TOC & Recently Viewed

Recently Viewed Topics

Configure and Run the CS Scanner in Kubernetes

To scan images with the CS Scanner in Kubernetes, create a Kubernetes deployment file and deploy the file via the CLI on the machine where you want to run the scan.

Before you begin:

To configure and run the CS Scanner in Kubernetes:

  1. In a text editor, open a new file.

  2. Save the file as tiocsscanner-deployment.yaml.
  3. Copy and paste the following text into the file, typing your specific variables where applicable:

    For information about these variables and their definitions, see Environment Variables.

    apiVersion: v1 kind: Service metadata: name: tiocsscanner namespace: tiocsscanner labels: app: tiocsscanner spec: selector: app: tiocsscanner type: ClusterIP ports: - name: http protocol: TCP port: 5000 --- apiVersion: extensions/v1beta1 kind: Deployment metadata: labels: app: tiocsscanner name: tiocsscanner namespace: tiocsscanner spec: minReadySeconds: 10 replicas: 1 selector: matchLabels: app: tiocsscanner strategy: rollingUpdate: maxSurge: 1 maxUnavailable: 1 type: RollingUpdate template: metadata: labels: app: tiocsscanner spec: containers: - image: "" name: tiocsscanner resources: limits: cpu: "3" requests: cpu: "1.5" memory: "2Gi" args: - import-registry env: - name: TENABLE_ACCESS_KEY valueFrom: secretKeyRef: name: tio key: username - name: TENABLE_SECRET_KEY valueFrom: secretKeyRef: name: tio key: password - name: REGISTRY_USERNAME valueFrom: secretKeyRef: name: private-registry key: username - name: REGISTRY_PASSWORD valueFrom: secretKeyRef: name: private-registry key: password - name: IMPORT_REPO_NAME value: "<variable>" - name: REGISTRY_URI value: "<variable>" - name: IMPORT_INTERVAL_MINUTES value: "<variable>"
    Note: If you are not pulling the image directly from the repository where it is hosted, append the following command to the end of the file, starting on a new line after the last variable:

    imagePullSecrets -name: jfrog-tio

  4. Save and close the file.
  5. In the CLI on the machine where you want to run the scan, type the following to deploy the file:

    kubectl apply -f tiocsscanner-deployment.yaml

    Note: The above command works only if the file is saved to the current working directory. If the file is saved somewhere other than the working directory, include the full path directory in the command. For example:


  6. Press Enter.

    The CS Scanner runs on Kubernetes.

  7. Run the following command to confirm the scan ran successfully:

    kubectl get pods --namespace=tiocsscanner

    The scan status log appears.

    Note: If you receive error messages in the scan data, follow the error prompts to correct the issue.

What to do next:

Copyright © 2019 Tenable, Inc. All rights reserved. Tenable,, Tenable Network Security, Nessus, SecurityCenter, SecurityCenter Continuous View and Log Correlation Engine are registered trademarks of Tenable, Inc.., Lumin, Assure, and the Cyber Exposure Company are trademarks of Tenable, Inc. All other products or services are trademarks of their respective owners.