Tenable.io VM
Tenable.io VM (Vulnerability Management) is a cloud-based vulnerability management platform. In Invicti ASPM, the integration imports vulnerability findings from Tenable.io into your projects by binding to existing Tenable.io scans.
Prerequisites
| Field | Description |
|---|---|
| User Key | Tenable.io API access key (user key) |
| Secret Key | Tenable.io API secret key paired with the User Key |
How to Get API Keys (on Tenable.io Side)
- Log in to the Tenable.io console.
- Navigate to Settings > My Account > API Keys.
- Click Generate to create a new Access Key and Secret Key pair.
- Copy both the Access Key (User Key) and Secret Key immediately — the secret is shown only once.
Note: Refer to the Token Instructions link displayed in the Invicti ASPM settings panel for additional guidance on generating Tenable.io API credentials.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.
Step 2: Select the Infra Tab
On the Integrations > Scanners page, click on the Infra tab.
Step 3: Find and Activate Tenable.io VM
Scroll through the list of Infra scanners to find Tenable.io VM.
- If Tenable.io VM is not activated, click the Activate button to enable the integration.
Step 4: Configure Connection Settings
Click the gear icon on the Tenable.io VM card to open the settings panel. Fill in the required fields:
| Field | Description | Required |
|---|---|---|
| User Key | Tenable.io API Access Key | Yes |
| Secret Key | Tenable.io API Secret Key paired with the User Key | Yes |
Step 5: Test the Connection
Click Test Connection. A green Connection successful message confirms that Invicti ASPM can authenticate with the Tenable.io API.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the Infra tab |
| 3 | Activate Tenable.io VM |
| 4 | Enter User Key and Secret Key |
| 5 | Test the connection |
How to Create a Scan
Navigate to Project Scanners
- Open a project in Invicti ASPM.
- Go to Settings > Scanners.
- Click Add Scanner.
Add Tenable.io VM Scanner
- Select Infra as the scanner type.
- Choose Tenable.io VM from the scanner list.
- Click Add to open the scan configuration drawer.
Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Profile Name | A name to identify this scan configuration | Yes |
| Bind to | Select the Tenable.io VM scan to bind to | Yes |
| Meta Data | Additional metadata to tag the scan | Yes |
| Scan Tag | Free-text tag to identify or group scans | No |
| Start Scan | Toggle to trigger the Tenable.io scan immediately | No |
| Severity+ | Increase severity of imported findings by one level | No |
| Severity- | Decrease severity of imported findings by one level | No |
When you select a scan from the Bind to dropdown, the drawer displays the scan's targets, tags, agents, and policy details for reference.
Severity+ and Severity- are mutually exclusive — only one can be enabled at a time.
Scheduler
Enable the Scheduler toggle to automatically run Tenable.io VM scans on a recurring schedule.
Webhook (Optional)
Add a webhook URL to receive scan completion notifications.
KDT Command
kdt scan -p <project_name> -t tenableiovm -b -
Troubleshooting
Connection Fails
| Issue | Resolution |
|---|---|
| Invalid User Key or Secret Key | Verify the API keys in the Tenable.io console under Settings > My Account > API Keys. Regenerate if needed. |
| Permission denied | Ensure the API key belongs to a user with access to vulnerability management data. |
| Secret not available | The secret key is shown only at creation — generate a new key pair if the original was not saved. |
Scan Issues
| Issue | Resolution |
|---|---|
| No scans available in Bind to dropdown | Ensure at least one completed scan exists in your Tenable.io account and the API key has access to it. |
| Scan shows no findings | The selected Tenable.io scan may have no vulnerabilities, or the scan may not have completed. Check the Tenable.io console. |
| Scan not starting | Verify the scanner is activated and the connection test passes in the integration settings. |
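To separate a credential problem from an Invicti ASPM configuration problem, you can exercise the key pair directly against the Tenable.io API. The script below is an added example, not code from Invicti or Tenable. It assumes the public Tenable.io `GET /scans` endpoint and `X-ApiKeys` header; the mapping of HTTP 401/403 to the rows in the tables above, the environment variable names, and the sample response are assumptions made for illustration.

```python
import json
import os
import urllib.error
import urllib.request

TENABLE_SCANS_URL = "https://cloud.tenable.com/scans"  # Tenable.io API: list scans

def auth_headers(access_key, secret_key):
    """Tenable.io authenticates API calls with a single X-ApiKeys header."""
    return {"X-ApiKeys": f"accessKey={access_key}; secretKey={secret_key}",
            "Accept": "application/json"}

def diagnose(status, body):
    """Map an HTTP status and /scans body to a troubleshooting row (assumed mapping)."""
    if status == 401:
        return "Invalid User Key or Secret Key"
    if status == 403:
        return "Permission denied"
    if status != 200:
        return f"Unexpected HTTP status {status}"
    scans = json.loads(body).get("scans") or []  # "scans" may be null when empty
    completed = [s["name"] for s in scans if s.get("status") == "completed"]
    if not completed:
        return "No scans available in Bind to dropdown"
    return "OK: " + ", ".join(sorted(completed))

def check_keys(access_key, secret_key, timeout=15):
    """Call the API once and return the diagnosis; the keys are never printed."""
    req = urllib.request.Request(TENABLE_SCANS_URL,
                                 headers=auth_headers(access_key, secret_key))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return diagnose(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return diagnose(err.code, b"")

# Constructed sample response (not real data) so the logic can be run offline.
SAMPLE = json.dumps({"scans": [
    {"id": 11, "name": "prod-external", "status": "completed"},
    {"id": 12, "name": "staging-weekly", "status": "running"},
]})

if __name__ == "__main__":
    # Keys are read from the environment rather than written into the file.
    ak = os.environ.get("TENABLE_ACCESS_KEY")
    sk = os.environ.get("TENABLE_SECRET_KEY")
    print(check_keys(ak, sk) if ak and sk else diagnose(200, SAMPLE))
```

If the script reports completed scans but the Bind to dropdown is still empty, the keys saved in the Invicti ASPM settings panel probably differ from the pair you tested.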
Best Practices
- Use a dedicated API key for Invicti ASPM with the minimum required permissions rather than reusing credentials shared with other tools.
- Rotate API keys periodically and update the integration settings in Invicti ASPM accordingly.
- Bind each Invicti ASPM project to the Tenable.io scan that covers its production infrastructure for accurate vulnerability data.
- Use the Scheduler to align Invicti ASPM polling with your Tenable.io scan cadence so findings always reflect the latest state.
Limitations
- Tenable.io VM in Invicti ASPM imports findings from existing Tenable.io scans — it does not create new Tenable.io scans (unless Start Scan is enabled).
- Only scans accessible via the provided API key are available for selection.
- Agent-based and cloud connector findings are imported only if the bound scan includes them.
