Configure the Mend CLI for Container Images
Overview
Configuring the Mend CLI for a Container Image scan can be done via command line parameters.
Tip: For inline assistance, use the mend image -h
or mend image --help
commands.
Getting it done
Configure the Mend CLI Container Image scan via command line parameters
You can configure the Mend CLI Container Image scan at runtime by adding flags to the mend image
command. The usage of the mend image
command is as follows:
mend image <image_name[:image_tag]> [flags]
Getting Started Examples
# Getting started quickly
mend image <image:tag>
# Scanning tar format images
mend image --tar myimage.tar
# Adding Scope to the scanned image (To be reflected in Mend UI)
mend image <image:tag> --scope "*//Test-Application//MyProject"
# export results via the CLI
## json export
mend image <image:tag> --format json --filename ./image_results.json
## sbom (spdx-json) export
mend image <image:tag> --format spdx-json --filename ./image_results_sbom.json
# CLI Output filtering (terminal output only)
## filter by severity
mend image <image:tag> --filter critical,high
## filter out base layers
mend image <image:tag> --exclude-base-layers
Reference
Mend CLI Container Image parameters
Mend CLI Container Image- General scan parameters
Parameter | Description | Mend CLI Default Behavior |
---|---|---|
| Optional. Provide an alternative location for the local image download function of the Mend CLI scan.
CODE
Note:
| This flag is committed by default. The Mend CLI scans your container images using the .mend folder. |
| Optional. Scan the specified container image TAR file with the Mend CLI. Note: the tar file should include a .tar suffix | This flag is omitted by default. The Mend CLI scans container images via the |
| Pull Docker images from the local machine only, bypassing remote pulls. | The Mend CLI pulls Docker images from a remote registry, according to the URL, or from Docker Hub in case of public images. |
Mend CLI Container Image - Policy parameters
Parameter | Description | Mend CLI Default Behavior |
---|---|---|
| Optional. Enable the Mend CLI policy check to fail the scan if a container image component is found that violates a policy defined within your Mend organization, returning an | The policy check is enabled and findings are provided in the Cloud Native UI. To show policy violations in the CLI terminal output, make sure to add the “ The Mend CLI scan does not fail, even if a policy violation occurs. |
Mend CLI Container Image - Report parameters
Parameter | Description | Mend CLI Default Behavior |
---|---|---|
| Optional. Generate a report locally of the Mend CLI Container Image scan results using the defined file name. The | Report generation is disabled. |
| Optional. When used together with When used alone, the output will be printed to the terminal. The supported values are:
SBOM export: (CycloneDX, SPDX)
| Report generation is disabled. |
Examples
# SARIF export to a file
mend image alpine --format sarif --filename ./alpine-sarif.sarif
# SPDX SBOM export, json format
mend image alpine --format spdx-json --filename ./alpine-spdx.json
Mend CLI Container Image - Terminal view parameters
Parameter | Description | Mend CLI Default Behavior |
---|---|---|
| Optional. Filter out security findings from the base layers of the container image, allowing you to focus only on your application layers when reviewing your results in the CLI. Note: This behavior only affects the Mend CLI terminal output. The full image scan results are still uploaded to the Cloud Native Application. | The CLI terminal output displays the full image scan results (base + application layers). |
| Optional. Filter vulnerability results by the CVSS score severity value. The supported values are:
| All vulnerability severity levels are shown in the scan results. |
| Optional. Display the available parameters for the | N/A |
| Optional. Mend CLI will run in non-interactive mode, suppressing the use of colors, progress bar, and any other graphic features in STDOUT. | Mend CLI output to STDOUT includes the use of colors and progress bars, which are irrelevant in non-interactive sessions and may cause issues in some environments. |
| Optional. Define a comma-separated list of the types of security findings you want to display in your terminal output. The available values are:
|
|
Mend CLI Container Image - Upload parameters
Parameter | Description | Mend CLI Default Behavior |
---|---|---|
| Optional. Run the Mend CLI scan offline. This parameter disables the upload of the scan results to the Mend Application. | The Mend CLI will update your results within the Mend Application → Cloud Native UI. |
| Optional. Set the scan scope for your image by specifying the hierarchy for the Mend Cloud Native UI. The supported formats are:
Examples of
CODE
For Mend CLI scans that do not update the Mend Application, the Notes:
| Within the Mend Cloud Native UI, scans are tiered under an organization → application → project hierarchy. If
Tip: Use the Mend CLI
|
Mend CLI Container Image - Offline parameters
Container Reachability is not available in local scan mode.
Offline local scan
Parameter | Description | Mend CLI Default Behavior |
---|---|---|
| Optional. Save your scan results locally. The default file is saved in the .mend folder. | Scan results will not be saved locally. |
| Optional. To be used with the |
Usage Example:
# Save scan results locally (offline scan mode)
mend image alpine --local --export-results ./alpine-scan
Local Scan output: the following message should appear Scan completed in local mode. Results file saved to: <export-file-path>
SBOM file saved to: <export-file-path>
Upload Offline local scan results
Parameter | Description | Mend CLI Default Behavior |
---|---|---|
| Optional. Update the Mend application with your scan results. Should be followed by the --file flag to specify the specific local scan results. | The Mend application will get updated with your scan results. |
| Optional. Specify a path to the local scan results file. |
|
Usage Example:
# Save scan results locally (offline scan mode)
mend image alpine --local --export-results ./alpine-scan
# Upload offline scan results
mend image --update --file ./alpine-scan --scope "*//alpine-base//alpine"
Once the results are uploaded, you’ll get a scan summary print to the terminal with the scan statistics.
Default scope: Application = My Product
, Project= <full-image-name>
To control the scope, use the --scope
flag
Mend CLI Container Image-supported distributions
The following distributions are supported by the Mend CLI for Container Image scans:
Distribution | Supported Versions | Mend-supported detection |
---|---|---|
AlmaLinux |
| |
Alpine |
| |
Amazon Linux |
| |
Arch Linux | All versions of Arch Linux are supported, as the advisories do not depend on the distribution version. |
|
Azure Linux (CBL-Mariner) |
|
|
CentOS |
| |
Debian |
| |
Distroless | All versions of Distroless are supported. | Vulnerability detection |
Oracle Linux |
| |
openSUSE |
| |
PhotonOS |
| |
Red Hat Enterprise Linux (RHEL) |
| |
Rocky Linux |
| |
SUSE Linux Enterprise Server (SLES) |
| |
Ubuntu | All Canonical-maintained versions of Ubuntu are supported. |
|
Mend CLI Container Image-supported registries
Tip: Looking for our private container image registry integration? Visit our documentation: Integrate your private container image registries with Mend.
Notes:
Supported image frameworks: docker, OCI
If the image name is not locally available, Mend CLI checks DockerHub by default and pulls the version (tag) of that image from the Docker registry.
In case the full image URL is presented, the scanner will pull the image from the specified source. For example:
CODEmend image mcr.microsoft.com/mssql/server:2022-latest
Will pull the image from the Microsoft Public Registry.
Required: If you are scanning an image from a private registry, you will need to connect to the registry beforehand with the
docker login
command before the Mend CLI scan and haveLocal scans can be done with or without a Docker Daemon running, if the daemon is up, it should be with the default socket open.
Mend CLI Container Image-supported languages
The following runtime environments, frameworks, and languages are supported by the Mend CLI for Container Image scans:
JavaScript (Node.js)
C# (.NET framework)
Go
Java
PHP
Python
Ruby
Mend CLI Container Image exit codes
Note: For a comprehensive overview of Mend CLI Container Image exit codes, please refer to our Mend CLI Exit Codes article.