tenable-exporter 1.1.0__tar.gz

tenable_exporter-1.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Surj Bains
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

tenable_exporter-1.1.0/PKG-INFO

@@ -0,0 +1,206 @@
+Metadata-Version: 2.4
+Name: tenable-exporter
+Version: 1.1.0
+Summary: Prometheus exporter for Tenable.io metrics
+Author: Surj Bains
+License: MIT License
+        
+        Copyright (c) 2026 Surj Bains
+        
+        Permission is hereby granted, free of charge, to any person obtaining a copy
+        of this software and associated documentation files (the "Software"), to deal
+        in the Software without restriction, including without limitation the rights
+        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+        copies of the Software, and to permit persons to whom the Software is
+        furnished to do so, subject to the following conditions:
+        
+        The above copyright notice and this permission notice shall be included in all
+        copies or substantial portions of the Software.
+        
+        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+        SOFTWARE.
+        
+Keywords: prometheus,tenable,exporter,security,metrics,devsecops
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Information Technology
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: System :: Monitoring
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: pytenable>=1.6.0
+Requires-Dist: prometheus-client>=0.20.0
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0; extra == "dev"
+Requires-Dist: pytest-mock>=3.0; extra == "dev"
+Requires-Dist: ruff>=0.4; extra == "dev"
+Dynamic: license-file
+
+# tenable-exporter
+
+![tenable-exporter banner](assets/banner.png)
+
+[![CI](https://github.com/polarpoint-io/tenable-exporter/actions/workflows/ci.yml/badge.svg)](https://github.com/polarpoint-io/tenable-exporter/actions/workflows/ci.yml)
+[![CodeQL](https://github.com/polarpoint-io/tenable-exporter/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/polarpoint-io/tenable-exporter/actions/workflows/codeql-analysis.yml)
+[![PyPI](https://img.shields.io/pypi/v/tenable-exporter?logo=pypi&logoColor=white)](https://pypi.org/project/tenable-exporter/)
+[![Python](https://img.shields.io/pypi/pyversions/tenable-exporter?logo=python&logoColor=white)](https://pypi.org/project/tenable-exporter/)
+[![License](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
+[![GHCR](https://img.shields.io/badge/ghcr.io-tenable--exporter-blue?logo=github)](https://github.com/polarpoint-io/tenable-exporter/pkgs/container/tenable-exporter)
+
+A Prometheus exporter for [Tenable.io](https://www.tenable.com/) built with [pyTenable](https://github.com/tenable/pyTenable).
+
+Exports vulnerability, asset, and scan metrics so you can alert on them in Grafana or any Prometheus-compatible stack.
+
+> **PyPI**: `pip install tenable-exporter` &nbsp;·&nbsp; **Image**: `ghcr.io/polarpoint-io/tenable-exporter:latest` &nbsp;·&nbsp; **Repo**: <https://github.com/polarpoint-io/tenable-exporter>
+
+## Metrics
+
+### Vulnerabilities
+
+| Metric | Labels | Description |
+|---|---|---|
+| `tenable_vulnerabilities_total` | `severity` | Total vulnerabilities by severity |
+| `tenable_vulnerabilities_by_subscription_total` | `provider`, `subscription_id`, `severity` | Vulns per cloud provider and subscription |
+| `tenable_vulnerabilities_by_region_total` | `provider`, `subscription_id`, `region`, `severity` | Vulns per subscription and region |
+| `tenable_vulnerabilities_by_resource_group_total` | `provider`, `subscription_id`, `resource_group`, `severity` | Vulns per Azure resource group |
+| `tenable_vulnerabilities_by_resource_total` | `provider`, `subscription_id`, `resource_id`, `severity` | Vulns per individual cloud resource |
+| `tenable_vulnerabilities_by_plugin_family_total` | `plugin_family`, `severity` | Vulns by Tenable plugin family and severity |
+| `tenable_vulnerabilities_by_subscription_plugin_total` | `provider`, `subscription_id`, `region`, `plugin_family`, `severity` | Cross-dimension vuln count |
+| `tenable_vulnerabilities_by_state_total` | `provider`, `subscription_id`, `state`, `severity` | Vulns by lifecycle state (`OPEN`, `REOPENED`, `FIXED`) — use `FIXED` to track remediation velocity |
+| `tenable_vulnerabilities_by_exploit_risk_total` | `cve_category`, `severity` | Vulns by Tenable CVE category: `cisa known exploitable`, `ransomware`, `emerging threats`, `persistently exploited`, `top 50 vpr`, `recent active exploitation`, `in the news` |
+| `tenable_vulnerabilities_by_vpr_band_total` | `provider`, `subscription_id`, `vpr_band` | Vulns by VPR (Vulnerability Priority Rating) band: `critical` (9–10), `high` (7–8.9), `medium` (4–6.9), `low` (<4) |
+
+### Assets
+
+| Metric | Labels | Description |
+|---|---|---|
+| `tenable_assets_by_subscription_total` | `provider`, `subscription_id` | Asset count per cloud provider and subscription |
+| `tenable_assets_by_region_total` | `provider`, `subscription_id`, `region` | Asset count per subscription and region |
+| `tenable_assets_by_resource_group_total` | `provider`, `subscription_id`, `resource_group` | Asset count per Azure resource group |
+| `tenable_assets_by_resource_type_total` | `provider`, `subscription_id`, `region`, `resource_type` | Asset count by resource type (e.g. `t3.medium`, `Standard_D2s_v3`) |
+| `tenable_assets_by_source_total` | `source` | Assets by Tenable discovery source (`AWS`, `AZURE`, `GCP`, `NESSUS`, `WAS`, …) |
+| `tenable_assets_by_tag_total` | `tag_category`, `tag_value` | Assets by Tenable tag or cloud-native resource tag. Use `tag_category=asset_type` with values like `database`, `container_registry`, `acr`, `aks`, `rds` to track specific resource classes |
+
+### Compliance
+
+| Metric | Labels | Description |
+|---|---|---|
+| `tenable_compliance_findings_total` | `provider`, `subscription_id`, `audit_name`, `result` | CIS/DISA STIG compliance findings by audit and result (`PASSED`, `FAILED`, `WARNING`, `SKIPPED`) |
+| `tenable_compliance_findings_by_region_total` | `provider`, `subscription_id`, `region`, `result` | Compliance findings per region |
+| `tenable_compliance_findings_by_resource_group_total` | `provider`, `subscription_id`, `resource_group`, `result` | Compliance findings per Azure resource group |
+
+### Scans & System
+
+| Metric | Labels | Description |
+|---|---|---|
+| `tenable_scans_total` | — | Total number of scans |
+| `tenable_scans_by_status_total` | `status` | Scans by status (running, completed, aborted, …) |
+| `tenable_plugin_set_updated_timestamp` | — | Unix timestamp of the last plugin set update |
+
+### Label values by cloud provider
+
+| Label | AWS | Azure | GCP |
+|---|---|---|---|
+| `provider` | `aws` | `azure` | `gcp` |
+| `subscription_id` | Account ID | Subscription UUID | Project ID |
+| `region` | e.g. `us-east-1` | Azure location | GCP zone |
+| `resource_group` | `unknown` | Resource group name | `unknown` |
+| `resource_id` | EC2 instance ID | Azure resource / VM ID | GCP instance ID |
+| `resource_type` | EC2 instance type | VM size | Machine type |
+
+### Targeting databases, ACRs, and other resource types
+
+Tenable doesn't have a dedicated field for resource class (database, container registry, etc.). The recommended approaches:
+
+**Option 1 — Tenable tags (most reliable):** In the Tenable UI, create a tag category `AssetType` and assign values like `database`, `acr`, `aks`, `rds`, `cosmos_db` to assets. These appear immediately in `tenable_assets_by_tag_total{tag_category="assettype"}`.
+
+**Option 2 — Cloud-native resource tags:** Enable `include_resource_tags=True` (already on). Any AWS tag, Azure tag, or GCP label on the resource appears as a `tenable_assets_by_tag_total` time series. For example, an Azure ACR tagged `{"resource_type": "container_registry"}` surfaces as `tag_category="resource_type", tag_value="container_registry"`.
+
+**Option 3 — Plugin family:** Database vulnerabilities land in the `Databases` plugin family — visible in `tenable_vulnerabilities_by_plugin_family_total{plugin_family="databases"}`.
+
+**Option 4 — Discovery source filter:** Scope the exporter to specific sources via `TENABLE_FILTER_PROVIDERS`. For ACR-specific scanning, Tenable uses the `AZURE` source; container-specific findings come from the `Containers` plugin family.
+
+## Quick start
+
+### pip
+
+```bash
+pip install tenable-exporter
+export TENABLE_ACCESS_KEY=your_access_key
+export TENABLE_SECRET_KEY=your_secret_key
+
+tenable-exporter
+```
+
+Metrics will be available at `http://localhost:9190/metrics`.
+
+### Docker
+
+```bash
+docker run -p 9190:9190 \
+  -e TENABLE_ACCESS_KEY=your_access_key \
+  -e TENABLE_SECRET_KEY=your_secret_key \
+  ghcr.io/polarpoint-io/tenable-exporter:latest
+```
+
+### Docker Compose
+
+```bash
+cp .env.example .env
+# Fill in your Tenable credentials in .env
+docker compose up -d
+```
+
+## Configuration
+
+| Environment variable | Default | Description |
+|---|---|---|
+| `TENABLE_ACCESS_KEY` | **required** | Tenable.io API access key |
+| `TENABLE_SECRET_KEY` | **required** | Tenable.io API secret key |
+| `EXPORTER_PORT` | `9190` | Port to expose metrics on |
+| `SCRAPE_INTERVAL` | `300` | Seconds between Tenable API scrapes |
+| `TENABLE_FILTER_PROVIDERS` | _(all)_ | Comma-separated providers to include: `aws`, `azure`, `gcp` |
+| `TENABLE_FILTER_SUBSCRIPTIONS` | _(all)_ | Comma-separated subscription IDs to include (AWS account IDs, Azure subscription UUIDs, or GCP project IDs) |
+
+## Docker image tags
+
+| Tag | When pushed |
+|---|---|
+| `latest` | Every merge to `main` |
+| `sha-<short>` | Every merge to `main` |
+| `1.2.3` / `1.2` | On a semantic-release version bump |
+
+## Required GitHub secrets
+
+Add these at **GitHub repo → Settings → Secrets and variables → Actions**:
+
+| Secret | Description |
+|---|---|
+| `POL_GH_TOKEN` | Personal access token with `repo` + `write:packages` scope |
+| `PYPI_TOKEN` | PyPI API token for the `tenable-exporter` project |
+
+## Development
+
+```bash
+git clone https://github.com/polarpoint-io/tenable-exporter.git
+cd tenable-exporter
+pip install -e ".[dev]"
+
+export TENABLE_ACCESS_KEY=...
+export TENABLE_SECRET_KEY=...
+
+tenable-exporter
+```
+
+## License
+
+MIT — see [LICENSE](LICENSE).

tenable_exporter-1.1.0/README.md

@@ -0,0 +1,159 @@
+# tenable-exporter
+
+![tenable-exporter banner](assets/banner.png)
+
+[![CI](https://github.com/polarpoint-io/tenable-exporter/actions/workflows/ci.yml/badge.svg)](https://github.com/polarpoint-io/tenable-exporter/actions/workflows/ci.yml)
+[![CodeQL](https://github.com/polarpoint-io/tenable-exporter/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/polarpoint-io/tenable-exporter/actions/workflows/codeql-analysis.yml)
+[![PyPI](https://img.shields.io/pypi/v/tenable-exporter?logo=pypi&logoColor=white)](https://pypi.org/project/tenable-exporter/)
+[![Python](https://img.shields.io/pypi/pyversions/tenable-exporter?logo=python&logoColor=white)](https://pypi.org/project/tenable-exporter/)
+[![License](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
+[![GHCR](https://img.shields.io/badge/ghcr.io-tenable--exporter-blue?logo=github)](https://github.com/polarpoint-io/tenable-exporter/pkgs/container/tenable-exporter)
+
+A Prometheus exporter for [Tenable.io](https://www.tenable.com/) built with [pyTenable](https://github.com/tenable/pyTenable).
+
+Exports vulnerability, asset, and scan metrics so you can alert on them in Grafana or any Prometheus-compatible stack.
+
+> **PyPI**: `pip install tenable-exporter` &nbsp;·&nbsp; **Image**: `ghcr.io/polarpoint-io/tenable-exporter:latest` &nbsp;·&nbsp; **Repo**: <https://github.com/polarpoint-io/tenable-exporter>
+
+## Metrics
+
+### Vulnerabilities
+
+| Metric | Labels | Description |
+|---|---|---|
+| `tenable_vulnerabilities_total` | `severity` | Total vulnerabilities by severity |
+| `tenable_vulnerabilities_by_subscription_total` | `provider`, `subscription_id`, `severity` | Vulns per cloud provider and subscription |
+| `tenable_vulnerabilities_by_region_total` | `provider`, `subscription_id`, `region`, `severity` | Vulns per subscription and region |
+| `tenable_vulnerabilities_by_resource_group_total` | `provider`, `subscription_id`, `resource_group`, `severity` | Vulns per Azure resource group |
+| `tenable_vulnerabilities_by_resource_total` | `provider`, `subscription_id`, `resource_id`, `severity` | Vulns per individual cloud resource |
+| `tenable_vulnerabilities_by_plugin_family_total` | `plugin_family`, `severity` | Vulns by Tenable plugin family and severity |
+| `tenable_vulnerabilities_by_subscription_plugin_total` | `provider`, `subscription_id`, `region`, `plugin_family`, `severity` | Cross-dimension vuln count |
+| `tenable_vulnerabilities_by_state_total` | `provider`, `subscription_id`, `state`, `severity` | Vulns by lifecycle state (`OPEN`, `REOPENED`, `FIXED`) — use `FIXED` to track remediation velocity |
+| `tenable_vulnerabilities_by_exploit_risk_total` | `cve_category`, `severity` | Vulns by Tenable CVE category: `cisa known exploitable`, `ransomware`, `emerging threats`, `persistently exploited`, `top 50 vpr`, `recent active exploitation`, `in the news` |
+| `tenable_vulnerabilities_by_vpr_band_total` | `provider`, `subscription_id`, `vpr_band` | Vulns by VPR (Vulnerability Priority Rating) band: `critical` (9–10), `high` (7–8.9), `medium` (4–6.9), `low` (<4) |
+
+### Assets
+
+| Metric | Labels | Description |
+|---|---|---|
+| `tenable_assets_by_subscription_total` | `provider`, `subscription_id` | Asset count per cloud provider and subscription |
+| `tenable_assets_by_region_total` | `provider`, `subscription_id`, `region` | Asset count per subscription and region |
+| `tenable_assets_by_resource_group_total` | `provider`, `subscription_id`, `resource_group` | Asset count per Azure resource group |
+| `tenable_assets_by_resource_type_total` | `provider`, `subscription_id`, `region`, `resource_type` | Asset count by resource type (e.g. `t3.medium`, `Standard_D2s_v3`) |
+| `tenable_assets_by_source_total` | `source` | Assets by Tenable discovery source (`AWS`, `AZURE`, `GCP`, `NESSUS`, `WAS`, …) |
+| `tenable_assets_by_tag_total` | `tag_category`, `tag_value` | Assets by Tenable tag or cloud-native resource tag. Use `tag_category=asset_type` with values like `database`, `container_registry`, `acr`, `aks`, `rds` to track specific resource classes |
+
+### Compliance
+
+| Metric | Labels | Description |
+|---|---|---|
+| `tenable_compliance_findings_total` | `provider`, `subscription_id`, `audit_name`, `result` | CIS/DISA STIG compliance findings by audit and result (`PASSED`, `FAILED`, `WARNING`, `SKIPPED`) |
+| `tenable_compliance_findings_by_region_total` | `provider`, `subscription_id`, `region`, `result` | Compliance findings per region |
+| `tenable_compliance_findings_by_resource_group_total` | `provider`, `subscription_id`, `resource_group`, `result` | Compliance findings per Azure resource group |
+
+### Scans & System
+
+| Metric | Labels | Description |
+|---|---|---|
+| `tenable_scans_total` | — | Total number of scans |
+| `tenable_scans_by_status_total` | `status` | Scans by status (running, completed, aborted, …) |
+| `tenable_plugin_set_updated_timestamp` | — | Unix timestamp of the last plugin set update |
+
+### Label values by cloud provider
+
+| Label | AWS | Azure | GCP |
+|---|---|---|---|
+| `provider` | `aws` | `azure` | `gcp` |
+| `subscription_id` | Account ID | Subscription UUID | Project ID |
+| `region` | e.g. `us-east-1` | Azure location | GCP zone |
+| `resource_group` | `unknown` | Resource group name | `unknown` |
+| `resource_id` | EC2 instance ID | Azure resource / VM ID | GCP instance ID |
+| `resource_type` | EC2 instance type | VM size | Machine type |
+
+### Targeting databases, ACRs, and other resource types
+
+Tenable doesn't have a dedicated field for resource class (database, container registry, etc.). The recommended approaches:
+
+**Option 1 — Tenable tags (most reliable):** In the Tenable UI, create a tag category `AssetType` and assign values like `database`, `acr`, `aks`, `rds`, `cosmos_db` to assets. These appear immediately in `tenable_assets_by_tag_total{tag_category="assettype"}`.
+
+**Option 2 — Cloud-native resource tags:** Enable `include_resource_tags=True` (already on). Any AWS tag, Azure tag, or GCP label on the resource appears as a `tenable_assets_by_tag_total` time series. For example, an Azure ACR tagged `{"resource_type": "container_registry"}` surfaces as `tag_category="resource_type", tag_value="container_registry"`.
+
+**Option 3 — Plugin family:** Database vulnerabilities land in the `Databases` plugin family — visible in `tenable_vulnerabilities_by_plugin_family_total{plugin_family="databases"}`.
+
+**Option 4 — Discovery source filter:** Scope the exporter to specific sources via `TENABLE_FILTER_PROVIDERS`. For ACR-specific scanning, Tenable uses the `AZURE` source; container-specific findings come from the `Containers` plugin family.
+
+## Quick start
+
+### pip
+
+```bash
+pip install tenable-exporter
+export TENABLE_ACCESS_KEY=your_access_key
+export TENABLE_SECRET_KEY=your_secret_key
+
+tenable-exporter
+```
+
+Metrics will be available at `http://localhost:9190/metrics`.
+
+### Docker
+
+```bash
+docker run -p 9190:9190 \
+  -e TENABLE_ACCESS_KEY=your_access_key \
+  -e TENABLE_SECRET_KEY=your_secret_key \
+  ghcr.io/polarpoint-io/tenable-exporter:latest
+```
+
+### Docker Compose
+
+```bash
+cp .env.example .env
+# Fill in your Tenable credentials in .env
+docker compose up -d
+```
+
+## Configuration
+
+| Environment variable | Default | Description |
+|---|---|---|
+| `TENABLE_ACCESS_KEY` | **required** | Tenable.io API access key |
+| `TENABLE_SECRET_KEY` | **required** | Tenable.io API secret key |
+| `EXPORTER_PORT` | `9190` | Port to expose metrics on |
+| `SCRAPE_INTERVAL` | `300` | Seconds between Tenable API scrapes |
+| `TENABLE_FILTER_PROVIDERS` | _(all)_ | Comma-separated providers to include: `aws`, `azure`, `gcp` |
+| `TENABLE_FILTER_SUBSCRIPTIONS` | _(all)_ | Comma-separated subscription IDs to include (AWS account IDs, Azure subscription UUIDs, or GCP project IDs) |
+
+## Docker image tags
+
+| Tag | When pushed |
+|---|---|
+| `latest` | Every merge to `main` |
+| `sha-<short>` | Every merge to `main` |
+| `1.2.3` / `1.2` | On a semantic-release version bump |
+
+## Required GitHub secrets
+
+Add these at **GitHub repo → Settings → Secrets and variables → Actions**:
+
+| Secret | Description |
+|---|---|
+| `POL_GH_TOKEN` | Personal access token with `repo` + `write:packages` scope |
+| `PYPI_TOKEN` | PyPI API token for the `tenable-exporter` project |
+
+## Development
+
+```bash
+git clone https://github.com/polarpoint-io/tenable-exporter.git
+cd tenable-exporter
+pip install -e ".[dev]"
+
+export TENABLE_ACCESS_KEY=...
+export TENABLE_SECRET_KEY=...
+
+tenable-exporter
+```
+
+## License
+
+MIT — see [LICENSE](LICENSE).

tenable_exporter-1.1.0/pyproject.toml

@@ -0,0 +1,48 @@
+[build-system]
+requires = ["setuptools>=68", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "tenable-exporter"
+version = "1.1.0"
+description = "Prometheus exporter for Tenable.io metrics"
+readme = "README.md"
+requires-python = ">=3.11"
+license = { file = "LICENSE" }
+authors = [{ name = "Surj Bains" }]
+keywords = ["prometheus", "tenable", "exporter", "security", "metrics", "devsecops"]
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "Intended Audience :: Information Technology",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Topic :: Security",
+    "Topic :: System :: Monitoring",
+]
+dependencies = [
+    "pytenable>=1.6.0",
+    "prometheus-client>=0.20.0",
+]
+
+[project.optional-dependencies]
+dev = [
+    "pytest>=8.0",
+    "pytest-mock>=3.0",
+    "ruff>=0.4",
+]
+
+[project.scripts]
+tenable-exporter = "exporter:main"
+
+[tool.setuptools.packages.find]
+where = ["."]
+include = ["exporter*"]
+
+[tool.pytest.ini_options]
+pythonpath = ["."]
+
+[tool.ruff]
+line-length = 100
+target-version = "py311"

tenable_exporter-1.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

tenable_exporter-1.1.0/tenable_exporter.egg-info/PKG-INFO

@@ -0,0 +1,206 @@
+Metadata-Version: 2.4
+Name: tenable-exporter
+Version: 1.1.0
+Summary: Prometheus exporter for Tenable.io metrics
+Author: Surj Bains
+License: MIT License
+        
+        Copyright (c) 2026 Surj Bains
+        
+        Permission is hereby granted, free of charge, to any person obtaining a copy
+        of this software and associated documentation files (the "Software"), to deal
+        in the Software without restriction, including without limitation the rights
+        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+        copies of the Software, and to permit persons to whom the Software is
+        furnished to do so, subject to the following conditions:
+        
+        The above copyright notice and this permission notice shall be included in all
+        copies or substantial portions of the Software.
+        
+        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+        SOFTWARE.
+        
+Keywords: prometheus,tenable,exporter,security,metrics,devsecops
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Information Technology
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: System :: Monitoring
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: pytenable>=1.6.0
+Requires-Dist: prometheus-client>=0.20.0
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0; extra == "dev"
+Requires-Dist: pytest-mock>=3.0; extra == "dev"
+Requires-Dist: ruff>=0.4; extra == "dev"
+Dynamic: license-file
+
+# tenable-exporter
+
+![tenable-exporter banner](assets/banner.png)
+
+[![CI](https://github.com/polarpoint-io/tenable-exporter/actions/workflows/ci.yml/badge.svg)](https://github.com/polarpoint-io/tenable-exporter/actions/workflows/ci.yml)
+[![CodeQL](https://github.com/polarpoint-io/tenable-exporter/actions/workflows/codeql-analysis.yml/badge.svg)](https://github.com/polarpoint-io/tenable-exporter/actions/workflows/codeql-analysis.yml)
+[![PyPI](https://img.shields.io/pypi/v/tenable-exporter?logo=pypi&logoColor=white)](https://pypi.org/project/tenable-exporter/)
+[![Python](https://img.shields.io/pypi/pyversions/tenable-exporter?logo=python&logoColor=white)](https://pypi.org/project/tenable-exporter/)
+[![License](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)
+[![GHCR](https://img.shields.io/badge/ghcr.io-tenable--exporter-blue?logo=github)](https://github.com/polarpoint-io/tenable-exporter/pkgs/container/tenable-exporter)
+
+A Prometheus exporter for [Tenable.io](https://www.tenable.com/) built with [pyTenable](https://github.com/tenable/pyTenable).
+
+Exports vulnerability, asset, and scan metrics so you can alert on them in Grafana or any Prometheus-compatible stack.
+
+> **PyPI**: `pip install tenable-exporter` &nbsp;·&nbsp; **Image**: `ghcr.io/polarpoint-io/tenable-exporter:latest` &nbsp;·&nbsp; **Repo**: <https://github.com/polarpoint-io/tenable-exporter>
+
+## Metrics
+
+### Vulnerabilities
+
+| Metric | Labels | Description |
+|---|---|---|
+| `tenable_vulnerabilities_total` | `severity` | Total vulnerabilities by severity |
+| `tenable_vulnerabilities_by_subscription_total` | `provider`, `subscription_id`, `severity` | Vulns per cloud provider and subscription |
+| `tenable_vulnerabilities_by_region_total` | `provider`, `subscription_id`, `region`, `severity` | Vulns per subscription and region |
+| `tenable_vulnerabilities_by_resource_group_total` | `provider`, `subscription_id`, `resource_group`, `severity` | Vulns per Azure resource group |
+| `tenable_vulnerabilities_by_resource_total` | `provider`, `subscription_id`, `resource_id`, `severity` | Vulns per individual cloud resource |
+| `tenable_vulnerabilities_by_plugin_family_total` | `plugin_family`, `severity` | Vulns by Tenable plugin family and severity |
+| `tenable_vulnerabilities_by_subscription_plugin_total` | `provider`, `subscription_id`, `region`, `plugin_family`, `severity` | Cross-dimension vuln count |
+| `tenable_vulnerabilities_by_state_total` | `provider`, `subscription_id`, `state`, `severity` | Vulns by lifecycle state (`OPEN`, `REOPENED`, `FIXED`) — use `FIXED` to track remediation velocity |
+| `tenable_vulnerabilities_by_exploit_risk_total` | `cve_category`, `severity` | Vulns by Tenable CVE category: `cisa known exploitable`, `ransomware`, `emerging threats`, `persistently exploited`, `top 50 vpr`, `recent active exploitation`, `in the news` |
+| `tenable_vulnerabilities_by_vpr_band_total` | `provider`, `subscription_id`, `vpr_band` | Vulns by VPR (Vulnerability Priority Rating) band: `critical` (9–10), `high` (7–8.9), `medium` (4–6.9), `low` (<4) |
+
+### Assets
+
+| Metric | Labels | Description |
+|---|---|---|
+| `tenable_assets_by_subscription_total` | `provider`, `subscription_id` | Asset count per cloud provider and subscription |
+| `tenable_assets_by_region_total` | `provider`, `subscription_id`, `region` | Asset count per subscription and region |
+| `tenable_assets_by_resource_group_total` | `provider`, `subscription_id`, `resource_group` | Asset count per Azure resource group |
+| `tenable_assets_by_resource_type_total` | `provider`, `subscription_id`, `region`, `resource_type` | Asset count by resource type (e.g. `t3.medium`, `Standard_D2s_v3`) |
+| `tenable_assets_by_source_total` | `source` | Assets by Tenable discovery source (`AWS`, `AZURE`, `GCP`, `NESSUS`, `WAS`, …) |
+| `tenable_assets_by_tag_total` | `tag_category`, `tag_value` | Assets by Tenable tag or cloud-native resource tag. Use `tag_category=asset_type` with values like `database`, `container_registry`, `acr`, `aks`, `rds` to track specific resource classes |
+
+### Compliance
+
+| Metric | Labels | Description |
+|---|---|---|
+| `tenable_compliance_findings_total` | `provider`, `subscription_id`, `audit_name`, `result` | CIS/DISA STIG compliance findings by audit and result (`PASSED`, `FAILED`, `WARNING`, `SKIPPED`) |
+| `tenable_compliance_findings_by_region_total` | `provider`, `subscription_id`, `region`, `result` | Compliance findings per region |
+| `tenable_compliance_findings_by_resource_group_total` | `provider`, `subscription_id`, `resource_group`, `result` | Compliance findings per Azure resource group |
+
+### Scans & System
+
+| Metric | Labels | Description |
+|---|---|---|
+| `tenable_scans_total` | — | Total number of scans |
+| `tenable_scans_by_status_total` | `status` | Scans by status (running, completed, aborted, …) |
+| `tenable_plugin_set_updated_timestamp` | — | Unix timestamp of the last plugin set update |
+
+### Label values by cloud provider
+
+| Label | AWS | Azure | GCP |
+|---|---|---|---|
+| `provider` | `aws` | `azure` | `gcp` |
+| `subscription_id` | Account ID | Subscription UUID | Project ID |
+| `region` | e.g. `us-east-1` | Azure location | GCP zone |
+| `resource_group` | `unknown` | Resource group name | `unknown` |
+| `resource_id` | EC2 instance ID | Azure resource / VM ID | GCP instance ID |
+| `resource_type` | EC2 instance type | VM size | Machine type |
+
+### Targeting databases, ACRs, and other resource types
+
+Tenable doesn't have a dedicated field for resource class (database, container registry, etc.). The recommended approaches:
+
+**Option 1 — Tenable tags (most reliable):** In the Tenable UI, create a tag category `AssetType` and assign values like `database`, `acr`, `aks`, `rds`, `cosmos_db` to assets. These appear immediately in `tenable_assets_by_tag_total{tag_category="assettype"}`.
+
+**Option 2 — Cloud-native resource tags:** Enable `include_resource_tags=True` (already on). Any AWS tag, Azure tag, or GCP label on the resource appears as a `tenable_assets_by_tag_total` time series. For example, an Azure ACR tagged `{"resource_type": "container_registry"}` surfaces as `tag_category="resource_type", tag_value="container_registry"`.
+
+**Option 3 — Plugin family:** Database vulnerabilities land in the `Databases` plugin family — visible in `tenable_vulnerabilities_by_plugin_family_total{plugin_family="databases"}`.
+
+**Option 4 — Discovery source filter:** Scope the exporter to specific sources via `TENABLE_FILTER_PROVIDERS`. For ACR-specific scanning, Tenable uses the `AZURE` source; container-specific findings come from the `Containers` plugin family.
+
+## Quick start
+
+### pip
+
+```bash
+pip install tenable-exporter
+export TENABLE_ACCESS_KEY=your_access_key
+export TENABLE_SECRET_KEY=your_secret_key
+
+tenable-exporter
+```
+
+Metrics will be available at `http://localhost:9190/metrics`.
+
+### Docker
+
+```bash
+docker run -p 9190:9190 \
+  -e TENABLE_ACCESS_KEY=your_access_key \
+  -e TENABLE_SECRET_KEY=your_secret_key \
+  ghcr.io/polarpoint-io/tenable-exporter:latest
+```
+
+### Docker Compose
+
+```bash
+cp .env.example .env
+# Fill in your Tenable credentials in .env
+docker compose up -d
+```
+
+## Configuration
+
+| Environment variable | Default | Description |
+|---|---|---|
+| `TENABLE_ACCESS_KEY` | **required** | Tenable.io API access key |
+| `TENABLE_SECRET_KEY` | **required** | Tenable.io API secret key |
+| `EXPORTER_PORT` | `9190` | Port to expose metrics on |
+| `SCRAPE_INTERVAL` | `300` | Seconds between Tenable API scrapes |
+| `TENABLE_FILTER_PROVIDERS` | _(all)_ | Comma-separated providers to include: `aws`, `azure`, `gcp` |
+| `TENABLE_FILTER_SUBSCRIPTIONS` | _(all)_ | Comma-separated subscription IDs to include (AWS account IDs, Azure subscription UUIDs, or GCP project IDs) |
+
+## Docker image tags
+
+| Tag | When pushed |
+|---|---|
+| `latest` | Every merge to `main` |
+| `sha-<short>` | Every merge to `main` |
+| `1.2.3` / `1.2` | On a semantic-release version bump |
+
+## Required GitHub secrets
+
+Add these at **GitHub repo → Settings → Secrets and variables → Actions**:
+
+| Secret | Description |
+|---|---|
+| `POL_GH_TOKEN` | Personal access token with `repo` + `write:packages` scope |
+| `PYPI_TOKEN` | PyPI API token for the `tenable-exporter` project |
+
+## Development
+
+```bash
+git clone https://github.com/polarpoint-io/tenable-exporter.git
+cd tenable-exporter
+pip install -e ".[dev]"
+
+export TENABLE_ACCESS_KEY=...
+export TENABLE_SECRET_KEY=...
+
+tenable-exporter
+```
+
+## License
+
+MIT — see [LICENSE](LICENSE).

tenable_exporter-1.1.0/tenable_exporter.egg-info/SOURCES.txt

@@ -0,0 +1,10 @@
+LICENSE
+README.md
+pyproject.toml
+tenable_exporter.egg-info/PKG-INFO
+tenable_exporter.egg-info/SOURCES.txt
+tenable_exporter.egg-info/dependency_links.txt
+tenable_exporter.egg-info/entry_points.txt
+tenable_exporter.egg-info/requires.txt
+tenable_exporter.egg-info/top_level.txt
+tests/test_exporter.py

tenable_exporter-1.1.0/tenable_exporter.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

tenable_exporter-1.1.0/tenable_exporter.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+tenable-exporter = exporter:main

tenable_exporter-1.1.0/tenable_exporter.egg-info/requires.txt

@@ -0,0 +1,7 @@
+pytenable>=1.6.0
+prometheus-client>=0.20.0
+
+[dev]
+pytest>=8.0
+pytest-mock>=3.0
+ruff>=0.4

tenable_exporter-1.1.0/tenable_exporter.egg-info/top_level.txt

@@ -0,0 +1 @@
+

tenable_exporter-1.1.0/tests/test_exporter.py

@@ -0,0 +1,171 @@
+"""Unit tests for tenable-exporter."""
+
+import pytest
+from exporter import (
+    AssetCloud,
+    cloud_from_asset,
+    _str,
+    _vpr_band,
+    TenableCollector,
+    UNKNOWN,
+)
+
+
+# ── _str ──────────────────────────────────────────────────────────────────────
+
+def test_str_none():
+    assert _str(None) == UNKNOWN
+
+
+def test_str_empty():
+    assert _str("") == UNKNOWN
+
+
+def test_str_whitespace():
+    assert _str("  ") == UNKNOWN
+
+
+def test_str_value():
+    assert _str("us-east-1") == "us-east-1"
+
+
+def test_str_strips():
+    assert _str("  hello  ") == "hello"
+
+
+# ── _vpr_band ─────────────────────────────────────────────────────────────────
+
+@pytest.mark.parametrize("score,expected", [
+    (10.0,  "critical"),
+    (9.0,   "critical"),
+    (8.9,   "high"),
+    (7.0,   "high"),
+    (6.9,   "medium"),
+    (4.0,   "medium"),
+    (3.9,   "low"),
+    (0.0,   "low"),
+    (None,  UNKNOWN),
+])
+def test_vpr_band(score, expected):
+    assert _vpr_band(score) == expected
+
+
+# ── cloud_from_asset ──────────────────────────────────────────────────────────
+
+def test_cloud_from_asset_aws():
+    asset = {
+        "id": "abc",
+        "aws_account_id": "123456789012",
+        "aws_region": "us-east-1",
+        "aws_ec2_instance_id": "i-0abc123",
+        "aws_ec2_instance_type": "t3.medium",
+        "aws_vpc_id": "vpc-001",
+        "network_name": "default",
+    }
+    ctx = cloud_from_asset(asset)
+    assert ctx.provider        == "aws"
+    assert ctx.subscription_id == "123456789012"
+    assert ctx.region          == "us-east-1"
+    assert ctx.resource_id     == "i-0abc123"
+    assert ctx.resource_type   == "t3.medium"
+    assert ctx.vpc_id          == "vpc-001"
+    assert ctx.resource_group  == UNKNOWN
+
+
+def test_cloud_from_asset_azure():
+    asset = {
+        "id": "def",
+        "azure_subscription_id": "aaaa-bbbb-cccc",
+        "azure_location": "eastus",
+        "azure_resource_group": "my-rg",
+        "azure_resource_id": "/subscriptions/aaaa/resourceGroups/my-rg/providers/vm",
+        "azure_vm_size": "Standard_D2s_v3",
+        "azure_virtual_network": "my-vnet",
+    }
+    ctx = cloud_from_asset(asset)
+    assert ctx.provider        == "azure"
+    assert ctx.subscription_id == "aaaa-bbbb-cccc"
+    assert ctx.region          == "eastus"
+    assert ctx.resource_group  == "my-rg"
+    assert ctx.resource_type   == "Standard_D2s_v3"
+    assert ctx.vpc_id          == "my-vnet"
+
+
+def test_cloud_from_asset_gcp():
+    asset = {
+        "id": "ghi",
+        "gcp_project_id": "my-project",
+        "gcp_zone": "us-central1-a",
+        "gcp_instance_id": "1234567890",
+        "gcp_machine_type": "n2-standard-4",
+        "gcp_network": "default",
+    }
+    ctx = cloud_from_asset(asset)
+    assert ctx.provider        == "gcp"
+    assert ctx.subscription_id == "my-project"
+    assert ctx.region          == "us-central1-a"
+    assert ctx.resource_id     == "1234567890"
+    assert ctx.resource_type   == "n2-standard-4"
+    assert ctx.vpc_id          == "default"
+    assert ctx.resource_group  == UNKNOWN
+
+
+def test_cloud_from_asset_unknown():
+    asset = {"id": "xyz", "sources": [{"name": "NESSUS"}]}
+    ctx = cloud_from_asset(asset)
+    assert ctx.provider        == "nessus"
+    assert ctx.subscription_id == UNKNOWN
+    assert ctx.region          == UNKNOWN
+
+
+def test_cloud_from_asset_empty():
+    ctx = cloud_from_asset({})
+    assert ctx.provider        == UNKNOWN
+    assert ctx.subscription_id == UNKNOWN
+
+
+# ── TenableCollector._include ─────────────────────────────────────────────────
+
+def _collector(providers=None, subscriptions=None):
+    """Return a TenableCollector with a stub TIO (not used in these tests)."""
+    return TenableCollector(
+        tio=None,
+        filter_providers=providers or set(),
+        filter_subscriptions=subscriptions or set(),
+    )
+
+
+def test_include_no_filters():
+    c = _collector()
+    ctx = AssetCloud(provider="aws", subscription_id="123")
+    assert c._include(ctx) is True
+
+
+def test_include_provider_match():
+    c = _collector(providers={"aws"})
+    assert c._include(AssetCloud(provider="aws", subscription_id="x")) is True
+
+
+def test_include_provider_no_match():
+    c = _collector(providers={"azure"})
+    assert c._include(AssetCloud(provider="aws", subscription_id="x")) is False
+
+
+def test_include_subscription_match():
+    c = _collector(subscriptions={"123"})
+    assert c._include(AssetCloud(provider="aws", subscription_id="123")) is True
+
+
+def test_include_subscription_no_match():
+    c = _collector(subscriptions={"999"})
+    assert c._include(AssetCloud(provider="aws", subscription_id="123")) is False
+
+
+def test_include_both_filters_pass():
+    c = _collector(providers={"aws"}, subscriptions={"123"})
+    assert c._include(AssetCloud(provider="aws", subscription_id="123")) is True
+
+
+def test_include_both_filters_provider_fail():
+    c = _collector(providers={"azure"}, subscriptions={"123"})
+    assert c._include(AssetCloud(provider="aws", subscription_id="123")) is False