Policy Modes

In scenarios where you do not want your CI/CD tool to deploy cloud resources if Tenable Cloud Security detects violations in your IaC, the Tenable Cloud Security CLI provides special status codes based on the policy modes.

You can then configure your CI/CD to catch these codes and decide on failing the builds.


This is the default mode. Tenable Cloud Security CLI always responds with the status 0 (Success), if it detects any violation in your IaC.

Tenable Cloud Security CLI output for a policy in the Monitor mode:


In the Enforce policy mode, if Tenable Cloud Security CLI detects any violation in your IaC, it responds with an exit code status 1 (Failure).

Tenable Cloud Security CLI output for a policy in the Enforce mode:


After scanning the IaC resources, if the scan finds any violations, a Self-Heal policy replaces values related to violations in the IaC with the default values specified in the policy. You can change the default values for some of the rules. See Create a Custom Policy.

Note: For a Self-Heal policy to work as expected, you must enable Auto-Remediate on the repository.