Scan a Registry via the Container Security Scanner
The following feature is not supported in Tenable.io Federal Risk and Authorization Management Program (FedRAMP) environments. For more information, see the FedRAMP Product Offering.
Required Additional License: Container Security
Required Tenable.io Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or Administrator
Run the CS Scanner in Registry Import mode to scan all images in a registry.
Before you begin:
- Confirm your machine meets the system requirements described in Container Security Scanner System Requirements.
- Download the CS Scanner, as described in Download the CS Scanner.
- Prepare your environment variable values, as described in Environment Variables.
- (Optional) To scan images hosted in an Amazon Web Services (AWS) Elastic Container Registry (ECR), an Azure registry, or a Google Container Registry (GCR), prepare your registry as described in Prepare your Registry.
To run the CS Scanner in Registry Import mode:
- In the command-line interface of the machine where you want to run the scanner, run the customized configuration and command for your deployment type using the following parameters:
Note: Some of the following variables are not required to run the scanner. For information about these variables and their definitions, see Environment Variables.
docker run \
-e TENABLE_ACCESS_KEY=<variable> \
-e TENABLE_SECRET_KEY=<variable> \
-e IMPORT_REPO_NAME=<variable> \
-e REGISTRY_URI=<variable> \
-e REGISTRY_USERNAME=<variable> \
-e REGISTRY_PASSWORD=<variable> \
-e IMPORT_INTERVAL_MINUTES=<variable> \
-i tenableio-docker-consec-local.jfrog.io/cs-scanner:latest import-registry
- Press Enter.
The CS Scanner scans all images in the registry.
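The following wrapper is an added example, not part of the Tenable documentation. It runs the command above but passes each variable to docker by name (`-e NAME`), so the API secret key and registry password are taken from the exported environment and never appear in the docker command line or process listing. The variable names and image come from the command above; the function names, the `DOCKER` dry-run override, and the set of variables treated as required are assumptions.

```shell
#!/bin/sh
# Added example (not Tenable's code). Variable names and the image are from the
# documented command; function names and the DOCKER override are assumptions.

CS_IMAGE="tenableio-docker-consec-local.jfrog.io/cs-scanner:latest"
CS_VARS="TENABLE_ACCESS_KEY TENABLE_SECRET_KEY IMPORT_REPO_NAME REGISTRY_URI"
CS_VARS="$CS_VARS REGISTRY_USERNAME REGISTRY_PASSWORD IMPORT_INTERVAL_MINUTES"
# Assumed minimum set; confirm against Environment Variables for your deployment.
CS_REQUIRED="TENABLE_ACCESS_KEY TENABLE_SECRET_KEY IMPORT_REPO_NAME REGISTRY_URI"

# True if the variable is exported and non-empty. docker's `-e NAME` form only
# forwards exported variables, so a plain shell assignment is not enough.
cs_is_exported() {
    [ -n "$(printenv "$1" 2>/dev/null)" ]
}

# Print the names in CS_REQUIRED that are not exported (empty output = ready).
cs_missing() {
    missing=""
    for name in $CS_REQUIRED; do
        cs_is_exported "$name" || missing="$missing $name"
    done
    printf '%s\n' "${missing# }"
}

# Run the scanner in Registry Import mode. Set DOCKER=echo for a dry run that
# prints the docker arguments instead of executing them.
cs_scanner_run() {
    missing=$(cs_missing)
    if [ -n "$missing" ]; then
        echo "not exported: $missing" >&2
        return 2
    fi
    set -- run
    for name in $CS_VARS; do
        # -e NAME (no "=value"): docker copies the value from this environment,
        # so the secret is never part of the command line.
        if cs_is_exported "$name"; then set -- "$@" -e "$name"; fi
    done
    "${DOCKER:-docker}" "$@" -i "$CS_IMAGE" import-registry
}
```

Source the file, export the variables from your secret store, then call `cs_scanner_run`; optional variables that are not exported are left out of the command.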
What to do next:
- View the results of your scan, as described in View Scan Results for Container Images.