
About the Trend Micro™ Artifact Scanner (TMAS)

The Trend Micro Artifact Scanner (TMAS) is an artifact scanner from Trend Micro. It performs pre-runtime scans on artifacts (see Supported Artifacts), so you can identify and fix issues before they reach the production environment (for example, a Kubernetes® cluster in the case of container images).

It can perform open source vulnerability scanning. The vulnerability database receives up-to-date threat data from open source vulnerability feeds. The scanner can find vulnerabilities in the following:

Operating systems

  • Alpine™

  • Amazon™ Linux™

  • BusyBox

  • CentOS™

  • Debian®

  • Distroless

  • Oracle® Linux

  • Red Hat® (RHEL)

  • Ubuntu®

Languages

  • Ruby (Gems)

  • Java® (JAR, WAR, EAR, JPI, HPI)

  • JavaScript® (NPM, Yarn)

  • Python® (Egg, Wheel, Poetry, requirements.txt/setup.py files)

  • Dotnet® (deps.json)

  • Golang® (go.mod)

  • PHP® (Composer)

  • Rust® (Cargo)

How does the Trend Micro Artifact Scanner fit into a CI/CD pipeline?

The Trend Micro Artifact Scanner is easily integrated into your continuous integration (CI) or continuous delivery (CD) pipeline.

For example, Jenkins® projects can automatically build, test, and push Docker images to a Docker registry. Once pushed, the image may be instantly available to run in an orchestration environment. If open source vulnerabilities exist in the image, then they are a risk when the image is run. Since images are intended to be immutable, images should be scanned before they're deployed to a cluster.

TMAS scans supported artifacts inside your CI/CD pipelines. You install the TMAS CLI in the pipeline to perform vulnerability scanning before artifacts are deployed to production. TMAS takes the artifact you want scanned and generates a Software Bill of Materials (SBOM). It then uploads the SBOM to Cloud One for processing, and a vulnerability report is returned.

Examples of artifacts that can be scanned using TMAS include:

  • Container Images

  • Binary Files

  • Directories with source code

  • OCI Archives

Download/Install

The latest version is listed in metadata.json.

Architecture

  • Darwin_arm64 (macOS, Apple Silicon chipset)

  • Darwin_x86_64 (macOS, Intel chipset)

  • Linux_arm64

  • Linux_i386

  • Linux_x86_64

  • Windows_arm64

  • Windows_i386

  • Windows_x86_64

Upgrading to the Latest Version of the TMAS CLI

To ensure optimal performance and access to the latest features, it is recommended to upgrade to the most recent version of TMAS on a regular basis.

  1. Download the Updated Binary: Navigate to the Download/Install section to locate the download links for the latest version of the TMAS CLI.

  2. Adjust your system's binary path settings: Replace the existing TMAS binary with the updated TMAS binary. For details, see Add TMAS CLI to your PATH under the Setup section.

TMAS is now successfully updated to the latest version.

Setup

The CLI requires a valid API key stored in an environment variable. It accepts either a Vision One API key or a Cloud One API key. Add the API key associated with the Vision One or Cloud One region that you want to call as an environment variable named TMAS_API_KEY.

Example:

# Vision One
export TMAS_API_KEY=<your_vision_one_api_key>
# or, for Cloud One
export TMAS_API_KEY=<your_cloud_one_api_key>

How to Obtain a Vision One API Key:

  1. Log in to the Vision One Console.
  2. Create a new Vision One API key:
    a. Navigate to the Trend Vision One User Roles page.
    b. Verify that there is a role with the "Run artifact scan" permission enabled. If not, create a role by clicking "Add Role" and "Save" once finished.

    Create a user role with run artifacts permission enabled

    c. Configure a new key directly on the Trend Vision One API Keys page, using the role that contains the "Run artifact scan" permission. It is advised to set an expiry time for the API key and make a record of it for future reference.

    Manual creation of API key

When obtaining the API Key, ensure that the API Key is associated with the endpoint you are calling. For instance, create an API Key for the us-east-1 region if you are planning to call the us-east-1 endpoint to ensure proper authorization.

You can manage these keys from the Trend Vision One API Keys Page.

How to obtain a Cloud One API Key:

  1. Log in to the Cloud One Console.
  2. Navigate to Cloud One Container Security.
  3. Remove any existing Deep Security™ Smart Check scanners.

    A screen showing what happens when you delete the last scanner

  4. Create a new API key through either of the following options:

    1. Generate a new key through the Cloud One Container Security scanners page.

    A screen showing the create API key button

    2. Configure a new key directly on the Cloud One API Keys page:
      a. Navigate to the Cloud One administration page.
      b. Verify that the scanner role exists; if not, create a new scanner role.

      Create a new scanner role

      c. Configure a new API key using the scanner role.

      Manual creation of API key

You can manage these keys from the Cloud One Administration Console.

Add TMAS CLI to your PATH:

Example:

export PATH="/path/to/tmas/binary/directory:$PATH"

General Usage

tmas [command] [flags]

Available Commands

| Command | Description |
|---------|-------------|
| scan    | scan an artifact |
| version | get current CLI version (long) |
| help    | help |

Global Flags

| Flag | Description |
|------|-------------|
| --version | get current CLI version (short) |
| -v, --verbose | increase verbosity (-v = info, -vv = debug) |
| -h, --help | help |

Scan Command Usage

tmas scan [artifact] [flags]

Scan Command Flags

| Flag | Description |
|------|-------------|
| -p, --platform (string) | platform specifier for multi-platform container image sources (e.g. 'linux/arm64', 'linux/arm64/v8', 'arm64', 'linux') (default 'linux/amd64') |
| -r, --region (string) | Vision One regions: us-east-1, eu-central-1, ap-northeast-1, ap-southeast-2, ap-southeast-1, ap-south-1. Cloud One regions: au-1, ca-1, de-1, gb-1, in-1, jp-1, sg-1, us-1 (default "us-1") |
| --saveSBOM | save SBOM in the local directory (optional) |
| --malwareScan | enable malware scan (optional); supports docker, docker-archive, oci-archive, oci-dir and registry artifact types |

Supported Artifacts

| Artifact | Artifact description |
|----------|----------------------|
| docker:yourrepo/yourimage:tag | use images from the Docker daemon |
| podman:yourrepo/yourimage:tag | use images from the Podman daemon |
| docker-archive:path/to/yourimage.tar | use a tarball from disk for archives created from "docker save" |
| oci-archive:path/to/yourimage.tar | use a tarball from disk for OCI archives (from Skopeo or otherwise) |
| oci-dir:path/to/yourimage | read directly from a path on disk for OCI layout directories (from Skopeo or otherwise) |
| singularity:path/to/yourimage.sif | read directly from a Singularity Image Format (SIF) container on disk |
| registry:yourrepo/yourimage:tag | pull image directly from a registry (no container runtime required) |
| dir:path/to/yourproject | read directly from a path on disk (any directory) |
| file:path/to/yourproject/file | read directly from a path on disk (any single file) |

Scans are limited to artifacts for which the generated SBOM data is less than 10 MB. The malware scan only supports docker, docker-archive, oci-archive, oci-dir and registry artifact types.

Examples

Scanning an artifact:

tmas scan <artifact_to_scan>

Using the region flag to switch to a different Trend Vision One or Trend Cloud One region:

tmas scan docker:yourrepo/yourimage:tag --region=au-1

When switching to a different region, please ensure that the TMAS_API_KEY, which is stored as an environment variable, is associated with that Trend Vision One or Trend Cloud One region. A mismatch causes the scan command to fail with a 403 Forbidden error.
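The following wrapper is an added example for the CI/CD integration described earlier; it is not code from the TMAS documentation or from Trend Micro. It checks that TMAS_API_KEY is set and validates the region against the Vision One and Cloud One lists from the Scan Command Flags table, so a key/region mismatch or a typo fails the job before any image is pulled, then invokes tmas scan with --saveSBOM. It assumes the tmas binary is on PATH; the image name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the TMAS documentation: a wrapper for a CI step.
# It fails the job early if TMAS_API_KEY is unset or the region is not one of
# the values listed for --region, instead of letting the scan fail with 403.
# Assumes the tmas binary is on PATH.

# Region lists copied from the --region flag description.
VISION_ONE_REGIONS="us-east-1 eu-central-1 ap-northeast-1 ap-southeast-2 ap-southeast-1 ap-south-1"
CLOUD_ONE_REGIONS="au-1 ca-1 de-1 gb-1 in-1 jp-1 sg-1 us-1"

# Print "visionone" or "cloudone" for a known region; return 1 otherwise so a
# typo in the pipeline configuration is caught before any image is pulled.
region_family() {
    for v in $VISION_ONE_REGIONS; do
        [ "$1" = "$v" ] && { echo visionone; return 0; }
    done
    for c in $CLOUD_ONE_REGIONS; do
        [ "$1" = "$c" ] && { echo cloudone; return 0; }
    done
    return 1
}

# Print the tmas command line for an artifact and region (kept separate from
# execution so it can be logged or checked without running a scan).
# Returns 1 for an unknown region.
build_scan_command() {
    region_family "$2" >/dev/null || return 1
    echo "tmas scan $1 --region=$2 --saveSBOM"
}

# Run the scan from a CI job: return 2 if the API key is missing, 3 for an
# unknown region, 4 if tmas is not installed; otherwise tmas's own status.
ci_scan() {
    artifact="$1"
    region="${2:-us-1}"
    if [ -z "${TMAS_API_KEY:-}" ]; then
        echo "TMAS_API_KEY is not set; export the key issued for region $region" >&2
        return 2
    fi
    family=$(region_family "$region") || {
        echo "unknown region: $region" >&2
        return 3
    }
    command -v tmas >/dev/null 2>&1 || {
        echo "tmas binary not found on PATH" >&2
        return 4
    }
    echo "scanning $artifact in $family region $region" >&2
    tmas scan "$artifact" --region="$region" --saveSBOM
}

# Usage from a pipeline step (image name is a placeholder):
#   ci_scan registry:yourrepo/yourimage:tag us-east-1
```

The distinct return codes let a pipeline tell a configuration problem (2 or 3) apart from a scanner failure, which is what you want when a job goes red at three in the morning.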

Scanning an image in a remote registry:

tmas scan registry:yourrepo/yourimage:tag

Using a registry as an artifact source does not require a container runtime. Also, scan results from registry artifact sources can be used for policy evaluations in Cloud One Container Security.

Scanning images from private registries requires that you login to the registry using tools such as docker login before attempting the scan. TMAS follows Docker's authentication behavior in order to use Docker's pre-configured credentials.

Enabling info mode:

tmas scan docker:yourrepo/yourimage:tag -v

Save SBOM used for vulnerability analysis to disk:

tmas scan docker:yourrepo/yourimage:tag --saveSBOM

When the --saveSBOM flag is enabled, the generated SBOM is saved in the local directory before it is sent to Trend Cloud One for scanning.

Using the platform flag to specify platform/architecture of container images:

This flag allows you to specify which platform/architecture to use when scanning multiple-architecture container images.

tmas scan registry:yourrepo/yourimage:tag@sha256:<multiple-architecture-digest> --platform=arm64

Attempting to specify an architecture for multi-arch registry images without support for that architecture will result in an error. When scanning architecture-specific registry images, the platform flag is ignored.

tmas scan docker:yourrepo/yourimage:tag@sha256:<arm64-specific-digest> --platform=arm64

This flag is necessary when attempting to scan images from the docker/podman daemon with different architectures than the host that is running TMAS.

Enabling malware scan:

tmas scan docker:yourrepo/yourimage:tag --malwareScan

When scanning images from private registries with the --malwareScan flag enabled, ensure that you have already logged in to the registry using a tool such as docker login.

If you are using a Docker credsStore (configured in .docker/config.json), add credential-helpers=<your credsStore> to .config/containers/registries.conf. For example, if the Docker credsStore is desktop, add the following:

credential-helpers = ["desktop"]

Proxy Configuration

The CLI tool loads the proxy configuration from the following set of optional environment variables.

| Environment Variable | Required/Optional | Description |
|----------------------|-------------------|-------------|
| NO_PROXY | Optional | Add the Artifact Scanning as a Service and Malware Scanning as a Service endpoints to the comma-separated list of host names if you want to skip proxy settings for the CLI tool. Note: a single asterisk ('*') matches all hosts. |
| HTTP_PROXY | Optional | http://proxy.example.com |
| HTTPS_PROXY | Optional | https://proxy.example.com. If the proxy server is a SOCKS5 proxy, you must specify the SOCKS5 protocol in the URL, as follows: socks5://socks_proxy.example.com |
| PROXY_USER | Optional | Optional username for the authentication header used in Proxy-Authorization |
| PROXY_PASS | Optional | Optional password for the authentication header used in Proxy-Authorization; used only when PROXY_USER is configured |

Cleanup temporary files

Each scan initiated against a registry image using the Trend Micro Artifact Scanner generates a new temporary directory under $TMPDIR to download and analyze the image. Starting with v1.35.0, this tool automatically removes those temporary files after scan execution. To clean up existing temporary files that were generated with prior versions, or by an interrupted scan, use the following commands (or their platform equivalent) at your discretion.

# show where temporary files are written
echo "$TMPDIR"
# list leftover scan directories
ls "$TMPDIR" | grep "stereoscope-"
# remove them (&& rather than a pipe, so rm runs inside the temp directory)
cd "$TMPDIR" && rm -rf ./stereoscope-*
# confirm nothing is left
ls "$TMPDIR" | grep "stereoscope-"
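For the cleanup just described, the script below is an added example and not code from the TMAS documentation or from Trend Micro. It looks only directly under the temp directory for the stereoscope-* directories named above, can skip directories younger than a given age so a scan that is still running is left alone, and refuses to run if the directory does not exist so an unset variable never expands to "" or "/". The minimum-age parameter and the default of $TMPDIR falling back to /tmp are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the TMAS documentation: cleanup of stereoscope-*
# directories left by interrupted or pre-v1.35.0 scans. It only looks directly
# under the temp directory, can skip directories younger than a given age so a
# scan that is still running is left alone, and refuses to run if the temp
# directory does not exist (so an unset variable never expands to "" or "/").
# The minimum-age parameter is an assumption of this example.

# Run find over the temp dir for stereoscope-* directories.
# $1 = temp dir, $2 = minimum age in minutes (0 = any age); remaining
# arguments are appended to find (e.g. -print or -exec ...).
find_stereoscope() {
    tmpdir="$1"
    min_age="$2"
    shift 2
    if [ "$min_age" -gt 0 ]; then
        find "$tmpdir" -mindepth 1 -maxdepth 1 -type d -name 'stereoscope-*' -mmin "+$min_age" "$@"
    else
        find "$tmpdir" -mindepth 1 -maxdepth 1 -type d -name 'stereoscope-*' "$@"
    fi
}

# List candidate directories without deleting anything (dry run).
list_stereoscope_dirs() {
    find_stereoscope "$1" "${2:-0}" -print
}

# Delete them and print how many were removed.
# $1 = temp dir (defaults to $TMPDIR, then /tmp), $2 = minimum age in minutes
cleanup_stereoscope_dirs() {
    tmpdir="${1:-${TMPDIR:-/tmp}}"
    min_age="${2:-0}"
    [ -d "$tmpdir" ] || { echo "not a directory: $tmpdir" >&2; return 1; }
    count=$(list_stereoscope_dirs "$tmpdir" "$min_age" | wc -l | tr -d ' ')
    find_stereoscope "$tmpdir" "$min_age" -exec rm -rf {} +
    echo "$count"
}

# Usage: review first, then remove only directories older than an hour.
#   list_stereoscope_dirs "${TMPDIR:-/tmp}"
#   cleanup_stereoscope_dirs "${TMPDIR:-/tmp}" 60
```

Running the dry-run listing before the delete is the habit worth keeping: a glob typed interactively in the wrong directory has no such safety net.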