Docs/CLI/export

reel export

Export artifacts from containers and images. Saves locally for inspection.

For uploading to S3, see reel upload.

export sbom

Generate a Software Bill of Materials using Trivy. Scan container images, local containers, or live pods.

# Scan an image (standalone)

reel export sbom --image nginx:latest

reel export sbom nginx:latest -o sbom.json

# Scan with vulnerability detection

reel export sbom nginx:latest --scanners vuln --severity HIGH,CRITICAL

# Scan a local container (diff layer)

reel export sbom --container my-nginx

# Scan full merged filesystem (all image layers)

sudo reel export sbom --container my-nginx --full

# Scan a live pod (agent)

reel --agent export sbom --pod nginx -n production

Flag	Description	Default
--image	Container image to scan
--container	Local container name/ID
--pod	Kubernetes pod (agent mode)
--local	Scan local image only, no registry pull	false
--scanners	Scanners: vuln, secret, license, config, all	package inventory only
--severity	Filter: LOW, MEDIUM, HIGH, CRITICAL	all
--ignore-unfixed	Ignore vulnerabilities without fixes	false
-f, --format	Output format: cyclonedx, spdx, spdx-json	cyclonedx
-o, --output	Destination file	stdout
--offline	Skip database updates	false
--cache-dir	Override cache directory	~/.cache/reel
--diff-only	Scan only diff layer (agent only)	false
--full	Scan full merged filesystem via /proc (requires --container)	false

export cbom

Generate a Cryptographic Bill of Materials (CycloneDX 1.6). Detects cryptographic algorithms, X.509 certificates, TLS/SSH protocols, and key materials.

reel export cbom --image nginx:latest

reel export cbom --image nginx:latest --include-system-cas

sudo reel export cbom --container my-nginx --full

reel --agent export cbom --pod api-server -n production

Flag	Description	Default
--image	Container image to scan
--container	Local container name/ID
--pod	Kubernetes pod (agent mode)
--include-system-cas	Include system CA trust store certificates	false
--common-paths-only	Scan targeted paths instead of full filesystem	false
--full	Scan full merged filesystem via /proc (requires --container)	false
-o, --output	Destination file	stdout

export sarif

Export security scan results in SARIF 2.1.0 format for CI/CD integration. Runs Trivy with all scanners enabled by default (vuln, secret, license, config). Unlike export sbom which produces a package inventory, export sarif produces security findings.

# Scan image with all scanners (default)

reel export sarif --image nginx:latest

# Vulnerability scanning only, high severity

reel export sarif --image nginx:latest --scanners vuln --severity HIGH,CRITICAL

# Output to file (for CI/CD upload)

reel export sarif --image nginx:latest -o results.sarif

# Scan a local container

reel export sarif --container my-nginx

# Scan a live pod (agent mode)

reel --agent export sarif --pod nginx -n production

Flag	Description	Default
--image	Container image to scan
--container	Local container name/ID
--pod	Kubernetes pod (agent mode)
--local	Scan local image only, no registry pull	false
--scanners	Scanners: vuln, secret, license, config, all	all
--severity	Filter: LOW, MEDIUM, HIGH, CRITICAL	all
--ignore-unfixed	Ignore vulnerabilities without fixes	false
-o, --output	Destination file	stdout
--offline	Skip database updates	false
--cache-dir	Override cache directory	~/.cache/reel
--diff-only	Scan only diff layer (agent only)	false

export malware

Scan for malware using ClamAV. Detects viruses, trojans, rootkits, and suspicious executables.

reel export malware --image nginx:latest

reel export malware --image nginx:latest -o scan.json

sudo reel export malware --container my-nginx --full

reel --agent export malware --pod api-server -n production

Flag	Description	Default
--image	Container image to scan
--container	Local container name/ID
--pod	Kubernetes pod (agent mode)
--path	Path to scan within container	/
-f, --format	Output format: json, yaml	json
-o, --output	Destination file	stdout
--offline	Skip database updates	false
--full	Scan full merged filesystem via /proc (requires --container)	false

Agent Mode

The following subcommands require the --agent flag. All create artifacts on-the-fly, stream them to the destination, and immediately delete server-side copies.

export checkpoint

CRIU process state snapshot. See Checkpoint Reference.

reel --agent export checkpoint --pod nginx -n production -o checkpoint.tar.zst

export layer

Filesystem diff from base image. See Layer Reference.

reel --agent export layer --pod nginx -n production -o layer.tar.zst

export frame

Checkpoint + layer combined into a single archive.

reel --agent export frame --pod nginx -n production -o frame.tar.zst

export memory

GDB-compatible ELF core dump of container processes.

reel --agent export memory --pod nginx -n production -o memory.core.zst

export volatile

Runtime state: process tree, open FDs, network connections, environment.

reel --agent export volatile --pod nginx -n production -o volatile.json

export metadata

Container configuration, image info, resource limits, labels, annotations.

reel --agent export metadata --pod nginx -n production -o metadata.json

export files

Export files/directories from a running container as tar archive.

reel --agent export files --pod nginx --path /var/log -n production -o logs.tar.zst

export inventory

Forensic file inventory in CycloneDX 1.6 format with optional chain-of-custody.

reel --agent export inventory --pod nginx --path / --hash --chain-of-custody -o inventory.json

Common flags for all agent exports: --pod, --container, -n, -o, --compress (none, fast, default, better, best).

list upload