Tenable Cloud Security

Ermetic
Tenable Cloud Security Azure Pipelines Extension

Use the Tenable Cloud Security Azure Pipelines extension to:

  1. Scan your container images for security issues. Doing so can help you identify and fix software vulnerabilities before your images are deployed.
  2. Scan your infrastructure-as-code (IaC) pipeline for security issues. Doing so can help you identify and remediate configuration issues before your cloud resources are deployed.
  3. Sync your Cloud to Code to trace resources and issues back to their code origins.

Note: If you are using classic release pipelines, be aware that additional parameters are required for both the Scan and Sync tasks. See below for more information.


Container Image Scan Task Parameters

| Parameter | Description | Default | Example |
|---|---|---|---|
| apiToken | (Required) The API token used to communicate with Tenable Cloud Security. Generated in the Tenable Cloud Security Console during initial GitHub Actions setup. | | |
| apiUrl | (Required) The URL of the Tenable Cloud Security API. The API URL varies based on the region in which your Tenable Cloud Security environment is deployed. | | https://us.app.ermetic.com/ |
| excludePaths | Exclude specific paths from the scan. | | dev/ |
| excludeVulnerabilities | The vulnerability IDs to exclude from the scan, entered as a comma-separated list. | | CVE-2021-44228 |
| failOnMinSeverity | The minimum policy severity that should return an exit code different from 0 and fail the build workflow. If no value is defined, the workflow will not fail. Possible values: information, low, medium, high, critical | | critical |
| failOnMinCvssScore | The minimum CVSS score of detected vulnerabilities that should return an exit code different from 0 and fail the build workflow. If no value is defined, the workflow will not fail. Possible values: any number between 0.0 and 10.0 (including decimal points) | | critical |
| logs | Whether to print log messages to the standard workflow output. Log messages include information about the run process of the scanner and debug information. Possible values: true, false | | true |
| minSeverity | The minimum severity of Tenable Workload Protection policies that you want included in the scan. Possible values: information, low, medium, high, critical | information | medium |
| minCvssScore | The minimum CVSS score of detected vulnerabilities that you want included in the scan. Possible values: any number between 0.0 and 10.0 (including decimal points) | information | medium |
| name | The container name (alpine:latest / alpine / alpine@sha256:51b67269f354137895d43f3b3d810bfacd3945438e94dc5ac55fdac340352f48 / f8c20f8bbcb6) | alpine:latest | alpine:latest |
| outputFileFormats | The format/s of the report output file/s which will be exported. Possible values: cyclonedx, json, junit, md | json | json,csv |
| outputFileName | The name of the report output file/s which will be exported. If multiple formats are selected, all files will have the same name. | results | results |
| outputJunitTestNamePrefix | Prefix for the JUnit test output name. Used to create a first-level hierarchy in test results. Can be used when junit is defined as an output file format. | | Scan1 |
| outputPath | The export path for the report output file/s. | | results/ |
| registryPassword | The password for your container registry. | | results/ |
| registryUsername | The username for your container registry. | | |
| silent | Whether to print scan result content to the standard workflow output. Scan result output contains detailed information about issues found during scanning. Independent from logs. Possible values: true, false | false | false |

Additional Parameters Required When Using Classic Release Pipelines

| Parameter | Description | Default | Example |
|---|---|---|---|
| codeCommitUser | The username of the author who performed the commit. | | |
| codeRepositoryUrl | The repository URL. | | https://github.com/orgName/repoName |
| pipelineRunTrigger | The activity that triggered pipeline execution. | | Manual, PullRequest, BuildCompletion |

IaC Scan Task Parameters

| Parameter | Description | Default | Example |
|---|---|---|---|
| apiToken | (Required) The API token used to communicate with Tenable Cloud Security. Generated in the Tenable Cloud Security Console during initial Azure Pipelines setup. | | |
| apiUrl | (Required) The URL of the Tenable Cloud Security API. The API URL varies based on the region in which your Tenable Cloud Security environment is deployed. | | https://us.app.ermetic.com/ |
| excludePaths | Exclude specific paths from the scan. | | dev/ |
| excludePolicies | The IDs of any Tenable policies to exclude from the scan. This parameter is mutually exclusive with `policies`: a value can only be entered for one of the two. You can use glob patterns as wildcards to define a range of policies. For example, `excludePolicies aws-s3-*` would exclude all policies related to AWS S3 buckets from the scan. | | aws-iam-role-public-access-exists-terraform |
| failOnMinSeverity | The minimum policy severity that should return an exit code different from 0 and fail the build workflow. Possible values: none, information, low, medium, high, critical | none | critical |
| logs | Whether to print log messages to the standard workflow output. Log messages include information about the run process of the scanner and debug information, such as the number of files/lines scanned. Possible values: true, false | | true |
| minSeverity | The minimum severity of Tenable policies that you want to include in the scan. Possible values: information, low, medium, high, critical | information | medium |
| outputFileFormats | The format/s of the report output file/s which will be exported. Possible values: csv, json, junit, sarif | json | json,csv |
| outputFileName | The name of the report output file/s which will be exported. If multiple formats are selected, all files will have the same name. | results | results |
| outputJunitTestNamePrefix | Prefix for the JUnit test output name. Used to create a first-level hierarchy in test results. Can be used when junit is defined as an output file format. | | Scan1 |
| outputPath | The export path for the report output file/s. | | results/ |
| path | The repository path that will be scanned. If left blank, the entire repository will be scanned. | | prod/ |
| policies | The IDs of the Tenable policies that will be used to scan the repository, entered as a comma-separated list. If no values are entered, all policies are used. This parameter is mutually exclusive with `excludePolicies`: a value can only be entered for one of the two. You can use glob patterns as wildcards to define a range of policies to include. For example, `policies aws-s3-*` would include all policies related to AWS S3 buckets in the scan. For information about how to retrieve policy IDs from the CLI, refer to the Tenable Cloud Security documentation. | | aws-iam-role-public-access-exists-terraform,aws-sqs-queue-encryption-disabled-terraform |
| silent | Whether to print scan result content to the standard workflow output. Scan result output contains detailed information about issues found during scanning. Independent from logs. Possible values: true, false | false | false |
| types | The IaC frameworks to scan. If no value is entered, all frameworks will be scanned. Possible values: terraform, terraform-plan, cloudformation | | terraform |

Additional Parameters Required When Using Classic Release Pipelines

| Parameter | Description | Default | Example |
|---|---|---|---|
| codeBasePath | Path to the repository root. | | |
| codeCommitUser | The username of the author who performed the commit. | | |
| codeRepositoryUrl | The repository URL. | | https://github.com/orgName/repoName |
| pipelineRunTrigger | The activity that triggered pipeline execution. | | Manual, PullRequest, BuildCompletion |

IaC Sync Terraform Task Parameters

| Parameter | Description | Default | Example |
|---|---|---|---|
| apiToken | (Required) The API token used to communicate with Tenable Cloud Security. Generated in the Tenable Cloud Security Console during initial Azure Pipelines setup. | | |
| apiUrl | (Required) The URL of the Tenable Cloud Security API. The API URL varies based on the region in which your Tenable Cloud Security environment is deployed. | | https://us.app.ermetic.com/ |
| path | The Terraform root module path that will be synced. Defaults to the repository root. | | prod/,stg/ |
| stateFilePath | The Terraform state file path. | terraform.tfstate | terraform.tfstate |
| logs | Whether to print log messages to the standard workflow output. Log messages include information about the run process and debug information. Possible values: true, false | | true |
| silent | Whether to print sync result content to the standard workflow output. Sync result output contains information about files that have been traced back to their origins. Independent from logs. Possible values: true, false | false | false |

Additional Parameters Required When Using Classic Release Pipelines

| Parameter | Description | Default | Example |
|---|---|---|---|
| codeBasePath | Path to the repository root. | | |
| codeCommitUser | The username of the author who performed the commit. | | |
| codeRepositoryUrl | The repository URL. | | https://github.com/orgName/repoName |
| pipelineRunTrigger | The activity that triggered pipeline execution. | | Manual, PullRequest, BuildCompletion |
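As an added example that is not part of the extension's own documentation, the following azure-pipelines.yml wires the three tasks together with the parameters above: the IaC scan reports medium and higher but only fails the job on high and higher, the image scan fails on CVSS 7.0 and higher, JUnit output from both is published to the build, and the sync runs only on the main branch. The task identifiers, the secret variable names (tcsApiToken, acrUsername, acrPassword), the image reference and the `.xml` name of the JUnit report are assumptions.

```yaml
# Added example, not the extension's own documentation. The task identifiers
# TenableCloudSecurityIacScan, TenableCloudSecurityImageScan and
# TenableCloudSecurityIacSync are placeholders: use the names the task picker
# shows after installing. tcsApiToken, acrUsername, acrPassword are assumed secrets.
steps:
  - task: TenableCloudSecurityIacScan@1        # placeholder task name
    displayName: 'IaC scan: report medium and above, fail on high and above'
    inputs:
      apiToken: $(tcsApiToken)                 # secret variable, never inline
      apiUrl: 'https://us.app.ermetic.com/'    # region-specific API URL
      path: 'prod/'
      types: 'terraform'
      minSeverity: 'medium'                    # what is reported
      failOnMinSeverity: 'high'                # what breaks the build
      outputFileFormats: 'junit,sarif'
      outputFileName: 'iac-results'
      outputPath: '$(Build.ArtifactStagingDirectory)/tcs/'
      outputJunitTestNamePrefix: 'IaC'

  - task: TenableCloudSecurityImageScan@1      # placeholder task name
    displayName: 'Container image scan: fail on CVSS 7.0 and above'
    inputs:
      apiToken: $(tcsApiToken)
      apiUrl: 'https://us.app.ermetic.com/'
      name: 'myregistry.azurecr.io/app:$(Build.BuildId)'   # constructed image reference
      registryUsername: $(acrUsername)
      registryPassword: $(acrPassword)
      failOnMinCvssScore: '7.0'
      excludeVulnerabilities: 'CVE-2021-44228'
      outputFileFormats: 'junit,cyclonedx'
      outputFileName: 'image-results'
      outputPath: '$(Build.ArtifactStagingDirectory)/tcs/'
      outputJunitTestNamePrefix: 'Image'

  - task: PublishTestResults@2
    condition: always()                        # publish findings even when a scan failed the job
    inputs:
      testResultsFormat: 'JUnit'
      testResultsFiles: '$(Build.ArtifactStagingDirectory)/tcs/*.xml'   # assumes <outputFileName>.xml

  - task: TenableCloudSecurityIacSync@1        # placeholder task name
    displayName: 'Sync Terraform to Cloud to Code'
    condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/main'))
    inputs:
      apiToken: $(tcsApiToken)
      apiUrl: 'https://us.app.ermetic.com/'
      path: 'prod/'
      stateFilePath: 'terraform.tfstate'
```

Keeping minSeverity below failOnMinSeverity means lower findings still appear in the published results without blocking the build; classic release pipelines additionally need the codeBasePath, codeCommitUser, codeRepositoryUrl and pipelineRunTrigger inputs listed above.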