Tenable Web App Scanning is a cloud-based dynamic application security testing (DAST) solution that combines web application vulnerability scanning with comprehensive API security testing.
Built on Nessus technology and integrated with Tenable’s attack surface management capabilities, the platform provides unified visibility into web application security risks.
What is Tenable Web App Scanning?
Tenable Web App Scanning delivers automated security testing for web applications and APIs without requiring source code access.
The platform scans running applications to identify vulnerabilities that could be exploited by attackers, covering traditional web application flaws as well as modern API security concerns.
The scanner supports REST, GraphQL, and SOAP APIs alongside traditional web applications, making it suitable for organizations with diverse application architectures.
Integration with Tenable’s broader vulnerability management platform enables security teams to correlate web application vulnerabilities with infrastructure risks for comprehensive security visibility.
Key Features
API Security Testing
Tenable Web App Scanning provides extensive API testing capabilities:
- REST API Scanning: Automated discovery and testing of RESTful endpoints
- GraphQL Support: Query analysis and mutation testing for GraphQL APIs
- SOAP Web Services: WSDL-based testing for legacy SOAP services
- OpenAPI Import: Import OpenAPI/Swagger specifications to guide API testing
- Authentication Testing: OAuth 2.0, API keys, JWT, and custom authentication methods
Attack Surface Management Integration
The platform integrates with Tenable Attack Surface Management (ASM) to provide:
- Automatic discovery of web applications and APIs across your digital footprint
- Continuous monitoring for new or changed applications
- Risk prioritization based on internet exposure
- Shadow IT detection for web properties
Flexible Scan Controls
Tenable provides granular control over scanning operations:
- Pause/Resume: Stop scans during maintenance windows and resume later
- Rate Limiting: Configure request rates to avoid impacting production systems
- Scheduling: Set up recurring scans on custom schedules
- Scope Control: Define included and excluded URL patterns
Nessus-Powered Engine
Built on Tenable’s proven Nessus scanning technology, the platform delivers:
- Comprehensive vulnerability detection across OWASP Top 10 categories
- Regular vulnerability check updates from Tenable’s research team
- Low false positive rates through verification techniques
- Detailed remediation guidance for discovered issues
Getting Started
Tenable Web App Scanning is a cloud-native service accessed through the Tenable platform.
Initial Setup
- Log in to your Tenable.io account
- Navigate to Web App Scanning section
- Add your first application target
- Configure authentication if needed
- Run your initial scan
CLI Usage with Tenable API
# Set up API credentials
export TENABLE_ACCESS_KEY="your-access-key"
export TENABLE_SECRET_KEY="your-secret-key"
# Create a new web application scan
curl -X POST "https://cloud.tenable.com/was/v2/scans" \
-H "X-ApiKeys: accessKey=$TENABLE_ACCESS_KEY;secretKey=$TENABLE_SECRET_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "Production App Scan",
"targets": ["https://app.example.com"],
"schedule": {
"enabled": true,
"type": "weekly"
}
}'
# Launch a scan
curl -X POST "https://cloud.tenable.com/was/v2/scans/{scan_id}/launch" \
-H "X-ApiKeys: accessKey=$TENABLE_ACCESS_KEY;secretKey=$TENABLE_SECRET_KEY"
# Get scan results
curl -X GET "https://cloud.tenable.com/was/v2/scans/{scan_id}/report" \
-H "X-ApiKeys: accessKey=$TENABLE_ACCESS_KEY;secretKey=$TENABLE_SECRET_KEY"
Python SDK Example
from tenable.io import TenableIO
# Initialize the client
tio = TenableIO(
access_key='your-access-key',
secret_key='your-secret-key'
)
# Create a web application scan
scan = tio.was.scans.create(
name='Production Web App Scan',
targets=['https://app.example.com'],
schedule={
'enabled': True,
'type': 'weekly',
'start_time': '2026-02-10T02:00:00Z'
}
)
# Launch the scan
tio.was.scans.launch(scan['scan_id'])
# Get scan status
status = tio.was.scans.status(scan['scan_id'])
print(f"Scan status: {status['status']}")
CI/CD Integration
GitHub Actions
name: Tenable Web App Security Scan
on:
push:
branches: [main]
schedule:
- cron: '0 2 * * 0' # Weekly Sunday 2 AM
jobs:
dast-scan:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Deploy to Staging
run: |
# Deploy your application to staging
echo "Deploying..."
- name: Wait for Deployment
run: sleep 60
- name: Trigger Tenable WAS Scan
env:
TENABLE_ACCESS_KEY: ${{ secrets.TENABLE_ACCESS_KEY }}
TENABLE_SECRET_KEY: ${{ secrets.TENABLE_SECRET_KEY }}
run: |
# Launch scan
RESPONSE=$(curl -s -X POST \
"https://cloud.tenable.com/was/v2/scans/${{ vars.SCAN_ID }}/launch" \
-H "X-ApiKeys: accessKey=$TENABLE_ACCESS_KEY;secretKey=$TENABLE_SECRET_KEY")
SCAN_RUN_ID=$(echo $RESPONSE | jq -r '.scan_run_id')
echo "scan_run_id=$SCAN_RUN_ID" >> $GITHUB_OUTPUT
- name: Wait for Scan Completion
env:
TENABLE_ACCESS_KEY: ${{ secrets.TENABLE_ACCESS_KEY }}
TENABLE_SECRET_KEY: ${{ secrets.TENABLE_SECRET_KEY }}
run: |
while true; do
STATUS=$(curl -s \
"https://cloud.tenable.com/was/v2/scans/${{ vars.SCAN_ID }}/status" \
-H "X-ApiKeys: accessKey=$TENABLE_ACCESS_KEY;secretKey=$TENABLE_SECRET_KEY" \
| jq -r '.status')
if [ "$STATUS" = "completed" ]; then
echo "Scan completed"
break
elif [ "$STATUS" = "failed" ]; then
echo "Scan failed"
exit 1
fi
echo "Scan status: $STATUS"
sleep 60
done
- name: Download Results
env:
TENABLE_ACCESS_KEY: ${{ secrets.TENABLE_ACCESS_KEY }}
TENABLE_SECRET_KEY: ${{ secrets.TENABLE_SECRET_KEY }}
run: |
curl -s \
"https://cloud.tenable.com/was/v2/scans/${{ vars.SCAN_ID }}/report?format=json" \
-H "X-ApiKeys: accessKey=$TENABLE_ACCESS_KEY;secretKey=$TENABLE_SECRET_KEY" \
-o tenable-was-results.json
- name: Upload Results
uses: actions/upload-artifact@v4
with:
name: tenable-was-report
path: tenable-was-results.json
GitLab CI
tenable-was-scan:
stage: security
image: python:3.11-slim
variables:
TENABLE_ACCESS_KEY: $TENABLE_ACCESS_KEY
TENABLE_SECRET_KEY: $TENABLE_SECRET_KEY
before_script:
- pip install pytenable
script:
- |
python << 'EOF'
from tenable.io import TenableIO
import os
import time
import json
tio = TenableIO(
access_key=os.environ['TENABLE_ACCESS_KEY'],
secret_key=os.environ['TENABLE_SECRET_KEY']
)
# Launch scan
scan_id = os.environ.get('SCAN_ID')
tio.was.scans.launch(scan_id)
# Wait for completion
while True:
status = tio.was.scans.status(scan_id)
if status['status'] == 'completed':
break
elif status['status'] == 'failed':
raise Exception('Scan failed')
time.sleep(60)
# Get results
results = tio.was.scans.results(scan_id)
with open('gl-dast-report.json', 'w') as f:
json.dump(results, f)
EOF
artifacts:
reports:
dast: gl-dast-report.json
rules:
- if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
Jenkins Pipeline
pipeline {
agent any
environment {
TENABLE_ACCESS_KEY = credentials('tenable-access-key')
TENABLE_SECRET_KEY = credentials('tenable-secret-key')
SCAN_ID = 'your-scan-id'
}
stages {
stage('Deploy to Staging') {
steps {
sh 'echo "Deploying application..."'
}
}
stage('DAST Scan') {
steps {
script {
// Launch Tenable WAS scan
sh '''
curl -X POST \
"https://cloud.tenable.com/was/v2/scans/${SCAN_ID}/launch" \
-H "X-ApiKeys: accessKey=${TENABLE_ACCESS_KEY};secretKey=${TENABLE_SECRET_KEY}"
'''
// Wait and poll for completion
def completed = false
while (!completed) {
def status = sh(
script: '''
curl -s \
"https://cloud.tenable.com/was/v2/scans/${SCAN_ID}/status" \
-H "X-ApiKeys: accessKey=${TENABLE_ACCESS_KEY};secretKey=${TENABLE_SECRET_KEY}" \
| jq -r '.status'
''',
returnStdout: true
).trim()
if (status == 'completed') {
completed = true
} else if (status == 'failed') {
error 'Tenable WAS scan failed'
}
sleep 60
}
}
}
}
}
post {
always {
sh '''
curl -s \
"https://cloud.tenable.com/was/v2/scans/${SCAN_ID}/report?format=html" \
-H "X-ApiKeys: accessKey=${TENABLE_ACCESS_KEY};secretKey=${TENABLE_SECRET_KEY}" \
-o tenable-was-report.html
'''
archiveArtifacts artifacts: 'tenable-was-report.html'
}
}
}
When to Use Tenable Web App Scanning
Tenable Web App Scanning is well-suited for:
- Existing Tenable customers: Organizations using Tenable.io for vulnerability management benefit from unified dashboards and correlated risk visibility
- API-heavy architectures: Strong support for REST, GraphQL, and SOAP APIs makes it suitable for microservices environments
- Attack surface management needs: Integration with Tenable ASM helps discover and secure shadow IT web properties
- Cloud-native organizations: The SaaS delivery model requires no infrastructure management
Consider alternatives if you need:
- On-premises deployment: Tenable WAS is cloud-only; consider other options for air-gapped environments
- Open-source solution: OWASP ZAP provides free DAST capabilities
- Lower cost entry point: Per-FQDN pricing may be expensive for organizations with many small applications
Platform Integration
Tenable Web App Scanning integrates with the broader Tenable ecosystem:
- Tenable.io Vulnerability Management: Correlate web app vulnerabilities with infrastructure risks
- Tenable Attack Surface Management: Discover unknown web applications in your digital footprint
- Tenable.sc (SecurityCenter): On-premises integration for hybrid environments
- Tenable One Exposure Management: Unified cyber exposure visibility
The platform also exports findings to common formats and integrates with:
- SIEM solutions (Splunk, QRadar, etc.)
- Ticketing systems (Jira, ServiceNow)
- GRC platforms (Archer, etc.)