Package: Invicti AppSec Core (on-demand), Invicti AppSec Enterprise (on-premise, on-demand)
Tenable.io WAS DAST/API Integration
Tenable.io Web Application Scanning (WAS) is a cloud-based DAST solution that provides comprehensive web application vulnerability scanning. This integration allows Invicti AppSec to trigger Tenable.io WAS scans and import vulnerability findings.
Prerequisites
| Field | Description |
|---|---|
| Access Key | Tenable.io API access key |
| Secret Key | Tenable.io API secret key |
Get API Keys (on Tenable.io Side)
- Log in to Tenable.io.
- Click your profile icon in the upper right corner.
- Select My Account from the dropdown.
- Navigate to the API Keys tab.
- Click Generate to create a new API key pair.
- Copy both the Access Key and Secret Key — the secret key is shown only once.
Step 1: Navigate to Integrations
From the left sidebar menu, click on Integrations.

Step 2: Select the DAST/API Tab
On the Integrations > Scanners page, click on the DAST/API tab.

Step 3: Find and Activate Tenable.io WAS
Scroll through the list of DAST/API scanners to find Tenable.io WAS.
- If Tenable.io WAS is not activated, you will see an "Activate" button. Click it to enable the integration.
The scan method badge on the Tenable.io WAS card shows KDT, which means scans are triggered through the Kondukto CLI tool (KDT).
Step 4: Configure Connection Settings
Click on the gear icon on the Tenable.io WAS card to open the configuration panel. Fill in the required fields:
- User Key: Enter the Tenable.io API access key generated above.
- Secret Key: Paste your Tenable.io API secret key.
- URL: Enter your Tenable.io API URL.
- Insecure: Enable this checkbox only if your Tenable.io instance uses a self-signed SSL certificate; it disables certificate verification for the connection, so leave it off for cloud.tenable.com.

Step 5: Test the Connection
Click Test Connection. A green Connection successful message confirms the API keys are valid.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the DAST/API tab |
| 3 | Activate Tenable.io WAS |
| 4 | Enter Access Key and Secret Key |
| 5 | Test the connection |
Create a Scan
Navigate to Project Scanners
- Open a project in Invicti AppSec.
- Go to Settings > Scanners.
- Click Add Scanner.
Add Tenable.io WAS Scanner
- Select DAST/API as the scanner type.
- Choose Tenable.io WAS from the scanner list.
- Click Add to open the scan configuration drawer.
Scan Configuration Fields
| Field | Description | Required |
|---|---|---|
| Environment | Select the environment for the scan | No |
| Bind To | Tenable.io WAS scan to bind to | Yes |
| Branch | Source code branch associated with this scan | No |
| Meta Data | Additional metadata for the scan | No |
| Scan Tag | Tag to identify the scan | No |

Scheduler
Enable the Scheduler toggle to run scans on a recurring schedule.
Webhook (Optional)
Add a webhook URL to receive scan completion notifications.
KDT Command
```shell
kdt scan -p <project_name> -t tenableiowas -b <branch_name>
```
Troubleshooting
Connection Fails
| Issue | Resolution |
|---|---|
| Invalid API keys | Regenerate the API keys from your Tenable.io account settings |
| WAS module not licensed | Ensure your Tenable.io subscription includes Web Application Scanning |
| Key permissions | The API keys must belong to an account with WAS scanning permissions |
| Network access | Ensure outbound access to cloud.tenable.com on port 443 is allowed |
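As an added example (not code from Invicti, Kondukto or Tenable), this Python script reproduces the Step 5 connection test outside the UI and maps failures onto the table above, so a key pair can be checked before it is pasted into the integration. It assumes the base URL https://cloud.tenable.com, the Tenable.io X-ApiKeys header format and GET /session as the authenticated call.

```python
"""Pre-flight check of the Tenable.io API keys behind the Invicti AppSec integration.
Added example. Assumes https://cloud.tenable.com as the URL from Step 4 and GET /session
as a cheap authenticated call to confirm the key pair works.
"""
import json
import ssl
import urllib.error
import urllib.request

TENABLE_URL = "https://cloud.tenable.com"


def build_headers(access_key: str, secret_key: str) -> dict:
    """Tenable.io authenticates with one X-ApiKeys header that carries both keys."""
    if not access_key or not secret_key:
        raise ValueError("both the access key and the secret key are required")
    return {"X-ApiKeys": f"accessKey={access_key}; secretKey={secret_key}",
            "Accept": "application/json"}


def classify_status(status: int) -> str:
    """Map the HTTP status of the test call onto the 'Connection Fails' table above."""
    if status == 200:
        return "ok"
    if status == 401:
        return "invalid API keys: regenerate them in Tenable.io and update the integration"
    if status == 403:
        return "key permissions: the account behind the keys lacks the needed permissions"
    return f"unexpected HTTP status {status}"


def check_connection(access_key: str, secret_key: str,
                     base_url: str = TENABLE_URL, insecure: bool = False) -> str:
    """Same check as 'Test Connection' in Step 5; returns a one-line diagnosis."""
    url = f"{base_url.rstrip('/')}/session"
    req = urllib.request.Request(url, headers=build_headers(access_key, secret_key))
    ctx = ssl.create_default_context()
    if insecure:  # mirrors the Insecure checkbox: certificate verification is skipped
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=15, context=ctx) as resp:
            return f"ok: authenticated as {json.load(resp).get('username', '<unknown>')}"
    except urllib.error.HTTPError as exc:
        return classify_status(exc.code)
    except urllib.error.URLError as exc:
        return f"network access: cannot reach {base_url} on port 443 ({exc.reason})"
```

Call `check_connection(access_key, secret_key)` with keys read from a secrets store or environment variables rather than hard-coding them; a "network access" result points at the outbound rule in the table above rather than at the keys.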
Scan Issues
| Issue | Resolution |
|---|---|
| No scan templates available | Verify the Tenable.io account has WAS templates configured |
| Scan not starting | Check the Tenable.io WAS scanner status and available scan slots |
| Empty results | Confirm the scan completed in the Tenable.io WAS dashboard |
| Target not reachable | Ensure the target URL is accessible from Tenable.io's scanning infrastructure |
Best Practices
- Use a dedicated service account with API access limited to Web Application Scanning.
- Store API keys securely; treat them as passwords.
- Rotate API keys periodically and update the integration immediately.
- Ensure target web applications are reachable from Tenable.io's cloud scanning infrastructure.
- Use scan templates that match the application type (web, API, authenticated).
Limitations
- Tenable.io WAS requires the target application to be accessible from Tenable.io's cloud infrastructure or via a scanner agent for internal applications.
- The Web Application Scanning module must be separately licensed within Tenable.io.
- API key rotation invalidates existing keys immediately; update the integration promptly.
- Concurrent scan capacity is governed by your Tenable.io subscription tier.
Need help?
The Invicti Support team is ready to provide technical help. Go to the Help Center.