Tenable Cloud Security Commands and Options

This section lists the Tenable Cloud Security CLI commands, command options, and environment variables.

Commands

Tenable Cloud Security CLI supports the following commands:

General Commands

Command Description
init

This command is a wrapper over the terraform init command.

accurics init

configure

This command prompts you to provide the endpoint of the Tenable Cloud Security Console and creates a configuration file that you can use while running the accurics plan command.

accurics configure

workspace

This command is a wrapper over the terraform workspace command.

version

Shows the Tenable Cloud Security CLI version.

Scan Commands

Command Description
plan

Use this command for plan-based analysis. This command supports only Terraform files. This command detects violations in the Terraform files located in the current directory.

Syntax:

  • accurics plan -mode=pipeline -appurl=<application_url> -token=<API_token>

  • accurics plan -config=<configfile_path>

tgplanall or plan-all

This command detects violations in the Terragrunt/Terraform files that are in the current directory and within each subfolder.

Syntax:

  • accurics tgplanall -config=<configfile_path>

  • accurics plan-all -config=<configfile_path>

tgplan

This command detects violations in the Terragrunt/Terraform files in the current directory. Use this command if you do not want to run the terragrunt plan-all command and want to scan individual folders under the main Terragrunt folder. In the following example, topfolder is the top-level folder and folder1 and folder2 are subfolders. You can run the accurics tgplan command on one folder at a time.

Syntax:

  • topfolder>folder1> accurics tgplan -config=<configfile_path>
  • topfolder>folder2> accurics tgplan -config=<configfile_path>

scan

This command performs static analysis and uses Terrascan (github.com/accurics/terrascan) to scan different IaC types. It supports the following IaC types:

  • Terraform

  • Kubernetes

  • Helm Chart

  • Kustomize

  • CloudFormation template

Syntax:

  • accurics scan -mode=pipeline -appurl=<application_url> -token=<API_token>

  • accurics scan -config=<configfile_path>

Command Options

Tenable Cloud Security CLI supports the following options with the accurics plan and accurics scan commands:

| Option | Description | Required/Optional |
|---|---|---|
| -config=<configfile_path> | Specify the location of the configuration file that you downloaded from Tenable Cloud Security (see Download Configuration File). This option accepts absolute or relative file paths (defaults to ./config, then checks <HOMEDIR>/.accurics/config). | Required if not running in pipeline mode |
| -fail | Returns exit code 1 when Tenable Cloud Security detects high severity violations. | Optional |
| -verbose | Print detailed logs along with the output. | Optional |
| -pulltfstate | Pull the Terraform state file from a remote data store (S3 buckets on AWS). This option downloads the state file and also triggers a cloud scan. | Optional. Only applicable for the accurics plan command. |
| -tfstate=<statefile_path> | Specify the file path of the locally stored state file. For example: accurics plan -config=<config file> -tfstate=<statefile_path>. This command uses the provided state file and triggers a cloud scan. | Optional |
| -cloudscan | Trigger a cloud scan from the CLI. Tenable Cloud Security downloads the file from the S3 bucket if you provide the S3 bucket details during repository configuration on the Tenable Cloud Security Console. | Optional |
| -planjson=<file> | Specify the Terraform plan JSON output file with the accurics plan command to use that file for scanning. | Optional. Only applicable for the accurics plan command. |
| -mode=pipeline | Set the mode to pipeline. | Required for pipeline mode. Optional if you specify the configuration file. |
| -token=<token> | Specify the authentication token. | Required for pipeline mode. Optional if you specify the configuration file. |
| -appurl=<application_url> | Specify the URL of the Tenable Cloud Security console. | Required for pipeline mode. Optional if you specify the configuration file. |
| -project=<project_ID> or -env=<environment ID> | Specify the project in Tenable Cloud Security. | Optional |
| -test | Results of the IaC scan are not pushed to the Tenable Cloud Security Console. | Optional. Supported with CLI version 1.0.42 and higher. |
| -var-file | If a variable file is used with Terraform plan, specify the relative path to the file. For example, -var-file=/varDefs/values.tfvars | Optional |
| <custom_variable> | Specify a custom parameter name and provide a value for it. For example, var="foo=bar" | Optional |

Environment Variables

| Option | Description | Required/Optional |
|---|---|---|
| ACCURICS_APP_ID | Specify the application ID. | Required |
| ACCURICS_ENV_ID | Specify the project ID. | Required |
| ACCURICS_REPO_NAME | Specify the repository name. | Required |
| ACCURICS_URL | Specify the URL endpoint. | Optional |
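
A CI gate built from the options and environment variables above, as an added example that is not Tenable's own code: it checks the required variables, picks pipeline mode or a configuration file, adds -fail, and maps the exit code to a build result. The names TCS_APP_URL, TCS_API_TOKEN, TCS_DRY_RUN, ACCURICS_BIN and RUN_GATE are hypothetical; the accurics flags are the ones listed on this page.

```shell
#!/bin/sh
# Added example, not vendor code: CI gate around `accurics plan`.
# Hypothetical names: TCS_APP_URL, TCS_API_TOKEN, TCS_DRY_RUN, ACCURICS_BIN, RUN_GATE.

# Print the required environment variables that are unset or empty.
missing_env() {
  out=""
  for v in ACCURICS_APP_ID ACCURICS_ENV_ID ACCURICS_REPO_NAME; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || out="$out $v"
  done
  echo "${out# }"
}

# Print the config file to pass to -config, in the documented lookup order.
find_config() {
  for f in ./config "$HOME/.accurics/config"; do
    [ -f "$f" ] && { echo "$f"; return 0; }
  done
  return 1
}

# Run the scan. Returns 2 on a preflight failure, otherwise the CLI exit code
# (with -fail, exit code 1 is documented for high severity violations).
run_gate() {
  m=$(missing_env)
  [ -z "$m" ] || { echo "unset required variables: $m" >&2; return 2; }
  set -- plan
  if [ -n "${TCS_APP_URL:-}" ] && [ -n "${TCS_API_TOKEN:-}" ]; then
    # Pipeline mode: the token comes from a CI secret, never from the script.
    set -- "$@" -mode=pipeline "-appurl=$TCS_APP_URL" "-token=$TCS_API_TOKEN"
  elif cfg=$(find_config); then
    set -- "$@" "-config=$cfg"
  else
    echo "need TCS_APP_URL and TCS_API_TOKEN, or a config file" >&2; return 2
  fi
  set -- "$@" -fail
  [ "${TCS_DRY_RUN:-0}" != 1 ] || set -- "$@" -test   # keep results off the console
  # Do not echo "$@" or enable `set -x` here: the arguments hold the token.
  rc=0
  "${ACCURICS_BIN:-accurics}" "$@" || rc=$?
  case $rc in
    0) echo "scan passed" ;;
    1) echo "exit code 1: high severity violations, failing the build" >&2 ;;
    *) echo "scan did not complete (exit $rc)" >&2 ;;
  esac
  return "$rc"
}

[ "${RUN_GATE:-0}" != 1 ] || run_gate   # set RUN_GATE=1 to run the gate
```

Run it from the directory that holds the Terraform files, with RUN_GATE=1 and the three required ACCURICS_* variables set by the pipeline.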