Use an On-Premises Code Scanner
You can use the Tenable Cloud Security on-premises code scanner to connect repositories deployed behind a firewall. The scanner runs inside the firewall-bound network, scans the repository there, and sends the processed data to the Tenable Cloud Security services for reporting in Tenable Cloud Security.
What data does the on-premises code scanner send to the Tenable Cloud Security cloud?
Tenable Cloud Security collects metadata on cloud and IaC resources and normalizes it into its native format before sending it to the cloud. When Tenable Cloud Security analyzes IaC or cloud resources, secrets embedded in the configurations are redacted before the Tenable Cloud Security platform stores them. Those secrets, such as the ones inside roles in Terraform files, remain on the on-premises scanner, because the code itself never leaves the customer boundary.
Note: (Optional) If the state file location is provided during repository configuration, Tenable Cloud Security sends the state file as well. Its content is used only to improve the accuracy of the mapping algorithm between IaC and cloud resources.
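The redaction step described above, as an added illustration that is not Tenable's code: it extracts resource metadata from a constructed Terraform fragment, redacts secret-looking attribute values before they would leave the scanner host, and checks the outbound payload for leaks. The regex parsing and the secret-name heuristic are simplifying assumptions, not the product's actual logic.

```python
import json
import re

# Constructed sample Terraform fragment (not taken from any real repository).
SAMPLE_TF = '''
resource "aws_db_instance" "app" {
  engine   = "postgres"
  username = "admin"
  password = "S3cr3t-Pa55!"
}

resource "aws_iam_role" "scanner" {
  name               = "code-scanner-role"
  assume_role_policy = "{\\"Version\\": \\"2012-10-17\\"}"
}
'''

# Assumed heuristic: attribute names that usually carry secrets.
SECRET_KEYS = re.compile(r"(password|secret|token|private_key|access_key)", re.I)
# Minimal HCL matching, sufficient for simple resource blocks with string attributes.
RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"\s*$', re.M)


def extract_metadata(tf_text):
    """Return normalized resource records with secret-looking values redacted.

    Only resource type, name and attributes are collected; values under
    secret-looking keys are replaced so they never leave the scanner host.
    """
    records = []
    for rtype, rname, body in RESOURCE_RE.findall(tf_text):
        attrs = {}
        for key, value in ATTR_RE.findall(body):
            attrs[key] = "[REDACTED]" if SECRET_KEYS.search(key) else value
        records.append({"type": rtype, "name": rname, "attributes": attrs})
    return records


def leaked_secrets(records, tf_text):
    """Outbound guard: names of secret-looking source attributes whose raw
    value still appears in the payload that would be sent to the cloud."""
    payload = json.dumps(records)
    return [key for key, value in ATTR_RE.findall(tf_text)
            if SECRET_KEYS.search(key) and value in payload]


if __name__ == "__main__":
    payload = extract_metadata(SAMPLE_TF)
    print(json.dumps(payload, indent=2))
    print("leaks:", leaked_secrets(payload, SAMPLE_TF))
```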
The following image explains the functionality of an on-premises code scanner.
You can deploy an on-premises scanner on the following SCMs: