Scan a Container Image

Use the Tenable Cloud Security CLI to scan a container image. After Tenable Cloud Security scans your container image, you can view the detailed scan results on the Tenable Cloud Security Console.

Before you begin:

  • Create a project in the Tenable Cloud Security Console to scan the container image.

    Note: For accurate results in scan reports and dashboards, Tenable recommends to avoid scanning the same image from multiple projects.
  • Ensure that the container image is available in the docker daemon.

To scan a container image from the Tenable Cloud Security CLI:

  1. Run the tcs consec command in one of the following ways:

    • Without the configuration file

      tcs consec image <image_name>:<tag> --project=<project_ID> --token=<API_token> --wait --retryInterval <poll_interval> --timeout <timeout_sec>
    • With the configuration file:

      tcs consec image <image_name>:<tag> --config=<config_file_path> --wait --retryInterval <poll_interval> --timeout <timeout_sec>


    • <image_name>:<tag>: Image name with its tag. For example, alpine:latest.

    • <project_ID>: Project ID in Tenable Cloud Security. Use TCS_PROJECT_ID to set the project ID with an environment variable.

    • <API_token>: API authentication token you generate from Tenable Cloud Security. Use TCS_TOKEN to set the API token with an environment variable. For more information, see Generate API Tokens.

    • <config_file_path>: Specify the configuration file location that you downloaded from Tenable Cloud Security. This option accepts absolute or relative file paths (defaults to ./config, then checks <HOMEDIR>/.accurics/config). For more information, see Download Configuration File.

    • Use the following optional parameters to wait for the scan results:

      • --wait: If you specify this option, Tenable Cloud Security waits for the duration specified with the --timeout parameter for the scan to complete. If the scan completes within the specified duration, Tenable Cloud Security generates two types of CLI outputs:

        • Scan summary on the console: Includes the summary of total misconfigurations (violations) and total vulnerabilities.

        • JSON report: Detailed scan report that indicates the details about the misconfigurations and vulnerabilities.

        For more information about these CLI outputs, see CLI Outputs for Container Image Scans.

      • --timeout <timeout_sec>: The maximum time (in seconds) to wait for the violation report of the scan. The default value is 300 seconds (5 minutes). To change the default, use this option with the --wait option.

      • --retryInterval <poll_interval>: The polling time interval (in seconds) while polling for the violation report of the scan. The default value is 5 seconds. Tenable Cloud Security checks whether the violation report is ready after every polling interval.

CLI Outputs for Container Image Scans

In addition to displaying the scan results on the Tenable Cloud Security user interface, Tenable Cloud Security generates a scan summary on the console and a JSON report when you scan container images. To generate these two CLI outputs, you must use the tcs consec image command with the --wait option. The JSON report can be additionally used as an artifact of a successful CI/CD pipeline run or as raw data for post-processing of the scan results.

Note: If the --wait option is not specified with the tcs consec image command, the console summary and JSON report are not generated.

Tenable Cloud Security generates the following two CLI outputs:

What to do next:

On the Tenable Cloud Security Console, go to the Findings page. Tenable Cloud Security shows the vulnerabilities detected for the scanned image. For more information, see View Vulnerabilities.