Tenable Container Security Scanner Environment Variables

You must use the CLI on your computer to configure your environment variables and run the Container Security Scanner.

You can configure and run the Container Security Scanner as many times as necessary, using any combination of registries and registry sources.

Environment Variables

Variable Description Type Required Supported Mode
TENABLE_ACCESS_KEY

Your Tenable Vulnerability Management API access key.

String Yes

Image Inspect

or

Registry Import
TENABLE_SECRET_KEY

Your Tenable Vulnerability Management API secret key.

 String Yes

Image Inspect

or

Registry Import
IMPORT_REPO_NAME

The name of the Container Security Scanner repository where you want to import the image. This name cannot contain spaces.

The repository name must meet the following requirements:

  • Contains 64 characters or fewer.
  • Contains only alphanumeric characters, dashes (-), underscores (_), or periods (.).
  • Begins with an alphanumeric character.
  • Contains no uppercase letters.

 String Yes

Image Inspect

or

Registry Import
REGISTRY_URI

The URI of the registry from which you want to import the image.

 String No Registry Import
REGISTRY_USERNAME

Your username for authenticating to the registry you want to scan.

Set this variable if you want to authenticate to the registry.

Your username variable depends on the registry you want to scan:

  • Amazon Web Services (AWS) Elastic Container Registry (ECR) — Type your AWS access key ID as your username. For information about how to obtain your access key ID, see the AWS Documentation.
  • Azure registry — Type your service principal ID for the registry. For more information about how to create a service principal, see Azure Documentation.
  • Google Cloud Platform (GCP) Google Container Registry (GCR) — Type your GCR account client email as it appears in the client_email field in the service account private key JSON file. For information about how to create and download your service account private key, see the Google Container Registry Documentation.
  • All other registries — Type the username you use to authenticate to the registry.
 String No

Registry Import
REGISTRY_PASSWORD

Your password for authenticating to the registry from which you want to import the image.

Set this variable if you want to authenticate to the registry.

Your password depends on the registry you want to scan.

  • Amazon Web Services (AWS) Elastic Container Registry (ECR) — Type your AWS access secret key as your password. For information about how to obtain your access secret key, see the AWS Documentation.
  • Azure registry — Type your service principal password for the registry. For more information about how to create a service principal, see Azure Documentation.
  • Google Cloud Platform (GCP) Google Container Registry (GCR) — Type your GCR service account private key as it appears in the private_key field in the service account private key JSON file. For information about how to create and download your service account private key, see the Google Container Registry Documentation.
  • All other registries — Type the password you use to authenticate to the registry.
 String No Registry Import
TENABLE_PROXY

The URL for the HTTP proxy the Container Security Scanner uses to connect to Tenable Vulnerability Management.

Set this variable if the machine where you deployed the Container Security Scanner requires a proxy server to connect to Tenable Vulnerability Management.

Note: If the machine where you deployed the Container Security Scanner requires proxy connections to your registry and to Tenable Vulnerability Management, you can apply both the REGISTRY_PROXY variable and the TENABLE_PROXY variable to your configuration. Run the Container Security Scanner in Registry Import mode if you apply both variables.

Your TENABLE_PROXY variable depends on whether your proxy requires username and password authentication.

  • Authentication required — Type your proxy URL in the following format:

    <username>:<password>@<host>:<port>

  • Authentication not required — Type your proxy URL in the following format:

    <host>:<port>

Note: You can specify the host using the hostname (for example, example.com) or IP address (for example 192.0.2.202).

String No

Image Inspect

or

Registry Import
REGISTRY_PROXY

The URL for the HTTP proxy the Container Security Scanner uses to connect to your registry.

Set this variable if the machine where you deployed the Container Security Scanner requires a proxy server to connect to the registry you want to scan.

Note: If the machine where you deployed the Container Security Scanner requires proxy connections to your registry and to Tenable Vulnerability Management, you can apply both the REGISTRY_PROXY variable and the TENABLE_PROXY variable to your configuration.

Your REGISTRY_PROXY variable depends on whether your proxy requires username and password authentication.

  • Authentication required — Type your proxy URL in the following format:

    <username>:<password>@<host>:<port>

  • Authentication not required — Type your proxy URL in the following format:

    <host>:<port>

Note: You can specify the host using the hostname (for example, example.com) or IP address (for example 192.0.2.202).

String No

Registry Import
IMAGE_NAME_WHITELIST

Image name or tag assigned to images that you want the Tenable Container Security Scanner to include in your registry scan.

Include this variable if you want to run the Tenable Container Security Scanner in Registry Import mode and you want the scanner to include only images with a certain name or tag in the scan.

If you do not set this variable, Tenable Container Security Scanner scans all the images in your registry.

Note: You cannot include an IMAGE_NAME_WHITELIST variable and an IMAGE_NAME_BLACKLIST variable in the same scan configuration.

Your allow list variable depends on whether you want to include images based on name, tag, or both.

  • Name — Type the name assigned to images that you want included in the scan.

    For example, if you type -e IMAGE_NAME_WHITELIST=alpine, the Tenable Container Security Scanner scans only images named alpine.

  • Tag — Type the tag assigned to images that you want included in *:<tag> format.

    For example, if you type -e IMAGE_NAME_WHITELIST=*:latest, the Tenable Container Security Scanner scans only images with the latest tag.

  • Both — Type the image name and tag set assigned to images that you want included in <image>:<name> format.

    For example, if you type -e IMAGE_NAME_WHITELIST=alpine:latest, only images named alpine that also have the latest tag are included in the scan.

Tip: You can use an asterisk (*) wild card character when specifying image name and tag values.

Tip: You can specify multiple allow list variables by separating each with a comma (for example, -e IMAGE_NAME_WHITELIST=alpine1,alpine2,alpine3,*:latest).

String No Registry Import
IMAGE_NAME_BLACKLIST

Image name or tag assigned to images that you want the Tenable Container Security Scanner to exclude from your registry scan.

Include this variable if you want to run theTenable Container Security Scanner in Registry Import mode and you want the scanner to exclude certain images from the scan. If you do not set this variable, Tenable Container Security Scanner scans all the images in your registry.

If you do not set this variable, Tenable Container Security Scanner scans all the images in your registry.

Note: You cannot include an IMAGE_NAME_BLACKLIST variable and an IMAGE_NAME_WHITELIST variable in the same scan configuration.

Your block list variable depends on whether you want to exclude images based on name, tag, or both.

  • Name — Type the name assigned to images that you want excluded from the scan.

    For example, if you type -e IMAGE_NAME_BLACKLIST=alpine, the Tenable Container Security Scanner excludes only images named alpine.

  • Tag — Type the tag assigned to images that you want excluded from the scan in *:<tag> format.

    For example, if you type -e IMAGE_NAME_BLACKLIST=*:latest, the Tenable Container Security Scanner excludes only images with the latest tag.

  • Both — Type the image name and tag set assigned to images you want excluded in <image>:<name> format.

    For example, if you type -e IMAGE_NAME_BLACKLIST=alpine:latest, only images named alpine that also have the latest tag are excluded from the scan.

Tip: You can use an asterisk (*) wild card character when specifying image name and tag values.

Tip: You can specify multiple block list variable sets by separating each set with a comma (for example, -e IMAGE_NAME_BLACKLIST=alpine1,alpine2,alpine3,*:latest).

image_name_ No Registry Import
CHECK_POLICY

If true, the Tenable Container Security Scanner sends a request to Tenable Vulnerability Management to verify whether the results of the scan include a violation of one or more compliance policies.

The message that Tenable Container Security Scanner provides in the output log depends on the results of the policy check.

  • Policy violation detected — Tenable Container Security Scanner provides the following message: This image does not pass your compliance policy.
  • No policy violation detected — Tenable Container Security Scanner provides the following message: image has passed your policy compliance.
  • Policy check timed out — Tenable Container Security Scanner provides the following message: Fatal error: Timed out trying to retrieve report.

If the policy check fails for any reason other than a policy violation or a policy check timeout, the Container Security Scanner generates a message specific to the error that caused the failure.

Tip: If you write custom code to automate image scanning via the Container Security Scanner, you can refer to the following exit codes to determine whether the image passed the policy check:
  • 0 — The image passed the policy check.
  • 1 — The policy check failed, due to timeout or some other error.
  • 2 — The image failed the policy check and is in violation or one or more compliance policies.

For information about Tenable Container Security Scanner policies, see Manage Tenable Container Security Policies.

 Boolean No Image Inspect
CHECK_POLICY_TIMEOUT

The amount of time, in seconds, that the Tenable Container Security Scanner waits for Tenable Vulnerability Management to finish scanning the image and complete the vulnerability detection analysis.

By default, the Container Security Scanner times out unanswered request for a policy after 600 seconds.

Note: Container Security Scanner does not set a maximum limit for the policy timeout value.

Integer No Image Inspect
IMPORT_INTERVAL_MINUTES

The frequency, in minutes, you want the Container Security Scanner to import and scan images from the selected registry.

Set this variable if you want the scanner to run repeatedly at set intervals.

If you do not set this variable, the Container Security Scanner imports and scans images from the selected registry only the first time you scan your registry.

If you do not set this variable, the Container Security Scanner imports and scans images from the selected registry only once, and ends after the scan has finished.

Note: You can schedule the scanner to run at set intervals only when you scan a registry. You cannot set a schedule when you configure and run the scanner in Image Inspect mode.

Integer No Registry Import
DEBUG_MODE

If true, the Container Security Scanner adds additional information to the scan's log to assist with debugging.

Note: Tenable recommends that you include this variable only if Tenable Support requests it.

 Boolean

No

Image Inspect

or

Registry Import
ALLOW_INSECURE_SSL_REGISTRY

If true, the Container Security Scanner accepts the registry's SSL certificate without verifying that a trusted Certificate Authority (CA) issued the certificate.

Caution: If Tenable accepts an SSL certificate without verifying that a trusted CA issued the certificate, your certificate may not be valid and your connections may not be secure. Therefore, Tenable recommends that you include this variable only during testing or debugging procedures.

Boolean

No

Registry Import
HTTP_CONNECTION_TIMEOUT_SECONDS

The amount of time, in seconds, that the Container Security Scanner waits for a response after sending a connection request to the registry. If the registry does not accept the connection request within this time span, Container Security Scanner cancels (times out) the request.

By default, the Container Security Scanner times out unanswered connection requests after 10 seconds.

 Integer No

Image Inspect

or

Registry Import
HTTP_IDLE_TIMEOUT_SECONDS

The amount of time, in seconds, that the Container Security Scanner waits for a response after sending a request for image data to the registry. If the registry does not respond within this time limit, the Container Security Scanner cancels (times out) the request.

By default, the Container Security Scanner times out unanswered requests after 60 seconds.

 Integer No

Image Inspect

or

Registry Import
HTTP_REQUEST_TIMEOUT_SECONDS

The amount of time, in seconds, that the Container Security Scanner allows a request to remain active (that is, the amount of time the Container Security Scanner waits for the registry to accept a connection request and respond to a request for image data). If a request is still active after this time limit has passed, the Container Security Scanner cancels (times out) the request.

By default, the Container Security Scanner times out active requests after 60 seconds.

 Integer No

Image Inspect

or

Registry Import