1. Documentation
    2. history bug_report picture_as_pdf
×

Image scanning by using the roxctl CLI

You can scan images stored in image registries, including cluster local registries such as the OpenShift Container Platform integrated image registry by using the roxctl CLI.

Scanning images by using a remote cluster

By specifying the appropriate cluster in the delegated scanning configuration or through the cluster parameter described in the following procedure, you can scan images from cluster local registries by using a remote cluster.

For more information about how to configure delegated image scanning, see Configuring delegated image scanning.
Procedure

  • Run the following command to scan the specified image in a remote cluster:

    $ roxctl image scan \
  --image=<image_registry>/<image_name> \(1)
  --cluster=<cluster_detail> \(2)
  [flags] (3)
    1 For <image_registry>, specify the registry where the image is located, for example, image-registry.openshift-image-registry.svc:5000/. For <image_name>, specify the name of the image you want to scan, for example, default/image-stream:latest.
    2 For <cluster_detail>, specify the name or ID of the remote cluster. For example, specify the name remote.
    3 Optional: For [flags], you can specify parameters to modify the behavior of the command.

    For more information about optional parameters, see roxctl image scan command options.
    Example output
    {
  "Id": "sha256:3f439d7d71adb0a0c8e05257c091236ab00c6343bc44388d091450ff58664bf9", (1)
  "name": { (2)
    "registry": "image-registry.openshift-image-registry.svc:5000", (3)
    "remote": "default/image-stream", (4)
    "tag": "latest", (5)
    "fullName": "image-registry.openshift-image-registry.svc:5000/default/image-stream:latest" (6)
  },
[...]
    1 A unique identifier for the image that serves as a fingerprint for the image. It helps ensure the integrity and authenticity of the image.
    2 Contains specific details about the image.
    3 The location of the image registry where the image is stored.
    4 The remote path to the image.
    5 The version or tag associated with this image.
    6 The complete name of the image, combining the registry, remote path, and tag.

roxctl image scan command options

The roxctl image scan command supports the following options:

Option Description

--cluster string

Delegate image scanning to a specific cluster.

--compact-output

Print the JSON output in a compact format. The default value is false.

-f, --force

Ignore Central’s cache for the scan and force a fresh re-pull from Scanner. The default value is false.

--headers strings

Print the headers in a tabular format. Default values include COMPONENT,VERSION,CVE,SEVERITY, and LINK.

--headers-as-comments

Print the headers as comments in a CSV tabular output. The default value is false.

-h, --help

View the help text for the roxctl image scan command.

-i, --image string

Specify the image name and reference you want to scan.

-a, --include-snoozed

Return both snoozed and unsnoozed common vulnerabilities and exposures (CVEs). The default value is false.

--merge-output

Merge duplicate cells in a tabular output. The default value is true.

--no-header

Do not print headers for tabular format. The default value is false.

-o, --output string

Specify the output format. You can select a format to customize the display of results. Formats include table, CSV, JSON, and SARIF.

-r, --retries int

Set the number of retries before the operation is aborted with an error. The default value is 3.

-d, --retry-delay int

Set the time in seconds to wait between retries. The default value is 3.

--row-jsonpath-expressions string

Use the JSON path expressions to create rows from the JSON object. For more details, run the roxctl image scan --help command.