Running the Scan Engine

After you configure the Image Assurance policy and install the Scan Engine, you can run it on your CI/CD pipeline.

The Scan Engine scans container images for security risks and vulnerabilities.

Usage

shiftleft [-t timeout] image-scan [OPTIONS] -e <ENVIRONMENT_ID> -i <IMAGE_PATH>

Image-Scan Arguments
Argument Description

-e, --environment <string>    CloudGuard ShiftLeft environment ID
-h, --help                    Show help
-i, --image <string>          Path to docker image TAR file
-j, --json                    JSON output
-o, --output <string>         Full CLI output to the provided file path
-t, --timeout <int>           Scan timeout in seconds (default: 3600)
                              Note: Make sure to use the -t flag before the image-scan expression.
-v, --version                 Show version

Exit Codes

The exit code of the command is non-zero in case of a policy violation or an error.

Exit Code    Description
0            Image scan succeeded, empty assessment / Assessment passed, no rules failed. Image is compliant.
1            Network error
3            Authentication error
4            Missing arguments
5            Internal error
6            Image scan succeeded, assessment is not empty / Assessment failed on at least one rule. Image is not compliant.
11           Error in getting the assessment result. Try again or contact support.
99           Insufficient memory for image scanning
101          Insufficient disk space for image scanning
253          Scan timeout
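A pipeline step should not treat every non-zero exit code the same way: 6 is a policy verdict on the image, while the other codes mean the scan itself did not complete. The wrapper below is an added example, not part of the CloudGuard documentation. The variable names, the verdict labels, the report file name and the choice to retry exit code 1 as well as 11 are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: CI gate around `shiftleft image-scan`, driven by the documented exit codes.
# SHIFTLEFT_BIN, MAX_RETRIES, RETRY_DELAY and SCAN_TIMEOUT are hypothetical settings of this sketch.
SHIFTLEFT_BIN="${SHIFTLEFT_BIN:-shiftleft}"
MAX_RETRIES="${MAX_RETRIES:-2}"
RETRY_DELAY="${RETRY_DELAY:-30}"
SCAN_TIMEOUT="${SCAN_TIMEOUT:-3600}"

# Map a documented exit code to a pipeline decision (labels are this sketch's own).
classify_exit_code() {
    case "$1" in
        0)      echo "compliant" ;;   # assessment passed or empty
        6)      echo "violation" ;;   # at least one rule failed
        1|11)   echo "retry" ;;       # 11 says "try again"; retrying 1 is an assumption
        3|4)    echo "config" ;;      # authentication error or missing arguments
        99|101) echo "resources" ;;   # memory or disk space on the build runner
        253)    echo "timeout" ;;
        *)      echo "error" ;;       # 5 (internal error) and anything undocumented
    esac
}

# scan_image <environment_id> <image_tar> [report_file]
# Returns the scanner's final exit code so the pipeline can still act on it.
scan_image() {
    env_id="$1"; image="$2"; report="${3:-scan-report.txt}"
    attempt=0
    while :; do
        rc=0
        # -t must come before the image-scan expression.
        "$SHIFTLEFT_BIN" -t "$SCAN_TIMEOUT" image-scan -o "$report" -e "$env_id" -i "$image" || rc=$?
        verdict=$(classify_exit_code "$rc")
        if [ "$verdict" != "retry" ] || [ "$attempt" -ge "$MAX_RETRIES" ]; then
            break
        fi
        attempt=$((attempt + 1))
        echo "shiftleft exit $rc, retry $attempt/$MAX_RETRIES" >&2
        sleep "$RETRY_DELAY"
    done
    echo "image-scan verdict: $verdict (exit $rc)" >&2
    return "$rc"
}
```

A pipeline would call `scan_image "$ENVIRONMENT_ID" image.tar` and fail the build on any non-zero return, reporting a `violation` to the image owner and every other verdict to whoever maintains the pipeline.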