Repository Configuration Parameters

In Tenable.cs, you can configure a list of parameters for your IaC repository scan. You can provide IaC parameters to improve violation detection and IaC to cloud resource mapping.

Note: If the specified variables are invalid, the IaC scan might fail.

Some parameters are only available for plan-based setup, whereas general configuration parameters are available with and without plan-based setup.

General Configuration Parameters (with and without Plan-Based Setup)

Name Description
BRANCH_NAME The name of a branch in the source code repository which you want to scan. If you do not specify this parameter, Tenable.cs scans the default branch.

On-premises Code Scanner Configuration Parameters

Name Description
REPO_TYPE Depending on the repository type to onboard, Tenable.cs automatically sets this parameter to github, bitbucket, or gitlab.
ON_PREM Tenable.cs automatically sets this parameter to True when scanning an on-premises repository.

Parameters for Terraform Private Modules

Note: On-premises repositories do not support Terraform private module parameters.
Name Description
TFC_HOST_NAME The hostname of Terraform Cloud. Use app.terraform.io as the hostname value.
TFC_USER_TOKEN

The API token to authenticate with the Terraform Cloud.

For more information, see authentication in Terraform Cloud documentation.

Plan-Based Parameters

Tenable.cs provides you with the plan-based setup for specifying run-time parameters during an IaC scan.

To view and manage repository configuration parameters:

  1. On the Repositories page, click the button.

    The Advanced Settings window appears.

  2. Click the Plan based setup toggle.

    All plan-based repository configuration parameter options appear.

The following tables explain the repository configuration parameters available in the plan-based setup:

AWS Configuration Parameters

Name Description
TFSTATE_URL The URL of the AWS S3 bucket that contains the state file.
TFSTATE_ASSUME_ROLE_ARN The AWS role that has read-only access to the S3 bucket containing the state file.
TFSTATE_EXTERNAL_ID (Optional) The external ID of the AWS role that has read-only access to the S3 bucket containing the state file.
BUCKET_REGION The AWS region of the S3 bucket containing the state file.

Microsoft Azure Configuration Parameters

Name Description
AZURE_STORAGE_ACCOUNT The storage account on Azure.
AZURE_STORAGE_ACCESS_KEY The access key for the storage account on Azure.
TFSTATE_CONTAINER_NAME The name of the Azure container that contains the state file.
TFSTATE_FILE_NAME The name of the state file located on Azure.

Terraform Plan File Parameters

Name Description
CONSOLE_FILE The repository path to the console file generated by the Terraform plan file. This parameter is only applicable for Terraform v11. If you do not specify this parameter, Tenable.cs scans the repository path.
PLAN_FILE The repository path to the Terraform plan file. This parameter is only applicable for Terraform v11 and v12. This is a binary file and must be from the Linux operating plan output. If you do not specify this parameter, Tenable.cs scans the repository path.

Terraform Workspace Parameters

Name Description
TERRAFORM_WORKSPACE (Optional) The name of the Terraform workspace. While running the Terraform plan, Tenable.cs replaces any Terraform code that uses the Terraform workplace value with this value. If you do not specify this parameter, Tenable.cs scans the default workspace.
TF_ASSUME_ROLE_ARN The name of the role that has read-only access to run the Terraform plan. The role is assumed/used before calling the Terraform plan to ensure that the Terraform plan avoids any access denial errors.

Terraform Module Parameters

Name Description
MODULE The name of the module to scan in the code file. Tenable.cs only scans the specified module.
SUBMODULE The name of the submodule to scan if using a public module. Specify the SUBMODULE_HTTP parameter along with this parameter.
SUBMODULE_HTTP The URL of the submodule if using a public module.

Custom Parameters

Name Description
var-file If the variable file is used within the Terraform plan, the relative path to the file.
<custom_variable> Specify a custom parameter and provide a value (<value1>) for it. The custom parameter is processed using the following syntax: -var key1=value1