This is the multi-page printable view of this section.
Click here to print.
Return to the regular view of this page.
Initiate scan using the cli
Reporting results into file
./cli/bin/openclarity-cli scan --config ~/testConf.yaml -o outputfile
If we want to report results to the OpenClarity backend, we need to create asset and asset scan object before scan because it requires asset-scan-id
Reporting results to OpenClarity backend
ASSET_ID=$(./cli/bin/openclarity-cli asset-create --file assets/dir-asset.json --server http://localhost:8080/api) --jsonpath {.id}
ASSET_SCAN_ID=$(./cli/bin/openclarity-cli asset-scan-create --asset-id $ASSET_ID --server http://localhost:8080/api) --jsonpath {.id}
./cli/bin/openclarity-cli scan --config ~/testConf.yaml --server http://localhost:8080/api --asset-scan-id $ASSET_SCAN_ID
Using one-liner:
./cli/bin/openclarity-cli asset-create --file docs/assets/dir-asset.json --server http://localhost:8080/api --update-if-exists --jsonpath {.id} | xargs -I{} ./cli/bin/openclarity-cli asset-scan-create --asset-id {} --server http://localhost:8080/api --jsonpath {.id} | xargs -I{} ./cli/bin/openclarity-cli scan --config ~/testConf.yaml --server http://localhost:8080/api --asset-scan-id {}
1 - Example CLI Configuration
This section provides a sample configuration for scanner families supported by
the OpenClarity CLI tool. Each family can be enabled or disabled, and configured
with specific options. The configuration is used to define which scanners to
run, what inputs to scan, and the configuration for each scanner.
# This file contains a sample configuration for scanner families supported by the OpenClarity CLI tool.
# Each family can be enabled or disabled, and configured with specific options.
# The configuration is used to define the scanners to run, the inputs to scan, and the configuration for each scanner.
# SBOM (Software Bill of Materials) scanner family
sbom:
enabled: false # Enable or disable SBOM scanner family
analyzers_list: # List of analyzers to run
- "syft"
- "trivy"
- "windows"
- "gomod"
inputs: # List of inputs to scan
- input: "node:slim"
input_type: "image" # Type of input (image, rootfs, etc.)
# - input: "/mnt"
# input_type: "rootfs"
# - input: "nginx:1.10"
# input_type: "image"
# merge_with: # Merge multiple SBOMs into one
# - sbom_path: "nginx.11.cdx.json" # Path to SBOM file to merge with
local_image_scan: true # Scan images from local docker daemon (true) or from remote registry (false)
registry:
skip-verify-tls: false # Skip TLS verification
use-http: false # Use HTTP instead of HTTPS
auths: # Registry authentication
authority: "authority"
username: "username"
password: "password"
token: "token"
output_format: "cyclonedx-json" # Output format for SBOMs (cyclonedx-json, cyclonedx-xml, spdx-json, spdx-tv, syft-json)
analyzers_config: # Configuration for each analyzer
syft:
scope: "Squashed" # Scope of the scan (squashed, all-layers)
exclude_paths: # Paths to exclude from the scan
- "./dev"
- "./proc"
## Overrides parent sbom configs
# local_image_scan: ...
# registry: ...
trivy:
timeout: 300 # Timeout in seconds
cache_dir: /tmp/.trivy/cache # Cache directory
temp_dir: /tmp/.trivy/ # Temp directory
## Overrides parent sbom configs
# local_image_scan: ...
# registry: ...
# Vulnerabilities scanner family
vulnerabilities:
enabled: false # Enable or disable vulnerabilities scanner family
scanners_list: # List of scanners to run
- "grype"
- "trivy"
inputs: # List of inputs to scan
- input: "nginx:1.12"
input_type: "image" # Type of input (image, rootfs, etc.)
# - input: "nginx:1.13"
# input_type: "image"
- input: "/mnt/"
input_type: "sbom"
local_image_scan: true # Scan images from local docker daemon (true) or from remote registry (false)
registry: # Registry configuration
skip-verify-tls: false
use-http: false
auths:
authority: "authority"
username: "username"
password: "password"
token: "token"
scanners_config: # Configuration for each scanner
grype:
mode: "LOCAL" # Mode of operation (LOCAL, REMOTE). LOCAL uses local database, REMOTE uses Grype server.
local_grype_config:
update_db: true # Update the database
db_root_dir: "/tmp/" # Database root directory
listing_url: "https://toolbox-data.anchore.io/grype/databases/listing.json" # Listing URL
max_allowed_built_age: "120h" # Max allowed built age
listing_file_timeout: "60s" # Listing file timeout
update_timeout: "60s" # Update timeout
scope: "squashed" # Scope of the scan (squashed, all-layers)
## Overrides parent sbom configs
# local_image_scan: ...
# registry: ...
remote_grype_config:
grype_server_address: "" # Grype server address
grype_server_timeout: "2m" # Grype server timeout
grype_server_schemes: [] # Grype server schemes
trivy:
timeout: 300 # Timeout in seconds
cache_dir: /tmp/.trivy/cache # Cache directory
temp_dir: /tmp/.trivy/ # Temp directory
server_addr: "trivy.example.com" # Trivy server address
server_token: "token" # Trivy server token
## Overrides parent sbom configs
# registry: ...
# Secrets scanner family
secrets:
enabled: false # Enable or disable secrets scanner family
scanners_list: # List of scanners to run
- "gitleaks"
strip_input_paths: false # Strip input paths from the output
inputs: # List of inputs to scan
- input: "/"
input_type: "rootfs"
scanners_config: # Configuration for each scanner
gitleaks:
binary_path: "/usr/local/bin/gitleaks" # Path to gitleaks binary
# Exploits scanner family
exploits:
enabled: false # Enable or disable exploits scanner family
scanners_list: # List of scanners to run
- "exploitdb"
inputs: # List of inputs to scan
- input: "CVE-2024-5535,CVE-2023-3446"
input_type: "csv"
scanners_config: # Configuration for each scanner
exploit_db:
base_url: "http://localhost:1326" # Base URL for the ExploitDB server
# Misconfigurations scanner family
misconfiguration:
enabled: false # Enable or disable misconfigurations scanner family
scanners_list: # List of scanners to run
- "cisdocker"
- "lynis"
- "fake"
strip_input_paths: false # Strip input paths from the output
inputs: # List of inputs to scan
- input: "/"
input_type: "rootfs"
scanners_config: # Configuration for each scanner
cisdocker:
timeout: "60s" # Timeout
registry: # Registry configuration
skip-verify-tls: false
use-http: false
auths:
authority: "authority"
username: "username"
password: "password"
token: "token"
lynis:
binary_path: "/usr/local/bin/lynis" # Path to Lynis binary
# InfoFinder scanner family
infofinder:
enabled: false # Enable or disable infofinder scanner family
scanners_list: # List of scanners to run
- "sshTopology"
strip_input_paths: false # Strip input paths from the output
inputs: # List of inputs to scan
- input: "/"
input_type: "rootfs"
scanners_config: {}
# Malware scanner family
malware:
enabled: false # Enable or disable malware scanner family
scanners_list: # List of scanners to run
- "clam"
- "yara"
strip_input_paths: false # Strip input paths from the output
inputs: # List of inputs to scan
- input: "/"
input_type: "rootfs"
scanners_config: # Configuration for each scanner
clam:
freshclam_binary_path: "/usr/local/bin/freshclam" # Path to freshclam binary
freshclam_config_path: "/etc/clamav/freshclam.conf" # Path to freshclam configuration file
alternative_freshclam_mirror_url: "" # Alternative freshclam mirror URL. Config option cannot include servers under *.clamav.net.
use_native_clamscan: false # Scan using native clamscan command (true) instead of daemon clamdscan (false)
clamscan_binary_path: "/usr/local/bin/clamscan" # Path to clamscan binary
clamscan_exclude_files: # Files to exclude from the scan
- "^.*\\.log$"
clamscan_exclude_dirs: # Directories to exclude from the scan
- "^/sys"
clam_daemon_binary_path: "/usr/local/bin/clamd" # Path to clamd binary
clam_daemon_config_path: "/etc/clamav/clamd.conf" # Path to clamd configuration file
clam_daemon_client_binary_path: "/usr/local/bin/clamdscan" # Path to clamdscan binary
yara:
yara_binary_path: "/usr/local/bin/yara" # Path to yara binary
compiled_rule_url: "" # URL to download compiled rules
rule_sources: # List of rule sources
- name: ""
url: ""
yarac_binary_path: "/usr/local/bin/yarac" # Path to yarac binary
cache_dir: "/tmp/.yara" # Cache directory
directories_to_scan: [] # Directories to scan
# Rootkits scanner family
rootkits:
enabled: false # Enable or disable rootkits scanner family
scanners_list: # List of scanners to run
- "chkrootkit"
strip_input_paths: false # Strip input paths from the output
inputs: # List of inputs to scan
- input: "/"
input_type: "rootfs"
scanners_config: # Configuration for each scanner
chkrootkit:
binary_path: "/usr/local/bin/chkrootkit" # Path to chkrootkit binary
# Plugins scanner family
plugins:
enabled: false # Enable or disable plugins scanner family
binary_mode: false # Use binary mode for plugins
binary_artifacts_path: "" # Path to binary artifacts
binary_artifacts_clean: true # Clean binary artifacts after execution
scanners_list: # List of scanners to run
- "kics"
inputs: # List of inputs to scan
- input: "/"
input_type: "rootfs"
scanners_config: # Configuration for each scanner
kics:
image_name: "ghcr.io/openclarity/openclarity-plugin-kics:latest" # Image name for KICS plugin
config: "{\"preview-lines\": 3, \"report-formats\": [\"json\" ], \"platform\": [], \"max-file-size-flag\": 100, \"disable-secrets\": true, \"query-exec-timeout\": 60, \"silent\": true, \"minimal\": true}" # Configuration example for KICS