Manage Credentials

In Tenable Vulnerability Management, you can use credentials to grant a scanner local access to scan a target system without requiring an agent. Configuring credentialed scans allows Vulnerability Management to perform a wider variety of checks than non-credentialed scans, which can result in more accurate scan results. This facilitates scanning of a very large network to determine local exposures or compliance violations.

Credentialed scans can perform any operation that a local user can perform. The level of scanning depends on the privileges granted to the user account. The more privileges the scanner has via the login account (for example, root or administrator access), the more thorough the scan results.

In Vulnerability Management, you can create credentials for use in scans in the following ways:

Category: Scan-specific
Description:
  • You configure and store these credentials in an individual scan.
  • If you delete the scan, you also delete the credentials.
  • If you want to use the credentials in a different scan, you must either convert the scan-specific credential to a managed credential or recreate the scan-specific credential settings in the other scan.
Parameter: credentials object in the scan

Category: Policy-specific
Description:
  • You configure and store these credentials in a scan policy. You can then use the policy to create individual scans.
  • If you add credentials to a policy, users cannot add scan-specific credentials to scans created from the policy. Tenable recommends adding managed credentials to scans, instead of adding credentials to policies.
  • If you delete the policy, you also delete the policy-specific credentials. However, Vulnerability Management retains the credentials in any scans you used the policy to create before deletion.
  • If you want to use the credentials in a different policy, you must recreate the policy-specific credentials in the other policy.
Parameter: credentials object in the policy

Category: Managed
Description:
  • You configure and store managed credentials centrally in the credential manager.
  • You can use managed credentials in multiple scans. You can also grant other users permissions to use managed credentials in scans.
  • You cannot use managed credentials in policies.
  • In the Vulnerability Management user interface, you can convert a scan-specific credential to a managed credential during scan configuration.
Parameter: POST /credentials endpoint

The settings you configure for a credential vary based on the credential type. Credential types include:

  • Cloud Services
  • Database
  • Host
  • Miscellaneous
  • Mobile Device Management
  • Patch Management
  • Plaintext authentication

For more information, see: