Skip to main content
Skip table of contents

Scan your container images with the Mend CLI

Overview

The Mend CLI Container Image scans container images to help you evaluate their overall security risk to your organization. You can quickly identify vulnerable packages in an image down to the layer, gauge the impact of specific vulnerabilities, and see whether they have been resolved in newer versions.

Note: In order to update the results of a previously scanned image within the Mend Platform Application, it must be rescanned with the Mend CLI. For example, if new CVEs are identified after the image’s original scan date, a new Mend CLI scan must be completed on the image in order to show the new findings in the Cloud Platform Application.

Use cases for scanning your container images with the Mend CLI

Let’s look at the following real-life examples that industry personas commonly run into:

  • As an AppSec Manager, you are in charge of the decision-making for selecting a tool that can detect vulnerable packages in your teams' container images and provide fixed version options. You also need the ability to identify vulnerable secrets. Finally, you want to monitor the security posture of your organization’s container images in the form of dashboards and exported reports.

  • As a DevOps Engineer, you are tasked with implementing a security tool into your teams' CI/CD solutions that can provide insights on vulnerable secrets and packages in your teams' container images directly within the pipeline console.

Mend’s Answer: Utilizing the Mend CLI Container Image scan, you can effortlessly assess your container images for security vulnerabilities and at-risk secrets. The results are conveniently presented in a well-organized table format within the Mend CLI or via dashboards in the Mend Application, and can also be exported into reports in various supported file formats.

Getting it done

Prerequisites before getting started with the Mend CLI Container Image scan

The following prerequisites are required before running a Mend CLI Container Image scan:

  • Download the Mend CLI.

  • Authenticate your login for the Mend CLI.

  • Provide the Mend CLI with access to read your application’s source code on a file system.

  • Make sure the user running the scan has the necessary permissions to execute image scans. In the context of a product, for example, the user will need to have either the Product Administrators or the Product Integrators role in the Mend Platform Application. More information about product roles is available here.

Configure your Mend CLI Container Image scan

The Mend CLI Container Image scan is configurable via command line parameters. To learn more about our Container Image-supported languages and configurations, visit our Configure the Mend CLI for Container Images article.

Run your Mend CLI Container Image scan

To trigger the Mend CLI Container Image scan, execute the following command:

CODE
mend image

The usage of the mend image command is as follows:

CODE
mend image <image_name[:image_tag]> [flags]

View the steps of your Mend CLI Container Image scan

The Mend CLI has five default steps you will see it complete before it displays its findings from the Container Image scan:

Step Name

Description

Initializing

The scan is starting on your container image.

Pulling

The Mend CLI checks to see if the image is available locally. If it is not, the Mend CLI communicates to Docker to execute docker pull to grab the image.

Extracting

The scan extracts each layer of the image locally.

Scanning

Each layer of the image is scanned for vulnerable packages and at-risk secrets.

Retrieving

If any vulnerabilities are found, the Mend CLI reaches out to the Mend Application for the information on these vulnerabilities to prepare them for the scan summary.

View your Mend CLI Container Image scan results

Visit our View the results of your Mend CLI Container Image scan article for more details on how to navigate the Container Image findings provided by the Mend CLI.

Reference

Mend CLI Container Image features

In this article, we cover the instructions on how to kick off a base Mend CLI Container Image scan. We also offer examples of the Mend CLI Container Image feature(s) below:

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.