Tenable.io WAS DAST/API Integration
Tenable.io Web Application Scanning (WAS) is a cloud-based DAST solution that provides comprehensive web application vulnerability scanning. This integration allows Invicti ASPM to trigger Tenable.io WAS scans and import vulnerability findings.
Prerequisites
| Field | Description |
|---|---|
| Access Key | Tenable.io API access key |
| Secret Key | Tenable.io API secret key |
How to Get API Keys (on Tenable.io Side)
- Log in to Tenable.io.
- Click your profile icon in the upper right corner.
- Select My Account from the dropdown.
- Navigate to the API Keys tab.
- Click Generate to create a new API key pair.
- Copy both the Access Key and Secret Key — the secret key is shown only once.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.
Step 2: Select the DAST/API Tab
On the Integrations > Scanners page, click on the DAST/API tab.
Step 3: Find and Activate Tenable.io WAS
Scroll through the list of DAST/API scanners to find Tenable.io WAS.
If Tenable.io WAS is not activated, you will see an "Activate" button. Click it to enable the integration.
Note: The scan method badge on the Tenable.io WAS card shows KDT, which means scans are triggered through the Kondukto CLI tool (KDT).
Step 4: Configure Connection Settings
Click on the gear icon on the Tenable.io WAS card to open the configuration panel. Fill in the required fields:
- User Key: Enter your Tenable.io API access key (the Access Key generated in the prerequisites).
- Secret Key: Paste your Tenable.io API secret key.
- URL: Enter your Tenable.io API URL.
- Insecure: Enable this checkbox only if your Tenable.io instance uses a self-signed SSL certificate.
Step 5: Test the Connection
Click Test Connection. A green Connection successful message confirms the API keys are valid.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the DAST/API tab |
| 3 | Activate Tenable.io WAS |
| 4 | Enter Access Key and Secret Key |
| 5 | Test the connection |
How to Create a Scan
Navigate to Project Scanners
- Open a project in Invicti ASPM.
- Go to Settings > Scanners.
- Click Add Scanner.
Add Tenable.io WAS Scanner
- Select DAST/API as the scanner type.
- Choose Tenable.io WAS from the scanner list.
- Click Add to open the scan configuration drawer.
Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Environment | Select the environment for the scan | No |
| Bind To | Tenable.io WAS scan to bind to | Yes |
| Branch | Source code branch associated with this scan | No |
| Meta Data | Additional metadata for the scan | No |
| Scan Tag | Tag to identify the scan | No |
Scheduler
Enable the Scheduler toggle to run scans on a recurring schedule.
Webhook (Optional)
Add a webhook URL to receive scan completion notifications.
KDT Command
```bash
kdt scan -p <project_name> -t tenableiowas -b <branch_name>
```
Troubleshooting
Connection Fails
| Issue | Resolution |
|---|---|
| Invalid API keys | Regenerate the API keys from your Tenable.io account settings |
| WAS module not licensed | Ensure your Tenable.io subscription includes Web Application Scanning |
| Key permissions | The API keys must belong to an account with WAS scanning permissions |
| Network access | Ensure outbound access to cloud.tenable.com on port 443 is allowed |
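Before entering a key pair in Step 4, or when Test Connection fails, it helps to check the keys and network path from a shell independently of the integration. The following pre-flight script is an added example, not part of Invicti ASPM, Kondukto or Tenable; it uses Tenable.io's `X-ApiKeys` request header and `GET /session` endpoint, reads the keys from environment variables whose names (`TENABLE_ACCESS_KEY`, `TENABLE_SECRET_KEY`) are this example's own choice so they never appear in shell history, and maps the HTTP result onto the rows of the table above.

```python
"""Pre-flight check for a Tenable.io API key pair before wiring it into the
ASPM integration.  Added example, not part of Invicti ASPM or Tenable.
Environment variable names below are this example's own assumption."""
import json
import os
import socket
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

DEFAULT_URL = "https://cloud.tenable.com"   # value for the "URL" field in Step 4
TENABLE_HOST = "cloud.tenable.com"


def api_key_header(access_key: str, secret_key: str) -> str:
    """Build the X-ApiKeys header value Tenable.io expects."""
    return f"accessKey={access_key};secretKey={secret_key}"


def redact(key: str) -> str:
    """Show only the first four characters so a key never lands in logs whole."""
    return key[:4] + "..." if len(key) > 4 else "****"


def check_port(host: str, port: int = 443, timeout: float = 5.0) -> Optional[str]:
    """Return None if a TCP connection succeeds, else the error text
    (the 'Network access' row of the troubleshooting table)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return None
    except OSError as exc:
        return str(exc)


def http_get(url: str, headers: Dict[str, str], timeout: float = 10.0) -> Tuple[int, str]:
    """Default transport: return (status, body); 4xx/5xx are returned, not raised,
    so the caller can interpret them."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def interpret(status: int) -> str:
    """Map an HTTP status to the most likely troubleshooting row."""
    if status == 200:
        return "ok"
    if status == 401:
        return "invalid API keys: regenerate the key pair under My Account > API Keys"
    if status == 403:
        return "key permissions or licensing: the account lacks WAS access or WAS is not licensed"
    if status == 429:
        return "rate limited by Tenable.io: retry later"
    return f"unexpected HTTP {status}: check the URL field and the Tenable.io service status"


def verify_keys(access_key: str, secret_key: str, base_url: str = DEFAULT_URL,
                fetch: Callable[[str, Dict[str, str]], Tuple[int, str]] = http_get) -> Tuple[bool, str]:
    """Authenticate with GET /session; return (ok, message). `fetch` is injectable
    so the logic can be exercised without network access."""
    headers = {"X-ApiKeys": api_key_header(access_key, secret_key),
               "Accept": "application/json"}
    status, body = fetch(base_url.rstrip("/") + "/session", headers)
    if status != 200:
        return False, interpret(status)
    try:
        user = json.loads(body).get("username") or "<unknown>"
    except ValueError:
        user = "<unparseable body>"
    return True, f"ok: authenticated as {user}"


def main() -> int:
    access = os.environ.get("TENABLE_ACCESS_KEY", "")
    secret = os.environ.get("TENABLE_SECRET_KEY", "")
    if not access or not secret:
        print("set TENABLE_ACCESS_KEY and TENABLE_SECRET_KEY in the environment")
        return 2
    net_err = check_port(TENABLE_HOST)
    if net_err:
        print(f"cannot reach {TENABLE_HOST}:443 ({net_err}); allow outbound HTTPS first")
        return 1
    ok, msg = verify_keys(access, secret)
    print(f"access key {redact(access)}: {msg}")
    return 0 if ok else 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it as `TENABLE_ACCESS_KEY=... TENABLE_SECRET_KEY=... python3 tenable_preflight.py`; a 401 points at the key pair itself, a 403 at account permissions or WAS licensing, and a failed TCP connect at egress filtering, which narrows the table above to one row before you touch the integration settings.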
Scan Issues
| Issue | Resolution |
|---|---|
| No scan templates available | Verify the Tenable.io account has WAS templates configured |
| Scan not starting | Check the Tenable.io WAS scanner status and available scan slots |
| Empty results | Confirm the scan completed in the Tenable.io WAS dashboard |
| Target not reachable | Ensure the target URL is accessible from Tenable.io's scanning infrastructure |
Best Practices
- Use a dedicated service account with API access limited to Web Application Scanning.
- Store API keys securely; treat them as passwords.
- Rotate API keys periodically and update the integration immediately.
- Ensure target web applications are reachable from Tenable.io's cloud scanning infrastructure.
- Use scan templates that match the application type (web, API, authenticated).
Limitations
- Tenable.io WAS requires the target application to be accessible from Tenable.io's cloud infrastructure or via a scanner agent for internal applications.
- The Web Application Scanning module must be separately licensed within Tenable.io.
- API key rotation invalidates existing keys immediately; update the integration promptly.
- Concurrent scan capacity is governed by your Tenable.io subscription tier.
