Deploy Tenable Web App Scanning as a Docker Image
You can deploy Tenable Web App Scanning as a Docker image to run on a container. The base image is an Oracle Linux 8 instance of Tenable Web App Scanning. You can set up your Tenable Web App Scanning instance with environment variables to deploy the Docker image with configuration settings automatically. Once the Docker image is deployed, you can also update it, or collect scanner logs.
Note: Tenable Web App Scanning does not have a command line interface or configuration wizard, users must use environment variables to configure Tenable Web App Scanning.
Note:Tenable Web App Scanning docker image only works on AMD 64-bit systems and does not support ARM or Windows systems.
Before you begin:
-
Download and install Docker for your operating system.
-
Access the Tenable Web App Scanning Docker image from https://hub.docker.com/r/tenable/was-scanner.
Deploy or Remove Docker Image
To deploy Tenable Web App Scanning as a docker image:
-
Use the operators with the appropriate options for your deployment, as described in Operators.
-
Use the -e operator to set environment variables, as described in Environment Variables. For example:
$ docker run -it -e WAS_LINKING_KEY='linkingkeyleavequotations' -e WAS_SCANNER_NAME='samplescannername' tenable/was-scanner:latest
Note: Copying and pasting example text can sometimes change the quotation characters causing the command to fail. Double-check the command before proceeding.
To stop and remove Tenable Web App Scanning as a Docker Image:
Note: When you remove Tenable Web App Scanning running as a Docker container, you lose the container data.
- In your terminal, stop the container from running using the docker stop command.
$ docker stop <container name>
- Remove your container using the docker rm command.
$ docker rm <container name>
| Operator | Description |
|---|---|
| --name | Sets the name of the container in Docker. |
| -d | Starts a container in detached mode. |
| -e |
Precedes an environment variable. For descriptions of environment variables you can set to configure settings in your Tenable Web App Scanning instance, see Environment Variables. |
Deploying a Tenable Web App Scanning image that is linked to Tenable Vulnerability Management.
| Variable | Required? | Description |
|---|---|---|
| WAS_SCANNER_NAME | Yes | The name of the Tenable Web App Scanning scanner to appear in Tenable Vulnerability Management. |
| WAS_LINKING_KEY | Yes | The linking key from Tenable Vulnerability Management. |
| WAS_SCANNER_GROUPS | No |
Scanner groups the scanner must be added to (for example, "scanner-group-1, sec-scanner-group"). |
| WAS_AUTO_UNLINK_ON_EXIT | No | Automatically unlinks the scanner when the scanner stops. |
| WAS_PLATFORM_URL | No | Defaults to https://cloud.tenable.com. |
| WAS_PROXY_URL | No | URL to use for proxy to platform. |
| WAS_FIPS_MODE | No | Enables FIPS mode for Tenable Web App Scanning. Defaults to false. |
Update Docker Image
To update the Docker image:
- Run the following command:
docker pull tenable/was-scanner
This pulls the latest version of the scanner from Docker.
Note: The Tenable Web App Scanning Docker Image does not update software or plugins. The latest version of the scanner must be pulled to get the latest plugins and software updates.
Collect Scanner Logs
To collect scanner logs, use one of the following options:
- Add environmental variable:
-e WAS_LOG_TO_STDOUT=true
This prints the logs to stdout, and you can collect them with docker logs <container id>.
- Set WAS_SCANNER_LOG_FILE to a specific location that you mount on the host. For example:
docker run -e WAS_SCANNER_LOG_FILE=/scanner/scanner.log -v $PWD:/scanner
Note: This option should cause the log file to exist in your PWD even after the container has stopped.
Deploy Docker in Container Mode
To deploy Docker in container mode:
- Run the following command:
docker run -d -e WAS_LINKING_KEY=<linking_key> -e WAS_SCANNER_NAME=<scanner_name> tenable/was-scanner:latest