ATOMIC(1)                       September 2015                       ATOMIC(1)

NAME

       atomic-scan - Scan for CVEs in a container or image

SYNOPSIS

       atomic scan [-h|--help] [--list] [--scanner] [--scan_type] [--verbose]
       [--all | --images | --containers | --rootfs rootfs path to scan| IMAGE
       or CONTAINER names ...]

DESCRIPTION

       atomic scan scans a container or image for known Common
       Vulnerabilities and Exposures (CVEs) by default.  It can also scan paths
       on the host filesystem using the --rootfs option.

       The architecture for atomic scan is very plug-in friendly.  You can
       define additional scanners to use via the plug-in interface.  To list
       the available scanners set up on your system, use --list.  To
       use a different scanner, simply pass its name with the --scanner
       switch.  You can also select a different scan type using the
       --scan_type switch.

OPTIONS

       -h --help
         Print usage statement.

       --verbose
         Show more verbose output, specifically the stdout from the image
         scanner itself.

       --list
         Show all scanners configured for atomic and their scan types.

       --scanner
         Select a scanner other than the default.

       --scan_type
         Select a scan_type other than the default.

       --scanner_args
         Provide additional arguments for the scanner, for example to specify
         a compliance profile.

       --all
         Instead of providing image or container names, scan all images
         (excluding intermediate image layers) and containers.

       --images
         Scan all images (excluding intermediate layers).  Similar to the
         results of docker images.

       --containers
         Scan all containers.  Similar to the results of docker ps -a.

       --rootfs
         Rootfs path to scan.  Can provide --rootfs multiple times.
         Note: SELinux separation will be disabled for --rootfs scans, but all
         other container separation will still be in place.

       --remediate
         Allows the scanner to run a remediation script when scanning is
         complete.  The remediation script is provided by the scanner itself.

       Note: not all scanners provide remediation scripts.

EXAMPLES

       List all the scanners atomic knows about and display their default scan
       types.

              atomic scan --list

       Scan an image named 'foo1'.

              atomic scan foo1

       Scan and remediate an image named 'foo1'.

              atomic scan --remediate foo1

       Scan images named 'foo1' and 'foo2' and produce a detailed report.

              atomic scan foo1 foo2

       Scan all containers.

              atomic scan --containers

       Scan all containers and images and create a detailed report.

              atomic scan --all

       Scan a rootfs mounted at /tmp/chroot.

              atomic scan --rootfs /tmp/chroot

       Scan an image called 'foo1' with a scanner called 'custom_scanner' and
       its default scan_type.

              atomic scan --scanner custom_scanner foo1

       Scan an image called 'foo1' with a scanner called 'custom_scanner' and
       a scan type of 'list_rpms'.

              atomic scan --scanner custom_scanner --scan_type list_rpms foo1

HISTORY

       Initial revision by Brent Baude (bbaude at redhat dot com) September
       2015.
       Updated for new atomic scan architecture by Brent Baude (bbaude at
       redhat dot com) May 2016.

Brent Baude                     Atomic Man Pages                     ATOMIC(1)