Tenable Cloud Security Commands and Options
This section lists the following Tenable Cloud Security commands and parameters:
Commands
Tenable Cloud Security CLI supports the following commands:
Command | Description |
---|---|
init | This command is a wrapper over the terraform init command. Syntax: accurics init |
configure | This command prompts you to provide the endpoint of the Tenable Cloud Security Console and creates a configuration file that you can use while running the accurics plan command. Syntax: accurics configure |
workspace | This command is a wrapper over the terraform workspace command. |
version | Shows the Tenable Cloud Security CLI version. |
Command | Description |
---|---|
plan | Use this command for plan-based analysis. This command supports only Terraform files. This command detects violations in the Terraform files located in the current directory. Syntax: |
tgplanall or plan-all | This command detects violations in the Terragrunt/Terraform files that are in the current directory and within each subfolder. Syntax: |
tgplan | This command detects violations in the Terragrunt/Terraform files in the current directory. Use this command if you do not want to run the terragrunt plan-all command and want to scan individual folders under the main Terragrunt folder. In the following example, topfolder is the top-level folder and folder1 and folder2 are subfolders. You can run the accurics tgplan command on one folder at a time. Syntax: |
scan | This command is for static analysis and uses Terrascan (github.com/accurics/terrascan) to scan different IaC types. Supports the following IaC types: Syntax: |
Tenable Cloud Security CLI supports the following options with the accurics plan and accurics scan commands:
Option | Description | Required/Optional |
---|---|---|
-config=<configfile_path> | Specify the configuration file location that you downloaded from Tenable Cloud Security. This option accepts absolute or relative file paths (defaults to ./config, then checks <HOMEDIR>/.accurics/config). | Required if not running the pipeline mode |
-fail | Returns exit code 1 when Tenable Cloud Security detects high severity violations. | Optional |
-verbose | Print detailed logs along with the output. | Optional |
-pulltfstate | Pull the Terraform state file from a remote data store (S3 buckets on AWS). This option downloads the state file and also triggers a cloud scan. | Optional. Only applicable for the accurics plan command. |
-tfstate=<statefile_path> | Specify the file path of the locally stored state file. For example: accurics plan -config=<config file> -tfstate=<statefile_path> | Optional |
-cloudscan | Trigger a cloud scan from the CLI. Tenable Cloud Security downloads the file from the S3 bucket if you provide the S3 bucket details during repository configuration on the Tenable Cloud Security Console. | Optional |
-planjson=<file> | Specify the Terraform plan JSON output file with the accurics plan command to use that file for scanning. | Optional. Only applicable for the accurics plan command. |
-mode=pipeline | Set the mode to pipeline. | Required for pipeline mode. Optional if you specify the configuration file. |
-token=<token> | Specify the authentication token. | Required for pipeline mode. Optional if you specify the configuration file. |
-appurl=<application_url> | Specify the URL of the Tenable Cloud Security console. | Required for pipeline mode. Optional if you specify the configuration file. |
-project=<project_ID> or -env=<environment ID> | Specify the project in Tenable Cloud Security. | Optional |
-test | Results of the IaC scan are not pushed to the Tenable Cloud Security Console. | Optional. Supported with CLI version 1.0.42 and higher. |
-var-file | If a variable file is used with Terraform plan, specify the relative path to the file. For example, -var-file=/varDefs/values.tfvars | Optional |
<custom_variable> | Specify a custom parameter name and provide a value for it. For example, var="foo=bar" | Optional |
Environment Variables
Variable | Description | Required/Optional |
---|---|---|
ACCURICS_APP_ID | Specify the application ID. | Required |
ACCURICS_ENV_ID | Specify the project ID. | Required |
ACCURICS_REPO_NAME | Specify the repository name. | Required |
ACCURICS_URL | Specify the URL endpoint. | Optional |
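The following wrapper is an added example, not part of the Tenable documentation. It shows how the pipeline-mode options and the -fail exit code listed above can gate a CI job. ACCURICS_TOKEN, ACCURICS_BIN and IAC_DRY_RUN are names invented for this sketch, and checking the three Required environment variables before a pipeline-mode run is an assumption.

```sh
#!/bin/sh
# Added example, not Tenable's code: gate a CI job on `accurics plan -fail`.
# ACCURICS_TOKEN, ACCURICS_BIN and IAC_DRY_RUN are names invented for this sketch.

# Print the names of the Required environment variables that are unset or empty.
missing_env() {
  for name in ACCURICS_APP_ID ACCURICS_ENV_ID ACCURICS_REPO_NAME; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || printf '%s ' "$name"
  done
}

# Run a pipeline-mode plan scan and hand the CLI's exit status back to the CI job.
# $1 = console URL for -appurl, $2 = optional plan JSON file for -planjson.
iac_gate() {
  appurl=$1
  planjson=${2:-}
  missing=$(missing_env)
  if [ -n "$missing" ]; then
    echo "iac_gate: unset environment variables: $missing" >&2
    return 2
  fi
  if [ -z "${ACCURICS_TOKEN:-}" ]; then
    echo "iac_gate: ACCURICS_TOKEN is not set (inject it from the CI secret store)" >&2
    return 2
  fi
  # -token puts the secret in argv, so keep shell tracing (set -x) off in this job.
  set -- plan -mode=pipeline "-appurl=$appurl" "-token=$ACCURICS_TOKEN" -fail
  [ -z "$planjson" ] || set -- "$@" "-planjson=$planjson"
  # IAC_DRY_RUN=1 adds -test so results are not pushed to the console (CLI 1.0.42+).
  [ "${IAC_DRY_RUN:-0}" != 1 ] || set -- "$@" -test
  status=0
  "${ACCURICS_BIN:-accurics}" "$@" || status=$?
  if [ "$status" -ne 0 ]; then
    # With -fail, exit code 1 means high severity violations were detected.
    echo "iac_gate: accurics exited $status, blocking the build" >&2
  fi
  return "$status"
}
```

Call iac_gate with the console URL as the last step of the job so that its return value becomes the job result.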