Scan IaC Files Using CLI

You can use the Tenable Cloud Security CLI to scan your IaC code and list its vulnerabilities. There are two ways to scan your IaC code: plan-based analysis and static analysis.

You can run the Tenable Cloud Security CLI in the following modes:

  • Pipeline mode — In this mode, specify all the required parameters with the accurics plan or accurics scan command to run the scan.

  • With configuration file — In this mode, specify the configuration file. Tenable Cloud Security uses the configuration file parameters and automatically runs the scan.

Plan-based Analysis

You can run a plan-based analysis using the accurics plan command. Plan-based analysis supports only Terraform files. You can view the scan results in the Tenable Cloud Security Console.

Before you begin:

To run a plan-based analysis using the Tenable Cloud Security CLI:

  1. In the command terminal, initialize Terraform configuration files:

    accurics init
  2. Run the accurics plan command in the following ways:

    • Pipeline mode

      accurics plan -mode=pipeline -appurl=<application_url> -token=<API_token> [-project=<project_ID>]

      Where:

      • application_url: URL of the Tenable Cloud Security Console, which is https://cloud.tenable.com/cns.

      • API_token: API authentication token you generate from Tenable Cloud Security. For more information, see Generate API Tokens.

      • project_ID: (Optional) Project in Tenable Cloud Security. If you specify the project, Tenable Cloud Security sends the scan results to this project. If you do not specify the project, Tenable Cloud Security creates a default project for displaying the scan results.

    • With configuration file

      accurics plan -config=<config_file_path>

      Where:

      • config_file_path: Relative or absolute path of the configuration file that you download from the Tenable Cloud Security Console.


Static Analysis

You can run a static analysis with the accurics scan command. The accurics scan command supports Terraform, CloudFormation templates, Azure Resource Manager templates, Kubernetes, Kustomize, and Helm charts.

Before you begin:

To run a static analysis using the Tenable Cloud Security CLI:

  1. Run the accurics scan command in the following ways:

    • Pipeline mode

      accurics scan -mode=pipeline -appurl=<application_url> -token=<API_token>
    • With configuration file

      accurics scan -config=<config_file_path>
    Where:

    • application_url: URL of the Tenable Cloud Security Console, which is https://cloud.tenable.com/cns.

    • API_token: API authentication token you generate from Tenable Cloud Security. For more information, see Generate API Tokens.

    • config_file_path: Relative or absolute path of the configuration file that you downloaded from the Tenable Cloud Security Console.

For detailed information about the commands and parameters in Tenable Cloud Security CLI, see Tenable Cloud Security Commands and Options.
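
The two procedures above wrapped as a single CI step, as an added example that is not part of Tenable's documentation. The ACCURICS_* environment variable names and the accurics_redact and accurics_run function names are assumptions; only the accurics commands and flags come from this page.

```shell
#!/bin/sh
# Added example: CI wrapper for the accurics commands documented on this page.
# Assumed names (not from the page): the ACCURICS_* environment variables and
# the accurics_redact / accurics_run functions.

# Print a command line for the build log with the token value masked.
accurics_redact() {
  _line=accurics
  for _a in "$@"; do
    case "$_a" in -token=*) _a='-token=***' ;; esac
    _line="$_line $_a"
  done
  printf '%s\n' "$_line"
}

# $1 is "plan" (plan-based, Terraform only) or "scan" (static analysis).
accurics_run() {
  _sub="$1"
  case "$_sub" in
    plan|scan) ;;
    *) echo "error: expected plan or scan" >&2; return 2 ;;
  esac
  if [ -n "${ACCURICS_CONFIG:-}" ]; then
    # Configuration-file mode: parameters come from the downloaded file.
    [ -f "$ACCURICS_CONFIG" ] || { echo "error: config file missing" >&2; return 2; }
    set -- "$_sub" "-config=$ACCURICS_CONFIG"
  else
    # Pipeline mode: the token is read from the CI secret store via the
    # environment, never hardcoded in the repository.
    [ -n "${ACCURICS_TOKEN:-}" ] || { echo "error: ACCURICS_TOKEN not set" >&2; return 2; }
    set -- "$_sub" -mode=pipeline \
      "-appurl=${ACCURICS_APPURL:-https://cloud.tenable.com/cns}" \
      "-token=$ACCURICS_TOKEN"
    # The page shows -project for accurics plan only.
    if [ "$_sub" = plan ] && [ -n "${ACCURICS_PROJECT:-}" ]; then
      set -- "$@" "-project=$ACCURICS_PROJECT"
    fi
  fi
  accurics_redact "$@"
  # Step 1 of the plan-based procedure: initialize before planning.
  if [ "$_sub" = plan ]; then accurics init || return; fi
  accurics "$@"   # exit status is passed through to the pipeline
}
```

Because -token is passed as a command-line argument, it is visible in the runner's process list while accurics runs, so masking the log line does not replace restricting access to the runner.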