Scan IaC Files in the CLI Local Mode

You can use Tenable Cloud Security CLI to view scan results locally without publishing them to the cloud with the local mode. In this mode, the scan results are displayed in the console and the CLI does not push the scan results to the Tenable Cloud Security Console. You can use this feature to scan your test repository branches for any violations. Local mode is supported only for IaC scans with both plan-based and static analysis.

Note: Kubernetes scan is not supported in the local mode.

Before you begin:

You must have the following:

To run an IaC scan using the Tenable Cloud Security CLI:

  1. In the command terminal, initialize Terraform configuration files:

    accurics init
  2. Run the accurics plan or accurics scan command in the following ways:

    • Pipeline mode

      accurics plan -mode=pipeline -appurl=<application_url> -token=<API_token> -project=<project_ID> -test

      accurics scan -mode=pipeline -appurl=<application_url> -token=<API_token> -project=<project_ID> -test


      • application_url: URL of the Tenable Cloud Security Console, which is

      • API_token: API authentication token you generate from Tenable Cloud Security. For more information, see Generate API Tokens.

      • project_ID: Project in Tenable Cloud Security. Specify the project ID for running a scan in the local mode.

      • -test: Specifies that the repository and scan results are not pushed to the Tenable Cloud Security Console.

    • With configuration file

      accurics plan -config=<config_file_path> -test

      accurics scan -config=<config_file_path> -test


      • config_file_path: Relative or absolute path of the configuration file that you download from the Tenable Cloud Security Console.

For detailed information about the commands and parameters in Tenable Cloud Security CLI, see Tenable Cloud Security Commands and Options.