Launching internal security scans with OpenVAS or Tenable can be painful to get right. Both require navigating a myriad of menus and pasting a list of IPs to start a scan. Both can save the list of IPs and schedule scans, but in the world of cloud environments and constantly changing servers, a saved list of IP addresses becomes outdated rather quickly. We felt that pain and decided to create an automated solution. Instead of having to remember to update the list of internal IPs for each scan, you can run the tenable-scan-launcher to retrieve the list of IPs from Google Cloud and AWS and then launch a scan. The launcher can also be set up to export a Tenable-generated report and save it as a file. It can be run as a standalone binary, as a Docker container built from the provided Dockerfile, or as a Kubernetes resource.
To get started, you will need an internal scanner. You can use your own scanner if desired, or use the one provided in the repository examples.
Next, create a new scan in the Tenable UI that uses your new scanner and note its scan ID. To launch a scan with the tool, pass the flags for Google Cloud or AWS along with that scan ID. We have provided an example of a scan as a Kubernetes CronJob in the repository.
Please note that only internal IP addresses are collected at the moment. Collecting pod IPs and the option to do external scans by collecting the public IP addresses are planned for the future.
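To make the workflow concrete, here is an added example in Python that is not the tenable-scan-launcher code itself: it pulls the private IPs of running instances out of cloud inventory responses, merges and de-duplicates them, and builds the request that launches an existing Tenable scan against exactly those targets. It assumes the inventory responses have the shape of boto3 `describe_instances()` and the GCE `instances.aggregatedList()` output (the two samples below are constructed), that the Tenable.io endpoints are `PUT /scans/{scan_id}/launch` with an `alt_targets` body and `POST /scans/{scan_id}/export`, and that credentials and the scan ID come from the environment variables `TENABLE_ACCESS_KEY`, `TENABLE_SECRET_KEY` and `TENABLE_SCAN_ID` (names chosen for this example). Matching the note above, only internal addresses are collected; stopped instances and instances that have no private IP yet are skipped.

```python
"""Collect private IPs from cloud inventory and launch a Tenable.io scan on them.

Standard library only. Cloud responses are constructed samples shaped like
boto3 ec2.describe_instances() and GCE compute.instances().aggregatedList().
"""
import ipaddress
import json
import os
import urllib.request

# Constructed sample shaped like boto3 ec2.describe_instances()
SAMPLE_AWS = {
    "Reservations": [{"Instances": [
        {"InstanceId": "i-0example1", "State": {"Name": "running"},
         "PrivateIpAddress": "10.0.1.10"},
        {"InstanceId": "i-0example2", "State": {"Name": "stopped"},
         "PrivateIpAddress": "10.0.1.11"},          # not running: skipped
        {"InstanceId": "i-0example3", "State": {"Name": "running"}},  # no IP yet: skipped
    ]}]
}

# Constructed sample shaped like GCE compute.instances().aggregatedList()
SAMPLE_GCP = {
    "items": {
        "zones/us-central1-a": {"instances": [
            {"name": "web-1", "status": "RUNNING",
             "networkInterfaces": [{"networkIP": "10.128.0.5"}]},
            {"name": "web-2", "status": "TERMINATED",
             "networkInterfaces": [{"networkIP": "10.128.0.6"}]},
        ]},
        "zones/us-east1-b": {"warning": {"code": "NO_RESULTS_ON_PAGE"}},  # empty zone
        "zones/us-east1-c": {"instances": [
            {"name": "db-1", "status": "RUNNING",
             "networkInterfaces": [{"networkIP": "10.142.0.9"},
                                   {"networkIP": "10.0.1.10"}]},  # duplicate of an AWS IP
        ]},
    }
}


def aws_private_ips(resp):
    """Private IPv4 of running EC2 instances; stopped or IP-less instances are skipped."""
    ips = []
    for reservation in resp.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            if inst.get("State", {}).get("Name") != "running":
                continue
            ip = inst.get("PrivateIpAddress")
            if ip:
                ips.append(ip)
    return ips


def gcp_private_ips(resp):
    """Internal networkIP of every NIC on RUNNING GCE instances across all zones."""
    ips = []
    for scope in resp.get("items", {}).values():
        for inst in scope.get("instances", []):  # zones carrying only a warning have none
            if inst.get("status") != "RUNNING":
                continue
            for nic in inst.get("networkInterfaces", []):
                if nic.get("networkIP"):
                    ips.append(nic["networkIP"])
    return ips


def scan_targets(*ip_lists):
    """Merge and de-duplicate; ip_address() also rejects anything that is not an IP."""
    return sorted({ip for ips in ip_lists for ip in ips}, key=ipaddress.ip_address)


def launch_payload(targets):
    """Body for PUT /scans/{id}/launch; alt_targets overrides the scan's saved targets."""
    return {"alt_targets": list(targets)}


def tenable_request(method, path, body=None, base="https://cloud.tenable.com"):
    """Authenticated Tenable.io call; keys are read from the environment, never hard-coded."""
    access, secret = os.environ["TENABLE_ACCESS_KEY"], os.environ["TENABLE_SECRET_KEY"]
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base + path, data=data, method=method, headers={
        "X-ApiKeys": f"accessKey={access};secretKey={secret}",
        "Content-Type": "application/json", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as r:
        return json.load(r)


def launch_scan(scan_id, targets):
    """Launch an existing scan (created in the Tenable UI) against the collected IPs."""
    return tenable_request("PUT", f"/scans/{scan_id}/launch", launch_payload(targets))


def request_export(scan_id, fmt="csv"):
    """Start a report export; the returned file id is polled at /export/{file}/status."""
    return tenable_request("POST", f"/scans/{scan_id}/export", {"format": fmt})


if __name__ == "__main__":
    targets = scan_targets(aws_private_ips(SAMPLE_AWS), gcp_private_ips(SAMPLE_GCP))
    print(json.dumps(launch_payload(targets)))
    if os.environ.get("TENABLE_SCAN_ID"):  # only talk to Tenable when configured
        print(launch_scan(os.environ["TENABLE_SCAN_ID"], targets))
```

Without `TENABLE_SCAN_ID` set, the script only prints the launch payload it would send, which is a useful dry run before wiring it into a CronJob; in a real deployment the two sample dicts are replaced by the live `describe_instances()` and `aggregatedList()` calls. Sorting through `ipaddress.ip_address` doubles as input validation: a stray hostname or empty string in the inventory raises before anything reaches the scanner.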