Deploy Tenable Nessus using JSON

You can automatically configure and deploy Tenable Nessus scanners using a JSON file, config.json. To determine the location of this file on your operating system, see Default Data Directories.

When you first launch Tenable Nessus after installation, Tenable Nessus first checks for the presence of environment variables, then checks for the config.json file. When Tenable Nessus launches for the first time, Tenable Nessus uses that information to link the scanner to a manager, set preferences, and create a user.

Note: config.json must be in ASCII format. Some tools, such as PowerShell, create test files in other formats by default.

Location of config.json File

Place the config.json file in the following location:

  • Linux: /opt/nessus/var/nessus/config.json
  • Windows: C:\ProgramData\Tenable\Nessus\nessus\config.json

Example Tenable Nessus File Format

{ "link": { "name": "sensor name", "host": "hostname or IP address", "port": 443, "key": "abcdefghijklmnopqrstuvwxyz", "ms_cert": "CA certificate for linking", "retry": 1, "proxy": { "proxy": "proxyhostname", "proxy_port": 443, "proxy_username": "proxyusername", "proxy_password": "proxypassword", "user_agent": "proxyagent", "proxy_auth": "NONE" } }, "preferences": { "global.max_hosts": "500" }, "user": { "username": "admin", "password": "password", "role": "system_administrator", "type": "local" } }

config.json Details

The following describes the format of the different settings in each section of config.json.

Note: All sections are optional; if you do not include a section, it is not configured when you first launch Tenable Nessus. You can manually configure the settings later.


The link section sets preferences to link Tenable Nessus to a manager.

Setting Description


A name for the scanner.


The hostname or IP address of the manager you want to link to.


The port for the manager you want to link to.

For Tenable Nessus Manager: 8834 or your custom port.

key The linking key that you retrieved from the manager.


A custom CA certificate to use to validate the manager's server certificate.



If you are using a proxy server, include the following:

proxy: The hostname or IP address of your proxy server.

proxy_port:The port number of the proxy server.

proxy_username: The name of a user account that has permissions to access and use the proxy server.

proxy_password: The password of the user account that you specified as the username.

user_agent: The user agent name, if your proxy requires a preset user agent.

proxy_auth: The authentication method to use for the proxy.



Set aws_scanner to true to link the Tenable Nessus scanner as an AWS scanner.

Note: The Tenable Nessus scanner must already be running on an AWS instance for the option to take effect.

Caution: aws_scanner is not supported in Amazon Linux 2023 AMI environments.


The preferences section configures any advanced settings. For more information, see Advanced Settings.


The user section creates a Tenable Nessus user.

Setting Description
username Username for the Tenable Nessus user.

(Optional but recommended)

Password for the Tenable Nessus user.

If you create a user but leave the password value empty, Tenable Nessus automatically generates a password. To log in as the user, use nessuscli to change the user's password first.

role The role for the user. Set to disabled, basic, standard, administrator, or system_administrator. For more information, see Users.
type Set to local.