Connect Repositories

Required Tenable Cloud Security User Role: Administrator.

Before Tenable Cloud Security starts monitoring the code in your repositories, you must connect your repositories to Tenable Cloud Security Console. You can connect using one of the following methods:

  • Connect to a Repository Using Version Control

    Connect your repository using Azure DevOps, AWS CodeCommit, Bitbucket, GitHub, or GitLab.

    Note: To set up an SCM integration, Tenable Cloud Security requires an admin-level account. This allows Tenable Cloud Security to grant itself as an authorized OAuth application to discover and scan all Infrastructure as Code (IaC) projects across all repositories within your SCM account. The admin-level privileges also allow Tenable Cloud Security to create a webhook for auto-remediation and inline reviews to automate pull requests with remediation details.
  • Connect to a Repository Using the CLI

    Download and install command-line interface (CLI) on your system to scan your IaC repositories.

Note: Make sure that the repository names do not have any special characters.

Tenable recommends connecting a repository using version control when you want to:

  • Connect to your version control provider, for example, GitHub.

  • Scan your infrastructure as code (IaC).

To connect a repository using version control:

  1. In the left navigation bar, click > Connection > Repository.

    The Connect to repository page appears.

  2. In the Choose a workflow to discover repo(s) section, click Version control (recommended).

  3. Click Continue.

  4. In the Connect to a version control provider section, select one of the following version control system providers:

    A new window appears.

  5. Follow the on-screen instructions to grant Tenable Cloud Security Console access to your repository.
  6. Click Continue.
  7. In the Choose onboarding repositories section, connect to your repositories in one of the following ways:

    8. To connect to all your repositories automatically:

    1. Select the Onboard all repositories automatically check box.

    2. Click Onboard All.

      The Projects & Connections page appears. Tenable Cloud Security creates a separate project for each repository type. For example, the Default Gitlab Repositories contains all GitHub repositories.

      Tenable Cloud Security automatically starts the scan for the onboarded repositories.

    3. Click to refresh and view the status of the scan for each project.

    To connect your repositories manually:

    1. In the list of repositories, select the required repositories.

      Tip: You can search for repositories by their name.

    2. If you want to scan only a particular branch or folder of a repository, click the button next to the repository name.

      The Select branch drop-down box appears.

    3. Select the branch you want to scan.

    4. From the Select Folder check box, select the folders to scan.

    Note: If you do not select the branch for a repository, Tenable Cloud Security uses the default branch with the root folder.
    Important: If you have selected plan-based setup, ensure that there are Terraform (.tf) files in the selected branch; otherwise, the IaC scan fails.

    To add a custom or public repository:

    1. Click Add Custom / Public Repository.

    2. Type the name and folder path of the repository you want to add.

    3. Click Add.

    Note: The file and folder hierarchy structure of the repository depends on the version control provider. For example, Bitbucket and GitLab list the folders first and then the files, whereas GitHub lists the files and folders alphabetically.

    Tenable Cloud Security connects to the repository.

  8. (Optional) To configure advanced settings for a repository:

    1. Select a repository.

    2. In the Advanced settings field, click for the selected repository.

      A window appears.

    3. In the IaC engine type drop-down box, select one of the following engine types:

      • Terraform
      • CloudFormation
      • Kubernetes YAML
      • Helm Chart
      • Kustomize YAML
      • Terragrunt
      • Azure Resource Manager

      For more information about IaC engine types, see IaC Engine Types.

    4. In the Select version drop-down box, select the engine version.

    5. (Optional) Click the Enable Webhook toggle to allow Tenable Cloud Security to monitor your repository continuously for any changes.

    6. For Terraform and TerragruntIaC types, in the Auto-remediate settings drop-down box, select an option to indicate how to handle found violations:

      • Auto-remediate: Tenable Cloud Security automatically fixes any violations. For more information, see Set up Auto-Remediation.
      • Inline reviews: Tenable Cloud Security automatically creates an issue for the violation. For more information, see Set up Inline Reviews.
      • None: Tenable Cloud Security takes no action.

    7. To add custom parameters to the repository configuration for Terraform and TerragruntIaC types:

      1. (Optional) For plan-based setup, click the Plan based setup toggle.
      2. In the left drop-down box, select a parameter.
      3. In the text box, type the value for the selected parameter.

      For more information, see Repository Configuration Parameters.

    8. Click Save.

  9. Click Continue.
  10. In the Choose projects to add the repository to section, do one of the following:

    • Add a new project:

      1. Click Add a project.

      2. Enter the name of a project.

      3. Click Add.

    • Select a project from the list of existing projects.

      Tip: You can search for projects by their name.

  11. Click Connect.

    Tenable Cloud Security adds the newly connected repository to the Projects & Connections page.

Tenable recommends connecting a repository using the CLI when you want to:

  • Integrate a command-line interface with a continuous integration / continuous deployment (CI/CD) tool, for example, Jenkins.

  • Run a command-line interface locally to discover resources and violations in an infrastructure as code (IaC) repository.

To connect a repository using CLI:

  1. In the left navigation bar, click > Connection > Repository.

  2. In the Choose a workflow to discover repo(s) section, click CLI driven.

  3. Click Continue.

  4. Click Continue.

  5. In the CLI usage instructions section, follow the on-screen instructions.

    For more information, see Install or Upgrade the CLI.

  6. Click Done.

    Tenable Cloud Security adds the newly connected repository to the Projects & Connections page.

What to do next:

In the row corresponding to the project to which you have added the repository, click > IaC scan to run an IaC scan for the repository.