Scan a Registry via the Tenable Container Security Scanner
Required Additional License: Tenable Container Security
Required Tenable Vulnerability Management User Role: Scan Operator, Standard, Scan Manager, or Administrator
Run the Container Security Scanner in Registry Import mode to scan all images in a registry.
Before you begin:
- Confirm your machine meetings the system requirements described in Tenable Container Security Scanner System Requirements.
- Download the Container Security Scanner, as described in Download the CS Scanner.
- Prepare your environment variable values, as described in the Environment Variables.
- (Optional) To scan images hosted in an Amazon Web Services (AWS) Elastic Container Registry (ECR), an Azure registry, or a Google Container Registry (GCR), prepare your registry as described in Prepare your Registry.
To run the Container Security Scanner in Registry Import mode:
In the command-line interface of the machine where you want to run the scanner, run the customized configuration and command for your deployment type using the following parameters:
Note: Some of the following variables are not required to run the scanner. For information about these variables and their definitions, see Environment Variables.Copy
docker run \
-e TENABLE_ACCESS_KEY=<variable> \
-e TENABLE_SECRET_KEY=<variable> \
-e IMPORT_REPO_NAME=<variable> \
-e REGISTRY_URI=<variable> \
-e REGISTRY_USERNAME=<variable> \
-e REGISTRY_PASSWORD=<variable> \
-e IMPORT_INTERVAL_MINUTES=<variable> \
-i tenableio-docker-consec-local.jfrog.io/cs-scanner:latest import-registry
The Container Security Scanner scans all images in the registry.
What to do next:
- View the results of your scan, as described in View Scan Results for Container Images.