tanzu insight
Post data and query the Supply Chain Security Tools - Store in Tanzu Application Platform (commonly known as TAP) through its secure REST API. Upload source commit and image vulnerability reports using CycloneDX format, XML and JSON, and SPDX format JSON. Query and output source commit, image, package, and vulnerabilities in CycloneDX XML, JSON, and human-readable text formats. For more information, see the TAP documentation.
Installation
Usage
CLI plugin: insight | Target: Kubernetes | Primarily used for: App development | Release Notes
tanzu kubernetes insight [command]
Commands
config Config commands
health Checks if endpoint is reachable
image Image commands
package Package commands
source Source commands
triage Vulnerability analysis commands
vulnerabilities Vulnerabilities commands
Flags
-h, --help help for insight
tanzu insight config
Configuration commands.
Usage
tanzu insight config [command]
Commands
set-target Set metadata store endpoint
Flags
-h, --help help for config
tanzu insight config set-target
Set the target endpoint for the metadata store
Usage
tanzu insight config set-target <endpoint> [--ca-cert <ca certificate path to verify peer against>] [--access-token <kubernetes service account access token>] [flags]
Examples
insight config set-target https://localhost:8443 --ca-cert=/tmp/ca.crt --access-token eyJhbGc...
Flags
--access-token string Kubernetes access token. It is recommended to use the Environment Variable METADATA_STORE_ACCESS_TOKEN during the API calls, this will override access token flag. Note: using the the access-token flag stores the token on disk, the Environment Variable is retrieved at the time of the API call
--ca-cert string trusted ca certificate
-h, --help help for set-target
tanzu insight health
Checks if endpoint is reachable.
Usage
tanzu insight health [flags]
Examples
insight health
Flags
-h, --help help for health
tanzu insight image
Image commands
Usage
tanzu insight image [command]
Aliases
image, images, imgs, img
Commands
add Add an image report
get Get image by digest
packages Get image packages
vulnerabilities Get image vulnerabilities
Flags
-h, --help help for image
tanzu insight image add
Adds an image report. Adds an image to the metadata store with the image’s SBOM or vulnerability scan. Shows standard output and errors together. Output and errors can be redirected to files by using 1>out.txt 2>error.txt.
Usage
tanzu insight image add --path <filepath> [flags]
Examples
insight image add --input-format cyclonedx-xml --output-format text --path /path/to/file.xml
insight image add --input-format spdx-json --output-format api-json --path /path/to/file.json
insight image add --path /path/to/file.xml
insight image add --path /path/to/file.xml --artifact-group-uid workload-uid --artifact-group-label name=example --artifact-group-label namespace=example-ns
insight image add --path /path/to/file.xml --artifact-group-uid workload-uid --artifact-group-label name=example,namespace=example-ns
insight image add --input-format spdx-json --output-format api-json --path /path/to/file.json 1>out.txt 2>error.txt (* Output will be redirected to out.txt and error will be redirected to error.txt .)
Flags
--artifact-group-label strings specify artifact group labels, must be in key=value format. This flag can be set multiple times to provide multiple labels in one call, or can be passed a list of labels separated by commas. Note: This flag can only be specified if artifact-group-uid flag is set.
--artifact-group-uid string uid of artifact group to add to, or create if it doesn't already exist
-h, --help help for add
-i, --input-format string specify the file’s SBOM report format and file type, options=[cyclonedx-xml, cyclonedx-json, spdx-json] (default: cyclonedx-xml)
--original-location string specify the stored location of the original SBOM vulnerability scan result used to create this report
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
-p, --path string path to file, required
--report-uid string specify a unique report identifier to tag this vulnerability scan result with. Supported characters: ALPHA DIGIT "-" / "." / "_" / "~"
tanzu insight image get
Gets an image by digest.
Usage
Get image by digest
tanzu insight image get --digest <image-digest> [flags]
Examples
insight image get --digest sha256:a86859ac1946065d93df9ecb5cb7060adeeb0288fad610b1b659907
insight image get --digest sha256:a86859ac1946065d93df9ecb5cb7060adeeb0288fad610b1b659907 --output-format api-json
insight image get --digest sha256:a86859ac1946065d93df9ecb5cb7060adeeb0288fad610b1b659907 --output-format cyclonedx-xml
tanzu insight image packages
Get the image packages.
Usage
tanzu insight image packages [--digest <image-digest>] [--name <name>] [flags]
Examples
insight image packages --digest sha256:a86859ac1946065d93df9ecb5cb7060adeeb0288fad610b1b659907
insight image packages --name ubuntu --output-format api-json
Flags
-d, --digest string image digest
-h, --help help for packages
-n, --name string image name
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
tanzu insight image vulnerabilities
Gets image vulnerabilities.
Usage
tanzu insight image vulnerabilities --digest <image-digest> [flags]
Examples
insight image vulnerabilities --digest sha256:a86859ac1946065d93df9ecb5cb7060adeeb0288fad610b1b659907
insight image vulnerabilities --digest sha256:a86859ac1946065d93df9ecb5cb7060adeeb0288fad610b1b659907 --output-format api-json
Flags
-d, --digest string image digest
-h, --help help for vulnerabilities
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
tanzu insight package
Flags
-h, --help help for package
tanzu insight package get
Gets the package by name, version, and package manager.
Usage
To get package by name, version, and package manager, run:
tanzu insight package get --name <package name> --version <package version> --pkgmngr Unknown [flags]
Examples
insight package get --name client --version 1.0.0a --pkgmngr Unknown
insight package get --name client --version 1.0.0a --pkgmngr Unknown --output-format api-json
Flags
-h, --help help for get
-n, --name string name of the package
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
-p, --pkgmngr string Package manager of the dependency. 'Unknown' is currently the only supported value (default "Unknown")
-v, --version string version of the package
tanzu insight package images
Gets the images that contain a given package by name.
Usage
To get images that contain the given package by name.
tanzu insight package images --name <package name> [flags]
Examples
insight package images --name client
insight package images --name client --output-format api-json
Flags
-h, --help help for images
-n, --name string name of the package
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
tanzu insight package sources
Gets the sources that contain the given package by name.
Usage
To get sources that contain the given package by name, run:
tanzu insight package sources --name <package name> [flags]
Examples
insight package sources --name client
insight package sources --name client --output-format api-json
Flags
-h, --help help for sources
-n, --name string name of the package
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
tanzu insight package vulnerabilities
Gets the package vulnerabilities.
Usage
Get package vulnerabilities
tanzu insight package vulnerabilities --name <package name> [flags]
Examples
insight package vulnerabilities --name client
insight package vulnerabilities --name client --output-format api-json
Flags
-h, --help help for vulnerabilities
-n, --name string name of the package
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
tanzu insight report
Access reports from each scan to find out what packages and vulnerabilities were discovered.
Commands
tanzu insight report get
tanzu insight report list
tanzu insight report get
Get the package vulnerabilities.
Usage
Get a report by its unique identifier:
tanzu insight report get --uid <report-unique-identifier> [flags]
Example
insight report get --uid d38c3962-2351-44d5-8603-1d147f3d2367
insight report get --uid d38c3962-2351-44d5-8603-1d147f3d2367 --format api-json
Flags
-h, --help help for get
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json, cyclonedx-xml, spdx-json] (default: text)
--uid string the unique identifier of the SBOM report
tanzu insight report list
List the package vulnerabilities.
Usage
List reports by image digest, source commit hash, or original location
tanzu insight report list (--digest <image-digest> | --commit <commit-sha> | --original-location <location>) [flags]
Example
insight report list --digest sha256:a86859ac1946065d93df9ecb5cb7060adeeb0288fad610b1b659907
insight report list --commit b33dfee51 --order ASC
insight report list --original-location tanzu-java-web-app-my-apps-scan-results@sha256:cd541f747a78a1df3e1055da3e8c1b3bdd9a4aa8b0750bcb7b053a18d3833e81
Flags
-c, --commit string commit hash
-d, --digest string image digest
-h, --help help for list
--namespace string the Kubernetes namespace of the workload that submitted the report. Cannot be used with workload-uid
--order string the order in which the list of reports will be returned. When set to 'ASC', will return the list in ascending order (oldest to newest) by date/time the report was generated. When set to 'DESC', will return the list in descending order (newest to oldest) (default: DESC)
--original-location string the URI location of where the original SBOM scan results are stored that is associated with the report
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
--workload-name string the name of the workload associated with the report. Cannot be used with workload-uid
--workload-uid string the UID of the workload associated with the report. Cannot be used with workload-name or namespace
tanzu insight source
Gets help for the source commands.
Flags
-h, --help help for source
tanzu insight source add
Adds a source report.
Usage
Add a source to the metadata store with the source’s SBOM or vulnerability scan. By default command will show Standard output and errors together. Output and errors can be redirected to files by using 1>out.txt 2>error.txt
tanzu insight source add --path <filepath> [flags]
Examples
insight source add --input-format cyclonedx-xml --output-format text --path /path/to/file.xml
insight source add --input-format spdx-json --output-format api-json --path /path/to/file.json
insight source add --path /path/to/file.xml
insight source add --path /path/to/file.xml --artifact-group-uid workload-uid --artifact-group-label name=example --artifact-group-label namespace=example-ns
insight source add --path /path/to/file.xml --artifact-group-uid workload-uid --artifact-group-label name=example,namespace=example-ns
insight source add --input-format spdx-json --output-format api-json --path /path/to/file.json 1>out.txt 2>error.txt (* Output will be redirected to out.txt and error will be redirected to error.txt .)
Flags
--artifact-group-label strings specify artifact group labels, must be in key=value format. This flag can be set multiple times to provide multiple labels in one call, or can be passed a list of labels separated by commas. Note: this flag can only be specified if artifact-group-uid flag is set
--artifact-group-uid string uid of artifact group to add to, or create if it doesn't already exist
-h, --help help for add
-i, --input-format string specify the file’s SBOM report format and file type, options=[cyclonedx-xml, cyclonedx-json, spdx-json] (default: cyclonedx-xml)
--original-location string specify the stored location of the original SBOM vulnerability scan result used to create this report
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
-p, --path string path to file, required
--report-uid string specify a unique report identifier to tag this vulnerability scan result with. Supported characters: ALPHA DIGIT "-" / "." / "_" / "~"
tanzu insight source get
Gets sources by repository, commit or organization.
Usage
Get sources by repository, commit or organization
tanzu insight source get --repo <repository-name> --commit <commit-hash> --org <organization-name> [flags]
Examples
insight source get --org company --repo example-repo --commit b33dfee51
insight source get --org company --repo example-repo --commit b33dfee51 --output-format api-json
insight source get --org company --repo example-repo --commit b33dfee51 --output-format cyclonedx-xml
Flags
-c, --commit string commit hash
-h, --help help for get
-o, --org string organization that owns the source
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json, cyclonedx-xml, spdx-json] (default: text)
-r, --repo string repository name
tanzu insight source packages
Gets the source packages.
Usage
Get source packages
tanzu insight source packages [--commit <commit-hash>] [--repo <repository-name>] [flags]
Examples
insight sources packages --commit 0b1b659907 --repo example-repo
insight sources packages --commit 0b1b659907 --repo example-repo --output-format api-json
Flags
-c, --commit string commit hash
-h, --help help for packages
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
-r, --repo string repository name
tanzu insight source vulnerabilities
Gets the source vulnerabilities.
Usage
Get source vulnerabilities. You can specify either commit or repo.
tanzu insight source vulnerabilities [--commit <commit-hash>] [--repo <repository-name>] [flags]
Examples
insight sources vulnerabilities --commit eb55fc13 --repo example-repo
insight sources vulnerabilities --commit eb55fc13 --repo example-repo --output-format api-json
Flags
-c, --commit string commit hash
-h, --help help for vulnerabilities
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
-r, --repo string repository name
tanzu insight triage
Gets help for the vulnerability analysis commands.
Flags
-h, --help help for triage
--output-format string specify the response's format, options=[text, api-json] (default "text")
tanzu insight triage copy
This topic tells you how to use the Tanzu Insight CLI tanzu insight triage copy command to copy an existing analysis to a new image, source or artifact group.
Usage
This command takes an existing triage and copies the latest analysis to target a new image, source, or artifact group affected by the vulnerability of the existing triage. This allows you to easily copy analysis between images and sources that belong to different artifact groups, or different versions of an image/source that belong to the same artifact group.
If an image or source is provided, validations will run to make sure they contain the affected package and vulnerability, and that they belong to the existing triage’s artifact group. If an artifact group is provided, validations will run to make sure it contains the provided image/source, or the original ones from the existing triage.
tanzu insight triage copy --triage-uid-to-copy <uid> [--img-digest <digest>] [--src-commit <commit>] [--artifact-group-uid <ag-uid>] [flags]
Examples
insight triage copy --triage-uid-to-copy BEC0F39C-FE99-4F18-A0AF-069A4AA8D71A --img-digest sha256:192369123812
insight triage copy --triage-uid-to-copy BEC0F39C-FE99-4F18-A0AF-069A4AA8D71A --src-commit 5025112c8b1 --artifact-group-uid AG-00003
insight triage copy --triage-uid-to-copy BEC0F39C-FE99-4F18-A0AF-069A4AA8D71A --artifact-group-uid AG-00002
Flags
-a, --artifact-group-uid string Artifact group uid
-h, --help help for copy
-d, --img-digest string Image digest
--img-registry string Image registry
-c, --src-commit string Source commit
--src-org string Source organization
--src-repo string Source repository
-u, --triage-uid-to-copy string Triage UID to copy from
-y, --yes Force update
tanzu insight triage list
This topic tells you how to use the Tanzu Insight CLI tanzu insight triage list command to get a list of the existing vulnerability triages.
tanzu insight triage list [flags]
Examples
insight triage list --img-digest sha256:123456789
insight triage list --src-commit a1s2d3f4 --limit 5
insight triage list --output-format api-json
insight triage list --page 5 --limit 20
Flags
-h, --help help for list
-d, --img-digest string Image digest
--img-registry string Image registry
-l, --limit uint Limits the number of analysis to show (default 10)
-p, --page uint Allows to paginate the results based on the specified limit (default 1)
-c, --src-commit string Source commit
--src-org string Source organization
--src-repo string Source repository
--output-format string specify the response's format, options=[text, api-json] (default "text")
tanzu insight triage rebase
This topic tells you how to use the Tanzu Insight CLI tanzu insight triage rebase command to get a list of the existing vulnerability triages.
Usage
This command takes all the existing analyses within an artifact group that are valid for the target image and copies them over. An analysis is considered valid for an image within an artifact group when the following conditions are met:
- The analysis exists for a vulnerability that the target image is affected by and is linked to a “previous version” of an image.
- There is no existing analysis for the same vulnerability and the target image, or their state is ‘in_triage’
For example, Image A is considered to be a previous version of Image B when they have the same name, different digests and Image A was created before Image B.
tanzu insight triage rebase --img-digest <digest> --artifact-group-uid <ag-uid> [flags]
Examples
insight triage rebase --img-digest sha256:192369123812 --artifact-group-uid BEC0F39C-FE99-4F18-A0AF-069A4AA8D71A
Flags
-a, --artifact-group-uid string Artifact group uid
-h, --help help for rebase
-d, --img-digest string Image digest
--img-registry string Image registry
--output-format string specify the response's format, options=[text, api-json] (default "text")
-y, --yes Force update
tanzu insight triage update
Create or update a vulnerability analysis.
Usage
Create or update a vulnerability impact analysis. For impact analysis, you must target a specific OS and application package, vulnerability, and image or source belonging to a specific Artifact Group. This tool follows CycloneDX’s VEX specification for impact analysis, that includes flag options for each of the CycloneDX’s VEX fields, and support for only their predefined values. Here is a description of the fields and their supported options:
Impact Analysis States --state
Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.
- resolved = the vulnerability is remediated.
- resolved_with_pedigree = the vulnerability is remediated and evidence of the changes are provided in the affected components pedigree containing verifiable commit history or diffs.
- exploitable = the vulnerability might be directly or indirectly exploitable.
- in_triage = the vulnerability is being investigated.
- false_positive = the vulnerability is not specific to the component or service and was falsely identified or associated.
- not_affected = the component or service is not affected by the vulnerability.
Impact Analysis Justifications --justification
The rationale of why the impact analysis state was asserted is described here:
- code_not_present = the code is removed or tree-shaked.
- code_not_reachable = the vulnerable code is not invoked at runtime.
- requires_configuration = exploitability requires a configurable option to be set or unset.
- requires_dependency = exploitability requires a dependency that is not present.
- requires_environment = exploitability requires a certain environment that is not present.
- protected_by_compiler = exploitability requires a compiler flag to be set or unset.
- protected_at_runtime = exploits are prevented at runtime.
- protected_at_perimeter = attacks are blocked at physical, logical, or network perimeter.
- protected_by_mitigating_control = preventative measures have been implemented that reduce the likelihood or impact of the vulnerability.
Note
--justificationis required when--stateis set tonot_affected
Impact Analysis Responses --response
A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable
- can_not_fix
- will_not_fix
- update
- rollback
- workaround_available
Note
--responseis highly encouraged when--stateis set toexploitable; however, CycloneDX specification does not require this.
Free form comments --comment
Syntax
tanzu insight triage update --cveid CVE-ID --pkg-name PKG-NAME --pkg-version PKG-VERSION --img-digest DIGEST --artifact-group-uid UID [--state STATE] [--justification JUSTIFICATION] [--response RESPONSE1, RESPONSE2] [--comment COMMENT] [flags]
Examples
insight triage update --cveid CVE-2022-5089 --pkg-name google.golang.org/protobuf --pkg-version 1.23.2 --img-digest sha256:192369123812 --artifact-group-uid AG-00001 --state false_positive
insight triage update --cveid CVE-2022-5089 --pkg-name google.golang.org/protobuf --pkg-version 1.23.2 --img-digest sha256:192369123812 --img-registry internal-hub.docker.io --artifact-group-uid AG-00001 --state not_affected --justification code_not_reachable --comment "The code can't be reached by external users"
insight triage update --cveid CVE-2020-1034 --pkg-name libssl --pkg-version 1.3.0-dev.35 --src-commit 5025112c8b1 --artifact-group-uid AG-00002
insight triage update --cveid CVE-2020-1034 --pkg-name libssl --pkg-version 1.3.0-dev.35 --src-commit 5025112c8b1 --artifact-group-uid AG-00002 --state exploitable --response will_not_fix,update
For more information, see the NIST website.
Flags
-a, --artifact-group-uid string Artifact group uid
-t, --comment string Analysis comment
-v, --cveid string CVE id
-h, --help help for update
-d, --img-digest string Image digest
--img-registry string Image registry
-j, --justification string Analysis justification
-n, --pkg-name string Package name
-p, --pkg-version string Package version
-r, --response strings Analysis response
-c, --src-commit string Source commit
--src-org string Source organization
--src-repo string Source repository
-s, --state string Analysis state (default "in_triage")
-y, --yes Force update
tanzu insight vulnerabilities
Gets help for the vulnerabilities commands.
Flags
-h, --help help for vulnerabilities
tanzu insight vulnerabilities get
Gets a vulnerability by CVE ID.
Usage
tanzu insight vulnerabilities get --cveid CVE-ID [flags]
Examples
insight vulnerabilities get --cveid CVE-123123-2021
insight vulnerabilities get --cveid CVE-123123-2021 --output-format api-json
Flags
-c, --cveid string CVE id
-h, --help help for get
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
tanzu insight vulnerabilities images
Gets the images with a given vulnerability.
Usage
Get images with a given vulnerability.
tanzu insight vulnerabilities images --cveid <cve-id> [flags]
Examples
insight vulnerabilities images --cveid CVE-123123-2021
insight vulnerabilities images --cveid CVE-123123-2021 --output-format api-json
Flags
-c, --cveid string CVE id
-h, --help help for images
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
tanzu insight vulnerabilities packages
Gets the packages with a given vulnerability.
Usage
Get packages with a given vulnerability.
tanzu insight vulnerabilities packages --cveid <cve-id> [flags]
Examples
insight vulnerabilities packages --cveid CVE-123123-2021
insight vulnerabilities packages --cveid CVE-123123-2021 --output-format api-json
Flags
-c, --cveid string CVE id
-h, --help help for packages
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
tanzu insight vulnerabilities sources
Gets the sources with a given vulnerability.
Usage
Get sources with a given vulnerability.
tanzu insight vulnerabilities sources --cveid <cve-id> [flags]
Examples
insight vulnerabilities sources --cveid CVE-123123-2021
insight vulnerabilities sources --cveid CVE-123123-2021 --output-format api-json
Flags
-c, --cveid string CVE id
-h, --help help for sources
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
