OpsMx/ssd-scanner-cli-public
SSD Scanner CLI

A comprehensive security scanning CLI tool that integrates multiple security scanners to analyze source code, container images, and artifacts for vulnerabilities, secrets, licenses, and security best practices.

What is SSD Scanner CLI?

SSD Scanner CLI is a unified security scanning platform that combines the power of industry-leading security tools:

  • Vulnerability Scanning - Trivy, Grype, Snyk
  • SAST (Static Analysis) - Semgrep, Opengrep, Codacy
  • Security Scorecards - OpenSSF Scorecard
  • SBOM Generation - Syft, Trivy, Grype
  • Kubernetes Security - Kubescape, Trivy
  • Secret Detection - Trivy, Semgrep
  • License Compliance - Trivy

Installation

Binary Installation

Download the latest release for your architecture:

Linux AMD64
curl -L -o ssd-scanner-cli https://github.com/OpsMx/ssd-scanner-cli-public/releases/download/v2025.07.12/ssd-scanner-cli-amd64
chmod +x ssd-scanner-cli
sudo mv ssd-scanner-cli /usr/local/bin/
Linux ARM64
curl -L -o ssd-scanner-cli https://github.com/OpsMx/ssd-scanner-cli-public/releases/download/v2025.07.12/ssd-scanner-cli-arm64
chmod +x ssd-scanner-cli
sudo mv ssd-scanner-cli /usr/local/bin/

Docker Installation

Pull Docker Image
# Pull the latest image
docker pull opsmx11/ssd-scanner-cli:v2025.07.12

Quick Start

Scan Local Source Code (Offline)
ssd-scanner-cli \
  --scanners=trivy,semgrep \
  --source-code-path=./my-project \
  --repository-url=https://github.com/user/my-app \
  --branch=main \
  --build-id=local-scan \
  --trivy-scanners=codelicensescan,codesecretscan \
  --offline-mode
Scan Container Image
ssd-scanner-cli \
  --scanners=trivy,grype \
  --artifact-type=image \
  --artifact-name=nginx \
  --artifact-tag=latest \
  --trivy-scanners=imagelicensescan,imagesecretscan,sbom \
  --grype-scanners=sbom \
  --offline-mode
Docker Scan with Mounted Source Code
docker run -v $(pwd):/home/scanner/source opsmx11/ssd-scanner-cli:v2025.07.12 \
  --scanners=semgrep,trivy \
  --source-code-path=/home/scanner/source \
  --repository-url=https://github.com/user/my-app \
  --branch=main \
  --build-id=docker-scan \
  --trivy-scanners=codelicensescan,codesecretscan \
  --offline-mode

Use Cases & Examples

1. Source Code Scanning

Analyze your source code for security vulnerabilities, secrets, license compliance, and code quality issues using static analysis tools.

Local Source Code Scanning

Binary Command
ssd-scanner-cli \
  --scanners=semgrep,trivy,openssf \
  --source-code-path=./my-application \
  --repository-url=https://github.com/user/my-app \
  --branch=main \
  --build-id=local-123 \
  --trivy-scanners=codelicensescan,codesecretscan \
  --offline-mode
Docker Command
docker run -v $(pwd):/home/scanner/source opsmx11/ssd-scanner-cli:v2025.07.12 \
  --scanners=semgrep,trivy,openssf \
  --source-code-path=/home/scanner/source \
  --repository-url=https://github.com/user/my-app \
  --branch=main \
  --build-id=docker-123 \
  --trivy-scanners=codelicensescan,codesecretscan \
  --offline-mode

Remote Git Repository Scanning

Clone and scan remote repositories without having the code locally. Perfect for CI/CD pipelines.

With Token Authentication
ssd-scanner-cli \
  --scanners=semgrep,codacy,snyk \
  --repository-url=https://github.com/user/private-repo \
  --branch=develop \
  --build-id=remote-456 \
  --git-auth-type=token \
  --git-auth-key=ghp_your_token_here \
  --codacy-api-token=your_codacy_token \
  --snyk-api-token=your_snyk_token \
  --upload-url=https://your-ssd-instance.com \
  --ssd-token=your_ssd_token
With Username/Password
ssd-scanner-cli \
  --scanners=semgrep,opengrep \
  --repository-url=https://github.com/user/private-repo \
  --branch=main \
  --build-id=auth-789 \
  --git-auth-type=password \
  --git-username=your_username \
  --git-password=your_password \
  --offline-mode

2. Container Image & Artifact Scanning

Scan container images and local artifacts for vulnerabilities, malware, and security issues. Use --artifact-type=image for container images from registries, or --artifact-type=file for local files and artifacts.

Local Container Image Scanning

Scan container images that are available locally or in accessible registries.

Binary Command
ssd-scanner-cli \
  --scanners=trivy,grype,syft \
  --artifact-type=image \
  --artifact-name=python \
  --artifact-tag=3.9-slim \
  --trivy-scanners=imagelicensescan,imagesecretscan,sbom \
  --grype-scanners=sbom \
  --syft-scanners=sbom \
  --offline-mode
Docker Command
docker run -v /var/run/docker.sock:/var/run/docker.sock opsmx11/ssd-scanner-cli:v2025.07.12 \
  --scanners=trivy,grype \
  --artifact-type=image \
  --artifact-name=nginx \
  --artifact-tag=latest \
  --trivy-scanners=sbom,imagelicensescan \
  --grype-scanners=sbom \
  --offline-mode

Remote Registry Image Scanning

Pull and scan images from remote container registries with authentication.

With Registry Authentication
ssd-scanner-cli \
  --scanners=trivy,syft \
  --artifact-type=image \
  --artifact-name=my-app \
  --artifact-tag=v1.2.3 \
  --image-registry=registry.hub.docker.com \
  --registry-username=user \
  --registry-password=pass \
  --trivy-scanners=sbom,imagelicensescan \
  --syft-scanners=sbom \
  --upload-url=https://your-ssd-instance.com \
  --ssd-token=your_ssd_token

Local File/Artifact Scanning

Scan local files, binaries, archives, or any artifacts stored on the filesystem.

Binary Command
ssd-scanner-cli \
  --scanners=trivy,syft \
  --artifact-type=file \
  --artifact-name=my-binary \
  --artifact-tag=v1.0.0 \
  --artifact-path=./dist/my-binary.tar.gz \
  --trivy-scanners=sbom \
  --syft-scanners=sbom \
  --offline-mode
Docker Command (with file mount)
docker run -v $(pwd):/home/scanner/source opsmx11/ssd-scanner-cli:v2025.07.12 \
  --scanners=semgrep,openssf,trivy,syft \
  --artifact-type=file \
  --artifact-name=supply-chain \
  --artifact-tag=v2 \
  --artifact-path=/home/scanner/source \
  --syft-scanners=sourcecodesbom \
  --trivy-scanners=codelicensescan \
  --source-code-path=/home/scanner/source \
  --repository-url=https://github.com/OpsMx/supplychain-api \
  --branch=main \
  --build-id=test-131 \
  --offline-mode

3. Helm Chart Scanning

Analyze Helm charts for security misconfigurations, vulnerabilities, and compliance issues using Kubernetes security scanners.

Local Helm Template Scanning

Command Example
ssd-scanner-cli \
  --scanners=trivy,kubescape \
  --helm-template-path=./helm-charts/my-app \
  --helm-release-name=my-app \
  --helm-release-version=1.0.0 \
  --trivy-scanners=helmscan \
  --offline-mode

Packaged Helm Chart Scanning

Command Example
ssd-scanner-cli \
  --scanners=kubescape \
  --helm-package-path=./my-app-1.0.0.tgz \
  --helm-release-name=my-app \
  --helm-release-version=1.0.0 \
  --offline-mode

4. SBOM Generation

Generate Software Bill of Materials (SBOM) for container images and source code to track dependencies and supply chain security.

Generate SBOM for Container Image

Command Example
ssd-scanner-cli \
  --scanners=syft,grype,trivy \
  --artifact-type=image \
  --artifact-name=alpine \
  --artifact-tag=latest \
  --syft-scanners=sbom \
  --grype-scanners=sbom \
  --trivy-scanners=sbom \
  --offline-mode

Generate SBOM for Source Code

Command Example
ssd-scanner-cli \
  --scanners=syft,trivy \
  --source-code-path=./my-project \
  --artifact-type=file \
  --artifact-name=my-project \
  --artifact-tag=main \
  --artifact-path=./my-project \
  --syft-scanners=sourcecodesbom \
  --trivy-scanners=sourcecodesbom \
  --repository-url=https://github.com/user/my-project \
  --branch=main \
  --build-id=sbom-gen \
  --offline-mode

5. Differential Scanning (PR/CI Use Case)

Compare security findings between branches to identify new issues introduced in pull requests. This helps maintain security standards by catching issues before they reach production.

Basic Differential Scan

Command Example
ssd-scanner-cli \
  --scanners=semgrep,trivy \
  --source-code-path=./my-project \
  --repository-url=https://github.com/user/my-project \
  --branch=feature-branch \
  --build-id=pr-123 \
  --diff-scan=true \
  --base-branch=main \
  --base-commit=abc123def \
  --head-commit=xyz789uvw \
  --interrupt-condition=critical,high \
  --trivy-scanners=codelicensescan,codesecretscan \
  --upload-url=https://your-ssd-instance.com \
  --ssd-token=your_ssd_token

Advanced Differential Scan with Interruption

Command Example
ssd-scanner-cli \
  --scanners=semgrep,trivy,snyk \
  --repository-url=https://github.com/user/my-project \
  --branch=feature-branch \
  --build-id=pr-456 \
  --diff-scan=true \
  --base-branch=main \
  --base-commit=abc123def \
  --head-commit=xyz789uvw \
  --interrupt-condition=all \
  --interrupt-for-old-issues=true \
  --git-auth-type=token \
  --git-auth-key=your_token \
  --snyk-api-token=your_snyk_token \
  --trivy-scanners=codelicensescan,codesecretscan \
  --upload-url=https://your-ssd-instance.com \
  --ssd-token=your_ssd_token
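As an added illustration (not code from the ssd-scanner-cli project), the following Python model shows the gating that the two differential-scan examples above configure: findings from the base commit and the head commit are compared, new issues are separated from pre-existing ones, and the run is interrupted according to --interrupt-condition and --interrupt-for-old-issues. Fingerprinting by scanner, rule and path, the severity names, and the sample findings are assumptions of this model.

```python
from dataclasses import dataclass

# Severity names accepted by the interrupt condition in this model (assumption).
SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}

@dataclass(frozen=True)
class Finding:
    scanner: str    # e.g. "semgrep", "trivy"
    rule: str       # rule / check identifier
    path: str       # file the finding points at
    severity: str   # key of SEVERITY_RANK

    def fingerprint(self):
        # Same rule at the same path counts as the same issue across commits (assumption).
        return (self.scanner, self.rule, self.path)

def parse_interrupt_condition(cond):
    """'all' selects every severity; otherwise a comma-separated severity list."""
    cond = cond.strip().lower()
    if cond == "all":
        return set(SEVERITY_RANK)
    levels = {s.strip() for s in cond.split(",") if s.strip()}
    unknown = levels - set(SEVERITY_RANK)
    if unknown:
        raise ValueError(f"unknown severity in interrupt condition: {sorted(unknown)}")
    return levels

def diff_scan(base, head, interrupt_condition="critical,high", interrupt_for_old_issues=False):
    """Split head findings into new (absent from base) and old (present in base), then gate."""
    base_fps = {f.fingerprint() for f in base}
    new_issues = [f for f in head if f.fingerprint() not in base_fps]
    old_issues = [f for f in head if f.fingerprint() in base_fps]
    levels = parse_interrupt_condition(interrupt_condition)
    # Old issues only take part in gating when --interrupt-for-old-issues is set.
    gated = new_issues + (old_issues if interrupt_for_old_issues else [])
    blocking = [f for f in gated if f.severity.lower() in levels]
    return {"new": new_issues, "old": old_issues, "blocking": blocking,
            "interrupt": bool(blocking)}

# Constructed sample findings: base commit (main) and head commit (feature branch).
BASE = [
    Finding("trivy", "vulnerable-dependency", "go.sum", "high"),
    Finding("semgrep", "sql-format-string", "db/query.go", "medium"),
]
HEAD = BASE + [
    Finding("trivy", "aws-access-key-in-file", "config/dev.env", "critical"),  # new in PR
    Finding("semgrep", "weak-hash-md5", "auth/hash.go", "low"),               # new in PR
]
```

With the default condition the pre-existing high finding does not block, while the newly introduced critical secret does; with --interrupt-for-old-issues the unchanged findings block too.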

Scanner-Specific Options

Available Scanners

Scanner    Purpose                                    Special Flags
trivy      Vulnerability, License, Secret scanning    --trivy-scanners
semgrep    Static Analysis Security Testing (SAST)    -
opengrep   Open-source SAST                           -
grype      Vulnerability scanning                     --grype-scanners
syft       SBOM generation                            --syft-scanners
snyk       Vulnerability and license scanning         --snyk-api-token
codacy     Code quality and security                  --codacy-api-token
openssf    Security scorecards                        -
kubescape  Kubernetes security                        -

Trivy Scanner Options

Available Modes
--trivy-scanners=codelicensescan,codesecretscan,imagelicensescan,imagesecretscan,sbom,sourcecodesbom,helmscan

Available modes:

  • codelicensescan - License scanning for source code
  • codesecretscan - Secret detection in source code
  • imagelicensescan - License scanning for container images
  • imagesecretscan - Secret detection in container images
  • sbom - Generate SBOM for images
  • sourcecodesbom - Generate SBOM for source code
  • helmscan - Security scanning for Helm charts

Grype Scanner Options

Available Modes
--grype-scanners=sbom,sourcecodesbom

Syft Scanner Options

Available Modes
--syft-scanners=sbom,sourcecodesbom

Authentication Options

Git Repository Authentication

Token-based Authentication (Recommended)

Command Example
--git-auth-type=token \
--git-auth-key=ghp_your_github_token

Username/Password Authentication

Command Example
--git-auth-type=password \
--git-username=your_username \
--git-password=your_password

Container Registry Authentication

Token-based Registry Authentication

Command Example
--image-registry=registry.hub.docker.com \
--registry-token=your_registry_token

Username/Password Registry Authentication

Command Example
--image-registry=registry.hub.docker.com \
--registry-username=your_username \
--registry-password=your_password

Supported Registries:

  • Docker Hub

More registry support coming soon

Advanced Configuration

Artifact Types

--artifact-type=image: For container images stored in registries (Docker Hub, etc.). No --artifact-path required.

--artifact-type=file: For local files, binaries, archives, or any filesystem artifacts. Requires --artifact-path to specify the local file location.

Offline Mode

Usage

Run scans without uploading results:

--offline-mode=true

Debug Mode

Usage

Enable detailed logging:

--debug=true

Custom Scanner Binary Path

Usage
--scanners-path=/custom/path/to/scanners

Keep Results Locally

Usage
--keep-results=true

Common Scanner Combinations

Comprehensive Security Scan

Command Example
--scanners=semgrep,trivy,openssf,snyk \
--trivy-scanners=codelicensescan,codesecretscan

SBOM + Vulnerability Analysis

Command Example
--scanners=syft,grype,trivy \
--syft-scanners=sbom \
--grype-scanners=sbom \
--trivy-scanners=sbom

Code Quality + Security

Command Example
--scanners=semgrep,codacy,opengrep

Container Security Focus

Command Example
--scanners=trivy,grype \
--trivy-scanners=imagelicensescan,imagesecretscan,sbom \
--grype-scanners=sbom

CI/CD Integration Examples

GitHub Actions

Complete Workflow Example

Create .github/workflows/security-scan.yml:

name: Security Scan

on:
  pull_request:
    branches: [ main, develop ]
  push:
    branches: [ main ]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    
    steps:
    - name: Checkout code
      uses: actions/checkout@v3
      with:
        fetch-depth: 0  # Needed for diff scanning
    
    - name: Run SSD Scanner CLI
      run: |
        curl -L -o ssd-scanner-cli https://github.com/OpsMx/ssd-scanner-cli-public/releases/download/v2025.07.12/ssd-scanner-cli-amd64
        chmod +x ssd-scanner-cli
        
        ./ssd-scanner-cli \
          --scanners=semgrep,trivy,openssf \
          --source-code-path=. \
          --repository-url=${{ github.server_url }}/${{ github.repository }} \
          --branch=${{ github.ref_name }} \
          --build-id=${{ github.run_number }} \
          --trivy-scanners=codelicensescan,codesecretscan \
          --upload-url=${{ secrets.SSD_UPLOAD_URL }} \
          --ssd-token=${{ secrets.SSD_TOKEN }}

  differential-scan:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request'
    
    steps:
    - name: Checkout code
      uses: actions/checkout@v3
      with:
        fetch-depth: 0
    
    - name: Run Differential Scan
      run: |
        curl -L -o ssd-scanner-cli https://github.com/OpsMx/ssd-scanner-cli-public/releases/download/v2025.07.12/ssd-scanner-cli-amd64
        chmod +x ssd-scanner-cli
        
        ./ssd-scanner-cli \
          --scanners=semgrep,trivy \
          --source-code-path=. \
          --repository-url=${{ github.server_url }}/${{ github.repository }} \
          --branch=${{ github.head_ref }} \
          --build-id=pr-${{ github.event.number }} \
          --diff-scan=true \
          --base-branch=${{ github.base_ref }} \
          --base-commit=${{ github.event.pull_request.base.sha }} \
          --head-commit=${{ github.event.pull_request.head.sha }} \
          --interrupt-condition=critical,high \
          --git-auth-type=token \
          --git-auth-key=${{ secrets.GITHUB_TOKEN }} \
          --trivy-scanners=codelicensescan,codesecretscan \
          --upload-url=${{ secrets.SSD_UPLOAD_URL }} \
          --ssd-token=${{ secrets.SSD_TOKEN }}

  container-scan:
    runs-on: ubuntu-latest
    
    steps:
    - name: Build Docker image
      run: |
        docker build -t my-app:${{ github.sha }} .
    
    - name: Scan Container Image
      run: |
        docker run -v /var/run/docker.sock:/var/run/docker.sock \
          opsmx11/ssd-scanner-cli:v2025.07.12 \
          --scanners=trivy,grype \
          --artifact-type=image \
          --artifact-name=my-app \
          --artifact-tag=${{ github.sha }} \
          --trivy-scanners=imagelicensescan,imagesecretscan,sbom \
          --grype-scanners=sbom \
          --upload-url=${{ secrets.SSD_UPLOAD_URL }} \
          --ssd-token=${{ secrets.SSD_TOKEN }}

Troubleshooting

Common Issues

Permission denied when running binary
chmod +x ssd-scanner-cli
Docker socket permission issues
# Add your user to docker group
sudo usermod -aG docker $USER
# Or run with sudo
sudo docker run...
Git authentication failures
  • Ensure your token has appropriate repository permissions
  • For private repositories, use a token with repo scope
  • Check that the repository URL is correct
Scanner-specific failures
  • Ensure API tokens are valid for Snyk and Codacy
  • Check that the source code path exists and is readable
  • Verify artifact paths and names are correct
Memory issues with large repositories
  • Use --sub-directory to scan specific parts
  • Consider running scanners individually rather than all at once

Getting Help

  • Check scanner logs with --debug=true
  • Verify all required flags are provided
  • Ensure you have sufficient disk space for scan results
  • For upload issues, verify your SSD instance URL and token

Dependencies Installation

Install Scanner Dependencies
ssd-scanner-cli install-deps --scanners=trivy,semgrep,opengrep,kubescape

Version: v2025.07.12
Support: For issues and questions, please create an issue in the GitHub repository.

About

SSD CLI Tool for CI Scans
