Container Security Scanner Environment Variables

You must use the CLI on your computer to configure your environment variables and run the CS Scanner.

You can configure and run the CS Scanner as many times as necessary, using any combination of registries and registry sources.

Environment Variables

Each entry below gives the variable's description, followed by its type, whether it is required, and the scan mode that supports it (Image Inspect, Registry Import, or both).
TENABLE_ACCESS_KEY

Your Tenable.io API access key.

Type: String. Required: Yes. Supported mode: Image Inspect or Registry Import.

TENABLE_SECRET_KEY

Your Tenable.io API secret key.

Type: String. Required: Yes. Supported mode: Image Inspect or Registry Import.

IMPORT_REPO_NAME

The name of the CS Scanner repository where you want to import the image. This name cannot contain spaces.

The repository name must meet the following requirements:

  • Contains 64 characters or fewer.
  • Contains only alphanumeric characters, dashes (-), underscores (_), or periods (.).
  • Begins with an alphanumeric character.
  • Contains no uppercase letters.

Type: String. Required: Yes. Supported mode: Image Inspect or Registry Import.

REGISTRY_URI

The URI of the registry from which you want to import the image.

Type: String. Required: No. Supported mode: Registry Import.

REGISTRY_USERNAME

Your username for authenticating to the registry you want to scan.

Set this variable if you want to authenticate to the registry.

Your username variable depends on the registry you want to scan:

  • Amazon Web Services (AWS) Elastic Container Registry (ECR) — Type your AWS access key ID as your username. For information about how to obtain your access key ID, see the AWS Documentation.
  • Azure registry — Type your service principal ID for the registry. For more information about how to create a service principal, see Azure Documentation.
  • Google Cloud Platform (GCP) Google Container Registry (GCR) — Type your GCR account client email as it appears in the client_email field in the service account private key JSON file. For information about how to create and download your service account private key, see the Google Container Registry Documentation.
  • All other registries — Type the username you use to authenticate to the registry.

Type: String. Required: No. Supported mode: Registry Import.

REGISTRY_PASSWORD

Your password for authenticating to the registry from which you want to import the image.

Set this variable if you want to authenticate to the registry.

Your password depends on the registry you want to scan.

  • Amazon Web Services (AWS) Elastic Container Registry (ECR) — Type your AWS access secret key as your password. For information about how to obtain your access secret key, see the AWS Documentation.
  • Azure registry — Type your service principal password for the registry. For more information about how to create a service principal, see Azure Documentation.
  • Google Cloud Platform (GCP) Google Container Registry (GCR) — Type your GCR service account private key as it appears in the private_key field in the service account private key JSON file. For information about how to create and download your service account private key, see the Google Container Registry Documentation.
  • All other registries — Type the password you use to authenticate to the registry.

Type: String. Required: No. Supported mode: Registry Import.

TENABLE_PROXY

The URL for the HTTP proxy the CS Scanner uses to connect to Tenable.io.

Set this variable if the machine where you deployed the CS Scanner requires a proxy server to connect to Tenable.io.

Note: If the machine where you deployed the CS Scanner requires proxy connections to your registry and to Tenable.io, you can apply both the REGISTRY_PROXY variable and the TENABLE_PROXY variable to your configuration. Run the CS Scanner in Registry Import mode if you apply both variables.

Your TENABLE_PROXY variable depends on whether your proxy requires username and password authentication.

  • Authentication required — Type your proxy URL in the following format:

    <username>:<password>@<host>:<port>
  • Authentication not required — Type your proxy URL in the following format:

    <host>:<port>

Note: You can specify the host using the hostname (for example, example.com) or IP address (for example, 192.0.2.202).

Type: String. Required: No. Supported mode: Image Inspect or Registry Import.

REGISTRY_PROXY

The URL for the HTTP proxy the CS Scanner uses to connect to your registry.

Set this variable if the machine where you deployed the CS Scanner requires a proxy server to connect to the registry you want to scan.

Note: If the machine where you deployed the CS Scanner requires proxy connections to your registry and to Tenable.io, you can apply both the REGISTRY_PROXY variable and the TENABLE_PROXY variable to your configuration.

Your REGISTRY_PROXY variable depends on whether your proxy requires username and password authentication.

  • Authentication required — Type your proxy URL in the following format:

    <username>:<password>@<host>:<port>
  • Authentication not required — Type your proxy URL in the following format:

    <host>:<port>

Note: You can specify the host using the hostname (for example, example.com) or IP address (for example, 192.0.2.202).

Type: String. Required: No. Supported mode: Registry Import.

IMAGE_NAME_WHITELIST

Image name or tag assigned to images that you want the CS Scanner to include in your registry scan.

Include this variable if you want to run the CS Scanner in Registry Import mode and you want the scanner to include only images with a certain name or tag in the scan.

If you do not set this variable, CS Scanner scans all the images in your registry.

Note: You cannot include an IMAGE_NAME_WHITELIST variable and an IMAGE_NAME_BLACKLIST variable in the same scan configuration.

Your allow list variable depends on whether you want to include images based on name, tag, or both.

  • Name — Type the name assigned to images that you want included in the scan.

    For example, if you type -e IMAGE_NAME_WHITELIST=alpine, the CS Scanner scans only images named alpine.

  • Tag — Type the tag assigned to images that you want included in *:<tag> format.

    For example, if you type -e IMAGE_NAME_WHITELIST=*:latest, the CS Scanner scans only images with the latest tag.

  • Both — Type the image name and tag set assigned to images that you want included in <image>:<tag> format.

    For example, if you type -e IMAGE_NAME_WHITELIST=alpine:latest, only images named alpine that also have the latest tag are included in the scan.

Tip: You can use an asterisk (*) wild card character when specifying image name and tag values.

Tip: You can specify multiple allow list values by separating each with a comma (for example, -e IMAGE_NAME_WHITELIST=alpine1,alpine2,alpine3,*:latest).

Type: String. Required: No. Supported mode: Registry Import.

IMAGE_NAME_BLACKLIST

Image name or tag assigned to images that you want the CS Scanner to exclude from your registry scan.

Include this variable if you want to run the CS Scanner in Registry Import mode and you want the scanner to exclude certain images from the scan.

If you do not set this variable, the CS Scanner scans all the images in your registry.

Note: You cannot include an IMAGE_NAME_BLACKLIST variable and an IMAGE_NAME_WHITELIST variable in the same scan configuration.

Your block list variable depends on whether you want to exclude images based on name, tag, or both.

  • Name — Type the name assigned to images that you want excluded from the scan.

    For example, if you type -e IMAGE_NAME_BLACKLIST=alpine, the CS Scanner excludes only images named alpine.

  • Tag — Type the tag assigned to images that you want excluded from the scan in *:<tag> format.

    For example, if you type -e IMAGE_NAME_BLACKLIST=*:latest, the CS Scanner excludes only images with the latest tag.

  • Both — Type the image name and tag set assigned to images you want excluded in <image>:<tag> format.

    For example, if you type -e IMAGE_NAME_BLACKLIST=alpine:latest, only images named alpine that also have the latest tag are excluded from the scan.

Tip: You can use an asterisk (*) wild card character when specifying image name and tag values.

Tip: You can specify multiple block list values by separating each with a comma (for example, -e IMAGE_NAME_BLACKLIST=alpine1,alpine2,alpine3,*:latest).

Type: String. Required: No. Supported mode: Registry Import.

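As an added example (not Tenable's code), the following POSIX shell script reproduces the allow list and block list matching rules described in the IMAGE_NAME_WHITELIST and IMAGE_NAME_BLACKLIST entries above against a constructed image inventory, so you can preview which images a given value would select before handing it to the scanner. The page does not say how the scanner treats an untagged image; the script assumes a bare name pattern still matches it.

```shell
# cs_name_matches IMAGE PATTERN_LIST: returns 0 if any comma-separated pattern
# matches IMAGE. A pattern containing ':' is matched against name:tag
# ("*:latest", "alpine:latest"); a bare pattern is matched against the name
# only, so it selects that name with any tag. '*' is the wildcard, as on the page.
cs_name_matches() {
  image=$1
  case $image in *:*) name=${image%%:*} ;; *) name=$image ;; esac  # untagged image: name only (assumption)
  old_ifs=$IFS; set -f; IFS=','; set -- $2; set +f; IFS=$old_ifs  # split on commas without globbing
  for pat in "$@"; do
    case $pat in
      *:*) case $image in $pat) return 0 ;; esac ;;   # name:tag or *:tag pattern
      *)   case $name  in $pat) return 0 ;; esac ;;   # bare name pattern
    esac
  done
  return 1
}

# cs_filter_images whitelist|blacklist PATTERN_LIST IMAGE...: prints, on one
# line, the images the scanner would include in the registry scan.
cs_filter_images() {
  mode=$1; patterns=$2; shift 2
  case $mode in
    whitelist) want=1 ;;   # keep only images that match a pattern
    blacklist) want=0 ;;   # keep only images that match no pattern
    *) echo "mode must be whitelist or blacklist" >&2; return 2 ;;
  esac
  out=""
  for img in "$@"; do
    if cs_name_matches "$img" "$patterns"; then hit=1; else hit=0; fi
    if [ "$hit" -eq "$want" ]; then out="$out $img"; fi
  done
  echo "${out# }"
}

# Constructed inventory (not from a real registry) run through the page's own examples.
cs_demo() {
  inv="alpine:latest alpine:3.18 nginx:latest busybox:1.36 alpine1:edge"
  echo "WHITELIST=alpine           -> $(cs_filter_images whitelist alpine $inv)"
  echo "WHITELIST=*:latest         -> $(cs_filter_images whitelist '*:latest' $inv)"
  echo "WHITELIST=alpine1,*:latest -> $(cs_filter_images whitelist 'alpine1,*:latest' $inv)"
  echo "BLACKLIST=alpine:latest    -> $(cs_filter_images blacklist alpine:latest $inv)"
}
cs_demo
```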
CHECK_POLICY

If true, the CS Scanner sends a request to Tenable.io to verify whether the results of the scan include a violation of one or more compliance policies.

The message that CS Scanner provides in the output log depends on the results of the policy check.

  • Policy violation detected — CS Scanner provides the following message: This image does not pass your compliance policy.
  • No policy violation detected — CS Scanner provides the following message: image has passed your policy compliance.
  • Policy check timed out — CS Scanner provides the following message: Fatal error: Timed out trying to retrieve report.

If the policy check fails for any reason other than a policy violation or a policy check timeout, the CS Scanner generates a message specific to the error that caused the failure.

Tip: If you write custom code to automate image scanning via the CS Scanner, you can refer to the following exit codes to determine whether the image passed the policy check:
  • 0 — The image passed the policy check.
  • 1 — The policy check failed, due to timeout or some other error.
  • 2 — The image failed the policy check and is in violation of one or more compliance policies.

For information about Tenable.io Container Security policies, see Manage Container Security Policies.

Type: Boolean. Required: No. Supported mode: Image Inspect.

CHECK_POLICY_TIMEOUT

The amount of time, in seconds, that the CS Scanner waits for Tenable.io to finish scanning the image and complete the vulnerability detection analysis.

By default, the CS Scanner times out an unanswered policy check request after 600 seconds.

Note: CS Scanner does not set a maximum limit for the policy timeout value.

Type: Integer. Required: No. Supported mode: Image Inspect.

IMPORT_INTERVAL_MINUTES

The frequency, in minutes, you want the CS Scanner to import and scan images from the selected registry.

Set this variable if you want the scanner to run repeatedly at set intervals.

If you do not set this variable, the CS Scanner imports and scans images from the selected registry only once (the first time you scan the registry) and exits when the scan has finished.

Note: You can schedule the scanner to run at set intervals only when you scan a registry. You cannot set a schedule when you configure and run the scanner in Image Inspect mode.

Type: Integer. Required: No. Supported mode: Registry Import.

DEBUG_MODE

If true, the CS Scanner adds additional information to the scan's log to assist with debugging.

Note: Tenable recommends that you include this variable only if Tenable Support requests it.

Type: Boolean. Required: No. Supported mode: Image Inspect or Registry Import.

ALLOW_INSECURE_SSL_REGISTRY

If true, the CS Scanner accepts the registry's SSL certificate without verifying that a trusted Certificate Authority (CA) issued the certificate.

Caution: If the CS Scanner accepts an SSL certificate without verifying that a trusted CA issued it, the registry's identity is not verified: the certificate may be invalid and the connection may not be secure. Therefore, Tenable recommends that you include this variable only during testing or debugging procedures.

Type: Boolean. Required: No. Supported mode: Registry Import.

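An added example, not Tenable's code: a POSIX shell preflight that checks the constraints stated on this page (the IMPORT_REPO_NAME rules, the allow list/block list exclusion, the Supported Mode column, the proxy format, and the ALLOW_INSECURE_SSL_REGISTRY caution) before the scanner is started with -e VAR=value flags, plus a helper that maps the CHECK_POLICY exit codes to a verdict for automation. It assumes the caller states which mode is about to run, because how the scanner selects Image Inspect or Registry Import mode is not covered on this page.

```shell
# cs_preflight inspect|registry: reads the same environment variables the scanner
# reads, prints each problem to stderr and returns the number of problems found.
cs_preflight() {
  mode=$1; errors=0
  fail() { echo "preflight: $1" >&2; errors=$((errors + 1)); }
  [ -n "$TENABLE_ACCESS_KEY" ] || fail "TENABLE_ACCESS_KEY is required"
  [ -n "$TENABLE_SECRET_KEY" ] || fail "TENABLE_SECRET_KEY is required"
  # IMPORT_REPO_NAME: 64 chars or fewer, lowercase alphanumerics plus - _ . and an alphanumeric first char.
  if [ -z "$IMPORT_REPO_NAME" ]; then fail "IMPORT_REPO_NAME is required"
  elif [ "${#IMPORT_REPO_NAME}" -gt 64 ]; then fail "IMPORT_REPO_NAME is longer than 64 characters"
  elif ! printf '%s\n' "$IMPORT_REPO_NAME" | grep -Eq '^[a-z0-9][a-z0-9._-]*$'; then
    fail "IMPORT_REPO_NAME must match ^[a-z0-9][a-z0-9._-]*$"
  fi
  # Allow list and block list cannot appear in the same configuration.
  if [ -n "$IMAGE_NAME_WHITELIST" ] && [ -n "$IMAGE_NAME_BLACKLIST" ]; then
    fail "IMAGE_NAME_WHITELIST and IMAGE_NAME_BLACKLIST are mutually exclusive"
  fi
  # Mode-specific variables, per the "Supported Mode" column.
  if [ "$mode" = inspect ]; then
    for v in REGISTRY_URI REGISTRY_USERNAME REGISTRY_PASSWORD REGISTRY_PROXY \
             IMAGE_NAME_WHITELIST IMAGE_NAME_BLACKLIST IMPORT_INTERVAL_MINUTES \
             ALLOW_INSECURE_SSL_REGISTRY; do
      eval "val=\${$v}"; [ -z "$val" ] || fail "$v is supported only in Registry Import mode"
    done
  elif [ "$mode" = registry ]; then
    for v in CHECK_POLICY CHECK_POLICY_TIMEOUT; do
      eval "val=\${$v}"; [ -z "$val" ] || fail "$v is supported only in Image Inspect mode"
    done
  else fail "mode must be 'inspect' or 'registry'"; fi
  # Proxy values are [<username>:<password>@]<host>:<port>, with no URL scheme.
  for v in TENABLE_PROXY REGISTRY_PROXY; do
    eval "val=\${$v}"
    if [ -n "$val" ] && ! printf '%s\n' "$val" | grep -Eq '^([^:@]+:[^@]+@)?[^:@/]+:[0-9]+$'; then
      fail "$v must be [<username>:<password>@]<host>:<port>"
    fi
  done
  # Not an error, but the page's caution deserves a loud note in the run log.
  [ "$ALLOW_INSECURE_SSL_REGISTRY" != true ] || echo "preflight: WARNING: registry certificate will not be verified" >&2
  return "$errors"
}

# cs_policy_verdict EXIT_CODE: maps the CHECK_POLICY exit codes listed above to a verdict.
cs_policy_verdict() {
  case "$1" in
    0) echo "PASS: image passed the policy check" ;;
    2) echo "VIOLATION: image violates one or more compliance policies" ;;
    1) echo "ERROR: policy check failed (timeout or other error)" ;;
    *) echo "UNKNOWN: unexpected exit code $1" ;;
  esac
}
```

Wrap the scanner invocation as `cs_preflight registry && <start the scanner>; cs_policy_verdict $?` so a bad combination is reported before any image is pulled.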
HTTP_CONNECTION_TIMEOUT_SECONDS

The amount of time, in seconds, that the CS Scanner waits for a response after sending a connection request to the registry. If the registry does not accept the connection request within this time span, CS Scanner cancels (times out) the request.

By default, the CS Scanner times out unanswered connection requests after 10 seconds.

Type: Integer. Required: No. Supported mode: Image Inspect or Registry Import.

HTTP_IDLE_TIMEOUT_SECONDS

The amount of time, in seconds, that the CS Scanner waits for a response after sending a request for image data to the registry. If the registry does not respond within this time limit, the CS Scanner cancels (times out) the request.

By default, the CS Scanner times out unanswered requests after 60 seconds.

Type: Integer. Required: No. Supported mode: Image Inspect or Registry Import.

HTTP_REQUEST_TIMEOUT_SECONDS

The amount of time, in seconds, that the CS Scanner allows a request to remain active (that is, the amount of time the CS Scanner waits for the registry to accept a connection request and respond to a request for image data). If a request is still active after this time limit has passed, the CS Scanner cancels (times out) the request.

By default, the CS Scanner times out active requests after 60 seconds.

Type: Integer. Required: No. Supported mode: Image Inspect or Registry Import.