Deploy Nessus as a Docker Image
You can deploy a managed Nessus scanner or an instance of Nessus Professional as a Docker image to run on a container. The base image is a CentOS 8 instance of Nessus. You can configure the Nessus instance with environment variables to automatically configure the image with the settings you configure.
Tenable does not recommend deploying Nessus in a Docker container that shares a network interface controller (NIC) with another Docker container.
Before you begin:
-
Download and install Docker for your operating system.
-
Access the Nessus Docker image from https://hub.docker.com/r/tenableofficial/nessus.
To deploy Nessus as a docker image:
- In your terminal, use the docker pull command to get the image.
$ docker pull tenableofficial/nessus
- Use the docker run command to run your image.
-
Use the operators with the appropriate options for your deployment, as described in Operators.
-
To preconfigure Nessus, use the -e operator to set environment variables, as described in Environmental Variables.
Note: Tenable recommends you use environment variables to configure your instance of Nessus when you run the image. If you do not include environment variables such as an activation code, username, password, or linking key (if creating a managed Nessus scanner), you must configure those items later.
$ docker run --name "container name" -d -p 8834:8834 -e ACTIVATION_CODE=<activation code> -e USERNAME=<username> -e PASSWORD=<password> tenableofficial/nessus
- If you did not include environment variables, complete any remaining configuration steps in the command line interface or Nessus configuration wizard.
What to do next:
-
To stop and remove the container, see Remove Nessus as a Docker Container.
| Operator | Description |
|---|---|
| --name | Sets the name of the container in Docker. |
| -d | Starts a container in detached mode. |
| -p |
Publishes to the specified port in the format host port:container port. By default, the port is 8834:8834. If you have several Nessus containers running, use a different host port. The container port must be 8834 because Nessus listens on port 8834. |
| -e |
Precedes an environment variable. For descriptions of environment variables you can set to configure settings in your Nessus instance, see Environmental Variables. |
| Variable | Required? | Description |
|---|---|---|
| Initial Configuration Options | ||
| ACTIVATION_CODE | Recommended | The activation code to register Nessus. This determines whether the instance is a Nessus scanner or Nessus Professional. |
| USERNAME | Recommended |
Creates the administrator user. |
| PASSWORD | Recommended | Creates the password for the user. |
| Linking Options | ||
| LINKING_KEY | Yes if linking to manager | The linking key from the manager. |
| NAME | No | The name of the Nessus scanner to appear in the manager. By default, the name is the container ID. |
| MANAGER_HOST | Yes if linking to manager | The hostname or IP address of the manager. |
| MANAGER_PORT | Yes if linking to manager |
The port of the manager. By default, the port is 8834. For Nessus Manager, use 8834. For Tenable.io, use 443. |
| Proxy Options | ||
| PROXY | No | The hostname or IP address of the proxy server. |
| PROXY_PORT | No | The port number of the proxy server. |
| PROXY_USER | No | The name of a user account that has permissions to access and use the proxy server. |
| PROXY_PASS | No | The password of the user account that you specified as the proxy user. |
| Nessus Settings | ||
| AUTO_UPDATE | No |
Sets whether Nessus should automatically receive updates. Valid values are as follows:
|
Nessus Professional
docker run --name "nessus-pro" -d -p 8834:8834 -e ACTIVATION_CODE=<activation code> -e USERNAME=admin -e PASSWORD=admin tenableofficial/nessus
Managed Nessus scanner linked to Tenable.io
docker run --name "nessus-managed" -d -p 8834:8834 -e LINKING_KEY=<Tenable.io linking key> -e USERNAME=admin -e PASSWORD=admin -e MANAGER_HOST=cloud.tenable.com -e MANAGER_PORT=443 tenableofficial/nessus