Tenable Cloud Security Container Security Commands and Options

This section lists the commands and options to use with the tcs command.

Commands

Command       Description
tcs consec    Scan a container image or registry for vulnerabilities and misconfigurations.
tcs env       Display the Tenable Cloud Security CLI environment variables.
tcs version   Display the Tenable Cloud Security CLI version.

Note: Use tcs [command] --help for more information about a command.

Global Scan Options for Image and Registry Scans (tcs consec command)

Use the following options with the tcs consec command for both container image and registry scans:

-c or --config=<configfile_path>
    The location of the configuration file that you downloaded. This option accepts absolute or relative file paths (defaults to ./config, then checks <HOMEDIR>/.accurics/config). See Download Configuration File.
    Required if you do not specify the project ID and API token.

--token=<API_token>
    The API authentication token. Use TCS_TOKEN to pass the token with an environment variable.
    Optional if you specify the configuration file.

-p=<project_ID> or --project=<project_ID>
    The project in Tenable Cloud Security. Use TCS_PROJECT_ID to set the project ID with an environment variable.
    Required

--fail
    Returns exit code 1 when Tenable Cloud Security detects high severity violations.
    Optional

-l or --log-level
    Specify one of the following log levels to show in the CLI output: debug, info, warn, error, panic, or fatal. The default value is info.
    Optional

-x or --log-type
    Specify one of the following log output types: console or json. The default value is console.
    Optional

--log-dir <directory_name>
    Specify a directory for the logs other than the default directory when running the scan in debug mode.
    Note: Tenable Cloud Security generates a log file if the scan is run in debug mode (--log-level=debug). By default, the log directory is ${pwd}/log.
    Optional

Scan Options for Container Images (tcs consec image command)

The following command syntax shows how to run a scan for container images without a configuration file:

tcs consec image <image_name>:<tag> --token=<API_token> --project=<project_id> [--wait] [--retryInterval <interval>] [--timeout <seconds>]

The following command syntax shows how to run a scan for container images with a configuration file:

tcs consec image <image_name>:<tag> --config=<config_file_path> [--wait] [--retryInterval <interval>] [--timeout <seconds>]

<image_name>:<tag>
    Image name with its tag. For example, alpine:latest.
    Required

--wait
    If you specify this option, Tenable Cloud Security waits for the duration specified with the --timeout option for the scan to complete. If the scan completes within that duration, Tenable Cloud Security generates two types of CLI output:

      • Scan summary on the console: the total number of misconfigurations (violations) and the total number of vulnerabilities.

      • JSON report: a detailed scan report with the details of the misconfigurations and vulnerabilities.

    For more information about these CLI outputs, see CLI Outputs for Container Image Scans.

    Note: If you do not specify --wait with the tcs consec image command, the console summary and JSON report are not generated.
    Optional

--timeout <timeout_sec>
    The maximum time (in seconds) to wait for the violation report of the scan. The default value is 300 seconds (5 minutes). To change the default, use this option together with --wait.
    Optional

--retryInterval <poll_interval>
    The polling interval (in seconds) while polling for the violation report of the scan. The default value is 5 seconds. Tenable Cloud Security checks whether the violation report is ready after every polling interval.
    Optional

Scan Options for Container Registries (tcs consec registry command)

The following command syntax shows how to run the tcs consec command for scanning container registries without a configuration file:

tcs consec registry <registry_url> --username=<registry_username> --password=<registry_password> --project=<project_id> --token=<API_token> --allowList=<images_to_scan> --denyList=<images_to_skip> [--builtAfter=<duration> | --builtBefore=<duration>] --mode=[scan | dry-run]

The following command syntax shows how to run the tcs consec command for scanning container registries with a configuration file:

tcs consec registry <registry_url> --username=<registry_username> --password=<registry_password> --allowList=<list_of_allowed_images> --denyList=<list_of_skipped_images> [--builtAfter=<duration> | --builtBefore=<duration>] --config=<config_file_path>

<registry_url>
    URL of the container registry. For example, http://localhost:5000.
    Required

--username=<registry_username>
    Container registry username. Use TCS_REGISTRY_USERNAME to set the username with an environment variable.
    Optional. Required if the registry needs authentication for access.

--password=<registry_password>
    Container registry password. If you do not want to enter the password in plain text, use TCS_REGISTRY_PASSWORD to set the password with an environment variable.
    Optional. Required if the registry needs authentication for access.

--allowList=<images_to_scan>
    Specify a comma-separated list of images that you want to scan. You can provide a pattern, and only the images that match the pattern are scanned. This parameter supports wildcard characters. For examples, see Scan a Container Registry.
    Optional

--denyList=<images_to_skip>
    Specify a comma-separated list of images that you want to skip during a scan. You can provide a pattern, and the images that match the pattern are skipped.
    Note: If you specify both --allowList and --denyList, --denyList takes precedence.
    Optional

--builtAfter=<duration>
    Scans only images that were built after the specified duration. Images built before this duration are not considered for the scan. Specify the duration as d (day), w (week), m (month), or y (year). For example, 1d, 2w, 3m, or 4y.
    Note: Specify only one value for the duration parameter. You cannot use a combination of values.
    Optional

--builtBefore=<duration>
    Scans only images that were built before the specified duration. Images built after this duration are not considered for the scan. Specify the duration as d (day), w (week), m (month), or y (year).
    Optional

--mode=[scan | dry-run]
    Specifies the mode of the scan. This parameter takes one of two values: scan or dry-run.
    Optional
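As an added example that is not part of Tenable's documentation, the following POSIX shell function assembles a tcs consec registry command line for a CI job while enforcing the constraints listed above (a single duration value, --builtAfter or --builtBefore but not both, mode scan or dry-run, and either a config file or a token plus project ID). The function names and the CONFIG_PATH variable are this script's own; the token, project ID and registry credentials are left to the TCS_* environment variables so the password never appears on the command line.

```shell
#!/bin/sh
# Added example, not part of Tenable's documentation. Builds a validated
# 'tcs consec registry' argument list for a CI job, enforcing the rules in the
# option table. Function names and CONFIG_PATH are this script's own; tcs reads
# TCS_TOKEN, TCS_PROJECT_ID, TCS_REGISTRY_USERNAME and TCS_REGISTRY_PASSWORD
# from the environment itself, so none of them is placed on the command line,
# where it would be visible in process listings and shell history.

# True when $1 is a single duration such as 1d, 2w, 3m or 4y (no combinations).
valid_duration() {
    printf '%s' "$1" | grep -Eq '^[0-9]+[dwmy]$'
}

# Usage: reg_scan_args <registry_url> <scan|dry-run> <allowList> <denyList> <builtAfter> <builtBefore>
# An empty string skips that option. Prints the argument list on success, or
# prints an error to stderr and returns 1.
reg_scan_args() {
    url=$1 mode=$2 allow=$3 deny=$4 after=$5 before=$6
    case $mode in
        scan|dry-run) ;;
        *) echo "mode must be scan or dry-run, got '$mode'" >&2; return 1 ;;
    esac
    if [ -n "$after" ] && [ -n "$before" ]; then
        echo "--builtAfter and --builtBefore cannot be combined" >&2; return 1
    fi
    for d in $after $before; do
        valid_duration "$d" || { echo "bad duration '$d' (one value, e.g. 1d, 2w, 3m, 4y)" >&2; return 1; }
    done
    # Either a config file, or the token plus the project ID, must identify the tenant.
    if [ -z "${CONFIG_PATH:-}" ] && { [ -z "${TCS_TOKEN:-}" ] || [ -z "${TCS_PROJECT_ID:-}" ]; }; then
        echo "set CONFIG_PATH, or both TCS_TOKEN and TCS_PROJECT_ID" >&2; return 1
    fi
    args="consec registry $url --mode=$mode"
    [ -n "$allow" ]  && args="$args --allowList=$allow"
    [ -n "$deny" ]   && args="$args --denyList=$deny"
    [ -n "$after" ]  && args="$args --builtAfter=$after"
    [ -n "$before" ] && args="$args --builtBefore=$before"
    [ -n "${CONFIG_PATH:-}" ] && args="$args --config=$CONFIG_PATH"
    printf '%s\n' "$args"
}
```

Run it with `set -f; set -- $(reg_scan_args …); tcs "$@"`; set -f stops the shell from expanding a wildcard such as app/* in the allow list before tcs sees it.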

Scan with Environment Variables

Use the tcs env command to view the environment variables.

Variable                Description
TCS_PROJECT_ID          The project ID in Tenable Cloud Security.
TCS_TOKEN               The API authentication token.
TCS_REGISTRY_USERNAME   The container registry username.
TCS_REGISTRY_PASSWORD   The container registry password.
HTTP_PROXY              HTTP proxy for all communications with the Tenable Cloud Security CLI.
HTTPS_PROXY             HTTPS proxy for all communications with the Tenable Cloud Security CLI.
NO_PROXY                List of domains that do not need to go through the HTTPS_PROXY or HTTP_PROXY.

Example

If you have a local registry and need a proxy to reach Tenable Cloud Security, set the following environment variables:

  • HTTPS_PROXY: the proxy used to communicate with Tenable

  • NO_PROXY: a list that includes the registry domain (so the registry is reached without the proxy)

Script Options

Use the tcs completion command to generate the autocompletion script for the following shells:

Option       Description
bash         Generate a Bash script.
fish         Generate a fish shell script.
powershell   Generate a PowerShell script.
zsh          Generate a Zsh script.