Scan a Registry via the Tenable Container Security Scanner
Required Additional License: Tenable Container Security
Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or Administrator
Run the Container Security Scanner in Registry Import mode to scan all images in a registry.
Before you begin:
- Confirm your machine meets the system requirements described in Tenable Container Security Scanner System Requirements.
- Download the Container Security Scanner, as described in Download the CS Scanner.
- Prepare your environment variable values, as described in Environment Variables.
- (Optional) To scan images hosted in an Amazon Web Services (AWS) Elastic Container Registry (ECR), an Azure registry, or a Google Container Registry (GCR), prepare your registry as described in Prepare your Registry.
To run the Container Security Scanner in Registry Import mode:
- In the command-line interface of the machine where you want to run the scanner, run the customized configuration and command for your deployment type using the following parameters:
Note: Some of the following variables are not required to run the scanner. For information about these variables and their definitions, see Environment Variables.
docker run \
-e TENABLE_ACCESS_KEY=<variable> \
-e TENABLE_SECRET_KEY=<variable> \
-e IMPORT_REPO_NAME=<variable> \
-e REGISTRY_URI=<variable> \
-e REGISTRY_USERNAME=<variable> \
-e REGISTRY_PASSWORD=<variable> \
-e IMPORT_INTERVAL_MINUTES=<variable> \
-i tenableio-docker-consec-local.jfrog.io/cs-scanner:latest import-registry
- Press Enter.
The Container Security Scanner scans all images in the registry.
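Values typed after `-e NAME=` on the command line land in shell history and the process list. The following added example (not part of Tenable's documentation) keeps the same variables in a file passed with Docker's `--env-file` option and checks that file before starting the scanner; the file name `cs-scanner.env` and the list of variables treated as required are assumptions.

```shell
#!/bin/sh
# Added example, not Tenable code. Image and variable names are the ones on this page.
IMAGE=tenableio-docker-consec-local.jfrog.io/cs-scanner:latest

# check_env_file FILE [REQUIRED_VAR...]
# Prints one finding per line; the return status is the number of findings.
# Which variables are required is the caller's assumption (see Environment Variables).
check_env_file() {
    file=$1; shift
    [ -f "$file" ] || { echo "no such file: $file"; return 1; }
    n=0
    # The file holds API keys and registry credentials: owner-only access.
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
    case $mode in
        ?00) ;;
        *) echo "mode $mode is too open (chmod 600)"; n=$((n + 1)) ;;
    esac
    # Placeholders copied from the documentation and never filled in.
    if grep -Eq '^[A-Z_]+=<[^>]*>$' "$file"; then
        echo "unfilled <variable> placeholder"; n=$((n + 1))
    fi
    # docker --env-file keeps surrounding quotes as part of the value.
    if grep -Eq "^[A-Z_]+=[\"'].*[\"']\$" "$file"; then
        echo "quoted value: the quotes would be passed literally"; n=$((n + 1))
    fi
    for var in "$@"; do
        grep -q "^$var=." "$file" || { echo "$var missing or empty"; n=$((n + 1)); }
    done
    return "$n"
}

# run_scanner FILE [REQUIRED_VAR...]: start the import only if the check passes.
run_scanner() {
    check_env_file "$@" || return 1
    docker run --env-file "$1" -i "$IMAGE" import-registry
}

# Constructed usage: ./cs-import.sh --run cs-scanner.env
if [ "${1:-}" = "--run" ]; then
    run_scanner "$2" TENABLE_ACCESS_KEY TENABLE_SECRET_KEY REGISTRY_URI
fi
```

Write one `NAME=value` pair per line in the env file, without quotes, and adjust the required-variable list to match Environment Variables for your registry type.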
What to do next:
- View the results of your scan, as described in View Scan Results for Container Images.