
Local Filesystem Scan Mode in Mend Container

Overview

The Local Filesystem Scan Mode for images in the Mend CLI enables users to scan raw local filesystems, such as virtual machines (VMs), without requiring containerized images. This feature extends Mend.io’s security detection capabilities, providing enhanced flexibility for users managing VM security.

Key Capabilities

  • Scan entire local filesystems with full OS & language coverage.

  • Results are presented identically to container image scans.

  • Export scan results via CLI in SBOM & other formats.

  • Integrated into the Mend AppSec Platform under the Container section.

CLI computing requirements on the host machine: 16GB RAM, 4 cores.

Getting it done

To trigger a local filesystem scan, run the following Mend CLI command inside the VM or on the local filesystem:

mend image --filesystem /path/to/origin --scope "ORG//APP//PROJ"

This will scan the entire filesystem, detecting OS packages and dependencies.

Prerequisites & Best Practices

  1. --filesystem: Result accuracy is optimal when the HOME directory is set as the path.

  2. --scope: A Project definition is a minimum requirement for the scan to execute.

OS detection is mandatory, and requires running the scan from the VM’s Home Directory.
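
A preflight wrapper for the command and prerequisites above, as an added example that is not part of Mend's documentation or tooling: it checks the page's host requirements (16GB RAM, 4 cores), the scan path and the --scope string before invoking mend image. The function names, the 15 GiB memory threshold, the Linux /proc/meminfo source and the one-to-three-segment scope rule are assumptions.

```shell
#!/bin/sh
# Added example: preflight checks before running `mend image --filesystem`.
# Function names are hypothetical; thresholds are the page's 16GB RAM / 4 cores.
MIN_CORES=4
# Assumption: a "16GB" VM reports a little under 16 GiB in MemTotal,
# so accept 15 GiB (expressed in kB) and above.
MIN_MEM_KB=$((15 * 1024 * 1024))

# host_ok MEM_KB CORES: succeeds when the host meets the CLI requirements.
host_ok() {
    [ "$1" -ge "$MIN_MEM_KB" ] && [ "$2" -ge "$MIN_CORES" ]
}

# scope_ok SCOPE: succeeds for one to three non-empty segments joined by "//".
# Assumption: the last segment is the project, which the page makes mandatory.
scope_ok() {
    case "$1" in
        ''|//*|*//|*////*) return 1 ;;   # empty scope or empty segment
    esac
    n=$(printf '%s\n' "$1" | awk -F'//' '{ print NF }')
    [ "$n" -le 3 ]
}

# preflight ROOT SCOPE: validate inputs and host, then start the scan.
preflight() {
    root=$1 scope=$2
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    scope_ok "$scope" || { echo "invalid --scope: $scope" >&2; return 1; }
    mem_kb=$(awk '/^MemTotal:/ { print $2 }' /proc/meminfo)   # Linux only
    cores=$(getconf _NPROCESSORS_ONLN)
    host_ok "$mem_kb" "$cores" ||
        { echo "host below 16GB RAM / 4 cores" >&2; return 1; }
    # The page ties OS detection and accuracy to the home directory: warn only.
    if [ "$root" != "$HOME" ] || [ "$PWD" != "$HOME" ]; then
        echo "warning: scan path or working directory is not \$HOME" >&2
    fi
    mend image --filesystem "$root" --scope "$scope"
}

# Run only when called as: preflight.sh /path/to/origin "ORG//APP//PROJ"
if [ "$#" -eq 2 ]; then
    preflight "$@"
fi
```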

Supported Modes

  1. Supported CLI modes include:

    1. local

    2. no-upload

  2. Non-supported modes include:

    1. exclude-base-layers

    2. skip-security-checks (skipped anyway in this mode)

Results

Results are displayed similarly to container image scans, including:

  1. SBOM generation

  2. Export formats

  3. Security posture insights

Scans in filesystem mode will be denoted in the Mend AppSec Platform user interface as shown below:

[Screenshot: a filesystem-mode scan in the Mend AppSec Platform user interface]

System Constraints

  • Secret scanning is disabled by default (to prevent long scan times on large filesystems).

  • No support for proprietary packages.

  • Exclusion rules (e.g., path exclusions, file patterns) are not currently supported.

  • Layer data is not applicable in this mode. The layer number will be set to the default of 1 in the Mend AppSec Platform and the layer view will be disabled.
