Tenable.cs Extension for Visual Studio Code
Tenable.cs scans your Infrastructure as Code (IaC) for possible vulnerabilities and mitigates risks before the infrastructure is provisioned. The Tenable.cs extension for Visual Studio Code (VS Code) seamlessly enables the scanning of your IaC files and folders through VS Code.
Overview
The Tenable.cs extension for VS Code supports Terraform, Kustomize, Helm, and Kubernetes YAML. It uses the Tenable.cs command-line interface (CLI) and Terrascan to scan the IaC files, and reports violations in the output window.
The Tenable.cs extension operates in two modes:
- Standalone: This mode does not require a Tenable.cs account. Tenable.cs performs IaC scans locally and displays the results in the VS Code output window. The standalone mode is the default mode.
- Integrated: Tenable.cs displays the scan results on the Tenable.cs Dashboard page.
Note: Currently, the Tenable.cs extension supports the integrated mode only for Terraform files.
Before you begin
Installation
- Launch VS Code.
- In the Search Extensions in Marketplace box, search for Tenable.cs.
The Tenable.cs extension appears.
- Select the Tenable.cs extension.
- Click Install.
During the installation, the Tenable.cs extension downloads other dependent components and configures them locally.
Usage
Standalone Mode (Default)
In standalone mode, the Tenable.cs extension uses the free and open source scanner Terrascan for scanning IaC files.
- In the VS Code workspace, select the Tenable.cs extension.
- Click View > Command Palette.
The Command Palette box appears.
- Select Tenable.cs Mode and then select Standalone.
- In the VS Code workspace, right-click the IaC file or folder to scan and click Tenable.cs Scan.
- From the list of IaC types, select the required type. The available IaC types are: helm, k8s, kustomize, and terraform.
Note: When you scan a single file, Tenable.cs scans the entire directory by default.
The Tenable.cs extension performs the IaC scan and reports the results in the VS Code output window. Tenable.cs also generates a JSON and an HTML report in the scanning directory.
Standalone mode is the default mode for the extension; commercial customers should use Integrated mode.
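Because a single-file scan covers the whole directory, the JSON report can contain findings from sibling files. The following added example (not part of the original page or of Tenable's code) filters a report down to one file and groups its findings by severity. It assumes the report follows Terrascan's JSON output layout (`results.violations` entries with `file`, `severity`, and `rule_id`); the sample data and rule IDs are constructed.

```python
import json

# Constructed sample report, not real scan output. Field names follow Terrascan's
# JSON output; that the extension's report uses the same layout is an assumption.
SAMPLE_REPORT = json.dumps({"results": {"violations": [
    {"rule_id": "EXAMPLE.1", "severity": "HIGH", "resource_name": "logs",
     "file": "storage.tf", "line": 3},
    {"rule_id": "EXAMPLE.2", "severity": "MEDIUM", "resource_name": "web",
     "file": "network.tf", "line": 12},
    {"rule_id": "EXAMPLE.3", "severity": "LOW", "resource_name": "logs",
     "file": "./storage.tf", "line": 9},
    {"rule_id": "EXAMPLE.4", "severity": "HIGH", "resource_name": "db",
     "file": "modules\\db\\main.tf", "line": 1},
]}})

SEVERITIES = ("HIGH", "MEDIUM", "LOW")  # highest first

def normalize(path):
    """Compare paths regardless of Windows separators or a leading './'."""
    path = path.replace("\\", "/")
    while path.startswith("./"):
        path = path[2:]
    return path

def load_violations(report_text):
    """Return the violations list; a clean scan may carry null or no list."""
    results = json.loads(report_text).get("results") or {}
    return results.get("violations") or []

def findings_for(violations, target):
    """Keep findings for one file, since a single-file scan covers its directory."""
    want = normalize(target)
    return [v for v in violations if normalize(v.get("file", "")) == want]

def by_severity(violations):
    """Group rule IDs by severity, highest first; unknown severities sort last."""
    groups = {}
    for v in violations:
        sev = str(v.get("severity", "UNKNOWN")).upper()
        groups.setdefault(sev, []).append(v.get("rule_id"))
    order = {s: i for i, s in enumerate(SEVERITIES)}
    return dict(sorted(groups.items(),
                       key=lambda kv: (order.get(kv[0], len(order)), kv[0])))

if __name__ == "__main__":
    mine = findings_for(load_violations(SAMPLE_REPORT), "storage.tf")
    print(by_severity(mine))
```

To use it on a real report, read the JSON file from the scanning directory and pass its text to `load_violations`.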
Integrated Mode (Commercial)
Prerequisites
For Integrated mode scans, you must have the following:
- A Tenable.cs user account with an Operator or greater role.
- A project in the Tenable.cs console to scan your IaC repository. You can use this project to create the CI/CD builds.
Steps
- In the VS Code workspace, select the Tenable.cs extension.
- Click View > Command Palette.
The Command Palette box appears.
- Select Tenable.cs Mode and then select Integrated.
- Access Tenable.cs from https://cloud.tenable.com/.
The Tenable.cs Dashboard page appears.
- On the Home page, click the Projects and Connections tab.
- Click your project to view its details.
- In the upper-right, click the Configuration link to download the configuration .zip file and extract it to a local folder.
- In the VS Code workspace, click View > Command Palette.
- From the Command Palette box, choose Tenable.cs Configuration and select the configuration file that you saved in step 7.
- Right-click any IaC file or directory and click Tenable.cs Scan.
The Tenable.cs extension displays a list of scan commands.
- Select the required command from the displayed scan commands.
- (Optional) Provide the required command options for the selected command:
- Commands init, plan, and workspace take parameters equivalent to Terraform CLI.
- Commands tgplan, tgplanall, and plan-all take parameters equivalent to Terragrunt CLI.
The Tenable.cs extension performs the scan and reports the results in the output window as well as in the Tenable.cs console.
For more information, see Tenable.cs documentation.
Configuration settings
The Tenable.cs extension provides two scopes for settings:
- User: Settings that apply globally to any instance of VS Code. You must update these settings manually.
- Workspace: Settings that apply to only the workspace that is open. The Workspace settings are automatically set when you run the Tenable.cs Configuration operation.
If you specify both User and Workspace settings, the Workspace settings take precedence.
To modify the User settings:
- Click Tenable.cs on the status bar or click File > Preferences > Settings.
The Settings editor appears.
- In the User tab, update the following fields:
- API token: Authentication token (only for integrated mode)
- App URL: Repository URL (only for integrated mode)
- Project ID: ID of the project in the Tenable.cs console (only for integrated mode)
- Scan Mode: Standalone or Integrated
Uninstallation
- To remove the extension, click View > Extensions.
- Select the Tenable.cs extension and click Uninstall.