Deploy an On-Premises Code Scanner
To deploy an on-premises code scanner, you must first download the deployment package for Ubuntu Linux from Tenable Cloud Security and then deploy the package on a virtual machine.
To download the on-premises code scanner package:
-
In the left navigation bar, click Integrations.
The All Integrations page appears. -
Click On-premise code scanner.
The On-premise code scanner window appears. -
In the upper-right corner, click Download new.
The New On-premise code scanner window appears. -
In the Select deployment option section, select Ubuntu Linux.
-
Click Continue.
Tenable Cloud Security displays the setup instructions for Ubuntu Linux.
Note: Depending on the number of enterprise repository servers, you can deploy multiple on-premises code scanners. You must have one code scanner per virtual machine instance.
- Click Download.
Tenable Cloud Security downloads the tenable-code-scanner-docker.zip file.
-
Extract the on-premises code scanner deployment zip file.
Note: Do not alter the extracted contents.
To configure your on-premises code scanner to work with a self-signed certificate, see Configure an On-Premise Code Scanner to Use Self-Signed Certificate.
What to do next:

Before you begin:
-
You must have a virtual machine or system with the following minimum requirements:
-
A virtual machine with 4 GB RAM
-
20 GB Solid State Drive (SSD)
-
Ubuntu 18 or later
Examples of virtual machine include Amazon Elastic Compute Cloud (Amazon EC2) instance, Azure virtual machine, VMware, and so on.
-
-
Install Docker Engine. For more information, see Install Docker Engine on Ubuntu.
Tenable recommends the following installation methods:
-
(Optional) Perform the post-installation steps for Docker. For more information, see Post-installation steps for Linux.
Note: The latest version installs Compose V2, which uses the docker compose command. For more information, see Compose V2 Overview. -
Add the Terraform versions to your firewall whitelist. To test that the on-premises scanner works for Terraform, do the following:
-
Run cURL on the Terraform version URL.
cURL https://releases.hashicorp.com/terraform/
- Clone a repository.
- Run the terraform init command on the repository.
-
To deploy the on-premises code scanner on a virtual machine:
-
Copy the on-premises code scanner configuration files that you extracted in Deploy an On-Premises Code Scanner.
-
Open a terminal on the virtual machine created for the on-premises scanner and run the following commands:
Copycd <path_configuration_files_are_located>
chmod +x tenable-cs-code-scanner
sudo./tenable-cs-code-scannerCaution: Tenable Cloud Security uses the docker-compose command that is supported with Compose V1. If you have Docker Compose V2, run the following command after executing the commands in Step 2 to deploy the on-premises code scanner:sudo docker compose up -d
The following is a sample output after a deployment:
-
In a browser, type the URL displayed in the output to launch the On Premise Scanner Management Console.
The On Premise Scanner Management Console page opens.
Note: If you have the IP address for the on-premises code scanner host virtual machine, you can manually launch the On Premise Code Scanner Management Console using the following URL:https://<ip-address>/<dns-name>:9020
Where:ip-address is the IP address of host virtual machine.
dns-name is the domain name of the host virtual machine.
Tenable Cloud Security deploys the on-premises code scanner.
To configure the on-premises scanner on your repositories, see the following topics:
-
To check the status of the on-premises code scanner in Tenable Cloud Security, navigate to Integrations > On-premise code scanner.
-
Hover over the on-premises code scanner.
-
Click the
button to view more options:
Option Description Download weekly logs Download the on-premises scanner logs for the last seven days.
Note: Enable the Allow on-premise code scanner to send logs to Tenable Cloud Security option when configuring the on-premises scanner.Download installer Download the configuration file. Edit Modify the name of the on-premises scanner. Delete Delete the on-premises scanner. The following is a sample log from the on-premises scanner.
-