Skip to content

Scanning for vulnerabilities

ts-scan does also assess for known vulnerabilities against the TrustSource vulnerability lake using the check command.

Usage

Scan a directory for dependencies first using SCAN and store results into the scan.json file.

ts-scan scan -o scan.json <DIRECTORY>

Next, check the result for known vulnerabilities: 

ts-scan check --vulns-only -o result.json --api-key <TrustSource API key> scan.json

[!NOTE]

For this action, a TrustSource API key is required, it can be created in the TrustSource application. Free subscriptions are available. See the TrustSource Website for more details.

The option --vulns-confidence <level> can be used to control the confidence level (high, medium, low) for matching components with affected products listed in security bulletins, such as product/vendor tuples in CVEs. The default value is high, minimizing false positives as much as possible. Sometimes it can be useful to apply a lower confidence level, e.g. as a for example use the following command to search with a mediumconfidence level: 

ts-scan check --vulns-only --vulns-confidence medium -o result.json --api-key <TrustSource API key> scan.json