[tenable_ot_security] Add agentless deployment

[moxarth-rathod]

Proposed commit message

tenable_ot_security: add agentless support and update kibana version constraint

Checklist

• I have reviewed tips for building integrations and this pull request is aligned with them.
• I have verified that all data streams collect metrics or logs.
• I have added an entry to my package's changelog.yml file.
• I have verified that Kibana version constraints are current according to guidelines.
• I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

• Clone integrations repo.
• Install the elastic package locally.
• Start the elastic stack using the elastic package.
• Move to integrations/packages/tenable_ot_security directory.
• Run the following command to run tests.

elastic-package test -v

Related issues

• Closes [tenable_ot_security] Add Agentless Deployment Support #19356

[infra-vault-gh-plugin-prod]

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

[github-actions]

✅ Elastic Docs Style Checker (Vale)

No issues found on modified lines!

---

The Vale linter checks documentation changes against the Elastic Docs style guide. To use Vale locally or report issues, refer to Elastic style guide for Vale.

[github-actions]

TL;DR

Two failures occurred: (1) the changelog check failed because the new entry links to pull/1 instead of this PR, and (2) package tests never started because docker compose was unavailable after downloading an unexpectedly tiny compose binary. Update the changelog link first, then re-run CI; the compose failure looks environment/download-related, not package logic.

Remediation

• In packages/tenable_ot_security/changelog.yml (PR head), change the new 2.1.0 entry link from https://github.com/elastic/integrations/pull/1 to https://github.com/elastic/integrations/pull/19433.
• Re-run the failed package job. If docker compose fails again, harden .buildkite/scripts/common.sh with_docker_compose_plugin() by using curl -fSL and validating the downloaded file (size/checksum via release checksums) before chmod/docker compose version.

Investigation details

Root Cause

1. Configuration/content issue (deterministic): changelog PR link mismatch.

   • Buildkite log shows:
     • ERROR: unexpected link: 'https://github.com/elastic/integrations/pull/1'
     • expected https://github.com/elastic/integrations/pull/19433
   • PR head file confirms the bad link in the new top entry:
     • packages/tenable_ot_security/changelog.yml line 4 (new 2.1.0 change): link: https://github.com/elastic/integrations/pull/1

2. Infrastructure/tooling issue (likely transient download corruption): docker compose plugin not actually available.

   • Failing step exits at:
     • docker: 'compose' is not a docker command.
   • In the same log, the compose download transferred only ~54 KB (54881 bytes), while Docker Compose v2.24.1 linux x86_64 release asset is ~60.9 MB (60927703 bytes), indicating the downloaded file was not the expected binary.
   • Relevant CI code path:
     • .buildkite/scripts/test_one_package.sh line 24 calls with_docker_compose_plugin
     • .buildkite/scripts/common.sh line 177 downloads compose with curl -SL (no -f / no checksum validation), line 179 then runs docker compose version

Evidence

• Build: https://buildkite.com/elastic/integrations/builds/44244
• Job/step: :scroll: Check changelog PR links
  • Key excerpt:
    • ERROR: unexpected link: 'https://github.com/elastic/integrations/pull/1'
    • expected: 'https://github.com/elastic/integrations/pull/19433'
• Job/step: Check integrations tenable_ot_security
  • Key excerpt:
    • docker: 'compose' is not a docker command.
    • download transfer: 100 54881

Verification

• Not run locally; analysis based on Buildkite logs, PR head file contents, and repository CI scripts.

Follow-up

• After fixing the changelog link, retry the Buildkite run.
• If compose still fails, treat as CI environment/download integrity issue and patch with_docker_compose_plugin() to fail fast on HTTP errors and validate binary integrity.

Note

🔒 Integrity filter blocked 3 items

The following items were blocked because they don't meet the GitHub integrity level.

• #19433 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [tenable_ot_security] Add agentless deployment #19433 pull_request_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".
• [tenable_ot_security] Add agentless deployment #19433 issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".

To allow these resources, lower min-integrity in your GitHub frontmatter:

tools:
  github:
    min-integrity: approved  # merged | approved | unapproved | none

---

What is this? | From workflow: PR Buildkite Detective

Give us feedback! React with 🚀 if perfect, 👍 if helpful, 👎 if not.

[elastic-vault-github-plugin-prod]

✅ All changelog entries have the correct PR link.

[elasticmachine]

💚 Build Succeeded

• Buildkite Build
• Commit: f312f36

History

• 💔 Build #44244 failed f137b63

cc @moxarth-rathod

[elastic-vault-github-plugin-prod]

Package tenable_ot_security - 2.1.0 containing this change is available at https://epr.elastic.co/package/tenable_ot_security/2.1.0/