Repository Configuration Parameters
In Tenable Cloud Security, you can configure a list of parameters for your IaC repository scan. Providing IaC parameters improves violation detection and the mapping of IaC definitions to cloud resources.
Note: If the specified variables are invalid, the IaC scan might fail.
Some parameters are only available for plan-based setup, whereas general configuration parameters are available with and without plan-based setup.
General Configuration Parameters (with and without Plan-Based Setup)
Name | Description |
---|---|
BRANCH_NAME | The name of a branch in the source code repository which you want to scan. If you do not specify this parameter, Tenable Cloud Security scans the default branch. |
On-premises Code Scanner Configuration Parameters
Name | Description |
---|---|
REPO_TYPE | Depending on the repository type to onboard, Tenable Cloud Security automatically sets this parameter to github, bitbucket, or gitlab. |
ON_PREM | Tenable Cloud Security automatically sets this parameter to True when scanning an on-premises repository. |
Parameters for Terraform Private Modules
Name | Description |
---|---|
TFC_HOST_NAME | The hostname of Terraform Cloud. Use app.terraform.io as the hostname value. |
TFC_USER_TOKEN | The API token used to authenticate with Terraform Cloud. For more information, see authentication in the Terraform Cloud documentation. |
Plan-Based Parameters
Tenable Cloud Security provides you with the plan-based setup for specifying run-time parameters during an IaC scan.
To view and manage repository configuration parameters:
- On the Repositories page, click the button. The Advanced Settings window appears.
- Click the Plan based setup toggle. All plan-based repository configuration parameter options appear.
The following tables explain the repository configuration parameters available in the plan-based setup:
AWS Configuration Parameters
Name | Description |
---|---|
TFSTATE_URL | The URL of the AWS S3 bucket that contains the state file. |
TFSTATE_ASSUME_ROLE_ARN | The AWS role that has read-only access to the S3 bucket containing the state file. |
TFSTATE_EXTERNAL_ID | (Optional) The external ID of the AWS role that has read-only access to the S3 bucket containing the state file. |
BUCKET_REGION | The AWS region of the S3 bucket containing the state file. |
Microsoft Azure Configuration Parameters
Name | Description |
---|---|
AZURE_STORAGE_ACCOUNT | The storage account on Azure. |
AZURE_STORAGE_ACCESS_KEY | The access key for the storage account on Azure. |
TFSTATE_CONTAINER_NAME | The name of the Azure container that contains the state file. |
TFSTATE_FILE_NAME | The name of the state file located on Azure. |
Terraform Plan File Parameters
Name | Description |
---|---|
CONSOLE_FILE | The repository path to the console file generated by the Terraform plan file. This parameter is only applicable for Terraform v11. If you do not specify this parameter, Tenable Cloud Security scans the repository path. |
PLAN_FILE | The repository path to the Terraform plan file. This parameter is only applicable for Terraform v11 and v12. This is a binary file and must be plan output generated on the Linux operating system. If you do not specify this parameter, Tenable Cloud Security scans the repository path. |
Terraform Workspace Parameters
Name | Description |
---|---|
TERRAFORM_WORKSPACE | (Optional) The name of the Terraform workspace. While running the Terraform plan, Tenable Cloud Security replaces any Terraform code that uses the Terraform workspace value with this value. If you do not specify this parameter, Tenable Cloud Security scans the default workspace. |
TF_ASSUME_ROLE_ARN | The name of the role that has read-only access to run the Terraform plan. The role is assumed before the Terraform plan is invoked so that the plan does not fail with access-denied errors. |
Terraform Module Parameters
Name | Description |
---|---|
MODULE | The name of the module to scan in the code file. Tenable Cloud Security only scans the specified module. |
SUBMODULE | The name of the submodule to scan if using a public module. Specify the SUBMODULE_HTTP parameter along with this parameter. |
SUBMODULE_HTTP | The URL of the submodule if using a public module. |
Custom Parameters
Name | Description |
---|---|
var-file | If the variable file is used within the Terraform plan, the relative path to the file. |
<custom_variable> | Specify a custom parameter and provide a value (<value1>) for it. The custom parameter is processed using the following syntax: -var key1=value1 |
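Because an invalid parameter set can make the IaC scan fail, it helps to check a repository's parameter map before saving it. The following is an added example (not Tenable's code) that validates the parameter groupings described in the tables above and renders the custom parameters and var-file into the `-var key1=value1` / `-var-file` arguments the page describes; the grouping rules are restated from the tables, and the assumption that every key not in the tables is a custom variable is this example's own.

```python
"""Validate a Tenable Cloud Security repository parameter map and derive the
Terraform CLI arguments it implies. Added example, not Tenable's own code:
parameter names come from the reference tables; treating every other key as a
custom variable is an assumption of this example."""

# Every documented parameter name; anything else is treated as a custom variable.
KNOWN = {
    "BRANCH_NAME", "REPO_TYPE", "ON_PREM", "TFC_HOST_NAME", "TFC_USER_TOKEN",
    "TFSTATE_URL", "TFSTATE_ASSUME_ROLE_ARN", "TFSTATE_EXTERNAL_ID", "BUCKET_REGION",
    "AZURE_STORAGE_ACCOUNT", "AZURE_STORAGE_ACCESS_KEY", "TFSTATE_CONTAINER_NAME",
    "TFSTATE_FILE_NAME", "CONSOLE_FILE", "PLAN_FILE", "TERRAFORM_WORKSPACE",
    "TF_ASSUME_ROLE_ARN", "MODULE", "SUBMODULE", "SUBMODULE_HTTP", "var-file",
}
# Parameters that only make sense as a complete set (TFSTATE_EXTERNAL_ID is optional).
AWS_STATE = {"TFSTATE_URL", "TFSTATE_ASSUME_ROLE_ARN", "BUCKET_REGION"}
AZURE_STATE = {"AZURE_STORAGE_ACCOUNT", "AZURE_STORAGE_ACCESS_KEY",
               "TFSTATE_CONTAINER_NAME", "TFSTATE_FILE_NAME"}


def validate(params: dict) -> list:
    """Return a list of problems; an empty list means the set is consistent."""
    problems = []
    # SUBMODULE must be accompanied by SUBMODULE_HTTP.
    if "SUBMODULE" in params and "SUBMODULE_HTTP" not in params:
        problems.append("SUBMODULE requires SUBMODULE_HTTP")
    # A partially filled state-backend group is a likely misconfiguration.
    for name, group in (("AWS state", AWS_STATE), ("Azure state", AZURE_STATE)):
        present = group & params.keys()
        if present and present != group:
            problems.append(f"{name}: missing {sorted(group - present)}")
    # The Terraform Cloud hostname must be app.terraform.io.
    if params.get("TFC_HOST_NAME") not in (None, "app.terraform.io"):
        problems.append("TFC_HOST_NAME must be app.terraform.io")
    return problems


def plan_args(params: dict) -> list:
    """Render var-file and custom parameters as terraform plan arguments."""
    args = []
    if "var-file" in params:
        args += ["-var-file", params["var-file"]]
    for key, value in params.items():
        if key not in KNOWN:  # custom parameter -> -var key=value
            args += ["-var", f"{key}={value}"]
    return args


if __name__ == "__main__":
    # Constructed sample: an AWS plan-based setup missing its role ARN.
    sample = {"TFSTATE_URL": "s3://example-state/prod.tfstate", "BUCKET_REGION": "us-east-1",
              "var-file": "env/prod.tfvars", "instance_type": "t3.micro"}
    print(validate(sample), plan_args(sample))
```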