CLI Tool Commands and Parameters - Docker Images

The mimics sub-command scan-image creates vulnerability reports for Docker images and is intended for developers and for use in CI pipelines. Once you have set up the command line interface (CLI) Infrastructure as Code (IaC) scanning tool, either via Docker or as a local executable, you're ready to use it against your Docker images.

Prerequisites

Before scanning Docker images with the scanning tool, ensure you have completed the setup of the CLI scanning tool.

Rename Executable

When you first download the mimics executable, the file name is suffixed with the version and architecture. We recommend renaming the executable to mimics (for Mac/Linux) or mimics.exe (for Windows) for ease of use. The examples in our docs use the simplified executable name.

If you have questions or issues, reach out to us using the Customer Support Portal.

Command List & Parameters

The command list and parameters are the same regardless of whether you're using mimics via the local executable or via Docker.

Global Flags and Parameters

Global Flags

| Name | Type | Description |
| --- | --- | --- |
| --api-key | string | insightCloudSec API key |
| --base-url | string | insightCloudSec base URL including protocol (e.g., http://localhost/) |
| --ca-certificate | string | Sets the trusted authorities for SSL verification using a CA bundle file (.pem) (supersedes --no-verify) |
| --config-file | string | Config file location (default = .mimics.yaml or $HOME/.mimics.yaml) |
| --log-format | string | Sets the log format: "text" or "json" (default = "text") |
| --log-level | string | Sets the log level: trace, debug, info, warn, error, fatal (default = info) |
| --log-path | string | Sets the log file path (default = log/mimics.log) |
| --no-color | | Disables color output |
| --no-verify | | Disables SSL verification for all API calls to insightCloudSec (superseded by --ca-certificate) |
| --request-timeout | int | Duration in seconds before the HTTP client cancels individual HTTP requests (0 = never; default = 3) |

If insightCloudSec is fronted by an internal CA, prefer --ca-certificate with your CA bundle over --no-verify: --no-verify disables certificate checking for every API call, including the ones that carry the --api-key value.

Commands

| Name | Description | Sub-Commands |
| --- | --- | --- |
| scan-image | Scans a container image | N/A |

Flags and Parameters for scan-image

1. Scan Flags

| Name | Type | Description |
| --- | --- | --- |
| --file-patterns | strings | Specify config file patterns |
| --offline-scan | N/A | Do not issue API requests to identify dependencies |
| --rekor-url | string | [EXPERIMENTAL] Address of Rekor STL server (default = https://rekor.sigstore.dev) |
| --sbom-sources | strings | [EXPERIMENTAL] Attempts to retrieve SBOM from the specified sources (default = "rekor") |
| --scanners | strings | Comma-separated list of security issues to detect: vuln, config, secret, license (default = vuln,secret) |
| --skip-dirs | strings | Specify the directories where traversal is skipped |
| --skip-files | strings | Specify the file paths to skip during traversal |
| --slow | N/A | Scan over time with lower CPU and memory utilization |

2. Report Flags

| Name | Type | Description |
| --- | --- | --- |
| --compliance | string | Compliance report to generate (default = docker-cis) |
| --dependency-tree | | [EXPERIMENTAL] Show dependency origin tree of vulnerable packages |
| --exit-code | int | Specify the exit code to return when any security issues are found |
| -f, --format | string | Format: table, json, template, sarif, cyclonedx, spdx, spdx-json, github, cosign-vuln (default = table) |
| --ignore-policy | string | Specify the Rego file path used to evaluate each vulnerability |
| --ignorefile | string | Specify the .trivyignore file (default = .trivyignore) |
| --list-all-pkgs | | Output all packages regardless of vulnerability |
| -o, --output | string | Output file name |
| --report | string | Specify a format for the compliance report (default = summary) |
| -s, --severity | string | Severities of security issues to be displayed (comma separated) (default = UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL) |
| -t, --template | string | Output template |

3. Cache Flags

| Name | Type | Description |
| --- | --- | --- |
| --cache-backend | string | Cache backend, for example redis://localhost:6379 (default = fs) |
| --cache-ttl | duration | Cache TTL when using Redis as the cache backend |
| --clear-cache | | Clear image caches without scanning |
| --redis-ca | string | Redis CA file location if using Redis as the cache backend |
| --redis-cert | string | Redis certificate file location if using Redis as the cache backend |
| --redis-key | string | Redis key file location if using Redis as the cache backend |

4. DB Flags

| Name | Type | Description |
| --- | --- | --- |
| --download-db-only | | Download/update the vulnerability database but don't run a scan |
| --download-java-db-only | | Download/update the Java index database but don't run a scan |
| --no-progress | | Suppress the progress bar |
| --reset | | Remove all caches and databases |
| --skip-db-update | | Skip updating the vulnerability database |
| --skip-java-db-update | | Skip updating the Java index database |

5. Image Flags

| Name | Type | Description |
| --- | --- | --- |
| --image-config-scanners | string | Comma-separated list of security issues to detect in container image configurations (default = config,secret) |
| --input | string | Input file path instead of an image name |
| --platform | string | Set the platform in the form OS/Architecture if the image is multi-platform capable |
| --removed-pkgs | | Detect vulnerabilities of removed packages (only for Alpine) |

6. Vulnerability Flags

| Name | Type | Description |
| --- | --- | --- |
| --ignore-unfixed | | Display only vulnerabilities that have a fix available |
| --vuln-type | string | Comma-separated list of vulnerability types: os, library (default = os,library) |

7. Secret Flags

| Name | Type | Description |
| --- | --- | --- |
| --secret-config | string | Specify the path to the config file for secret scanning (default = trivy-secret.yaml) |

8. License Flags

| Name | Type | Description |
| --- | --- | --- |
| --ignored-licenses | strings | Specify a list of licenses to ignore |
| --license-full | | Look for licenses in source code headers and license files |

9. Rego Flags

| Name | Type | Description |
| --- | --- | --- |
| --config-data | strings | Specify paths from which data for the Rego policies will be recursively loaded |
| --config-policy | strings | Specify paths to the Rego policy files directory, applied to config files |
| --policy-namespaces | strings | Rego namespaces |
| --skip-policy-update | | Skip fetching Rego policy updates |
| --trace | | Enable more verbose trace output for custom queries |

10. Client/Server Flags

| Name | Type | Description |
| --- | --- | --- |
| --custom-headers | strings | Custom headers in client mode |
| --server | string | Server address in client mode |
| --token | string | Token for authentication in client/server mode |
| --token-header | string | Specify the header name for the token in client/server mode (default = Trivy-Token) |

11. Config Flags

| Name | Type | Description |
| --- | --- | --- |
| --scan-image-config-file | string | Config file location for scan-image functions (default = scan-image.yaml) |

Config File

The scan-image command uses a separate .yaml configuration file (scan-image.yaml by default). The keys match the flag names above. As an example, if you wanted to output the report to a JSON file named report.json containing only HIGH vulnerabilities and above, the configuration file would look like this:

```yaml
format: json
output: report.json
severity:
  - HIGH
  - CRITICAL
```

Using mimics to scan Docker images

Use of the scanning tool depends on how you set it up. Below are examples using the scanning tool with each setup method.

Local Executable

To use the local executable, follow the pattern ./mimics [command] [flags] for Mac/Linux or mimics.exe [command] [flags] for Windows.

Scan Example

```bash
# Scan a container image
$ mimics scan-image python:3.4-alpine

# Scan a container image from a tar archive
$ mimics scan-image --input ruby-3.1.tar

# Filter by severities
$ mimics scan-image --severity HIGH,CRITICAL alpine:3.15

# Ignore unfixed/unpatched vulnerabilities
$ mimics scan-image --ignore-unfixed alpine:3.15

# Scan a container image in client mode
$ mimics scan-image --server http://127.0.0.1:4954 alpine:latest

# Generate a JSON result
$ mimics scan-image --format json --output result.json alpine:3.15

# Generate a report in the CycloneDX format
$ mimics scan-image --format cyclonedx --output result.cdx alpine:3.15
```
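The JSON output shown above (--format json --output result.json) is what a pipeline step would consume to decide whether a build passes. The following gate script is an added example, not part of the mimics documentation or product: it builds the scan invocation from flags documented on this page, and then applies a policy the scanner's own --exit-code flag cannot express on its own, blocking only on HIGH/CRITICAL findings that already have a fixed version (the set --ignore-unfixed would keep) while surfacing unfixed ones as warnings, with an allowlist of IDs passed on the command line. It assumes the JSON report uses the Trivy layout (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity), which the .trivyignore and Trivy-Token defaults suggest but the page does not document; the embedded sample report is constructed with placeholder IDs so the script runs offline.

```python
"""Gate a CI job on the JSON report written by `mimics scan-image --format json`.

Added example, not part of the mimics documentation or product. Assumes the
report follows the Trivy layout (Results[].Vulnerabilities[] with
VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity); the
page does not document the schema.
"""
import json
import shutil
import subprocess
import sys

# Severity names exactly as the --severity flag lists them, lowest to highest.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]


def scan_command(image, report_path="report.json", severity="HIGH,CRITICAL"):
    """Build the mimics invocation using only flags documented on this page."""
    return ["mimics", "scan-image",
            "--format", "json",
            "--output", report_path,
            "--severity", severity,
            "--exit-code", "0",  # this script, not the scanner, decides pass/fail
            image]


def run_scan(image, report_path="report.json"):
    """Run the scan and return the parsed report, or None if mimics is not on PATH."""
    if shutil.which("mimics") is None:
        return None
    subprocess.run(scan_command(image, report_path), check=True)
    with open(report_path, encoding="utf-8") as fh:
        return json.load(fh)


def findings(report, min_severity="HIGH", fixed_only=False, ignore_ids=()):
    """Flatten Results[].Vulnerabilities[] into findings at or above min_severity."""
    threshold = SEVERITY_ORDER.index(min_severity)
    out = []
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            sev = v.get("Severity", "UNKNOWN")
            rank = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0
            if rank < threshold or v.get("VulnerabilityID") in ignore_ids:
                continue
            fixed = v.get("FixedVersion") or ""
            if fixed_only and not fixed:
                continue
            out.append({"id": v.get("VulnerabilityID"), "pkg": v.get("PkgName"),
                        "installed": v.get("InstalledVersion"), "fixed": fixed,
                        "severity": sev, "target": result.get("Target", "")})
    return out


def gate(report, ignore_ids=()):
    """Return (exit_code, report_lines).

    Blocks only on HIGH/CRITICAL findings that have a fixed version (the same
    set --ignore-unfixed keeps); unfixed ones are listed as warnings so they
    stay visible without failing the build until a fix exists.
    """
    high = findings(report, "HIGH", ignore_ids=ignore_ids)
    blocking = [f for f in high if f["fixed"]]
    unfixed = [f for f in high if not f["fixed"]]
    lines = [f"BLOCK {f['severity']} {f['id']} {f['pkg']} {f['installed']} -> {f['fixed']} [{f['target']}]"
             for f in blocking]
    lines += [f"WARN  {f['severity']} {f['id']} {f['pkg']} {f['installed']} (no fix yet) [{f['target']}]"
              for f in unfixed]
    return (1 if blocking else 0), lines


# Constructed sample report with placeholder IDs (not real scanner output),
# so the gate can be exercised offline.
SAMPLE_REPORT = {
    "ArtifactName": "python:3.4-alpine",
    "Results": [{
        "Target": "python:3.4-alpine (alpine)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl", "InstalledVersion": "1.0.0-r0",
             "FixedVersion": "1.0.0-r1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "musl", "InstalledVersion": "1.0.0-r0",
             "FixedVersion": "", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "busybox", "InstalledVersion": "1.0.0-r0",
             "FixedVersion": "1.0.0-r1", "Severity": "LOW"},
        ],
    }],
}


def main(argv):
    """Usage: gate.py [IMAGE] [IGNORED_ID ...]; without IMAGE the sample report is used."""
    image = argv[1] if len(argv) > 1 else None
    report = run_scan(image) if image else None
    code, lines = gate(report or SAMPLE_REPORT, set(argv[2:]))
    print("\n".join(lines) or "no HIGH/CRITICAL findings")
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python gate.py python:3.4-alpine` in a pipeline step; the process exit code is 1 only when a fixable HIGH or CRITICAL finding is present, so the job fails for exactly the findings a developer can act on, while ignored IDs are an explicit, reviewable list on the command line rather than a silent suppression.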
Docker

Because the scanning tool is invoked using a public Docker image, the base command is more complicated than invoking the local executable:

```bash
docker run [docker flags] public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest [mimics command] [mimics flags]
```

Scan Example

```bash
docker run \
  -v $(pwd):/data \
  -e MIMICS_BASE_URL=$ICS_BASE_URL \
  -e MIMICS_API_KEY=$ICS_API_KEY \
  public.ecr.aws/rapid7-insightcloudsec/ics/mimics:latest scan-image python:3.4-alpine
```

Here the base URL and API key are passed to the container as environment variables (MIMICS_BASE_URL and MIMICS_API_KEY) instead of the --base-url and --api-key flags, and the current directory is mounted at /data. Any file the scan reads or writes, such as a tar archive passed to --input or a report written with --output, must live under that mounted directory to be visible from inside the container.