Scan a Registry via the Tenable Container Security Scanner

The following feature is not supported in Tenable Vulnerability Management Federal Risk and Authorization Management Program (FedRAMP) environments. For more information, see the FedRAMP Product Offering.

Required Additional License: Tenable Container Security

Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or Administrator

Run the Container Security Scanner in Registry Import mode to scan all images in a registry.

Before you begin:

To run the Container Security Scanner in Registry Import mode:

  1. In the command-line interface of the machine where you want to run the scanner, run the customized configuration and command for your deployment type using the following parameters:

    Note: Some of the following variables are not required to run the scanner. For information about these variables and their definitions, see Environment Variables.

    docker run \
    -e TENABLE_ACCESS_KEY=<variable> \
    -e TENABLE_SECRET_KEY=<variable> \
    -e IMPORT_REPO_NAME=<variable> \
    -e REGISTRY_URI=<variable> \
    -e REGISTRY_USERNAME=<variable> \
    -e REGISTRY_PASSWORD=<variable> \
    -e IMPORT_INTERVAL_MINUTES=<variable> \
    -i tenableio-docker-consec-local.jfrog.io/cs-scanner:latest import-registry
  2. Press Enter.

    The Container Security Scanner scans all images in the registry.
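The command above places the API keys and registry password on the docker command line, where they are visible in the process list. The following added example (not Tenable's own code) uses the `-e NAME` form of `docker run`, which copies each value from the calling environment instead. The function names and the choice of which variables to treat as mandatory are assumptions; confirm the latter against Environment Variables.

```shell
#!/bin/sh
# Added example: run the scanner without secret values on the command line.
# `docker run -e NAME` (no "=value") passes NAME from the caller's environment.

# Variable names taken from the documented command.
SCANNER_VARS="TENABLE_ACCESS_KEY TENABLE_SECRET_KEY IMPORT_REPO_NAME REGISTRY_URI REGISTRY_USERNAME REGISTRY_PASSWORD IMPORT_INTERVAL_MINUTES"
# Assumption: these three are treated as mandatory in this example.
REQUIRED_VARS="TENABLE_ACCESS_KEY TENABLE_SECRET_KEY REGISTRY_URI"
SCANNER_IMAGE="tenableio-docker-consec-local.jfrog.io/cs-scanner:latest"

# Print one "-e NAME" flag per variable that is set and non-empty.
# Fails (and prints nothing on stdout) if a mandatory variable is empty.
# eval is safe here: the names come only from the fixed lists above.
scanner_env_flags() {
    for name in $REQUIRED_VARS; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "missing required variable: $name" >&2
            return 1
        fi
    done
    flags=""
    for name in $SCANNER_VARS; do
        eval "value=\${$name:-}"
        if [ -n "$value" ]; then
            flags="$flags -e $name"
        fi
    done
    echo "${flags# }"
}

# Run the scanner in Registry Import mode with inherited values.
run_scanner() {
    flags=$(scanner_env_flags) || return 1
    # docker only sees exported variables, so export the known names.
    # shellcheck disable=SC2086,SC2163
    export $SCANNER_VARS
    # Word splitting of $flags is intended: it holds only "-e" and names.
    # shellcheck disable=SC2086
    docker run $flags -i "$SCANNER_IMAGE" import-registry
}
```

Load the values into the shell from a secrets manager or an interactive prompt, source this file, then call `run_scanner`.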

What to do next: