Insightcloudsec- Docker Images Commands and Parameters

CLI Tool Commands and Parameters - Docker Images

The mimics sub-command scan-image creates vulnerability reports on Docker images, intended for developers or for use in CLI pipelines. After you have set up the command line interface (CLI) Infrastructure as Code (IaC) scanning tool via Docker or as a local executable, you're ready to start using it with your Docker images.

Prerequisites

Before scanning Docker images with the scanning tool, ensure you have properly set up the CLI scanning tool.

Rename Executable

When you download the mimics executable initially, the file name will be suffixed with the version and architecture. We recommend renaming the executable to mimics (for Mac/Linux) or mimics.exe (for Windows) for ease of use. The examples in our docs use a simplified executable name.

If you have questions or issues, reach out to us using the Customer Support Portal.

Command List & Parameters

The command list and parameters are the same regardless of whether you're using mimics via the local executable or Docker.

Global Flags and Parameters

Global Flags

| Name | Type | Description |
|---|---|---|
| --api-key | string | insightCloudSec API key |
| --base-url | string | insightCloudSec base URL including protocol (e.g., http://localhost/) |
| --ca-certificate | string | Sets the trusted authorities for SSL verification using a CA bundle file (.pem) (supersedes --no-verify) |
| --config-file | string | Config file location (default = .mimics.yaml or $HOME/.mimics.yaml) |
| --log-format | string | Sets the log format: "text" or "json" (default = "text") |
| --log-level | string | Sets log level: trace, debug, info, warn, error, fatal (default = info) |
| --log-path | string | Sets the log file path (default = log/mimics.log) |
| --no-color | | Disables color output |
| --no-verify | | Disables SSL verification for all API calls to insightCloudSec (superseded by --ca-certificate) |
| --request-timeout | int | Duration in seconds before the HTTP client should cancel individual HTTP requests (0 = never; default = 3) |

Commands

| Name | Description | Sub-Commands |
|---|---|---|
| scan-image | Scans a container image | N/A |

Flags and Parameters for scan-image

i. Scan Flags

| Name | Type | Description |
|---|---|---|
| --file-patterns | strings | Specify config file patterns |
| --offline-scan | N/A | Do not issue API requests to identify dependencies |
| --rekor-url | string | [EXPERIMENTAL] Address of Rekor STL server (default = https://rekor.sigstore.dev) |
| --sbom-sources | strings | [EXPERIMENTAL] Attempts to retrieve SBOM from the specified sources (default = "rekor") |
| --scanners | strings | Comma-separated list of which security issues to detect: vuln, config, secret, license (default = vuln,secret) |
| --skip-dirs | strings | Specify the directories where traversal is skipped |
| --skip-files | strings | Specify the file paths to skip during traversal |
| --slow | N/A | Scan over time with lower CPU and memory utilization |

ii. Report Flags

| Name | Type | Description |
|---|---|---|
| --compliance | string | Compliance report to generate (default = docker-cis) |
| --dependency-tree | | [EXPERIMENTAL] Show dependency origin tree of vulnerable packages |
| --exit-code | int | Specify the exit code to return when any security issues are found |
| -f, --format | string | Format: table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln (default = table) |
| --ignore-policy | string | Specify the Rego file path used to evaluate each vulnerability |
| --ignorefile | string | Specify .trivyignore file (default = .trivyignore) |
| --list-all-pkgs | | Output all packages regardless of vulnerability |
| -o, --output | string | Output file name |
| --report | string | Specify a format for the compliance report (default = summary) |
| -s, --severity | string | Severities of security issues to be displayed (comma separated) (default = UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) |
| -t, --template | string | Output template |

iii. Cache Flags

| Name | Type | Description |
|---|---|---|
| --cache-backend | string | Cache backend, for example redis://localhost:6379 (default = fs) |
| --cache-ttl | duration | Cache TTL when using Redis as cache backend |
| --clear-cache | | Clear image caches without scanning |
| --redis-ca | string | Redis CA file location if using Redis as a cache backend |
| --redis-cert | string | Redis certificate file location if using Redis as cache backend |
| --redis-key | string | Redis key file location if using Redis as cache backend |

iv. DB Flags

| Name | Type | Description |
|---|---|---|
| --download-db-only | | Download/update vulnerability database but don't run a scan |
| --download-java-db-only | | Download/update Java index database but don't run a scan |
| --no-progress | | Suppress progress bar |
| --reset | | Remove all caches and database |
| --skip-db-update | | Skip updating vulnerability database |
| --skip-java-db-update | | Skip updating Java index database |

v. Image Flags

| Name | Type | Description |
|---|---|---|
| --image-config-scanners | string | Comma-separated list of which security issues to detect on container image configurations (default = config,secret) |
| --input | string | Input file path instead of image name |
| --platform | string | Set platform in the form OS/Architecture if the image is multi-platform capable |
| --removed-pkgs | | Detect vulnerabilities of removed packages (only for Alpine) |

vi. Vulnerability Flags

| Name | Type | Description |
|---|---|---|
| --ignore-unfixed | | Display only fixed vulnerabilities |
| --vuln-type | string | Comma-separated list of vulnerability types: os, library (default = os,library) |

vii. Secret Flags

| Name | Type | Description |
|---|---|---|
| --secret-config | string | Specify a path to the config file for secret scanning (default = trivy-secret.yaml) |

viii. License Flags

| Name | Type | Description |
|---|---|---|
| --ignored-licenses | strings | Specify a list of licenses to ignore |
| --license-full | | Look for licenses in source code headers and license files |

ix. Rego Flags

| Name | Type | Description |
|---|---|---|
| --config-data | strings | Specify paths from which data for the Rego policies will be recursively loaded |
| --config-policy | strings | Specify paths to the Rego policy files directory, applied to config files |
| --policy-namespaces | strings | Rego namespaces |
| --skip-policy-update | | Skip fetching Rego policy updates |
| --trace | | Enable more verbose trace output for custom queries |

x. Client/Server Flags

| Name | Type | Description |
|---|---|---|
| --custom-headers | strings | Custom headers in client mode |
| --server | string | Server address in client mode |
| --token | string | Token for authentication in client/server mode |
| --token-header | string | Specify a header name for the token in client/server mode (default = Trivy-Token) |

xi. Config Flags

| Name | Type | Description |
|---|---|---|
| --scan-image-config-file | string | Config file location for scan-image functions (default = scan-image.yaml) |

Config File

The scan-image command uses a separate .yaml configuration file (scan-image.yaml by default). As an example, if you wanted to output the report to a JSON file named report.json with only HIGH vulnerabilities and above, the configuration file would look like this:

    format: json
    output: report.json
    severity:
      - HIGH
      - CRITICAL

Using mimics to scan docker images

Use of the scanning tool depends on how you set it up. Below are examples using the scanning tool with each setup method.

Local Executable

To use the local executable, follow the pattern ./mimics [command] [flags] for Mac/Linux or mimics.exe [command] [flags] for Windows.

Scan Example

    # Scan a container image
    $ mimics scan-image python:3.4-alpine

    # Scan a container image from a tar archive
    $ mimics scan-image --input ruby-3.1.tar

    # Filter by severities
    $ mimics scan-image --severity HIGH,CRITICAL alpine:3.15

    # Ignore unfixed/unpatched vulnerabilities
    $ mimics scan-image --ignore-unfixed alpine:3.15

    # Scan a container image in client mode
    $ mimics scan-image --server http://127.0.0.1:4954 alpine:latest

    # Generate JSON result
    $ mimics scan-image --format json --output result.json alpine:3.15

    # Generate a report in the CycloneDX format
    $ mimics scan-image --format cyclonedx --output result.cdx alpine:3.15
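The JSON result written by --format json --output result.json is what a pipeline step usually consumes. The following gate script is an added example, not part of the vendor documentation or the mimics tool; it assumes the report follows the Trivy-style JSON layout (a Results list whose entries carry an optional Vulnerabilities list, as the .trivyignore and Trivy-Token flags above suggest), uses a constructed sample report with placeholder CVE ids, and mirrors the --severity ordering and --ignore-unfixed semantics from the flag tables.

```python
import json
import sys

# Severity ordering used by scan-image's --severity flag (UNKNOWN..CRITICAL).
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample report, not real scan output. It follows the Trivy-style
# JSON layout that scan-image --format json is assumed to emit: a list of
# Results, each with an optional Vulnerabilities list. CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "python:3.4-alpine",
    "Results": [
        {"Target": "python:3.4-alpine (alpine 3.9.2)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "musl",
              "InstalledVersion": "1.1.20-r3", "FixedVersion": "1.1.20-r4",
              "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "openssl",
              "InstalledVersion": "1.1.1a-r0", "Severity": "HIGH"},  # no fix yet
         ]},
        {"Target": "Python", "Class": "lang-pkgs"},  # clean target: no key at all
    ],
})

def iter_vulns(report):
    # Results may be null and a clean Result has no Vulnerabilities key.
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", "?"), vuln

def gate(report_text, min_severity="HIGH", ignore_unfixed=False):
    # ignore_unfixed mirrors --ignore-unfixed: findings without a FixedVersion
    # are still counted but never block the build.
    report = json.loads(report_text)
    threshold = SEVERITY_RANK[min_severity]
    counts = {name: 0 for name in SEVERITY_RANK}
    blocking = []
    for target, vuln in iter_vulns(report):
        sev = vuln.get("Severity", "UNKNOWN")
        counts[sev] = counts.get(sev, 0) + 1
        if ignore_unfixed and not vuln.get("FixedVersion"):
            continue
        if SEVERITY_RANK.get(sev, 0) >= threshold:
            blocking.append(f"{vuln['VulnerabilityID']} {vuln['PkgName']} ({sev}) in {target}")
    return counts, blocking

if __name__ == "__main__":
    # Usage: python gate.py result.json [--ignore-unfixed]; exits 1 on blocking findings
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    counts, blocking = gate(text, ignore_unfixed="--ignore-unfixed" in sys.argv)
    print(counts, *("BLOCKING: " + b for b in blocking), sep="\n")
    sys.exit(1 if blocking else 0)
```

Run it after a scan with the JSON format (python gate.py result.json) to fail the pipeline on HIGH/CRITICAL findings while still logging the full severity breakdown.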

Docker

Because the scanning tool is invoked using a public Docker image, the base command is more complicated than invoking the local executable:

docker run [docker flags] public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest [mimics command] [mimics flags]

Scan Example

    # Mount the working directory and pass credentials via environment variables;
    # the mimics sub-command (scan-image) and target image follow the Docker image name.
    docker run \
      -v $(pwd):/data \
      -e MIMICS_BASE_URL=$ICS_BASE_URL \
      -e MIMICS_API_KEY=$ICS_API_KEY \
      public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest scan-image python:3.4-alpine