CLI Tool Commands and Parameters - Docker Images
CLI Tool Commands and Parameters Overview for Docker Images
With release version 23.4.11, InsightCloudSec has introduced a new `mimics` sub-command: `scan-image`. This sub-command creates vulnerability reports on Docker images and is intended for use by developers or in CLI pipelines. After you have set up the command line interface (CLI) Infrastructure as Code (IaC) scanning tool via Docker or local executable, you're ready to start using it with your Docker images.
Prerequisites
Before scanning Docker images with the scanning tool, ensure you have the following:
- A proper setup for the CLI Scanning tool
Rename Executable
When you download the `mimics` executable initially, the file name will be suffixed with the version and architecture. We recommend renaming the executable to `mimics` (for Mac/Linux) or `mimics.exe` (for Windows) for ease of use. The examples in our docs use a simplified executable name.
If you have questions or issues, reach out to us using the Customer Support Portal.
Command List & Parameters
The command list and parameters are the same regardless of whether you're using `mimics` via local executable or Docker.
Global Flags and Parameters
Global Flags
Name | Type | Description |
---|---|---|
--api-key | string | InsightCloudSec API key |
--base-url | string | InsightCloudSec base URL including protocol (e.g., http://localhost/ ) |
--ca-certificate | string | Sets the trusted authorities for SSL verification using a CA bundle file (.pem) (supersedes --no-verify ) |
--config-file | string | Config file location (default = .mimics.yaml or $HOME/.mimics.yaml ) |
--log-format | string | Sets the log format: "text" or "json" (default = "text" ) |
--log-level | string | Sets log level: trace , debug , info , warn , error , fatal (default = info ) |
--log-path | string | Sets the log file path (default = log/mimics.log ) |
--no-color | N/A | Disables color output |
--no-verify | N/A | Disables SSL verification for all API calls to InsightCloudSec (superseded by --ca-certificate ) |
--request-timeout | int | Duration in seconds before the HTTP client should cancel individual HTTP requests (0 = never; default = 3 ) |
Commands
Name | Description | Sub-Commands |
---|---|---|
scan-image | Scans a container image | N/A |
Flags and Parameters for scan-image
Scan Flags
Name | Type | Description |
---|---|---|
--file-patterns | strings | Specify config file patterns |
--offline-scan | N/A | Do not issue API requests to identify dependencies |
--rekor-url | string | [EXPERIMENTAL] Address of Rekor STL server (default = https://rekor.sigstore.dev ) |
--sbom-sources | strings | [EXPERIMENTAL] Attempts to retrieve SBOM from the specified sources (default = "rekor" ) |
--scanners | strings | Comma-separated list of what security issues to detect: vuln , config , secret , license (default = vuln,secret ) |
--skip-dirs | strings | Specify the directories where the traversal is skipped |
--skip-files | strings | Specify the file paths to skip traversal |
--slow | N/A | Scan over time with lower CPU and memory utilization |
Report Flags
Name | Type | Description |
---|---|---|
--compliance | string | Compliance report to generate (default = docker-cis ) |
--dependency-tree | N/A | [EXPERIMENTAL] Show dependency origin tree of vulnerable packages |
--exit-code | int | Specify exit code when any security issues are found |
-f , --format | string | Format: table , json , template , sarif , cyclonedx , spdx , spdx-json , github , cosign-vuln (default = table ) |
--ignore-policy | string | Specify the Rego file path to evaluate each vulnerability |
--ignorefile | string | Specify .trivyignore file (default = .trivyignore ) |
--list-all-pkgs | N/A | Output all packages regardless of vulnerability |
-o , --output | string | Output file name |
--report | string | Specify a format for the compliance report (default = summary ) |
-s , --severity | string | Severities of security issues to be displayed (comma separated) (default = UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL ) |
-t , --template | string | Output template |
Cache Flags
Name | Type | Description |
---|---|---|
--cache-backend | string | Cache backend, for example redis://localhost:6379 (default = fs ) |
--cache-ttl | duration | Cache TTL when using Redis as cache backend |
--clear-cache | N/A | Clear image caches without scanning |
--redis-ca | string | Redis CA file location if using Redis as a cache backend |
--redis-cert | string | Redis certificate file location if using Redis as cache backend |
--redis-key | string | Redis key file location if using Redis as cache backend |
DB Flags
Name | Type | Description |
---|---|---|
--download-db-only | N/A | Download/update vulnerability database but don't run a scan |
--download-java-db-only | N/A | Download/update Java index database but don't run a scan |
--no-progress | N/A | Suppress progress bar |
--reset | N/A | Remove all caches and database |
--skip-db-update | N/A | Skip updating vulnerability database |
--skip-java-db-update | N/A | Skip updating Java index database |
Image Flags
Name | Type | Description |
---|---|---|
--image-config-scanners | string | Comma-separated list of what security issues to detect on container image configurations (default = config,secret ) |
--input | string | Input file path instead of image name |
--platform | string | Set platform in the form OS/Architecture if image is multi-platform capable |
--removed-pkgs | N/A | Detect vulnerabilities of removed packages (only for Alpine) |
Vulnerability Flags
Name | Type | Description |
---|---|---|
--ignore-unfixed | N/A | Display only fixed vulnerabilities |
--vuln-type | string | Comma-separated list of vulnerability types: os , library (default = os,library ) |
Secret Flags
Name | Type | Description |
---|---|---|
--secret-config | string | Specify a path to config file for secret scanning (default = trivy-secret.yaml ) |
License Flags
Name | Type | Description |
---|---|---|
--ignored-licenses | strings | Specify a list of licenses to ignore |
--license-full | N/A | Look for licenses in source code headers and license files |
Rego Flags
Name | Type | Description |
---|---|---|
--config-data | strings | Specify paths from which data for the Rego policies will be recursively loaded |
--config-policy | strings | Specify paths to the Rego policy files directory, applying config files |
--policy-namespaces | strings | Rego namespaces |
--skip-policy-update | N/A | Skip fetching Rego policy updates |
--trace | N/A | Enable more verbose trace output for custom queries |
Client/Server Flags
Name | Type | Description |
---|---|---|
--custom-headers | strings | Custom headers in client mode |
--server | string | Server address in client mode |
--token | string | For authentication in client/server mode |
--token-header | string | Specify a header name for token in client/server mode (default = Trivy-Token ) |
Config Flags
Name | Type | Description |
---|---|---|
--scan-image-config-file | string | Config file location for scan-image functions (default = scan-image.yaml ) |
Config File
The `scan-image` command uses a separate `.yaml` configuration file (`scan-image.yaml` by default). As an example, if you wanted to output the report to a JSON file named `report.json` with only `HIGH` vulnerabilities and above, the configuration file would look like this:

```yaml
format: json
output: report.json
severity:
  - HIGH
  - CRITICAL
```
Using mimics to scan Docker images
Use of the scanning tool depends on how you set it up. Below are examples using the scanning tool with each setup method.
Local Executable
To use the local executable, follow the pattern `./mimics [command] [flags]` for Mac/Linux or `mimics.exe [command] [flags]` for Windows.
Scan Example

```shell
# Scan a container image
$ mimics scan-image python:3.4-alpine

# Scan a container image from a tar archive
$ mimics scan-image --input ruby-3.1.tar

# Filter by severities
$ mimics scan-image --severity HIGH,CRITICAL alpine:3.15

# Ignore unfixed/unpatched vulnerabilities
$ mimics scan-image --ignore-unfixed alpine:3.15

# Scan a container image in client mode
$ mimics scan-image --server http://127.0.0.1:4954 alpine:latest

# Generate json result
$ mimics scan-image --format json --output result.json alpine:3.15

# Generate a report in the CycloneDX format
$ mimics scan-image --format cyclonedx --output result.cdx alpine:3.15
```
Docker
Because the scanning tool is invoked using a public Docker image, the base command is more complicated than invoking the local executable:
docker run [docker flags] public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest [mimics command] [mimics flags]
Scan Example

```shell
docker run \
  -v $(pwd):/data \
  -e MIMICS_BASE_URL=$ICS_BASE_URL \
  -e MIMICS_API_KEY=$ICS_API_KEY \
  public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest scan-image python:3.4-alpine
```
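The page describes `scan-image` as intended for CLI pipelines, and the `--severity`, `--ignore-unfixed`, `--exit-code` and `--output` flags above are the pieces a pipeline gate is built from. The following wrapper is an added example, not code from the InsightCloudSec documentation or the mimics project: it assumes `MIMICS` points at the local executable (default `./mimics`), fails the build only on fixable HIGH/CRITICAL findings, and keeps a JSON report as a pipeline artifact. The same flags apply unchanged to the Docker invocation shown above.

```shell
#!/bin/sh
# Added example (not from the InsightCloudSec docs): a CI gate around `mimics scan-image`.
# Assumption: MIMICS names the mimics executable (default ./mimics in the working directory).
MIMICS="${MIMICS:-./mimics}"

# scan_gate IMAGE [REPORT]
# Scans IMAGE and writes a JSON report (default report.json). Returns the exit code of
# mimics: with --exit-code 1, that is 1 when at least one HIGH or CRITICAL vulnerability
# that has a fix available is found, and 0 otherwise. --ignore-unfixed keeps findings the
# image maintainer cannot act on yet from blocking the pipeline; --no-progress keeps
# the progress bar out of CI logs.
scan_gate() {
  image="$1"
  report="${2:-report.json}"
  "$MIMICS" scan-image \
    --severity HIGH,CRITICAL \
    --ignore-unfixed \
    --exit-code 1 \
    --format json \
    --output "$report" \
    --no-progress \
    "$image"
}

# gate_message STATUS IMAGE: turn the exit status into a one-line verdict for the CI log.
gate_message() {
  if [ "$1" -eq 0 ]; then
    printf 'PASS: %s has no fixable HIGH/CRITICAL vulnerabilities\n' "$2"
  else
    printf 'FAIL: %s has fixable HIGH/CRITICAL vulnerabilities (see report)\n' "$2"
  fi
}

# Run as a script: ./scan_gate.sh IMAGE [REPORT]
if [ "$#" -gt 0 ]; then
  scan_gate "$1" "${2:-report.json}"
  status=$?
  gate_message "$status" "$1"
  exit "$status"
fi
```

The gate deliberately leaves MEDIUM and LOW findings and unfixed vulnerabilities in the report (they are still written to the JSON file) while only the fixable HIGH/CRITICAL set fails the job, so the pipeline stays green on issues nobody can remediate yet without hiding them.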