Integrate Tenable Cloud Security CLI with SCM and CI/CD Pipelines
Tenable Cloud Security integrates with source code management (SCM) and CI/CD pipelines to scan any container image for vulnerabilities and misconfigurations. Tenable recommends using a single image scan with the Tenable Cloud Security CLI binary for integrating with SCM and CI/CD pipelines.
Integrate Tenable Cloud Security CLI with the following SCM and CI/CD pipelines: GitHub Actions, Jenkins, CircleCI, and Azure DevOps.
Before you begin:
- For scanning a container image, ensure that the container image is available in the docker daemon.
The following sample code shows how to integrate a single image scan in a GitHub pipeline:
name: consec_tcs_cli_build_and_scan_single_image
on:
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Build Image
        run: |
          echo "building docker image"
          docker build -t getting-started:new .
      - name: TCS CLI Scan
        env:
          # The download URL and API token are stored as repository secrets; the project ID is a plain variable.
          TCS_CLI_DOWNLOAD_URL: ${{ secrets.TCS_CLI_DOWNLOAD_URL }}
          TCS_TOKEN: ${{ secrets.TCS_TOKEN }}
          TCS_PROJECT_ID: ${{ vars.TCS_PROJECT_ID }}
        run: |
          echo "~~~~~Installation of TCS CLI.."
          wget "$TCS_CLI_DOWNLOAD_URL"
          # The archive name is the tenth "/"-separated field of the download URL
          file_name=`echo $TCS_CLI_DOWNLOAD_URL | cut -f10 -d "/"`
          tar -xf "$file_name" && chmod +x tcs
          echo "~~~~~Starting TCS CLI Image scan .."
          ./tcs consec image getting-started:new --wait
The following sample code shows how to integrate a single image scan in a Jenkins pipeline:
pipeline {
    agent any
    // TCS_CLI_DOWNLOAD_URL, TCS_TOKEN and TCS_PROJECT_ID are expected as
    // environment variables on the agent (see "Where:" below). They are
    // expanded by the shell rather than by Groovy string interpolation,
    // so their values are not written into the build log by Jenkins.
    stages {
        stage("Build Image...") {
            steps {
                sh "docker build -t getting-started:new ."
            }
        }
        stage("Install TCS CLI...") {
            steps {
                sh 'wget "$TCS_CLI_DOWNLOAD_URL"'
                script {
                    // The archive name is the tenth "/"-separated field of the URL;
                    // trim() drops the trailing newline returned by sh(returnStdout: true)
                    def fileName = sh(returnStdout: true, script: 'echo "$TCS_CLI_DOWNLOAD_URL" | cut -f10 -d "/"').trim()
                    sh "tar -xvf ${fileName}"
                    sh "chmod +x tcs"
                }
            }
        }
        stage("Scanning Image...") {
            steps {
                sh "./tcs consec image getting-started:new --wait"
            }
        }
    }
}
The following sample code shows how to integrate a single image scan in a CircleCI pipeline:
version: 2.1
jobs:
  consec-image:
    machine:
      image: ubuntu-2004:202010-01
    steps:
      - checkout
      - run:
          name: "Build Image"
          command: "docker build -t getting-started:new ."
      - run:
          name: "Download TCS CLI"
          # ">-" folds the following lines into one command; "&&" stops at the first failure.
          # chmod +x is all the binary needs; it does not have to be world-writable (777).
          command: >-
            wget $TCS_CLI_DOWNLOAD_URL &&
            file_name=`echo $TCS_CLI_DOWNLOAD_URL | cut -f10 -d "/"` &&
            tar -xf $file_name && chmod +x tcs
      - run:
          name: "TCS Image Scan"
          command: "./tcs consec image getting-started:new --wait"
workflows:
  consec-workflow:
    jobs:
      - consec-image
The following sample code shows how to integrate a single image scan in an Azure DevOps pipeline:
trigger:
  branches:
    include:
      - refs/heads/main
  paths:
    exclude:
      - tcs.yml
variables:
  vmImageName: 'ubuntu-latest'
  TCS_CLI_DOWNLOAD_URL: https://www.tenable.com/downloads/api/v2/pages/tenable-cs/files/tenable.cs-cli_latest_Linux_x86_64.tar.gz
  # TCS_TOKEN and TCS_PROJECT_ID are supplied as pipeline variables (the token as a secret variable), not stored here.
jobs:
  - job: consec_scan
    pool:
      vmImage: $(vmImageName)
    steps:
      - script: |
          echo "building docker image"
          docker build -t getting-started:new .
        displayName: 'Build Image'
      - script: |
          echo "installing TCS CLI"
          wget $(TCS_CLI_DOWNLOAD_URL)
          # The archive name is the tenth "/"-separated field of the download URL
          file_name=`echo $(TCS_CLI_DOWNLOAD_URL) | cut -f10 -d "/"`
          tar -xf $file_name && chmod +x tcs
          ./tcs version
          echo "initiate TCS scan"
          ./tcs consec image getting-started:new --wait -l debug
        displayName: 'TCS Scan'
        # Keeps the job green even when the scan step fails; remove it if a failed scan should block the pipeline.
        continueOnError: true
Where:
- TCS_CLI_DOWNLOAD_URL: Tenable Cloud Security CLI download location. Use the following links for the download URLs:
  - Linux (arm64): https://www.tenable.com/downloads/api/v2/pages/tenable-cs/files/tenable.cs-cli_latest_Linux_arm64.tar.gz
  - Linux (x86_64): https://www.tenable.com/downloads/api/v2/pages/tenable-cs/files/tenable.cs-cli_latest_Linux_x86_64.tar.gz
  - MacOs (arm64): https://www.tenable.com/downloads/api/v2/pages/tenable-cs/files/tenable.cs-cli_latest_MacOs_arm64.tar.gz
  - MacOs (x86_64): https://www.tenable.com/downloads/api/v2/pages/tenable-cs/files/tenable.cs-cli_latest_MacOs_x86_64.tar.gz
- TCS_PROJECT_ID: Project ID in Tenable Cloud Security. Use TCS_PROJECT_ID to set the project ID with an environment variable.
- TCS_TOKEN: API authentication token you generate from Tenable Cloud Security. Use TCS_TOKEN to set the API token with an environment variable. For more information, see Generate API Tokens.
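The four pipeline samples above repeat the same install-and-scan steps. The following POSIX shell wrapper is an added example, not Tenable's code: it performs those steps with the pre-flight checks a practitioner would want (required variables present, image loaded in the local docker daemon, `chmod +x` rather than `chmod 777`). It assumes a hypothetical file name tcs_scan.sh and that the three environment variables described above are set by the pipeline.

```shell
# Added example, not Tenable's code: pipeline-agnostic wrapper around the
# install-and-scan steps. Save as tcs_scan.sh (hypothetical name) and call
# `sh tcs_scan.sh getting-started:new` with the TCS_* variables exported.
set -eu

# Derive the archive name with basename instead of `cut -f10`, so it keeps
# working if the download URL path ever changes depth.
tcs_archive_name() {
  basename "$1"
}

# Fail before downloading anything if a required variable is unset or empty;
# lists the missing names on stderr so the pipeline log shows the cause.
tcs_check_env() {
  missing=""
  for name in TCS_CLI_DOWNLOAD_URL TCS_TOKEN TCS_PROJECT_ID; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    echo "missing required environment variable(s):$missing" >&2
    return 1
  fi
}

# Download and unpack the CLI into the working directory; u+x is all the
# binary needs (chmod 777 would also make it world-writable for no reason).
tcs_install() {
  archive=$(tcs_archive_name "$TCS_CLI_DOWNLOAD_URL")
  wget -q "$TCS_CLI_DOWNLOAD_URL" -O "$archive"
  tar -xf "$archive"
  chmod u+x tcs
  ./tcs version
}

# Scan one image that is already present in the local docker daemon, as the
# "Before you begin" note requires; refuse names that are not loaded locally.
tcs_scan_image() {
  image="$1"
  docker image inspect "$image" >/dev/null 2>&1 || {
    echo "image '$image' is not present in the docker daemon" >&2
    return 1
  }
  ./tcs consec image "$image" --wait
}

# Entry point, guarded so that sourcing the file only defines the functions.
if [ "${1:-}" != "" ]; then
  tcs_check_env && tcs_install && tcs_scan_image "$1"
fi
```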