Deploy Tenable Nessus as a Docker Image

You can deploy a managed Tenable Nessus scanner or an instance of Tenable Nessus Professional as a Docker image to run on a container. Tenable provides two base Tenable Nessus images: Oracle Linux 8 and Ubuntu. You can configure the Tenable Nessus instance with environment variables to configure the image with the settings you configure automatically. Using operators and variables, you can deploy the Tenable Nessus image as linked to Tenable Vulnerability Management or Tenable Security Center.

Tenable does not recommend deploying Tenable Nessus in a Docker container that shares a network interface controller (NIC) with another Docker container.

Note: Tenable Nessus does not support storage volumes. Therefore, if you deploy a new Tenable Nessus image, you will lose your data and need to reconfigure Tenable Nessus. However, while deploying the new image, you can configure any initial user and linking information with environment variables, as described in step 2 of the following procedure.

Before you begin:

To deploy Tenable Nessus as a Docker image:

  1. In your terminal, use the docker pull command to get the image.

    $ docker pull tenable/nessus:<version-OS>

    For the <version-OS> tag, you must specify the Tenable Nessus version and whether you are pulling Oracle Linux 8 or Ubuntu. You can use the latest tag in place of a specific Tenable Nessus version (for example, latest-ubuntu).

  2. Use the docker run command to run your image.
    • Use the operators with the appropriate options for your deployment, as described in Operators.

    • To preconfigure Tenable Nessus, use the -e operator to set environment variables, as described in Environment Variables.

      Note: Tenable recommends using environment variables to configure your instance of Tenable Nessus when you run the image. If you do not include environment variables such as an activation code, username, password, or linking key (if creating a managed Tenable Nessus scanner), you must configure those items later.

  3. If you did not include environment variables, complete any remaining configuration steps in the command-line interface or Tenable Nessus configuration wizard.

To stop and remove Tenable Nessus as a Docker image:


Operator Description
--name Sets the name of the container in Docker.
-d Starts a container in detached mode.

Publishes to the specified port in the format host port:container port. By default, the port is 8834:8834.

If you have several Tenable Nessus containers running, use a different host port. The container port must be 8834 because Tenable Nessus listens on port 8834.


Precedes an environment variable.

For descriptions of environment variables you can set to configure settings in your Tenable Nessus instance, see Environment Variables.

Environment Variables

The required and optional environment variables differ based on your Tenable Nessus license and whether you are linking to Tenable Vulnerability Management. Click the following bullets to view the environment variables.