To use the Tenable Vulnerability Management plugin, you must generate API access and secret keys from your Tenable account.

To generate secret keys

  1. Navigate to your Tenable.io instance, typically https://cloud.tenable.com.
  2. Log in with your Tenable credentials.
  3. Click on your username in the top-right corner.
  4. Select My Account from the dropdown menu.
  5. Navigate to the API Keys tab.
  6. Click Generate to create new API keys.
  7. Immediately copy both the Access Key and Secret Key values.
  8. Store these keys securely. 

    The secret keys will not be displayed again.

  9. Optionally, name the keys – for example: "Certificate Discovery Plugin".
  10. Grant the following permissions and roles to your account.

Required Tenable.io permissions

Grant the following permissions to the credential.

| Permission | Description |
| --- | --- |
| View Scan Results | Required to access vulnerability scan data containing certificate information. Without this permission, the plugin cannot retrieve vulnerability details and will fail to function. |
| View Assets | Required to export asset inventory and validate which assets are current. Without this permission, the plugin cannot perform asset validation or incremental scanning. |
| Use Exports API | Required to export large datasets of vulnerabilities and assets. The plugin uses the Export APIs (/vulns/export and /assets/v2/export), which require this permission. Without this, the plugin cannot bulk-export vulnerability and asset data. |

Role-based access

Tenable uses role-based access control. The following built-in roles have sufficient permissions.

| Role | Description |
| --- | --- |
| Administrator | Full access (includes all required permissions) |
| Scan Manager | Can view scan results and assets |
| Scan Operator | Can view scan results and assets |
| Standard (with appropriate permissions) | May work when granting the View Scan Results and View Assets permissions. |

Custom roles

If using custom roles, ensure the role includes:

  • Can View Scan Results
  • Can View Assets
  • Can Use Exports API
  • Can Access API (basic API access)
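
A preflight check for the keys and permissions described above, as an added example that is not part of the original page or the plugin's code. It assumes Tenable's `X-ApiKeys` request header and that the API answers 401 for rejected keys and 403 for a missing permission; the environment variable names, the request bodies and the permission hints attached to each endpoint are assumptions made for illustration.

```python
import json
import os
import urllib.error
import urllib.request

BASE_URL = "https://cloud.tenable.com"  # instance URL from step 1
# Export endpoint -> (permissions a 403 points to, assumed minimal request body).
PROBES = {
    "/vulns/export": ("Use Exports API, View Scan Results", {"num_assets": 50}),
    "/assets/v2/export": ("Use Exports API, View Assets", {"chunk_size": 100}),
}

def api_headers(access_key, secret_key):
    """Build the X-ApiKeys header; reject keys damaged while copying."""
    for name, value in (("access", access_key), ("secret", secret_key)):
        if not value or value != value.strip():
            raise ValueError(f"{name} key is empty or has stray whitespace")
    return {
        "X-ApiKeys": f"accessKey={access_key}; secretKey={secret_key}",
        "Content-Type": "application/json",
    }

def http_post(url, headers, body):
    """Default transport: POST JSON and return only the HTTP status code."""
    req = urllib.request.Request(url, json.dumps(body).encode(), headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def preflight(access_key, secret_key, post=http_post):
    """Return {endpoint: finding}; an empty dict means every probe was accepted."""
    headers = api_headers(access_key, secret_key)
    findings = {}
    for path, (permissions, body) in PROBES.items():
        status = post(BASE_URL + path, headers, body)
        if status == 401:
            findings[path] = "keys rejected (401): re-copy or regenerate them"
        elif status == 403:
            findings[path] = f"forbidden (403): check {permissions}"
        elif status >= 400:
            findings[path] = f"unexpected HTTP {status}"
    return findings

if __name__ == "__main__":
    # Keys are read from the environment (hypothetical variable names), not from source.
    print(preflight(os.environ["TENABLE_ACCESS_KEY"], os.environ["TENABLE_SECRET_KEY"]))
```

An accepted probe starts a real export job on the tenant, so run the check once after generating the keys rather than on a schedule.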