Scan an Image via the Container Security Scanner

The following feature is not supported in Tenable.io Federal Risk and Authorization Management Program (FedRAMP) environments. For more information, see the FedRAMP Product Offering.

Required Additional License: Container Security

Required Tenable.io Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or Administrator

Run the CS Scanner in Image Inspect mode to scan a single image.

Before you begin:

• Download the image you want to scan to your local machine.
• Confirm your local machine meets the system requirements, as described in CS Scanner System Requirements.
• Download the CS Scanner, as described in Download the CS Scanner.
• Prepare your environment variable value, as described in the Environment Variables.

To run the CS Scanner in Image Inspect mode:

1. In the command-line interface of the machine where you want to run the scanner, run the customized configuration and command for your deployment type using the following parameters:

   Note: Some of the following variables are not required to run the scanner. For information about these variables and their definitions, see Environment Variables.

   Copy

   docker save <your image name as it appears in the repository> | docker run \
   -e TENABLE_ACCESS_KEY=<variable> \
   -e TENABLE_SECRET_KEY=<variable> \
   -e IMPORT_REPO_NAME=<variable> \
   -i tenableio-docker-consec-local.jfrog.io/cs-scanner:latest inspect-image <Image name as you want it to appear in Tenable.io>

2. Press Enter.

   The CS Scanner scans the image.

What to do next:

• View the results of your scan, as described in View Scan Results for Container Images.