Use an On-Premises Code Scanner to Scan GitHub Enterprise IaCs
You can connect your GitHub repositories to an on-premises code scanner and scan your code for violations. Perform the following tasks to connect your GitHub repositories to an on-premises scanner:
- Authorize the on-premises code scanner to access GitHub Enterprise Server.
- Connect an IaC from GitHub Enterprise Server to a Tenable Cloud Security project.

- Sign in to your GitHub Enterprise Server console with an administrator account.
- Navigate to User Settings > Developer Settings > OAuth Apps > New Application.
  The Register a new OAuth application page appears.
  Note: The on-premises code scanner requires port 9020 to authorize SCM applications. Ensure that the network configuration on the on-premises code scanner machine allows the SCM authorizer to reach the scanner on port 9020.
- Create a new application by providing the following information:
  - In the Application name box, type a name for the application.
  - In the Homepage URL box, type the Tenable Cloud Security URL.
  - In the Authorization callback URL box, type: http(s)://<on-premise_code_scanner_host_fqdn>.com:9020/v1/auth/oauth/github/callback
    Where:
    - on-premise_code_scanner_host_fqdn is the fully qualified domain name of the on-premises code scanner.
- Click Register application.
- Note the Client ID and Client Secret displayed after the OAuth application is created.
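Before registering the application, the callback URL and the port 9020 requirement can be checked with a short pre-flight script. This is an added example, not Tenable code: the function names are hypothetical and scanner.example.com is a constructed placeholder host.

```python
import socket
from urllib.parse import urlsplit

SCANNER_PORT = 9020  # port the page requires for authorizing SCM applications
CALLBACK_PATH = "/v1/auth/oauth/github/callback"  # path from the page's callback URL


def check_callback_url(url):
    """Return (severity, message) findings for a callback URL; empty list means OK."""
    findings = []
    if "<" in url or ">" in url:
        return [("error", "placeholder not replaced with the scanner FQDN")]
    parts = urlsplit(url.strip())
    if parts.scheme == "http":
        # The authorization code is delivered to this URL as a query parameter.
        findings.append(("warn", "plain http exposes the OAuth authorization code in transit"))
    elif parts.scheme != "https":
        findings.append(("error", "scheme must be http or https"))
    # Heuristic (assumption): an FQDN contains at least one dot.
    if "." not in (parts.hostname or ""):
        findings.append(("error", "host is not a fully qualified domain name"))
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        port = None
    if port != SCANNER_PORT:
        findings.append(("error", f"port must be {SCANNER_PORT}"))
    if parts.path != CALLBACK_PATH:
        findings.append(("error", f"path must be {CALLBACK_PATH}"))
    return findings


def port_reachable(host, port=SCANNER_PORT, timeout=3.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample value; scanner.example.com is a placeholder host.
    url = "https://scanner.example.com:9020/v1/auth/oauth/github/callback"
    for severity, message in check_callback_url(url):
        print(f"{severity}: {message}")
    host = urlsplit(url).hostname
    print("port 9020 reachable:", port_reachable(host))
```

Run the reachability check from a machine on the same network path as the SCM authorizer, since a result from elsewhere says nothing about the firewall rules that matter.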

- Launch the URL displayed in the output after the on-premises code scanner deployment. For more information, see Deploy an On-Premises Code Scanner.
  The On Premise Scanner Management Console page appears. In the On Premise Scanner Management Console page, you can authorize the on-premises code scanner with different Source Code Management (SCM) providers.
- In the Configure servers section, provide the following:
  - In the Repository Server Address box, type the repository server address.
  - In the On-premise code scanner address (use port:9020) box, type the code scanner address.
- Click Continue.
  The Configure cloud (Optional) section appears.
- (Optional) In the Select cloud provider drop-down box, select one of the following options:
  - AWS
    - In the AWS Access Key box, type the AWS access key.
    - In the AWS Secret Key box, type the AWS secret key.
  - GCP
    - Click Upload to upload your service account credentials file.
  - Azure
    - In the Azure Client ID box, type the Azure client ID.
    - In the Azure Tenant ID box, type the Azure tenant ID.
    - In the Azure Subscription ID box, type the Azure subscription ID.
    - In the Azure Client Secret box, type the Azure client secret.
- Click Continue.
  The Setup authentication section appears.
- In the Select repository server drop-down box, select GitHub.
  Tenable Cloud Security displays an information form for GitHub.
- Provide the following:
  - In the Client ID box, type the client ID.
  - In the Client Secret box, type the client secret.
    Note: For information about how to obtain Client ID and Client Secret, see Create an OAuth Application in GitHub Enterprise Server.
  - Click Submit.
- (Optional) In the Other Settings section, click the Allow on-premise code scanner to send logs to Tenable Cloud Security toggle.
  Tenable Cloud Security redirects you to the GitHub Enterprise server to authorize the permissions on the OAuth Application. A message confirms successful authorization and GitHub redirects you to the On-premise code scanner page.

- In the left navigation bar, click the icon.
- Click Connection > Repository.
  The Connect to repository page appears.
- In the Choose a workflow to discover repo(s) section, select Version control.
- Click Continue.
  The Connect to a version control provider section appears.
- In the Connect to a version control provider section, select GitHub and On-Premise Code Scanner.
- Click Continue.
  The Choose onboarding repositories section appears.
- Select the required repository.
- Hover over the selected repository and click to configure the advanced settings.
  For more information, see Repository Configuration Parameters.
- Click Continue.
  The Choose projects to add the repository to section appears.
- Select the project that you want to connect to the repository.
- Click Connect.
  A message confirms that Tenable Cloud Security connected the GitHub IaC repository to the selected project.