CLI Tool Commands and Parameters - Docker Images

CLI Tool Commands and Parameters Overview for Docker Images

With release version 23.4.11, InsightCloudSec has introduced a new mimics sub-command: scan-image. This sub-command creates vulnerability reports on Docker images and is intended for use by developers or in CLI pipelines. After you have set up the command line interface (CLI) Infrastructure as Code (IaC) scanning tool via Docker or local executable, you're ready to start using it with your Docker images.


Before scanning Docker images with the scanning tool, ensure you have the following:


Rename Executable

When you download the mimics executable initially, the file name will be suffixed with the version and architecture. We recommend renaming the executable to mimics (for Mac/Linux) or mimics.exe (for Windows) for ease of use. The examples in our docs use a simplified executable name.

If you have questions or issues, reach out to us using the Customer Support Portal.

Command List & Parameters

The command list and parameters are the same regardless of whether you're using mimics via local executable or Docker.

Global Flags and Parameters

Global Flags

Flag                  Type     Description
--api-key             string   insightCloudSec API key
--base-url            string   insightCloudSec base url including protocol (e.g., http://localhost/)
--ca-certificate      string   Sets the trusted authorities for SSL verification using a CA bundle file (.pem) (supersedes --no-verify)
--config-file         string   Config file location (default = .mimics.yaml or $HOME/.mimics.yaml)
--log-format          string   Sets the log format: "text" or "json" (default = "text")
--log-level           string   Sets log level: trace, debug, info, warn, error, fatal (default = info)
--log-path            string   Sets the log file path (default = log/mimics.log)
--no-color                     Disables color output
--no-verify                    Disables SSL verification for all API calls to insightCloudSec (superseded by --ca-certificate)
--request-timeout     int      Duration in seconds before the HTTP client should cancel individual HTTP requests (0 = never; default = 3)


Command      Description               Parameters
scan-image   Scans a container image   N/A

  1. Flags and Parameters for scan-image

    1. Scan Flags

      Flag                    Type       Description
      --file-patterns         strings    Specify config file patterns
      --offline-scan          N/A        Do not issue API requests to identify dependencies
      --rekor-url             string     [EXPERIMENTAL] Address of Rekor STL server (default = <>)
      --sbom-sources          strings    [EXPERIMENTAL] Attempts to retrieve SBOM from the specified sources (default = "rekor")
      --scanners              strings    Comma-separated list of what security issues to detect (vuln, config, secret, license) (default = vuln,secret)
      --skip-dirs             strings    Specify the directories where the traversal is skipped
      --skip-files            strings    Specify the file paths to skip traversal
      --slow                  N/A        Scan over time with lower CPU and memory utilization

    2. Report Flags

      Flag                    Type       Description
      --compliance            string     Compliance report to generate (default = docker-cis)
      --dependency-tree                  [EXPERIMENTAL] Show dependency origin tree of vulnerable packages
      --exit-code             int        Specify exit code when any security issues are found
      -f, --format            string     Format (table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln) (default = table)
      --ignore-policy         string     Specify the Rego file path to evaluate each vulnerability
      --ignorefile            string     Specify .trivyignore file (default = .trivyignore)
      --list-all-pkgs                    Output all packages regardless of vulnerability
      -o, --output            string     Output file name
      --report                string     Specify a format for the compliance report (default = summary)
      -s, --severity          string     Severities of security issues to be displayed (comma separated) (default = UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL)
      -t, --template          string     Output template

    3. Cache Flags

      Flag                    Type       Description
      --cache-backend         string     Cache backend, for example redis://localhost:6379 (default = fs)
      --cache-ttl             duration   Cache TTL when using Redis as cache backend
      --clear-cache                      Clear image caches without scanning
      --redis-ca              string     Redis CA file location if using Redis as a cache backend
      --redis-cert            string     Redis certificate file location if using Redis as cache backend
      --redis-key             string     Redis key file location if using Redis as cache backend

    4. DB Flags

      Flag                    Type       Description
      --download-db-only                 Download/update vulnerability database but don't run a scan
      --download-java-db-only            Download/update Java index database but don't run a scan
      --no-progress                      Suppress progress bar
      --reset                            Remove all caches and database
      --skip-db-update                   Skip updating vulnerability database
      --skip-java-db-update              Skip updating Java index database

    5. Image Flags

      Flag                    Type       Description
      --image-config-scanners string     Comma-separated list of what security issues to detect on container image configurations (default = config,secret)
      --input                 string     Input file path instead of image name
      --platform              string     Set platform in the form OS/Architecture if image is multi-platform capable
      --removed-pkgs                     Detect vulnerabilities of removed packages (only for Alpine)

    6. Vulnerability Flags

      Flag                    Type       Description
      --ignore-unfixed                   Display only fixed vulnerabilities
      --vuln-type             string     Comma-separated list of vulnerability types (os, library) (default = os,library)

    7. Secret Flags

      Flag                    Type       Description
      --secret-config         string     Specify a path to config file for secret scanning (default = trivy-secret.yaml)

    8. License Flags

      Flag                    Type       Description
      --ignored-licenses      strings    Specify a list of licenses to ignore
      --license-full                     Look for licenses in source code headers and license files

    9. Rego Flags

      Flag                    Type       Description
      --config-data           strings    Specify paths from which data for the Rego policies will be recursively loaded
      --config-policy         strings    Specify paths to the Rego policy files directory, applying config files
      --policy-namespaces     strings    Rego namespaces
      --skip-policy-update               Skip fetching Rego policy updates
      --trace                            Enable more verbose trace output for custom queries

    10. Client/Server Flags

      Flag                    Type       Description
      --custom-headers        strings    Custom headers in client mode
      --server                string     Server address in client mode
      --token                 string     For authentication in client/server mode
      --token-header          string     Specify a header name for token in client/server mode (default = Trivy-Token)

    11. Config Flags

      Flag                    Type       Description
      --scan-image-config-file string    Config file location for scan-image functions (default = scan-image.yaml)


      Config File

      The scan-image command uses a separate .yaml configuration file (scan-image.yaml by default). Its keys mirror the flag names. As an example, if you wanted to output the report to a JSON file named report.json with only HIGH vulnerabilities and above, the configuration file would look like this:

      format: json
      output: report.json
      severity:
        - HIGH
        - CRITICAL

Using mimics to scan docker images

Use of the scanning tool depends on how you set it up. Below are examples using the scanning tool with each setup method.

Local Executable

To use the local executable, follow the pattern ./mimics [command] [flags] for Mac/Linux or mimics.exe [command] [flags] for Windows.

  1. Scan Example

     # Scan a container image
     $ mimics scan-image python:3.4-alpine
     # Scan a container image from a tar archive
     $ mimics scan-image --input ruby-3.1.tar
     # Filter by severities
     $ mimics scan-image --severity HIGH,CRITICAL alpine:3.15
     # Ignore unfixed/unpatched vulnerabilities
     $ mimics scan-image --ignore-unfixed alpine:3.15
     # Scan a container image in client mode
     $ mimics scan-image --server alpine:latest
     # Generate JSON result
     $ mimics scan-image --format json --output result.json alpine:3.15
     # Generate a report in the CycloneDX format
     $ mimics scan-image --format cyclonedx --output result.cdx alpine:3.15
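As an added example (not from the InsightCloudSec docs), the following POSIX shell gate combines the --severity, --ignore-unfixed, --exit-code, --format and --output flags documented above so a pipeline fails on fixable HIGH/CRITICAL findings while keeping the JSON report and keeping scanner failures distinguishable from findings. It assumes mimics is the renamed executable on PATH and that a tool or API error exits with a status other than the one passed to --exit-code.

```shell
# Added example (not from the InsightCloudSec docs): a CI gate around
# `mimics scan-image`, using only flags documented on this page.
# Assumptions: `mimics` is the renamed executable on PATH, and a tool/API
# failure exits with a status other than the one passed to --exit-code.
set -u

# Status we ask mimics to return when findings exist. Picking a value other
# than 1 lets the caller tell "findings" apart from a generic tool failure.
FINDINGS_EXIT=3

# scan_gate IMAGE REPORT_FILE
#   Scans IMAGE for fixable HIGH/CRITICAL vulnerabilities, writes a JSON
#   report to REPORT_FILE (kept as a pipeline artifact either way), returns:
#     0 = clean, 1 = findings (fail the build), 2 = scanner error (never
#     treat as clean; surface it instead).
scan_gate() {
  image=$1
  report=$2
  mimics scan-image \
    --severity HIGH,CRITICAL \
    --ignore-unfixed \
    --exit-code "$FINDINGS_EXIT" \
    --format json \
    --output "$report" \
    "$image"
  status=$?
  if [ "$status" -eq 0 ]; then
    return 0
  elif [ "$status" -eq "$FINDINGS_EXIT" ]; then
    return 1
  else
    echo "scan_gate: mimics failed with status $status for $image" >&2
    return 2
  fi
}

# Example pipeline step:
#   scan_gate python:3.4-alpine report.json || exit $?
```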


Docker

Because the scanning tool is invoked using a public Docker image, the base command is more complicated than invoking the local executable:

docker run [docker flags] [mimics command] [mimics flags]

  1. Scan Example

     # <mimics-image> is a placeholder for the mimics Docker image name, which is not given on this page
     docker run \
       -v $(pwd):/data \
       -e MIMICS_API_KEY=$ICS_API_KEY \
       <mimics-image> scan-image python:3.4-alpine