
Tenable Web Application Scanning
Application Security- Overview
- Setup
- Data & mappings
- Operations & API
- Changelog
The Tenable Web App Scanning connector integrates with Tenable.io WAS to synchronize web application assets (sites), dynamic code finding definitions (plugin-based vulnerability metadata), and dynamic code findings (individual vulnerability instances) into the Brinqa platform. It uses the v2 Asset Export API for site discovery and the WAS-specific vulnerability export API for findings.
Data retrieved from Tenable Web App Scanning
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Site | Yes | Site |
| DynamicCodeFindingDefinition | Yes | Dynamic Code Finding Definition |
| DynamicCodeFinding | Yes | Dynamic Code Finding |
Model relationships
For detailed steps on how to view the data retrieved from Tenable Web App Scanning in the Brinqa Platform, see How to view your data.
Connection settings
When setting up a data integration, select Tenable Web App Scanning from the Connector dropdown and provide the following:
| Setting | Required | Default | Description |
|---|---|---|---|
| API URL | No | https://cloud.tenable.com | Tenable Web App Scanning API URL, defaults to https://cloud.tenable.com |
| Access Key | Yes | Default - (user input, Required) | Tenable Web App Scanning API account access key |
| Secret Key | Yes | Default - (user input, Required) | Tenable Web App Scanning API account secret key |
| Page size | No | 100 | Maximum number of records to get per API request |
| Parallel requests | No | 3 | Maximum number of parallel API requests |
| Maximum retries | No | 5 | The maximum number of retry attempts before giving up a request |
| Custom properties | No | Default - (user input) | Comma delimited list of case-insensitive custom property names to be promoted to Tenable IO Asset models |
Authentication
Method
API Key authentication using an Access Key and Secret Key pair.
Endpoint
| Method | URL |
|---|---|
GET / POST | https://cloud.tenable.com/* |
Request Headers
| Header | Value |
|---|---|
X-ApiKeys | accessKey={accessKey};secretKey={secretKey} |
Usage
All API requests include the API key pair in the X-ApiKeys header. No separate token exchange is required.
How to obtain Tenable Web App Scanning credentials
Generate Tenable access key and secret key
For the Tenable WAS connector to use the Tenable WAS API, you must provide the access key and secret key from Tenable. The Tenable WAS connector uses the same access key and secret key as the Tenable Vulnerability Management connector for authentication. If you are using both the Tenable Vulnerability Management and the Tenable WAS connector and you generate new API keys for the Tenable Vulnerability Management integration, you must update your Tenable WAS integration with the same keys.
In order for the Tenable WAS connector to successfully retrieve data from the Tenable WAS API, the access key and secret key must be tied to a Basic user role with Can View permissions. For additional information, see Tenable documentation on permissions.
Tenable does not allow retrieving the access key and secret key for an existing user, therefore, you must generate new keys instead. To generate a new access key and secret key for your own Tenable account, follow these steps:
-
Log in to your Tenable account.
-
Click the Menu button on the upper-left corner of the page. A navigation pane appears.
-
Click Settings, and then click My Account.
-
Click the User Account button on the upper-right corner of the page, and then click the API Keys tab.
-
Click Generate. The Generate API Keys window appears.
-
Review the warning on the page and click Generate.
Your new Tenable access key and secret key display. Copy the access key and secret key to a safe and secure location.
To generate a new access key and secret key for another user as an administrator, follow these steps:
-
Log in to your Tenable account as an administrator.
-
Click the Menu button on the upper-left corner of the page. A navigation pane appears.
-
Click Settings, and then click Access Control.
-
Click the name of the user for which you want to generate an access key and secret key. The Edit User page appears.
-
In the API Keys section, click Generate API Keys.
-
Review the warning on the page and click Replace & Generate.
The new Tenable access key and secret key display. Copy the access key and secret key to a safe and secure location.
Note: If you do not have permissions to create Tenable access and secret keys, contact your Tenable administrator. For additional information, see Tenable documentation on API keys.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes:
Site
| Source Field Name | SDM Attribute |
|---|---|
asset.agent_names | AGENT_NAMES |
asset.agent_uuid | TENABLE_UUID |
asset.cloud.aws.* | AWS_* |
asset.cloud.aws.ec2_instance_id / azure.vm_id / gcp.instance_id | INSTANCE_ID |
asset.cloud.aws.ec2_name / hostnames / fqdns / ipv4s | NAME |
asset.cloud.azure.* | AZURE_* |
asset.cloud.gcp.* | GCP_* |
asset.custom_attributes[].value | CUSTOM_{name} |
asset.deleted_by | DELETED_BY |
asset.has_agent | HAS_AGENT |
asset.has_plugin_results | HAS_PLUGIN_RESULTS |
asset.id | UID |
asset.installed_software | INSTALLED_SOFTWARE |
asset.is_licensed | IS_LICENSED |
asset.is_public | IS_PUBLIC |
asset.manufacturer_tpm_ids | MANUFACTURER_TPM_IDS |
asset.mcafee_epo_agent_guid | MCAFEE_EPO_AGENT_GUID |
asset.mcafee_epo_guid | MCAFEE_EPO_GUID |
asset.network.bios_uuid | BIOS_UUID |
asset.network.fqdns | DNS_NAMES |
asset.network.fqdns | PRIVATE_DNS_NAME |
asset.network.fqdns | PUBLIC_DNS_NAME |
asset.network.hostnames + netbios_names + fqdns | HOSTNAME |
asset.network.hostnames + netbios_names + fqdns | HOSTNAMES |
asset.network.ipv4s | PRIVATE_IP_ADDRESSES |
asset.network.ipv4s | PUBLIC_IP_ADDRESSES |
asset.network.ipv4s | PUBLIC_IP_ADDRESS |
asset.network.ipv4s + ipv6s | IP_ADDRESSES |
asset.network.mac_addresses | MAC_ADDRESSES |
asset.network.network_id | NETWORK_ID |
asset.network.network_name | NETWORK_NAME |
asset.network.ssh_fingerprints | SSH_FINGERPRINTS |
asset.network_device_serial_identifier | NETWORK_DEVICE_SERIAL_IDENTIFIER |
asset.open_ports | OPEN_PORTS |
asset.operating_systems | OPERATING_SYSTEM |
asset.operating_systems | OPERATING_SYSTEMS |
asset.ratings.acr.score | ACR_SCORE |
asset.ratings.aes.score | AES_SCORE |
asset.resource_tags | RESOURCE_TAGS |
asset.scan.first_scan_time | FIRST_SCANNED |
asset.scan.last_authenticated_scan_date | LAST_AUTHENTICATED_SCAN |
asset.scan.last_authentication_attempt_date | LAST_AUTHENTICATION_ATTEMPT_DATE |
asset.scan.last_authentication_scan_status | LAST_AUTHENTICATION_SCAN_STATUS |
asset.scan.last_authentication_success_date | LAST_AUTHENTICATION_SUCCESS_DATE |
asset.scan.last_licensed_scan_date | LAST_LICENSED_SCAN |
asset.scan.last_scan_id | LAST_SCAN_UUID |
asset.scan.last_scan_target | LAST_SCAN_TARGET |
asset.scan.last_scan_time | LAST_SCANNED |
asset.scan.last_schedule_id | LAST_SCAN_SCHEDULE_UUID |
asset.sources[].name | SOURCES |
asset.system_types + constants | CATEGORIES |
asset.tags | TAGS |
asset.tenable_agent_days_since_active | TENABLE_AGENT_DAYS_SINCE_ACTIVE |
asset.terminated_by | TERMINATED_BY |
asset.third_party_ids.servicenow_sysid | SERVICE_NOW_ID |
asset.timestamps.created_at | SOURCE_CREATED_DATE |
asset.timestamps.deleted_at | DELETED_AT |
asset.timestamps.first_seen | FIRST_SEEN |
asset.timestamps.last_seen | LAST_SEEN |
asset.timestamps.terminated_at | TERMINATED_AT |
asset.timestamps.terminated_at / deleted_at / aws.ec2_instance_state_name | STATUS |
asset.timestamps.updated_at | SOURCE_LAST_MODIFIED |
asset.types | ASSET_TYPES |
| Generated | DESCRIPTION |
Instant.now() | LAST_CAPTURED |
lastScan.name | LAST_SCAN_NAME |
DynamicCodeFindingDefinition
| Source Field Name | SDM Attribute |
|---|---|
Instant.now() | LAST_CAPTURED |
PID-{plugin.id} | UID |
plugin.cpe | AFFECTED |
plugin.cves | CVE_IDS / CVE_RECORDS |
plugin.cvss3_base_score | CVSS_V3_BASE_SCORE |
plugin.cvss3_vector | CVSS_V3_VECTOR |
plugin.cvss_base_score | CVSS_V2_BASE_SCORE |
plugin.cvss_vector | CVSS_V2_VECTOR |
plugin.cwe | CWE_IDS / WEAKNESSES |
plugin.description | DESCRIPTION |
plugin.exploit_available | EXPLOIT_AVAILABLE |
plugin.family | CATEGORIES |
plugin.name | NAME |
plugin.patch_published | PATCH_AVAILABLE |
plugin.patch_published | PATCH_PUBLISHED |
plugin.plugin_modified | SOURCE_LAST_MODIFIED |
plugin.plugin_published | PUBLISHED_DATE |
plugin.policy | POLICY |
plugin.risk_factor | SEVERITY |
plugin.risk_factor | SOURCE_SEVERITY |
plugin.risk_factor | SEVERITY_SCORE |
plugin.see_also | REFERENCES |
plugin.solution | RECOMMENDATION |
plugin.synopsis | SUMMARY |
plugin.vuln_published | VULN_PUBLISHED |
plugin.wasc + plugin.owasp | TAGS |
DynamicCodeFinding
| Source Field Name | SDM Attribute |
|---|---|
Instant.now() | LAST_CAPTURED |
vuln.asset.uuid | TARGETS |
vuln.finding_id | UID |
vuln.finding_id | NAME |
vuln.first_found | FIRST_FOUND |
vuln.last_fixed | LAST_FIXED |
vuln.last_found | LAST_FOUND |
vuln.output | RESULTS |
vuln.plugin.id | TYPE |
vuln.scan.uuid | SCAN_ID |
vuln.state | STATUS |
vuln.state | SOURCE_STATUS |
vuln.state | STATUS_CATEGORY |
vuln.url | URL |
Operations & API
Expand each connector object to see its operation options, delta-sync behavior, and the API it uses. See connector operation options for how to apply operation options (keys and values are case-sensitive).
Site
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint (v2 asset export)
- Default filters:
sources=WAS,types=webapp
DynamicCodeFindingDefinition
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint (JSON)
DynamicCodeFinding
Operation options
This object does not support any operation options.
Delta sync
The connector README does not document sync behavior for this object.
API
- Type: REST endpoint (WAS vulnerability export)
Changelog
The Tenable Web App Scanning connector has undergone the following changes:
| Version | Description | Migration Steps |
|---|---|---|
| 3.1.50 | Improvements - Transient 502 Bad Gateway and 503 Service Unavailable responses from Tenable.io during an export request (Site, Dynamic Code Finding) are now retried with exponential backoff. If the upstream remains unavailable after retries, the affected source is skipped with a clear log entry so the rest of the sync completes instead of failing the whole run. | N/A |
| 3.1.49 | No changes in this release. | N/A |
| 3.1.48 | Bug Fixes - Dynamic Code Finding Definition — Corrected the "Published date" and "Source last modified" attributes to be stored as proper timestamps (were stored as numbers). | • Dynamic Code Finding Definition: the date attributes listed above changed from numbers to timestamps. Re-sync the Tenable IO WAS connector to repopulate these records with the corrected type. |
| 3.1.47 | Bug Fixes - Dynamic Code Finding — Fixed a deserialization failure that caused dynamic code finding syncs to abort. The Tenable WAS API returns first_found, last_found, and last_fixed as ISO-8601 timestamp strings (e.g. "2026-04-09T05:21:36.227Z"), but the connector was attempting to parse them as numeric values. Timestamps are now parsed correctly and stored as epoch milliseconds under FIRST_FOUND, LAST_FOUND, and LAST_FIXED. The connector also gracefully handles findings where first_found or last_found is absent — these attributes are simply omitted for that record instead of failing the sync. | • Dynamic Code Finding: the FIRST_FOUND, LAST_FOUND, and LAST_FIXED attributes changed to proper timestamps. Re-sync the Tenable IO WAS connector to repopulate these records with the corrected type. |
| 3.1.46 | Improvements Dependency Upgrades - Refreshed internal model and CVSS scoring libraries to the latest stable releases to pick up upstream fixes and stay aligned with the rest of the Brinqa connector platform. Cross-Connector Attribute Consolidation - Every connector-defined custom attribute now participates in cross-connector consolidation by default. When the same asset or finding is observed by another connector, Brinqa will merge values for these attributes consistently rather than treating each connector's values as independent. | • Re-sync the connector after upgrading so that previously synced records pick up the new consolidation mappings. Existing data remains intact; the re-sync ensures consolidated values for assets and findings shared with other connectors converge correctly. |
| 3.1.45 — Withdrawn | This release shipped a regression and has been superseded by 3.1.46. Customers should skip 3.1.45 and upgrade directly from 3.1.44 to 3.1.46. | N/A |
| 3.1.44 | Improvements Dependency Upgrades - Upgraded internal framework and storage libraries to the latest stable versions for improved reliability, security patches, and alignment with the rest of the connector platform. | Several attributes were removed in the underlying framework and replaced with renamed multi-valued (or boolean-equivalent) counterparts. Values previously stored under the old attribute names remain in place but will no longer be updated; new syncs populate the new attribute names. Action: Re-sync the connector after upgrade. | Model | Old Attribute | New Attribute | |:---|:---|:---| | Site | HOSTNAME | HOSTNAMES | | Site | PUBLIC_DNS_NAME | PUBLIC_DNS_NAMES | | Site | PUBLIC_IP_ADDRESS | PUBLIC_IP_ADDRESSES | | Dynamic Code Finding Definition | PATCH_AVAILABLE | PATCHABLE | |
| 3.1.43 | No changes in this release. | N/A |
| 3.1.42 | Bug Fixes - Fixed findings not retrieved — The connector now retrieves all finding states (OPEN, REOPENED, FIXED) by default, ensuring complete visibility into remediated vulnerabilities. Previously, only OPEN and REOPENED findings were returned. - Last Fixed attribute — A new attribute capturing when a previously detected vulnerability was resolved. Improvements - state operation option for Dynamic Code Finding — Finding states are now configurable via the state operation option (e.g. OPEN,REOPENED,FIXED). Defaults to all states when not set. - Upgraded to Tenable v2 Asset Export API — The connector now uses the newer assets/v2/export endpoint instead of the deprecated v1 API, providing richer asset data and better performance. - Support for webapp asset type — Asset type filtering is now configurable via the types operation option (comma-separated). Defaults to webapp for WAS. - Improved resilience to API changes — All asset model classes now ignore unknown fields from the Tenable API, so the connector will not break if Tenable adds new fields to their responses. | N/A |
| 3.1.41 | New Features - Last Captured attribute on findings — Both Dynamic Code Finding and Dynamic Code Finding Definition records now carry a "Last captured" timestamp recording when the connector last observed the record during a sync. This makes it easier to identify stale findings and confirm that data is being refreshed as expected. | N/A |
| 3.1.40 | No changes in this release. | N/A |
| 3.1.39 | Improvements - Better handling of Tenable service interruptions — The connector now distinguishes between gateway timeouts (HTTP 504) and temporary service-unavailable responses (HTTP 503) from the Tenable API. Affected requests are skipped with a clear log entry rather than aborting the whole sync, so transient Tenable-side outages no longer fail an otherwise healthy run. | N/A |
| 3.1.38 | No changes in this release. | N/A |
| 3.1.37 | No changes in this release. | N/A |
| 3.1.36 | New Features - Richer Site asset data via the asset export API — The Site model now sources its data from Tenable's asset export API, adding a large set of cloud and scan-context attributes — including AWS, Azure, and GCP instance identifiers, agent presence, first/last scan timestamps, last scan name, and source tracking. This gives a much fuller picture of each scanned web application asset. Improvements - Additional Dynamic Code Finding detail — Dynamic Code Findings now capture the finding's source status and last-found timestamp, improving visibility into finding lifecycle and recency. | N/A |
| 3.1.35 | No changes in this release. | N/A |
| 3.1.34 | No changes in this release. | N/A |
| 3.1.33 | No changes in this release. | N/A |
| 3.1.32 | Improvements - Resilience to temporary Tenable outages — When the Tenable WAS API returns a "Service Unavailable" response, the connector now retries the request instead of failing immediately, and skips individual records that cannot be retrieved rather than aborting the entire sync. | N/A |
| 3.1.31 | No changes in this release. | N/A |
| 3.1.30 | No changes in this release. | N/A |
| 3.1.29 | No changes in this release. | N/A |
| 3.1.28 | No changes in this release. | N/A |
| 3.1.27 | No changes in this release. | N/A |
| 3.1.26 | No changes in this release. | N/A |
| 3.1.25 | No changes in this release. | N/A |
| 3.1.24 | Bug Fixes - Dynamic Code Finding "First found" timestamp — The "First found" attribute is now stored as a proper timestamp derived from the finding's creation date, rather than as a raw numeric value. | • Dynamic Code Finding: the FIRST_FOUND attribute changed from a numeric value to a timestamp. Re-sync the Tenable IO WAS connector so existing findings are repopulated with the corrected type. |
| 3.1.23 | Improvements - CVSS v2 base score now populated for finding definitions — Dynamic Code Finding Definitions now record the CVSS v2 base score reported by Tenable, and CVSS vector parsing was made more robust so individual vector components are decoded consistently. | N/A |
| 3.1.22 | No changes in this release. | N/A |
| 3.1.21 | No changes in this release. | N/A |
| 3.1.20 | No changes in this release. | N/A |
| 3.1.19 | No changes in this release. | N/A |
| 3.1.18 | No changes in this release. | N/A |
| 3.1.17 | No changes in this release. | N/A |
| 3.1.16 | Improvements - More accurate CVSS scores — CVSS base scores are now read with full decimal precision instead of being truncated, so finding definitions reflect the exact score reported by Tenable. | N/A |
| 3.1.15 | New Features - Source severity score for finding definitions — Dynamic Code Finding Definitions now include a numeric "Source severity score" derived from the Tenable-reported risk factor, alongside the existing severity label. | N/A |
| 3.1.14 | No changes in this release. | N/A |
| 3.1.13 | No changes in this release. | N/A |
| 3.1.12 | New Features - Configurable maximum retries — A new "Maximum retries" connector setting controls how many times a failed Tenable API request is retried before the connector gives up, giving administrators more control over behavior against unreliable networks or rate limits. Improvements - Removed the unused "Dev mode" setting — A development-only configuration option that had no effect in production has been removed to simplify connector setup. | N/A |
| 3.1.11 | No changes in this release. | N/A |
| 3.1.10 | No changes in this release. | N/A |
| 3.1.9 | No changes in this release. | N/A |
| 3.1.8 | No changes in this release. | N/A |
| 3.1.7 | No changes in this release. | N/A |
| 3.1.6 | No changes in this release. | N/A |
| 3.1.5 | No changes in this release. | N/A |
| 3.1.4 | No changes in this release. | N/A |
| 3.1.3 | No changes in this release. | N/A |
| 3.1.2 | No changes in this release. | N/A |
| 3.1.1 | No changes in this release. | N/A |
| 3.1.0 | Improvements Dependency Upgrades - Updated the shared Brinqa model library to a newer release for upstream fixes and alignment with the rest of the connector platform. | N/A |
| 3.0.16 | Overview The Tenable.io Web App Scanning connector integrates with Tenable Vulnerability Management (Tenable.io) Web Application Scanning to synchronize scanned web application assets along with their dynamic code findings and finding definitions. Category: Application Security Models | N/A |