NoteThis plugin is removed in TAP v1.11.0.
Post data and query the Supply Chain Security Tools - Store in Tanzu Application Platform (commonly known as TAP) through its secure REST API. Upload source commit and image vulnerability reports using CycloneDX format, XML and JSON, and SPDX format JSON. Query and output source commit, image, package, and vulnerabilities in CycloneDX XML, JSON, and human-readable text formats. For more information, see the TAP documentation.
CLI plugin: insight | Target: Kubernetes | Primarily used for: App development | Release Notes
tanzu kubernetes insight [command]
config Config commands
health Checks if endpoint is reachable
image Image commands
package Package commands
source Source commands
triage Vulnerability analysis commands
vulnerabilities Vulnerabilities commands
-h, --help help for insight
Configuration commands.
tanzu insight config [command]
set-target Set metadata store endpoint
-h, --help help for config
Set the target endpoint for the metadata store
tanzu insight config set-target <endpoint> [--ca-cert <ca certificate path to verify peer against>] [--access-token <kubernetes service account access token>] [flags]
insight config set-target https://localhost:8443 --ca-cert=/tmp/ca.crt --access-token eyJhbGc...
--access-token string Kubernetes access token. It is recommended to use the Environment Variable METADATA_STORE_ACCESS_TOKEN during the API calls, this will override access token flag. Note: using the the access-token flag stores the token on disk, the Environment Variable is retrieved at the time of the API call
--ca-cert string trusted ca certificate
-h, --help help for set-target
Checks if endpoint is reachable.
tanzu insight health [flags]
insight health
-h, --help help for health
Image commands
tanzu insight image [command]
image, images, imgs, img
add Add an image report
get Get image by digest
packages Get image packages
vulnerabilities Get image vulnerabilities
-h, --help help for image
Adds an image report. Adds an image to the metadata store with the image’s SBOM or vulnerability scan. Shows standard output and errors together. Output and errors can be redirected to files by using 1>out.txt 2>error.txt
.
tanzu insight image add --path <filepath> [flags]
insight image add --input-format cyclonedx-xml --output-format text --path /path/to/file.xml
insight image add --input-format spdx-json --output-format api-json --path /path/to/file.json
insight image add --path /path/to/file.xml
insight image add --path /path/to/file.xml --artifact-group-uid workload-uid --artifact-group-label name=example --artifact-group-label namespace=example-ns
insight image add --path /path/to/file.xml --artifact-group-uid workload-uid --artifact-group-label name=example,namespace=example-ns
insight image add --input-format spdx-json --output-format api-json --path /path/to/file.json 1>out.txt 2>error.txt (* Output will be redirected to out.txt and error will be redirected to error.txt .)
--artifact-group-label strings specify artifact group labels, must be in key=value format. This flag can be set multiple times to provide multiple labels in one call, or can be passed a list of labels separated by commas. Note: This flag can only be specified if artifact-group-uid flag is set.
--artifact-group-uid string uid of artifact group to add to, or create if it doesn't already exist
-h, --help help for add
-i, --input-format string specify the file’s SBOM report format and file type, options=[cyclonedx-xml, cyclonedx-json, spdx-json] (default: cyclonedx-xml)
--original-location string specify the stored location of the original SBOM vulnerability scan result used to create this report
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
-p, --path string path to file, required
--report-uid string specify a unique report identifier to tag this vulnerability scan result with. Supported characters: ALPHA DIGIT "-" / "." / "_" / "~"
Gets an image by digest.
Get image by digest
tanzu insight image get --digest <image-digest> [flags]
insight image get --digest sha256:a86859ac1946065d93df9ecb5cb7060adeeb0288fad610b1b659907
insight image get --digest sha256:a86859ac1946065d93df9ecb5cb7060adeeb0288fad610b1b659907 --output-format api-json
insight image get --digest sha256:a86859ac1946065d93df9ecb5cb7060adeeb0288fad610b1b659907 --output-format cyclonedx-xml
Get the image packages.
tanzu insight image packages [--digest <image-digest>] [--name <name>] [flags]
insight image packages --digest sha256:a86859ac1946065d93df9ecb5cb7060adeeb0288fad610b1b659907
insight image packages --name ubuntu --output-format api-json
-d, --digest string image digest
-h, --help help for packages
-n, --name string image name
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
Gets image vulnerabilities.
tanzu insight image vulnerabilities --digest <image-digest> [flags]
insight image vulnerabilities --digest sha256:a86859ac1946065d93df9ecb5cb7060adeeb0288fad610b1b659907
insight image vulnerabilities --digest sha256:a86859ac1946065d93df9ecb5cb7060adeeb0288fad610b1b659907 --output-format api-json
-d, --digest string image digest
-h, --help help for vulnerabilities
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
-h, --help help for package
Gets the package by name, version, and package manager.
To get package by name, version, and package manager, run:
tanzu insight package get --name <package name> --version <package version> --pkgmngr Unknown [flags]
insight package get --name client --version 1.0.0a --pkgmngr Unknown
insight package get --name client --version 1.0.0a --pkgmngr Unknown --output-format api-json
-h, --help help for get
-n, --name string name of the package
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
-p, --pkgmngr string Package manager of the dependency. 'Unknown' is currently the only supported value (default "Unknown")
-v, --version string version of the package
Gets the images that contain a given package by name.
To get images that contain the given package by name.
tanzu insight package images --name <package name> [flags]
insight package images --name client
insight package images --name client --output-format api-json
-h, --help help for images
-n, --name string name of the package
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
Gets the sources that contain the given package by name.
To get sources that contain the given package by name, run:
tanzu insight package sources --name <package name> [flags]
insight package sources --name client
insight package sources --name client --output-format api-json
-h, --help help for sources
-n, --name string name of the package
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
Gets the package vulnerabilities.
Get package vulnerabilities
tanzu insight package vulnerabilities --name <package name> [flags]
insight package vulnerabilities --name client
insight package vulnerabilities --name client --output-format api-json
-h, --help help for vulnerabilities
-n, --name string name of the package
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
Access reports from each scan to find out what packages and vulnerabilities were discovered.
tanzu insight report get
tanzu insight report list
Get the package vulnerabilities.
Get a report by its unique identifier:
tanzu insight report get --uid <report-unique-identifier> [flags]
insight report get --uid d38c3962-2351-44d5-8603-1d147f3d2367
insight report get --uid d38c3962-2351-44d5-8603-1d147f3d2367 --format api-json
-h, --help help for get
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json, cyclonedx-xml, spdx-json] (default: text)
--uid string the unique identifier of the SBOM report
List the package vulnerabilities.
List reports by image digest, source commit hash, or original location
tanzu insight report list (--digest <image-digest> | --commit <commit-sha> | --original-location <location>) [flags]
insight report list --digest sha256:a86859ac1946065d93df9ecb5cb7060adeeb0288fad610b1b659907
insight report list --commit b33dfee51 --order ASC
insight report list --original-location tanzu-java-web-app-my-apps-scan-results@sha256:cd541f747a78a1df3e1055da3e8c1b3bdd9a4aa8b0750bcb7b053a18d3833e81
-c, --commit string commit hash
-d, --digest string image digest
-h, --help help for list
--namespace string the Kubernetes namespace of the workload that submitted the report. Cannot be used with workload-uid
--order string the order in which the list of reports will be returned. When set to 'ASC', will return the list in ascending order (oldest to newest) by date/time the report was generated. When set to 'DESC', will return the list in descending order (newest to oldest) (default: DESC)
--original-location string the URI location of where the original SBOM scan results are stored that is associated with the report
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
--workload-name string the name of the workload associated with the report. Cannot be used with workload-uid
--workload-uid string the UID of the workload associated with the report. Cannot be used with workload-name or namespace
Gets help for the source commands.
-h, --help help for source
Adds a source report.
Add a source to the metadata store with the source’s SBOM or vulnerability scan. By default command will show Standard output and errors together. Output and errors can be redirected to files by using 1>out.txt 2>error.txt
tanzu insight source add --path <filepath> [flags]
insight source add --input-format cyclonedx-xml --output-format text --path /path/to/file.xml
insight source add --input-format spdx-json --output-format api-json --path /path/to/file.json
insight source add --path /path/to/file.xml
insight source add --path /path/to/file.xml --artifact-group-uid workload-uid --artifact-group-label name=example --artifact-group-label namespace=example-ns
insight source add --path /path/to/file.xml --artifact-group-uid workload-uid --artifact-group-label name=example,namespace=example-ns
insight source add --input-format spdx-json --output-format api-json --path /path/to/file.json 1>out.txt 2>error.txt (* Output will be redirected to out.txt and error will be redirected to error.txt .)
--artifact-group-label strings specify artifact group labels, must be in key=value format. This flag can be set multiple times to provide multiple labels in one call, or can be passed a list of labels separated by commas. Note: this flag can only be specified if artifact-group-uid flag is set
--artifact-group-uid string uid of artifact group to add to, or create if it doesn't already exist
-h, --help help for add
-i, --input-format string specify the file’s SBOM report format and file type, options=[cyclonedx-xml, cyclonedx-json, spdx-json] (default: cyclonedx-xml)
--original-location string specify the stored location of the original SBOM vulnerability scan result used to create this report
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
-p, --path string path to file, required
--report-uid string specify a unique report identifier to tag this vulnerability scan result with. Supported characters: ALPHA DIGIT "-" / "." / "_" / "~"
Gets sources by repository, commit or organization.
Get sources by repository, commit or organization
tanzu insight source get --repo <repository-name> --commit <commit-hash> --org <organization-name> [flags]
insight source get --org company --repo example-repo --commit b33dfee51
insight source get --org company --repo example-repo --commit b33dfee51 --output-format api-json
insight source get --org company --repo example-repo --commit b33dfee51 --output-format cyclonedx-xml
-c, --commit string commit hash
-h, --help help for get
-o, --org string organization that owns the source
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json, cyclonedx-xml, spdx-json] (default: text)
-r, --repo string repository name
Gets the source packages.
Get source packages
tanzu insight source packages [--commit <commit-hash>] [--repo <repository-name>] [flags]
insight sources packages --commit 0b1b659907 --repo example-repo
insight sources packages --commit 0b1b659907 --repo example-repo --output-format api-json
-c, --commit string commit hash
-h, --help help for packages
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
-r, --repo string repository name
Gets the source vulnerabilities.
Get source vulnerabilities. You can specify either commit or repo.
tanzu insight source vulnerabilities [--commit <commit-hash>] [--repo <repository-name>] [flags]
insight sources vulnerabilities --commit eb55fc13 --repo example-repo
insight sources vulnerabilities --commit eb55fc13 --repo example-repo --output-format api-json
-c, --commit string commit hash
-h, --help help for vulnerabilities
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
-r, --repo string repository name
Gets help for the vulnerability analysis commands.
-h, --help help for triage
--output-format string specify the response's format, options=[text, api-json] (default "text")
This topic tells you how to use the Tanzu Insight CLI tanzu insight triage copy
command to copy an existing analysis to a new image, source or artifact group.
This command takes an existing triage and copies the latest analysis to target a new image, source, or artifact group affected by the vulnerability of the existing triage. This allows you to easily copy analysis between images and sources that belong to different artifact groups, or different versions of an image/source that belong to the same artifact group.
If an image or source is provided, validations will run to make sure they contain the affected package and vulnerability, and that they belong to the existing triage’s artifact group. If an artifact group is provided, validations will run to make sure it contains the provided image/source, or the original ones from the existing triage.
tanzu insight triage copy --triage-uid-to-copy <uid> [--img-digest <digest>] [--src-commit <commit>] [--artifact-group-uid <ag-uid>] [flags]
insight triage copy --triage-uid-to-copy BEC0F39C-FE99-4F18-A0AF-069A4AA8D71A --img-digest sha256:192369123812
insight triage copy --triage-uid-to-copy BEC0F39C-FE99-4F18-A0AF-069A4AA8D71A --src-commit 5025112c8b1 --artifact-group-uid AG-00003
insight triage copy --triage-uid-to-copy BEC0F39C-FE99-4F18-A0AF-069A4AA8D71A --artifact-group-uid AG-00002
-a, --artifact-group-uid string Artifact group uid
-h, --help help for copy
-d, --img-digest string Image digest
--img-registry string Image registry
-c, --src-commit string Source commit
--src-org string Source organization
--src-repo string Source repository
-u, --triage-uid-to-copy string Triage UID to copy from
-y, --yes Force update
This topic tells you how to use the Tanzu Insight CLI tanzu insight triage list
command to get a list of the existing vulnerability triages.
tanzu insight triage list [flags]
insight triage list --img-digest sha256:123456789
insight triage list --src-commit a1s2d3f4 --limit 5
insight triage list --output-format api-json
insight triage list --page 5 --limit 20
-h, --help help for list
-d, --img-digest string Image digest
--img-registry string Image registry
-l, --limit uint Limits the number of analysis to show (default 10)
-p, --page uint Allows to paginate the results based on the specified limit (default 1)
-c, --src-commit string Source commit
--src-org string Source organization
--src-repo string Source repository
--output-format string specify the response's format, options=[text, api-json] (default "text")
This topic tells you how to use the Tanzu Insight CLI tanzu insight triage rebase
command to get a list of the existing vulnerability triages.
This command takes all the existing analyses within an artifact group that are valid for the target image and copies them over. An analysis is considered valid for an image within an artifact group when the following conditions are met:
For example, Image A is considered to be a previous version of Image B when they have the same name, different digests and Image A was created before Image B.
tanzu insight triage rebase --img-digest <digest> --artifact-group-uid <ag-uid> [flags]
insight triage rebase --img-digest sha256:192369123812 --artifact-group-uid BEC0F39C-FE99-4F18-A0AF-069A4AA8D71A
-a, --artifact-group-uid string Artifact group uid
-h, --help help for rebase
-d, --img-digest string Image digest
--img-registry string Image registry
--output-format string specify the response's format, options=[text, api-json] (default "text")
-y, --yes Force update
Create or update a vulnerability analysis.
Create or update a vulnerability impact analysis. For impact analysis, you must target a specific OS and application package, vulnerability, and image or source belonging to a specific Artifact Group. This tool follows CycloneDX’s VEX specification for impact analysis, that includes flag options for each of the CycloneDX’s VEX fields, and support for only their predefined values. Here is a description of the fields and their supported options:
Impact Analysis States --state
Declares the current state of an occurrence of a vulnerability, after automated or manual analysis.
Impact Analysis Justifications --justification
The rationale of why the impact analysis state was asserted is described here:
Note
--justification
is required when--state
is set tonot_affected
Impact Analysis Responses --response
A response to the vulnerability by the manufacturer, supplier, or project responsible for the affected component or service. More than one response is allowed. Responses are strongly encouraged for vulnerabilities where the analysis state is exploitable
Note
--response
is highly encouraged when--state
is set toexploitable
; however, CycloneDX specification does not require this.
Free form comments --comment
tanzu insight triage update --cveid CVE-ID --pkg-name PKG-NAME --pkg-version PKG-VERSION --img-digest DIGEST --artifact-group-uid UID [--state STATE] [--justification JUSTIFICATION] [--response RESPONSE1, RESPONSE2] [--comment COMMENT] [flags]
insight triage update --cveid CVE-2022-5089 --pkg-name google.golang.org/protobuf --pkg-version 1.23.2 --img-digest sha256:192369123812 --artifact-group-uid AG-00001 --state false_positive
insight triage update --cveid CVE-2022-5089 --pkg-name google.golang.org/protobuf --pkg-version 1.23.2 --img-digest sha256:192369123812 --img-registry internal-hub.docker.io --artifact-group-uid AG-00001 --state not_affected --justification code_not_reachable --comment "The code can't be reached by external users"
insight triage update --cveid CVE-2020-1034 --pkg-name libssl --pkg-version 1.3.0-dev.35 --src-commit 5025112c8b1 --artifact-group-uid AG-00002
insight triage update --cveid CVE-2020-1034 --pkg-name libssl --pkg-version 1.3.0-dev.35 --src-commit 5025112c8b1 --artifact-group-uid AG-00002 --state exploitable --response will_not_fix,update
For more information, see the NIST website.
-a, --artifact-group-uid string Artifact group uid
-t, --comment string Analysis comment
-v, --cveid string CVE id
-h, --help help for update
-d, --img-digest string Image digest
--img-registry string Image registry
-j, --justification string Analysis justification
-n, --pkg-name string Package name
-p, --pkg-version string Package version
-r, --response strings Analysis response
-c, --src-commit string Source commit
--src-org string Source organization
--src-repo string Source repository
-s, --state string Analysis state (default "in_triage")
-y, --yes Force update
Gets help for the vulnerabilities commands.
-h, --help help for vulnerabilities
Gets a vulnerability by CVE ID.
tanzu insight vulnerabilities get --cveid CVE-ID [flags]
insight vulnerabilities get --cveid CVE-123123-2021
insight vulnerabilities get --cveid CVE-123123-2021 --output-format api-json
-c, --cveid string CVE id
-h, --help help for get
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
Gets the images with a given vulnerability.
Get images with a given vulnerability.
tanzu insight vulnerabilities images --cveid <cve-id> [flags]
insight vulnerabilities images --cveid CVE-123123-2021
insight vulnerabilities images --cveid CVE-123123-2021 --output-format api-json
-c, --cveid string CVE id
-h, --help help for images
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
Gets the packages with a given vulnerability.
Get packages with a given vulnerability.
tanzu insight vulnerabilities packages --cveid <cve-id> [flags]
insight vulnerabilities packages --cveid CVE-123123-2021
insight vulnerabilities packages --cveid CVE-123123-2021 --output-format api-json
-c, --cveid string CVE id
-h, --help help for packages
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)
Gets the sources with a given vulnerability.
Get sources with a given vulnerability.
tanzu insight vulnerabilities sources --cveid <cve-id> [flags]
insight vulnerabilities sources --cveid CVE-123123-2021
insight vulnerabilities sources --cveid CVE-123123-2021 --output-format api-json
-c, --cveid string CVE id
-h, --help help for sources
--output-format string specify the response's SBOM report format and file type format, options=[text, api-json] (default: text)