Table of contents

About the Trend Micro™ Artifact Scanner (TMAS)

The Trend Micro Artifact Scanner (TMAS) is an artifact scanner from Trend Micro. It performs pre-runtime scans on artifacts (List of supported artifacts), enabling you to identify and fix issues before they reach the production environment (for example, Kubernetes® for container images).

It can perform open source vulnerability scanning. The vulnerability database receives up-to-date threat data from open source vulnerability feeds. The scanner can find vulnerabilities in the following:

Operating systems
Amazon™ Linux™
Oracle® Linux
Red Hat® (RHEL)
Ruby (Gems)
JavaScript® (NPM, Yarn)
Python® (Egg, Wheel, Poetry, requirements.txt/ files)
Dotnet® (deps.json)
Golang® (go.mod)
PHP® (Composer)
Rust® (Cargo)

How does the Trend Micro Artifact Scanner fit into a CI/CD pipeline?

The Trend Micro Artifact Scanner is easily integrated into your continuous integration (CI) or continuous delivery (CD) pipeline.

For example, Jenkins® projects can automatically build, test, and push Docker images to a Docker registry. Once pushed, the image may be instantly available to run in an orchestration environment. If open source vulnerabilities exist in the image, then they are a risk when the image is run. Since images are intended to be immutable, images should be scanned before they're deployed to a cluster.

TMAS is used to scan (supported artifacts) inside your CI/CD pipelines. You can install the TMAS CLI into your CI/CD pipeline to perform vulnerability scanning before artifacts are deployed to production. TMAS takes the artifact that you wish to be scanned and generates a Software Bill of Materials (SBOM). It then uploads the SBOM to Cloud One for processing, and a vulnerability report is returned.

Examples of artifacts that can be scanned using TMAS include:

  • Container Images

  • Binary Files

  • Directories with source code

  • OCI Archives


You can check what the latest version is through: metadata.json

Darwin_arm64 (MacOS - Apple Silicon chipset)
Darwin_x86_64 (MacOS - Intel chipset)

Upgrading to the Latest Version of the TMAS CLI

To ensure optimal performance and access to the latest features, it is recommended to upgrade to the most recent version of TMAS on a regular basis.

  1. Download the Updated Binary: Navigate to the Download/Install section to locate the download links for the latest version of the TMAS CLI.

  2. Adjust your system's binary path settings: Replace the existing TMAS binary with the updated TMAS binary. For information, see Add TMAS CLI to your PATH under the Setup section.

TMAS is now successfully updated to the latest version.


The CLI requires a valid API key to be stored in the environment variable. It is able to accept either a Vision One API key or a Cloud One API key. Please add the API Key associated with the Vision One or Cloud One region that you wish to call as an environment variable named TMAS_API_KEY.


export TMAS_API_KEY=<your_vision_one_api_key>
export TMAS_API_KEY=<your_cloud_one_api_key>

How to Obtain a Vision One API Key:

  1. Log in to the Vision One Console.
  2. Create a new Vision One API key: a. Navigate to the Trend Vision One User Roles page.
    b. Verify that there is a role with the "Run artifact scan" permissions enabled. If not, create a role by clicking on "Add Role" and "Save" once finished.

    Create a user role with run artifacts permission enabled
    Create a user role with run artifacts permission enabled

    c. Directly configure a new key on the Trend Vision One API Keys page, using the role which contains the "Run artifacts scan" permission. It is advised to set an expiry time for the API key and make a record of it for future reference.

    Manual creation of API key

When obtaining the API Key, ensure that the API Key is associated with the endpoint you are calling. For instance, create an API Key for the us-east-1 region if you are planning to call the us-east-1 endpoint to ensure proper authorization.

You can manage these keys from the Trend Vision One API Keys Page.

How to obtain a Cloud One API Key:

  1. Login to the Cloud One Console
  2. Navigate to Cloud One Container Security
  3. Remove any existing Deep Security™ Smart Check scanners.

    A screen showing what happens when you delete the last scanner

  4. Create a new API key through any of the following options:

    1. Generate a new key through the Cloud One Container Security scanners page

    A screen showing the create api key button

    2. Directly configure a new key on the Cloud One API-Keys page

    a. Navigate to the Cloud One administration page
    b. Verify that the scanner role exists, if not, create a new scanner role

    Create a new scanner role

    c. Configure a new api key using the scanner role

    Manual creation of api key

You manage these keys from the Cloud One Administration Console.

Add TMAS CLI to your PATH:


export PATH="/path/to/tmas/binary/directory:$PATH"

General Usage

tmas [command] [flags]

Available Commands

Command Description
scan scan an artifact
version get current CLI version (long)
help help

Global Flags

Flag Description
--version get current CLI version (short)
-v, --verbose increase verbosity (-v = info, -vv = debug)
-h, --help help

Scan Command Usage

tmas scan [artifact] [flags]

Scan Command Flags

Flag Description
-p, --platform (string) platform specifier for multi-platform container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux') (default 'linux/amd64')
-r, --region (string) vision one region options=[us-east-1 eu-central-1 ap-northeast-1 ap-southeast-2 ap-southeast-1 ap-south-1], cloud one regions options=[au-1 ca-1 de-1 gb-1 in-1 jp-1 sg-1 us-1] (default "us-1")
--saveSBOM save SBOM in the local directory (optional)
--malwareScan enable malware scan (optional), supports docker, docker-archive, oci-archive, oci-dir and registry artifact types

Supported Artifacts

Artifact Artifact description
docker:yourrepo/yourimage:tag use images from the Docker daemon
podman:yourrepo/yourimage:tag use images from the Podman daemon
docker-archive:path/to/yourimage.tar use a tarball from disk for archives created from "docker save"
oci-archive:path/to/yourimage.tar use a tarball from disk for OCI archives (from Skopeo or otherwise)
oci-dir:path/to/yourimage read directly from a path on disk for OCI layout directories (from Skopeo or otherwise)
singularity:path/to/yourimage.sif read directly from a Singularity Image Format (SIF) container on disk
registry:yourrepo/yourimage:tag pull image directly from a registry (no container runtime required)
dir:path/to/yourproject read directly from a path on disk (any directory)
file:path/to/yourproject/file read directly from a path on disk (any single file)

Scans are limited to artifacts for which the generated SBOM data is less than 10 MB. The malware scan only supports docker, docker-archive, oci-archive, oci-dir and registry artifact types.


Scanning an artifact:

tmas scan <artifact_to_scan>

Using the region flag to switch to a different Trend Vision One or Trend Cloud One region:

tmas scan docker:yourrepo/yourimage:tag --region=au-1

When switching to a different region, please ensure that the TMAS_API_KEY, which is stored as an environment variable, is associated with that Trend Vision One or Trend Cloud One region. A mismatch causes the scan command to fail with a 403 Forbidden error.

Scanning an image in a remote registry:

tmas scan registry:yourrepo/yourimage:tag

Using a registry as an artifact source does not require a container runtime. As well, scan results from registry artifact sources can be used for policy evaluations in Cloud One Container Security.

Scanning images from private registries requires that you login to the registry using tools such as docker login before attempting the scan. TMAS follows Docker's authentication behavior in order to use Docker's pre-configured credentials.

Enabling info mode:

tmas scan docker:yourrepo/yourimage:tag -v

Save SBOM used for vulnerability analysis to disk:

tmas scan docker:yourrepo/yourimage:tag --saveSBOM

When the --saveSBOM flag is enabled, the generated SBOM is saved in the local directory before it is sent to Trend Cloud One for scanning.

Using the platform flag to specify platform/architecture of container images:

This flag allows you to specify which platform/architecture to use when scanning multiple-architecture container images.

tmas scan registry:yourrepo/yourimage:tag@sha256:<multiple-architecture-digest> --platform=arm64

Attempting to specify an architecture for multi-arch registry images without support for that architecture will result in an error. When scanning architecture-specific registry images, the platform flag is ignored.

tmas scan docker:yourrepo/yourimage:tag@sha256:<arm64-specific-digest> --platform=arm64

This flag is necessary when attempting to scan images from the docker/podman daemon with different architectures than the host that is running TMAS.

Enabling malware scan:

tmas scan docker:yourrepo/yourimage:tag --malwareScan

When scanning images from private registries with the --malwareScan flag enabled, ensure that you have already logged into the registry using tools such as docker login.
If you are using docker credsStore (.docker/config.json), ensure to add the credential-helpers=<your credsStore> in .config/containers/registries.conf. For example, if docker credsStore is desktop, add the following

credential-helpers = ["desktop"]

{: .note }

Proxy Configuration

The cli tool loads the proxy configuration from the following set of optional environment variables

Environment Variable Required/Optional Description
NO_PROXY Optional Add the Artifact Scanning as a Service and Malware Scanning as a Service endpoints to the comma-separated list of host names if you want to skip proxy settings for the cli tool. Note: only an asterisk, '*' matches all hosts
HTTPS_PROXY Optional, If the proxy server is a SOCKS5 proxy, you must specify the SOCKS5 protocol in the URL, as follows : socks5://
PROXY_USER Optional Optional username for authentication header used in Proxy-Authorization
PROXY_PASS Optional Optional password for authentication header used in Proxy-Authorization, used only when PROXY_USER is configured

Cleanup temporary files

Each scan initiated against a registry image using the Trend Micro Artifact Scanner generates a new temporary directory under $TEMPDIR to download and analyze the image. Starting with v1.35.0, this tool automatically removes those temporary files after scan execution. In order to cleanup existing temporary files that were generated with prior versions, or with an interrupted scan, please use the following commands (or its platform equivalent) under your discretion.

ls $TEMPDIR | grep "stereoscope-"
cd $TMPDIR | rm -rf ./stereoscope-*
ls $TEMPDIR | grep "stereoscope-"