Package: Invicti AppSec Enterprise (on-premise, on-demand)
Tenable.sc
Tenable.sc (formerly SecurityCenter) is an on-premises vulnerability management platform. In Invicti AppSec, the integration connects to your self-hosted Tenable.sc instance to import vulnerability scan results into your projects.
Prerequisites
| Field | Description |
|---|---|
| Access Key | Tenable.sc API access key |
| Secret Key | Tenable.sc API secret key paired with the Access Key |
| URL | the base URL of your Tenable.sc instance (e.g., https://tenablesc.example.com) |
Get API keys (on Tenable.sc side)
- Log in to the Tenable.sc web interface.
- Navigate to System > Users.
- Select the user account you want to use for the integration.
- Under the API Keys section, click Generate.
- Copy the Access Key and Secret Key immediately — the secret key is shown only once.
Refer to the Token Instructions link displayed in the Invicti AppSec settings panel for additional guidance on generating Tenable.sc API credentials.
Step 1: Navigate to Integrations
From the left sidebar menu, click Integrations.

Step 2: Select the Infra tab
On the Integrations > Scanners page, click the Infra tab.

Step 3: Find and activate Tenable.sc
Scroll through the list of Infra scanners to find Tenable.sc.
- If Tenable.sc is not activated, click Activate to enable the integration.
Step 4: Configure connection settings
Click the gear icon on the Tenable.sc card to open the settings panel. Fill in the required fields:
| Field | Description | Required |
|---|---|---|
| Instance | select Default or a previously saved instance; choose "Add New Instance" to configure a new Tenable.sc server | No |
| Instance Name | a label for this instance (shown when adding a new instance) | Yes (if new instance) |
| Access Key | Tenable.sc API Access Key | Yes |
| Secret Key | Tenable.sc API Secret Key | Yes |
| URL | base URL of your Tenable.sc instance | Yes |
| Insecure | skip TLS certificate verification (use only for self-signed certificates) | No |

Step 5: Test the connection
Click Test Connection. A green Connection successful message confirms that Invicti AppSec can authenticate with the Tenable.sc API.
Summary
| Step | Action |
|---|---|
| 1 | Navigate to Integrations from the sidebar |
| 2 | Select the Infra tab |
| 3 | Activate Tenable.sc |
| 4 | Enter Access Key, Secret Key, and URL |
| 5 | Test the connection |
Create a scan
Navigate to project scanners
- Open a project in Invicti AppSec.
- Go to Settings > Scanners.
- Click Add Scanner.
Add Tenable.sc scanner
- Select Infra as the scanner type.
- Choose Tenable.sc from the scanner list.
- Click Add to open the scan configuration drawer.
Scan configuration fields
| Field | Description | Required |
|---|---|---|
| Profile Name | a name to identify this scan configuration | Yes |
| Instance | select Default or a specific named Tenable.sc instance | No |
| Bind to | select the Tenable.sc scan to bind to | Yes |
| Meta Data | additional metadata to tag the scan | Yes |
| Scan Tag | free-text tag to identify or group scans | No |
| Start Scan | toggle to trigger the Tenable.sc scan on the next run | No |

Scheduler
Enable the Scheduler toggle to automatically run Tenable.sc scans on a recurring schedule.
Webhook (optional)
Add a webhook URL to receive scan completion notifications.
KDT command
kdt scan -p <project_name> -t tenablesc -b -
Troubleshooting
Connection fails
| Issue | Resolution |
|---|---|
| Invalid Access Key or Secret Key | verify the API keys in the Tenable.sc console under System > Users. Regenerate if needed. |
| URL unreachable | confirm the Tenable.sc instance URL is reachable from the Invicti AppSec server. Check firewall rules. |
| TLS certificate error | if using a self-signed certificate, enable the Insecure option in the connection settings. |
| Secret not available | the secret key is shown only at creation — generate a new key pair if the original wasn't saved. |
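As an added example (not part of the Invicti or Tenable documentation), the following Python pre-flight check can be run from the Invicti AppSec server to tell the rows of the table above apart before changing any settings. The `x-apikey` header format and the `/rest/currentUser` endpoint come from the Tenable.sc REST API rather than from this page; the 401/403 mapping, the function names and the `TSC_*` environment variables are assumptions.

```python
import os
import ssl
import urllib.error
import urllib.request


def build_request(base_url, access_key, secret_key):
    """Build an authenticated GET for the Tenable.sc current-user endpoint."""
    url = base_url.rstrip("/") + "/rest/currentUser"  # endpoint not named on the page
    # API-key header format used by Tenable.sc (not shown on the page).
    header = f"accesskey={access_key}; secretkey={secret_key};"
    return urllib.request.Request(url, headers={"x-apikey": header})


def classify(outcome):
    """Map an HTTP status or an exception to a row of the 'Connection fails' table."""
    if isinstance(outcome, int):
        if outcome == 200:
            return "ok"
        if outcome in (401, 403):  # assumed statuses for rejected keys
            return "Invalid Access Key or Secret Key"
        return f"unexpected HTTP {outcome}"
    # URLError wraps the underlying cause in .reason
    reason = outcome.reason if isinstance(outcome, urllib.error.URLError) else outcome
    if isinstance(reason, ssl.SSLError):
        return "TLS certificate error"
    return "URL unreachable"


def preflight(base_url, access_key, secret_key, ca_bundle=None, timeout=10):
    """Run the check with certificate verification always enabled.
    ca_bundle: optional PEM file of the private CA that signed the server certificate."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    req = build_request(base_url, access_key, secret_key)
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as exc:  # must precede URLError (subclass)
        return classify(exc.code)
    except (urllib.error.URLError, OSError) as exc:
        return classify(exc)


if __name__ == "__main__":
    # Keys are read from the environment so they stay out of shell history.
    print(preflight(os.environ["TSC_URL"], os.environ["TSC_ACCESS_KEY"],
                    os.environ["TSC_SECRET_KEY"], os.environ.get("TSC_CA_BUNDLE")))
```

Passing a CA bundle keeps certificate verification on for an internally signed certificate, so the result shows whether the Insecure option is needed at all.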
Scan issues
| Issue | Resolution |
|---|---|
| No scans available in Bind to dropdown | ensure at least one scan repository exists in Tenable.sc and the API key has access to it. |
| Scan shows no findings | the selected Tenable.sc scan may have no active vulnerabilities. Check the Tenable.sc console. |
| Instance not connecting | verify the URL and credentials for the specific instance match what is configured in Tenable.sc. |
Best practices
- Use a dedicated API key for Invicti AppSec with the minimum required permissions rather than reusing credentials shared with other tools.
- Use named instances to manage multiple Tenable.sc servers (e.g., separate instances for different network zones).
- Rotate API keys periodically and update the integration settings in Invicti AppSec accordingly.
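- Enable Insecure only in isolated, trusted environments: with certificate verification skipped, the identity of the Tenable.sc server is not checked before the Access Key and Secret Key are sent to it. For production deployments, use a valid TLS certificate.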
Limitations
- Tenable.sc in Invicti AppSec operates on-premises and requires network connectivity from the Invicti AppSec server to the Tenable.sc host.
- Only scans accessible via the provided API key are available for selection.
- Tenable.sc is an on-premises platform — cloud-only Tenable features aren't available through this integration.