Recently Viewed Topics
Scan a Repository via the Tenable.io CS Scanner
Required User Role: Scan Operator, Standard, Scan Manager, or Administrator
Run the Tenable.io CS Scanner in Registry Import mode to scan all images in a repository.
Before you begin:
- Confirm your machine meets the system requirements, as described in CS Scanner System Requirements.
- Download the Tenable.io CS Scanner, as described in Download the CS Scanner.
- Prepare your environment variable value, as described in the Environment Variables.
- (Optional) To scan images hosted in an Azure registry, complete the following tasks to prepare your Azure registry. For information about Azure registries, see Azure Documentation.
- Configure your Azure registry.
Create a service principal for your Azure registry and assign the AcrPull role to the service principal.
- (Optional) To scan images hosted in an Amazon Web Services (AWS) Elastic Container Registry (ECR), obtain your AWS token. For information about how to obtain your AWS token, see AWS Documentation.
To run the Tenable.io CS Scanner in Registry Import mode:
-
In the CLI of the machine where you want to run the scanner, type the customized configuration and command for your deployment type using the parameters defined below.
Note: Some of the following variables not required to run the scanner. For information about these variables and their definitions, see Environment Variables.
docker run \ -e TENABLE_ACCESS_KEY=<variable> \ -e TENABLE_SECRET_KEY=<variable> \ -e IMPORT_REPO_NAME=<variable> \ -e REGISTRY_URI=<variable> \ -e REGISTRY_USERNAME=<variable> \ -e REGISTRY_PASSWORD=<variable> \ -e IMPORT_INTERVAL_MINUTES=<variable> -i tenableio-docker-consec-local.jfrog.io/cs-scanner:latest import-registry -
Press Enter.
The Tenable.io CS Scanner scans all images in the registry.
What to do next:
- View the results of your scan, as described in View Scan Results for Container Images.