parameter affects the scan function only. The .mend folder still remains, together with all its subfolders, such as logging.

This flag is omitted by default. The Mend CLI scans your container images using the .mend folder.

--tar

Optional. Scan the specified container image TAR file with the Mend CLI.

Note: the TAR file must have a .tar suffix.

This flag is omitted by default. The Mend CLI scans container images via the imagename:tag format.

--local-pull

Pull Docker images from the local machine only, bypassing remote pulls.

The Mend CLI pulls Docker images from a remote registry, according to the URL, or from Docker Hub in case of public images.

Mend CLI Container Image - Policy parameters

Parameter

Description

Mend CLI Default Behavior

--fail-policy

Optional. Enable the Mend CLI policy check to fail the scan if a container image component is found that violates a policy defined within your Mend organization, returning an Exit Code 9.

The policy check is enabled and findings are provided in the Cloud Native UI.

To show policy violations in the CLI terminal output, make sure to add the "--show policy" flag to your scan command.

The Mend CLI scan does not fail, even if a policy violation occurs.
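The following script is an added example of how the policy parameters above combine into a CI gate; it is not part of the Mend documentation or the Mend CLI. It runs `mend image` with --non-interactive, --fail-policy, --show and a SARIF export, and turns the documented exit code 9 into a pipeline verdict. It assumes `mend` is on PATH (overridable through the MEND_BIN variable) and that `mend auth login` has already been run; the scope value and report path are placeholders.

```shell
#!/bin/sh
# Added example, not Mend's own code: a CI gate around `mend image`.
# Assumed: `mend` is on PATH (override with MEND_BIN) and the user is
# already authenticated with `mend auth login`.

: "${MEND_BIN:=mend}"   # command to invoke; a wrapper or stub can be substituted

# Run one image scan in a CI-friendly way and return the CLI's exit status.
# --non-interactive   : no colours or progress bars in the job log
# --fail-policy       : exit code 9 when a component violates an org policy
# --show              : also print policy findings to the terminal
# --format/--filename : keep a SARIF report as a build artifact
scan_image() {
  image=$1
  scope=$2
  report=$3
  "$MEND_BIN" image "$image" \
    --non-interactive \
    --fail-policy \
    --show vuln,secret,policy \
    --scope "$scope" \
    --format sarif --filename "$report"
}

# Map the exit status to a verdict. Returns 0 when the pipeline may continue
# and 1 when it should stop, so it can be used directly as a gate.
gate_verdict() {
  case "$1" in
    0) echo "PASS: scan completed, no policy violation reported"; return 0 ;;
    9) echo "FAIL: policy violation (Mend CLI exit code 9)"; return 1 ;;
    *) echo "ERROR: mend image exited with status $1; treated as failure"; return 1 ;;
  esac
}

# Scan, then gate. The `|| rc=$?` form keeps this usable under `set -e`.
scan_and_gate() {
  image=$1
  scope="${2:-*//My-App//My-Proj}"      # placeholder scope
  report="${3:-./image_results.sarif}"  # placeholder report path
  rc=0
  scan_image "$image" "$scope" "$report" || rc=$?
  gate_verdict "$rc"
}

# Usage from a pipeline step:
#   sh ci_image_gate.sh myregistry/myapp:1.2.3 "*//My-App//My-Proj"
if [ "$#" -gt 0 ]; then
  scan_and_gate "$@"
fi
```

Any exit status other than 0 or 9 is treated as a failure rather than a pass, so a pull error or an authentication problem cannot silently let an unscanned image through the gate.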

Mend CLI Container Image - Report parameters

Parameter

Description

Mend CLI Default Behavior

--filename

Optional. Generate a report locally of the Mend CLI Container Image scan results using the defined file name. The --filename and --format parameters are used together for the creation of this file.

Report generation is disabled.

--format

Optional. When used together with --filename, define the format of the locally generated report file.

When used alone, the output will be printed to the terminal.

The supported values are:

  • json

  • sarif

  • xml

SBOM export: (CycloneDX, SPDX)

  • cyclonedx-xml

  • cyclonedx-json

  • spdx-json

  • spdx-tv

  • spdx-yaml

  • spdx-csv

  • spdx-xml

Report generation is disabled.

Examples

CODE
# SARIF export to a file
mend image alpine --format sarif --filename ./alpine-sarif.sarif

# SPDX SBOM export, json format
mend image alpine --format spdx-json --filename ./alpine-spdx.json

Mend CLI Container Image - Terminal view parameters

Parameter

Description

Mend CLI Default Behavior

--exclude-base-layer

Optional. Filter out security findings from the base layers of the container image, allowing you to focus only on your application layers when reviewing your results in the CLI.

Note: This behavior only affects the Mend CLI terminal output. The full image scan results are still uploaded to the Cloud Native Application.

The CLI terminal output displays the full image scan results (base + application layers).

--filter

Optional. Filter vulnerability results by CVSS severity. The supported values are:

  • critical - CVSS 3 score of 9.0-10.0

  • high - CVSS 3 score of 7.0-8.9

  • medium - CVSS 3 score of 4.0-6.9

  • low - CVSS 3 score of 0.1-3.9

  • none - CVSS 3 score of 0.0

All vulnerability severity levels are shown in the scan results.

-h, --help

Optional. Display the available parameters for the mend image command.

N/A

--non-interactive

Optional. Mend CLI will run in non-interactive mode, suppressing the use of colors, progress bar, and any other graphic features in STDOUT.

Mend CLI output to STDOUT includes the use of colors and progress bars, which are irrelevant in non-interactive sessions and may cause issues in some environments.

--show

Optional. Define a comma-separated list of the types of security findings you want to display in your terminal output. The available values are:

  • vuln

  • secret

  • license

  • policy

vuln,secret

Mend CLI Container Image - Upload parameters

Parameter

Description

Mend CLI Default Behavior

--no-upload

Optional. Run the Mend CLI scan offline. This parameter disables the upload of the scan results to the Mend Application.

The Mend CLI will update your results within the Mend Application → Cloud Native UI.

-s, --scope

Optional. Set the scan scope for your image by specifying the hierarchy for the Mend Cloud Native UI.

The supported formats are:

  • Full hierarchy: -s ORG//APP//PROJ

  • Partial hierarchy: -s APP//PROJ

  • Single hierarchy: -s PROJ

Examples of --scope configuration:

  • Application-Project scope:

    CODE
    mend image my:image -s MyApp//MyProj
  • Org-Application-Project scope with spaces:

    CODE
    mend image my:image -s "My Org//My App//My Proj"

The * character can be used as a wildcard; it is completed from the authentication context of the signed-in user, for example:

CODE
mend image <Image:Tag> -s "*//My-App//My-Proj"

For Mend CLI scans that do not update the Mend Application, the --scope parameter is still used to direct the Mend CLI on the scope to use for the policy check.

Notes:

  • Only organization administrators can set scopes and view the Cloud Native UI.

  • Non-org admin users can still scan images with the Mend CLI, but won’t have their results sent to the Cloud Native UI if --scope is set.

  • As a result of running a Mend CLI scan with the --scope parameter, an empty project with the same name is also created in the Mend SCA UI. Deleting this project in the Mend SCA UI will delete the project within the Cloud Native UI.

  • If your Org/App/Proj names include spaces, make sure to enclose the --scope value in quotation marks ("My Project").

  • You are able to set the Org scope to any Mend organization that the current user signed in (via mend auth login) has access to.

  • If you set an application or project name in --scope that does not exist in the organization before the run, it will be created in the Mend Cloud Native UI after the Mend CLI completes the scan.

Within the Mend Cloud Native UI, scans are tiered under an organization → application → project hierarchy.

If --scope is not set, the scan results will be sent and categorized within the Mend Cloud Native UI as follows:

  • The organization currently logged into from the mend auth login command setup.

Tip: Use the Mend CLI mend auth info command to see what organization you are connected to.

  • An application will be created and named after the image’s <Registry-Name>/<RepoName>.

  • A project will be created and named after the image’s <RepoName>.

Mend CLI Container Image - Offline parameters

Container Reachability is not available in local scan mode.

Offline local scan

Parameter

Description

Mend CLI Default Behavior

--local

Optional. Save your scan results locally. By default the file is saved in the .mend folder.
A specific path can be defined using the --export-results flag.

Scan results will not be saved locally.

--export-results

Optional. Use together with the --local flag to save the scan results locally on the machine.

Usage Example:

CODE
# Save scan results locally (offline scan mode)
mend image alpine --local --export-results ./alpine-scan

Local scan output: the following messages should appear:

CODE
Scan completed in local mode. Results file saved to: <export-file-path>
SBOM file saved to: <export-file-path>

Upload Offline local scan results

Parameter

Description

Mend CLI Default Behavior

--update

Optional. Update the Mend application with your scan results. Use together with the --file flag to specify the local scan results file.

The Mend application will get updated with your scan results.

--file

Optional. Specify a path to the local scan results file.


Usage Example:

CODE
# Save scan results locally (offline scan mode)
mend image alpine --local --export-results ./alpine-scan

# Upload offline scan results
mend image --update --file ./alpine-scan --scope "*//alpine-base//alpine"

Once the results are uploaded, a scan summary with the scan statistics is printed to the terminal.

Default scope: Application = My Product, Project = <full-image-name>

To control the scope, use the --scope flag.

Mend CLI Container Image-supported distributions

The following distributions are supported by the Mend CLI for Container Image scans:

Distribution

Supported Versions

Mend-supported detection

AlmaLinux

  • Alma Linux 8

  • Alma Linux 9

  • Vulnerability detection

  • OS license detection

Alpine

  • Vulnerability detection

  • OS license detection

Amazon Linux

  • Vulnerability detection

  • OS license detection

Arch Linux

All versions of Arch Linux are supported, as the advisories do not depend on the distribution version.

  • Vulnerability detection

  • OS license detection

Azure Linux (CBL-Mariner)

  • 1.0

  • 2.0

  • 3.0

  • Vulnerability detection

  • OS license detection

CentOS

  • Vulnerability detection

  • OS license detection

Debian

  • Vulnerability detection

  • OS license detection

Distroless

All versions of Distroless are supported.

  • Vulnerability detection

Oracle Linux

  • Vulnerability detection

  • OS license detection

openSUSE

  • Vulnerability detection

  • OS license detection

PhotonOS

  • Vulnerability detection

  • OS license detection

Red Hat Enterprise Linux (RHEL)

  • Vulnerability detection

  • OS license detection

Rocky Linux

  • Vulnerability detection

  • OS license detection

SUSE Linux Enterprise Server (SLES)

  • Vulnerability detection

  • OS license detection

Ubuntu

All Canonical-maintained versions of Ubuntu are supported.

  • Vulnerability detection

  • OS license detection

Mend CLI Container Image-supported registries

Tip: Looking for our private container image registry integration? Visit our documentation: Integrate your private container image registries with Mend.

Notes:

  • Supported image frameworks: docker, OCI

  • If the image is not available locally, the Mend CLI checks Docker Hub by default and pulls the specified version (tag) of that image from the Docker registry.

  • If the full image URL is given, the scanner pulls the image from the specified source. For example:

    CODE
    mend image mcr.microsoft.com/mssql/server:2022-latest

    This pulls the image from the Microsoft Public Registry.

  • Required: if you are scanning an image from a private registry, connect to the registry with the docker login command before running the Mend CLI scan, and make sure the Docker daemon is running.

  • Local scans can be done with or without a Docker daemon running; if the daemon is up, it must expose its default socket.

Mend CLI Container Image-supported languages

The following runtime environments, frameworks, and languages are supported by the Mend CLI for Container Image scans:

  • JavaScript (Node.js)

  • C# (.NET framework)

  • Go

  • Java

  • PHP

  • Python

  • Ruby

Mend CLI Container Image exit codes

Note: For a comprehensive overview of Mend CLI Container Image exit codes, please refer to our Mend CLI Exit Codes article.
