tanzu insight

Post data to, and query, the Supply Chain Security Tools - Store in Tanzu Application Platform (commonly known as TAP) through its secure REST API. Upload source commit and image vulnerability reports in CycloneDX (XML or JSON) or SPDX (JSON) format. Query source commits, images, packages, and vulnerabilities and output the results as CycloneDX XML, CycloneDX JSON, or human-readable text. For more information, see the TAP documentation.

Installation

Usage

CLI plugin: insight | Plugin version: v1.7.0 | Target: Kubernetes

  tanzu kubernetes insight [command]

Commands

  config          Config commands
  health          Checks if endpoint is reachable
  image           Image commands
  package         Package commands
  report          Report commands
  source          Source commands
  triage          Vulnerability analysis commands
  vulnerabilities Vulnerabilities commands

Flags

  -h, --help   help for insight

tanzu insight config

Configuration commands.

Usage

  tanzu insight config [command]

Commands

  set-target  Set metadata store endpoint

Flags

  -h, --help   help for config

tanzu insight config set-target

Set the target endpoint for the metadata store

Usage

  tanzu insight config set-target <endpoint> [--ca-cert <ca certificate path to verify peer against>] [--access-token <kubernetes service account access token>] [flags]

Examples

  insight config set-target https://localhost:8443 --ca-cert=/tmp/ca.crt --access-token eyJhbGc...

Flags

      --access-token string   Kubernetes access token. Using this flag stores the token on disk. Prefer setting the environment variable METADATA_STORE_ACCESS_TOKEN instead: it is read at the time of each API call and overrides the stored token.
      --ca-cert string        trusted ca certificate
  -h, --help                  help for set-target
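The following script is an added example, not part of the TAP documentation or the insight plugin. It shows the token handling the --access-token flag description recommends: the service account token is minted with kubectl and exported as METADATA_STORE_ACCESS_TOKEN, so the plugin reads it at call time and set-target never writes it to disk; the endpoint is required to be https and the CA certificate is checked before the target is set. The namespace metadata-store, the service account metadata-store-read-client, and the TLS secret ingress-cert are assumptions; adjust them to your installation.

```shell
#!/bin/sh
# Added example; not part of the TAP documentation or the insight plugin.
# Point the insight plugin at the metadata store without --access-token,
# which would persist the token on disk. The token lives only in
# METADATA_STORE_ACCESS_TOKEN, which the plugin reads when it calls the API.
set -eu

# Hypothetical names, adjust to your installation:
STORE_NS="${STORE_NS:-metadata-store}"                  # namespace of the store
STORE_SA="${STORE_SA:-metadata-store-read-client}"      # read-only service account
STORE_CERT_SECRET="${STORE_CERT_SECRET:-ingress-cert}"  # TLS secret holding ca.crt

# Refuse plaintext endpoints: the bearer token would travel unencrypted.
check_endpoint() {
  case "$1" in
    https://*) return 0 ;;
    *) printf 'refusing non-TLS endpoint: %s\n' "$1" >&2; return 1 ;;
  esac
}

# The CA file must be non-empty and contain a PEM certificate; an empty or
# wrong file pins nothing and only fails later, at the first API call.
check_ca_cert() {
  [ -s "$1" ] && grep -q 'BEGIN CERTIFICATE' "$1"
}

# Copy the store's CA certificate out of the cluster (needs kubectl).
fetch_ca_cert() {
  kubectl get secret "$STORE_CERT_SECRET" -n "$STORE_NS" \
    -o jsonpath='{.data.ca\.crt}' | base64 -d > "$1"
}

# Mint a short-lived service-account token (kubectl 1.24+) and keep it
# only in the environment of this shell, never in a file.
export_store_token() {
  METADATA_STORE_ACCESS_TOKEN="$(kubectl create token "$STORE_SA" -n "$STORE_NS" --duration=1h)" || return 1
  export METADATA_STORE_ACCESS_TOKEN
}

# Validate inputs and print the set-target command line, deliberately
# without --access-token. Returns non-zero instead of printing on bad input.
set_target_cmd() {
  check_endpoint "$1" || return 1
  check_ca_cert "$2" || { printf 'not a PEM certificate: %s\n' "$2" >&2; return 1; }
  printf 'tanzu insight config set-target %s --ca-cert=%s\n' "$1" "$2"
}

# End-to-end flow; runs only when an endpoint is given on the command line,
# so the functions above can also be sourced and reused.
if [ "$#" -ge 1 ]; then
  # A CA certificate is public data, so keeping it on disk is fine (the token is not).
  ca_file="${STORE_CA_FILE:-$PWD/metadata-store-ca.crt}"
  fetch_ca_cert "$ca_file"
  export_store_token
  set_target_cmd "$1" "$ca_file"          # validates and echoes what is about to run
  tanzu insight config set-target "$1" --ca-cert="$ca_file"
  tanzu insight health                    # the store should now answer
fi
```

Run it as `sh connect.sh https://metadata-store.example.com` from the shell in which you will use the plugin; because the token is exported rather than stored, every later `tanzu insight` call in that shell picks it up, and a new shell needs `export_store_token` again.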

tanzu insight health

Checks if endpoint is reachable.

Usage

tanzu insight health [flags]

Examples

insight health

Flags

  -h, --help   help for health

tanzu insight image

Image commands

Usage

  tanzu insight image [command]

Aliases

  image, images, imgs, img

Commands

  add             Add an image report
  get             Get image by digest
  packages        Get image packages
  vulnerabilities Get image vulnerabilities

Flags

  -h, --help   help for image

tanzu insight image add

Adds an image report: the image is added to the metadata store together with its SBOM or vulnerability scan. By default, standard output and errors are shown together; redirect them to separate files with 1>out.txt 2>error.txt.

Usage

tanzu insight image add --path <filepath> [flags]

Examples

  insight image add --input-format cyclonedx-xml --output-format text --path /path/to/file.xml
  insight image add --input-format spdx-json --output-format api-json --path /path/to/file.json
  insight image add --path /path/to/file.xml
  insight image add --path /path/to/file.xml --artifact-group-uid workload-uid --artifact-group-label name=example --artifact-group-label namespace=example-ns
  insight image add --path /path/to/file.xml --artifact-group-uid workload-uid --artifact-group-label name=example,namespace=example-ns
  insight image add --input-format spdx-json --output-format api-json --path /path/to/file.json 1>out.txt 2>error.txt

The last example writes output to out.txt and errors to error.txt.

Flags

      --artifact-group-label strings   specify artifact group labels, must be in key=value format. This flag can be set multiple times to provide multiple labels in one call, or can be passed a list of labels separated by commas. Note: This flag can only be specified if artifact-group-uid flag is set.
      --artifact-group-uid string      uid of artifact group to add to, or create if it doesn't already exist
  -h, --help                           help for add
  -i, --input-format string            specify the file’s SBOM report format and file type, options=[cyclonedx-xml, cyclonedx-json, spdx-json] (default: cyclonedx-xml)
      --original-location string       specify the stored location of the original SBOM vulnerability scan result used to create this report
      --output-format string           specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
  -p, --path string                    path to file, required
      --report-uid string              specify a unique report identifier to tag this vulnerability scan result with. Supported characters: ALPHA DIGIT "-" / "." / "_" / "~"

tanzu insight image get

Gets an image by digest.

Usage

  tanzu insight image get --digest <image-digest> [flags]

Examples

  insight image get --digest sha256:a86859ac1946065d93df9ecb5cb7060adeeb0288fad610b1b659907
  insight image get --digest sha256:a86859ac1946065d93df9ecb5cb7060adeeb0288fad610b1b659907 --output-format api-json
  insight image get --digest sha256:a86859ac1946065d93df9ecb5cb7060adeeb0288fad610b1b659907 --output-format cyclonedx-xml

tanzu insight image packages

Get the image packages.

Usage

tanzu insight image packages [--digest <image-digest>] [--name <name>] [flags]

Examples

insight image packages --digest sha256:a86859ac1946065d93df9ecb5cb7060adeeb0288fad610b1b659907
  insight image packages --name ubuntu --output-format api-json

Flags

  -d, --digest string          image digest
  -h, --help                   help for packages
  -n, --name string            image name
      --output-format string   specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)

tanzu insight image vulnerabilities

Gets image vulnerabilities.

Usage

tanzu insight image vulnerabilities --digest <image-digest> [flags]

Examples

insight image vulnerabilities --digest sha256:a86859ac1946065d93df9ecb5cb7060adeeb0288fad610b1b659907
insight image vulnerabilities --digest sha256:a86859ac1946065d93df9ecb5cb7060adeeb0288fad610b1b659907 --output-format api-json

Flags

  -d, --digest string          image digest
  -h, --help                   help for vulnerabilities
      --output-format string   specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)

tanzu insight package

Package commands.

Usage

  tanzu insight package [command]

Commands

  get             Get package by name, version, and package manager
  images          Get images that contain a package
  sources         Get sources that contain a package
  vulnerabilities Get package vulnerabilities

Flags

  -h, --help   help for package

tanzu insight package get

Gets the package by name, version, and package manager.

Usage

To get a package by name, version, and package manager, run:

tanzu insight package get --name <package name> --version <package version> --pkgmngr Unknown [flags]

Examples

insight package get --name client --version 1.0.0a --pkgmngr Unknown
  insight package get --name client --version 1.0.0a --pkgmngr Unknown --output-format api-json

Flags

  -h, --help                   help for get
  -n, --name string            name of the package
      --output-format string   specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
  -p, --pkgmngr string         Package manager of the dependency. 'Unknown' is currently the only supported value (default "Unknown")
  -v, --version string         version of the package

tanzu insight package images

Gets the images that contain a given package by name.

Usage

To get the images that contain the given package, run:

tanzu insight package images --name <package name> [flags]

Examples

insight package images --name client
  insight package images --name client --output-format api-json

Flags

  -h, --help                   help for images
  -n, --name string            name of the package
      --output-format string   specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)

tanzu insight package sources

Gets the sources that contain the given package by name.

Usage

To get sources that contain the given package by name, run:

tanzu insight package sources --name <package name> [flags]

Examples

insight package sources --name client
  insight package sources --name client --output-format api-json

Flags

  -h, --help                   help for sources
  -n, --name string            name of the package
      --output-format string   specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)

tanzu insight package vulnerabilities

Gets the package vulnerabilities.

Usage

Get package vulnerabilities

tanzu insight package vulnerabilities --name <package name> [flags]

Examples

insight package vulnerabilities --name client
  insight package vulnerabilities --name client --output-format api-json

Flags

  -h, --help                   help for vulnerabilities
  -n, --name string            name of the package
      --output-format string   specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)

tanzu insight report

Access reports from each scan to find out what packages and vulnerabilities were discovered.

Commands

tanzu insight report get
tanzu insight report list

tanzu insight report get

Gets a report by its unique identifier.

Usage

Get a report by its unique identifier:

tanzu insight report get --uid <report-unique-identifier> [flags]

Example

  insight report get --uid d38c3962-2351-44d5-8603-1d147f3d2367
  insight report get --uid d38c3962-2351-44d5-8603-1d147f3d2367 --output-format api-json

Flags

  -h, --help                   help for get
      --output-format string   specify the response's SBOM report format and file type format, options=[text, api-json, cyclonedx-xml, spdx-json] (default: text)
      --uid string             the unique identifier of the SBOM report

tanzu insight report list

Lists reports by image digest, source commit hash, or original location.

Usage

List reports by image digest, source commit hash, or original location

tanzu insight report list (--digest <image-digest> | --commit <commit-sha> | --original-location <location>) [flags]

Example

insight report list --digest sha256:a86859ac1946065d93df9ecb5cb7060adeeb0288fad610b1b659907
  insight report list --commit b33dfee51 --order ASC
  insight report list --original-location tanzu-java-web-app-my-apps-scan-results@sha256:cd541f747a78a1df3e1055da3e8c1b3bdd9a4aa8b0750bcb7b053a18d3833e81

Flags

  -c, --commit string              commit hash
  -d, --digest string              image digest
  -h, --help                       help for list
      --namespace string           the Kubernetes namespace of the workload that submitted the report. Cannot be used with workload-uid
      --order string               the order in which the list of reports will be returned. When set to 'ASC', will return the list in ascending order (oldest to newest) by date/time the report was generated. When set to 'DESC', will return the list in descending order (newest to oldest) (default: DESC)
      --original-location string   the URI location of where the original SBOM scan results are stored that is associated with the report
      --output-format string       specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
      --workload-name string       the name of the workload associated with the report. Cannot be used with workload-uid
      --workload-uid string        the UID of the workload associated with the report. Cannot be used with workload-name or namespace

tanzu insight source

Gets help for the source commands.

Flags

  -h, --help   help for source

tanzu insight source add

Adds a source report.

Usage

Adds a source to the metadata store together with the source's SBOM or vulnerability scan. By default, standard output and errors are shown together; redirect them to separate files with 1>out.txt 2>error.txt.

tanzu insight source add --path <filepath> [flags]

Examples

  insight source add --input-format cyclonedx-xml --output-format text --path /path/to/file.xml
  insight source add --input-format spdx-json --output-format api-json --path /path/to/file.json
  insight source add --path /path/to/file.xml
  insight source add --path /path/to/file.xml --artifact-group-uid workload-uid --artifact-group-label name=example --artifact-group-label namespace=example-ns
  insight source add --path /path/to/file.xml --artifact-group-uid workload-uid --artifact-group-label name=example,namespace=example-ns
  insight source add --input-format spdx-json --output-format api-json --path /path/to/file.json 1>out.txt 2>error.txt

The last example writes output to out.txt and errors to error.txt.

Flags

      --artifact-group-label strings   specify artifact group labels, must be in key=value format. This flag can be set multiple times to provide multiple labels in one call, or can be passed a list of labels separated by commas. Note: this flag can only be specified if artifact-group-uid flag is set
      --artifact-group-uid string      uid of artifact group to add to, or create if it doesn't already exist
  -h, --help                           help for add
  -i, --input-format string            specify the file’s SBOM report format and file type, options=[cyclonedx-xml, cyclonedx-json, spdx-json] (default: cyclonedx-xml)
      --original-location string       specify the stored location of the original SBOM vulnerability scan result used to create this report
      --output-format string           specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
  -p, --path string                    path to file, required
      --report-uid string              specify a unique report identifier to tag this vulnerability scan result with. Supported characters: ALPHA DIGIT "-" / "." / "_" / "~"

tanzu insight source get

Gets sources by repository, commit, or organization.

Usage

  tanzu insight source get --repo <repository-name> --commit <commit-hash> --org <organization-name> [flags]

Examples

insight source get --org company --repo example-repo --commit b33dfee51
  insight source get --org company --repo example-repo --commit b33dfee51 --output-format api-json
  insight source get --org company --repo example-repo --commit b33dfee51 --output-format cyclonedx-xml

Flags

  -c, --commit string          commit hash
  -h, --help                   help for get
  -o, --org string             organization that owns the source
      --output-format string   specify the response's SBOM report format and file type format, options=[text, api-json, cyclonedx-xml, spdx-json] (default: text)
  -r, --repo string            repository name

tanzu insight source packages

Gets the source packages.

Usage

Get source packages

tanzu insight source packages [--commit <commit-hash>] [--repo <repository-name>] [flags]

Examples

  insight source packages --commit 0b1b659907 --repo example-repo
  insight source packages --commit 0b1b659907 --repo example-repo --output-format api-json

Flags

  -c, --commit string          commit hash
  -h, --help                   help for packages
      --output-format string   specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
  -r, --repo string            repository name

tanzu insight source vulnerabilities

Gets the source vulnerabilities.

Usage

Get source vulnerabilities. Filter by commit hash, by repository name, or by both.

tanzu insight source vulnerabilities [--commit <commit-hash>] [--repo <repository-name>] [flags]

Examples

  insight source vulnerabilities --commit eb55fc13 --repo example-repo
  insight source vulnerabilities --commit eb55fc13 --repo example-repo --output-format api-json

Flags

  -c, --commit string          commit hash
  -h, --help                   help for vulnerabilities
      --output-format string   specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
  -r, --repo string            repository name

tanzu insight triage

Gets help for the vulnerability analysis commands.

Flags

  -h, --help                   help for triage
      --output-format string   specify the response's format, options=[text, api-json] (default "text")

tanzu insight triage copy

Copies an existing vulnerability analysis to a new image, source, or artifact group.

Usage

This command takes an existing triage and copies the latest analysis to target a new image, source, or artifact group affected by the vulnerability of the existing triage. This allows you to easily copy analysis between images and sources that belong to different artifact groups, or different versions of an image/source that belong to the same artifact group.

If an image or source is provided, validations will run to make sure they contain the affected package and vulnerability, and that they belong to the existing triage’s artifact group. If an artifact group is provided, validations will run to make sure it contains the provided image/source, or the original ones from the existing triage.

tanzu insight triage copy --triage-uid-to-copy <uid> [--img-digest <digest>] [--src-commit <commit>] [--artifact-group-uid <ag-uid>] [flags]

Examples

insight triage copy --triage-uid-to-copy BEC0F39C-FE99-4F18-A0AF-069A4AA8D71A --img-digest sha256:192369123812
insight triage copy --triage-uid-to-copy BEC0F39C-FE99-4F18-A0AF-069A4AA8D71A --src-commit 5025112c8b1 --artifact-group-uid AG-00003
insight triage copy --triage-uid-to-copy BEC0F39C-FE99-4F18-A0AF-069A4AA8D71A --artifact-group-uid AG-00002

Flags

  -a, --artifact-group-uid string   Artifact group uid
  -h, --help                        help for copy
  -d, --img-digest string           Image digest
      --img-registry string         Image registry
  -c, --src-commit string           Source commit
      --src-org string              Source organization
      --src-repo string             Source repository
  -u, --triage-uid-to-copy string   Triage UID to copy from
  -y, --yes                         Force update

tanzu insight triage list

Lists the existing vulnerability triages.

Usage

  tanzu insight triage list [flags]

Examples

insight triage list --img-digest sha256:123456789
insight triage list --src-commit a1s2d3f4 --limit 5
insight triage list --output-format api-json
insight triage list --page 5 --limit 20

Flags

  -h, --help                  help for list
  -d, --img-digest string     Image digest
      --img-registry string   Image registry
  -l, --limit uint            Limits the number of analyses to show (default 10)
      --output-format string  specify the response's format, options=[text, api-json] (default "text")
  -p, --page uint             Page of results to return, based on the specified limit (default 1)
  -c, --src-commit string     Source commit
      --src-org string        Source organization
      --src-repo string       Source repository

tanzu insight triage rebase

Copies the existing vulnerability analyses of an artifact group onto a newer version of an image in that group.

Usage

This command takes all the existing analyses within an artifact group that are valid for the target image and copies them over. An analysis is considered valid for an image within an artifact group when the following conditions are met:

  • The analysis exists for a vulnerability that the target image is affected by and is linked to a “previous version” of an image.
  • There is no existing analysis for the same vulnerability and the target image, or their state is ‘in_triage’

For example, Image A is considered to be a previous version of Image B when they have the same name, different digests and Image A was created before Image B.

tanzu insight triage rebase --img-digest <digest> --artifact-group-uid <ag-uid> [flags]

Examples

insight triage rebase --img-digest sha256:192369123812 --artifact-group-uid BEC0F39C-FE99-4F18-A0AF-069A4AA8D71A

Flags

  -a, --artifact-group-uid string   Artifact group uid
  -h, --help                        help for rebase
  -d, --img-digest string           Image digest
      --img-registry string         Image registry
      --output-format string        specify the response's format, options=[text, api-json] (default "text")
  -y, --yes                         Force update

tanzu insight triage update

Create or update a vulnerability analysis.

Usage

Create or update a vulnerability impact analysis. An impact analysis targets a specific package (OS or application), a vulnerability, and an image or source that belongs to a specific artifact group. This command follows the CycloneDX VEX specification for impact analysis: it provides a flag for each CycloneDX VEX field and accepts only the field's predefined values. The fields and their supported values are:

Impact Analysis States --state

Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.

  • resolved = the vulnerability is remediated.
  • resolved_with_pedigree = the vulnerability is remediated and evidence of the changes is provided in the affected component's pedigree, containing verifiable commit history or diffs.
  • exploitable = the vulnerability might be directly or indirectly exploitable.
  • in_triage = the vulnerability is being investigated.
  • false_positive = the vulnerability is not specific to the component or service and was falsely identified or associated.
  • not_affected = the component or service is not affected by the vulnerability.

Impact Analysis Justifications --justification

The rationale of why the impact analysis state was asserted is described here:

  • code_not_present = the code is removed or tree-shaked.
  • code_not_reachable = the vulnerable code is not invoked at runtime.
  • requires_configuration = exploitability requires a configurable option to be set or unset.
  • requires_dependency = exploitability requires a dependency that is not present.
  • requires_environment = exploitability requires a certain environment that is not present.
  • protected_by_compiler = exploitability requires a compiler flag to be set or unset.
  • protected_at_runtime = exploits are prevented at runtime.
  • protected_at_perimeter = attacks are blocked at physical, logical, or network perimeter.
  • protected_by_mitigating_control = preventative measures have been implemented that reduce the likelihood or impact of the vulnerability.
Note

--justification is required when --state is set to not_affected

Impact Analysis Responses --response

A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities whose analysis state is exploitable.

  • can_not_fix
  • will_not_fix
  • update
  • rollback
  • workaround_available
Note

--response is highly encouraged when --state is set to exploitable; however, CycloneDX specification does not require this.

Free form comments --comment

Syntax

tanzu insight triage update --cveid CVE-ID --pkg-name PKG-NAME --pkg-version PKG-VERSION (--img-digest DIGEST | --src-commit COMMIT) --artifact-group-uid UID [--state STATE] [--justification JUSTIFICATION] [--response RESPONSE1,RESPONSE2] [--comment COMMENT] [flags]

Examples

insight triage update --cveid CVE-2022-5089 --pkg-name google.golang.org/protobuf --pkg-version 1.23.2 --img-digest sha256:192369123812 --artifact-group-uid AG-00001 --state false_positive
insight triage update --cveid CVE-2022-5089 --pkg-name google.golang.org/protobuf --pkg-version 1.23.2 --img-digest sha256:192369123812 --img-registry internal-hub.docker.io --artifact-group-uid AG-00001 --state not_affected --justification code_not_reachable --comment "The code can't be reached by external users"
insight triage update --cveid CVE-2020-1034 --pkg-name libssl --pkg-version 1.3.0-dev.35 --src-commit 5025112c8b1 --artifact-group-uid AG-00002
insight triage update --cveid CVE-2020-1034 --pkg-name libssl --pkg-version 1.3.0-dev.35 --src-commit 5025112c8b1 --artifact-group-uid AG-00002 --state exploitable --response will_not_fix,update

For more information, see the NIST website.

Flags

  -a, --artifact-group-uid string   Artifact group uid
  -t, --comment string              Analysis comment
  -v, --cveid string                CVE id
  -h, --help                        help for update
  -d, --img-digest string           Image digest
      --img-registry string         Image registry
  -j, --justification string        Analysis justification
  -n, --pkg-name string             Package name
  -p, --pkg-version string          Package version
  -r, --response strings            Analysis response
  -c, --src-commit string           Source commit
      --src-org string              Source organization
      --src-repo string             Source repository
  -s, --state string                Analysis state (default "in_triage")
  -y, --yes                         Force update
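The following script is an added example, not part of the TAP documentation or the insight plugin. It encodes the constraints listed above (predefined states, justifications, and responses; --justification required with not_affected; --response encouraged with exploitable) as a pre-submission check, then builds the triage update command line from a decision list, so a bad VEX assertion is rejected locally instead of by the store. The decision list and its values are constructed for illustration and reuse the placeholder CVE IDs, digest, and artifact group UID from the examples above; it targets images only (--img-digest), not sources.

```shell
#!/bin/sh
# Added example; not part of the TAP documentation or the insight plugin.
# Validates a VEX impact-analysis decision against the documented constraints
# of `tanzu insight triage update`, then builds (or runs) the command line.
set -eu

# CycloneDX VEX predefined values, as listed in the command documentation.
STATES="resolved resolved_with_pedigree exploitable in_triage false_positive not_affected"
JUSTIFICATIONS="code_not_present code_not_reachable requires_configuration requires_dependency requires_environment protected_by_compiler protected_at_runtime protected_at_perimeter protected_by_mitigating_control"
RESPONSES="can_not_fix will_not_fix update rollback workaround_available"

# in_list NEEDLE "a b c" -> 0 if NEEDLE is one of the space-separated words
in_list() {
  for w in $2; do [ "$w" = "$1" ] && return 0; done
  return 1
}

# vex_validate STATE JUSTIFICATION RESPONSES(comma-separated)
#   - state, justification and every response must be predefined values
#   - not_affected requires a justification
#   - exploitable without a response is allowed but flagged
vex_validate() {
  state="$1"; just="$2"; resp="$3"
  in_list "$state" "$STATES" || { printf 'invalid state: %s\n' "$state" >&2; return 1; }
  if [ -n "$just" ] && ! in_list "$just" "$JUSTIFICATIONS"; then
    printf 'invalid justification: %s\n' "$just" >&2; return 1
  fi
  if [ "$state" = not_affected ] && [ -z "$just" ]; then
    printf 'not_affected requires --justification\n' >&2; return 1
  fi
  for r in $(printf '%s' "$resp" | tr ',' ' '); do
    in_list "$r" "$RESPONSES" || { printf 'invalid response: %s\n' "$r" >&2; return 1; }
  done
  if [ "$state" = exploitable ] && [ -z "$resp" ]; then
    printf 'warning: exploitable without --response\n' >&2
  fi
  return 0
}

# triage_cmd MODE CVE PKG VERSION DIGEST AG-UID STATE JUSTIFICATION RESPONSES COMMENT
# MODE "print" echoes the command (dry run); MODE "run" invokes the plugin.
# Arguments are passed through "$@", so comments with spaces stay one argument.
triage_cmd() {
  mode="$1"; cve="$2"; pkg="$3"; ver="$4"; dig="$5"; ag="$6"; st="$7"; ju="$8"; re="$9"
  shift 9; co="${1:-}"
  vex_validate "$st" "$ju" "$re" || return 1
  set -- --cveid "$cve" --pkg-name "$pkg" --pkg-version "$ver" --img-digest "$dig" \
         --artifact-group-uid "$ag" --state "$st"
  [ -n "$ju" ] && set -- "$@" --justification "$ju"
  [ -n "$re" ] && set -- "$@" --response "$re"
  [ -n "$co" ] && set -- "$@" --comment "$co"
  if [ "$mode" = run ]; then
    tanzu insight triage update "$@"
  else
    printf 'tanzu insight triage update'; printf ' %s' "$@"; printf '\n'
  fi
}

# Constructed decision list, '|'-separated (a tab would collapse empty fields):
# cve|package|version|digest|artifact-group|state|justification|responses|comment
# Rows 1 and 2 are valid; row 3 (not_affected without justification) must be rejected.
DECISIONS='CVE-2022-5089|google.golang.org/protobuf|1.23.2|sha256:192369123812|AG-00001|false_positive|||scanner matched the wrong module
CVE-2020-1034|libssl|1.3.0-dev.35|sha256:192369123812|AG-00001|exploitable||will_not_fix,update|
CVE-2020-1034|libssl|1.3.0-dev.35|sha256:192369123812|AG-00001|not_affected|||'

# Dry-runs every row; prints one command per valid row and returns the
# number of rejected rows, so a non-zero status means "do not submit".
apply_decisions() {
  rejected=0
  while IFS='|' read -r cve pkg ver dig ag st ju re co; do
    [ -n "$cve" ] || continue
    triage_cmd print "$cve" "$pkg" "$ver" "$dig" "$ag" "$st" "$ju" "$re" "$co" || rejected=$((rejected + 1))
  done <<EOF
$DECISIONS
EOF
  return "$rejected"
}
```

Review the dry-run output, fix or drop any rejected rows, then change `triage_cmd print` to `triage_cmd run` in apply_decisions to submit; the plugin still validates everything server-side, so this check is a convenience, not a substitute for the store's own rules.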

tanzu insight vulnerabilities

Gets help for the vulnerabilities commands.

Flags

  -h, --help   help for vulnerabilities

tanzu insight vulnerabilities get

Gets a vulnerability by CVE ID.

Usage

tanzu insight vulnerabilities get --cveid CVE-ID [flags]

Examples

  insight vulnerabilities get --cveid CVE-2021-123123
  insight vulnerabilities get --cveid CVE-2021-123123 --output-format api-json

Flags

  -c, --cveid string           CVE id
  -h, --help                   help for get
      --output-format string   specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)

tanzu insight vulnerabilities images

Gets the images with a given vulnerability.

Usage

Get images with a given vulnerability.

tanzu insight vulnerabilities images --cveid <cve-id> [flags]

Examples

  insight vulnerabilities images --cveid CVE-2021-123123
  insight vulnerabilities images --cveid CVE-2021-123123 --output-format api-json

Flags

  -c, --cveid string           CVE id
  -h, --help                   help for images
      --output-format string   specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)

tanzu insight vulnerabilities packages

Gets the packages with a given vulnerability.

Usage

Get packages with a given vulnerability.

tanzu insight vulnerabilities packages --cveid <cve-id> [flags]

Examples

  insight vulnerabilities packages --cveid CVE-2021-123123
  insight vulnerabilities packages --cveid CVE-2021-123123 --output-format api-json

Flags

  -c, --cveid string           CVE id
  -h, --help                   help for packages
      --output-format string   specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)

tanzu insight vulnerabilities sources

Gets the sources with a given vulnerability.

Usage

Get sources with a given vulnerability.

tanzu insight vulnerabilities sources --cveid <cve-id> [flags]

Examples

  insight vulnerabilities sources --cveid CVE-2021-123123
  insight vulnerabilities sources --cveid CVE-2021-123123 --output-format api-json

Flags

  -c, --cveid string           CVE id
  -h, --help                   help for sources
      --output-format string   specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)