Using ScanSuite

ScanSuite is the resource for batch management of compliance scans. It associates multiple profiles and creates child Scan resources from one shared template.

When to Use ScanSuite

Use ScanSuite when you need to:

  • manage multiple profiles together
  • schedule recurring compliance scans
  • apply the same scan template to a group of child Scan resources
  • pause, resume, or trigger a batch of related scans as one unit

Use a single Scan resource instead (see Using Scan) when you only need one profile and one Scan resource.

Basic ScanSuite Example

apiVersion: compliance.security.alauda.io/v1alpha1
kind: ScanSuite
metadata:
  name: test-scan-suite
  namespace: compliance-system
spec:
  profiles:
    - stig-k8s-api-server
    - stig-k8s-control-plane
    - stig-k8s-general
    - stig-k8s-kubelet
  maxHistoricalResults: 3
  scanTemplate:
    scanType: node
    nodeScopeStrategy: auto
    targetNodeRoles:
      - control-plane
    nodeSelector:
      node-role.kubernetes.io/control-plane: ""

Scheduled ScanSuite Example

apiVersion: compliance.security.alauda.io/v1alpha1
kind: ScanSuite
metadata:
  name: scheduled-scan-suite
  namespace: compliance-system
spec:
  profiles:
    - stig-k8s-api-server
    - stig-k8s-control-plane
  schedule: "0 2 * * *"
  maxHistoricalResults: 3
  scanTemplate:
    scanType: node
    nodeScopeStrategy: auto

ScanSuite with Email Notification

apiVersion: compliance.security.alauda.io/v1alpha1
kind: ScanSuite
metadata:
  name: notify-scan-suite
  namespace: compliance-system
spec:
  profiles:
    - stig-k8s-api-server
  maxHistoricalResults: 3
  scanTemplate:
    scanType: node
    nodeScopeStrategy: auto
  reportDelivery:
    email:
      enabled: true
      recipientsRef:
        name: compliance-mail-recipients

ScanSuite Parameters

The following table describes the top-level parameters of the ScanSuite resource:

Parameter | Type | Description
spec.profiles | array | List of profiles associated with the ScanSuite. The controller creates child Scan resources for these profiles.
spec.schedule | string | Optional. Configures scheduled execution using cron syntax. Example: "0 2 * * *" for daily execution at 2 AM. If not set, the ScanSuite runs only when triggered manually.
spec.paused | boolean | Optional. Pauses the ScanSuite. Set this field to true to stop execution temporarily, and set it back to false to resume.
spec.maxHistoricalResults | int | Optional. Number of historical results to retain for each child Scan (default: 5).
spec.scanTemplate | object | Optional. Template applied to the child Scan resources created by the ScanSuite.
spec.reportDelivery | object | Optional. Delivery configuration for generated reports. Currently only email delivery is supported.

Scan Template Parameters

The following table describes the parameters available under spec.scanTemplate:

Parameter | Type | Scope | Description
spec.scanTemplate.scanType | string | k8s, os | Supports platform, node, and all. In platform mode, the system only scans Kubernetes resources. In node mode, the system only scans node files.
spec.scanTemplate.nodeScopeStrategy | string | k8s | Node selection mode for scanning. Supports auto and manual. In auto mode, nodes are selected based on rule-specific scope definitions. In manual mode, all rules are executed on the specified nodes.
spec.scanTemplate.targetNodeRoles | array | k8s, os | Optional. Restricts node roles. Valid values include control-plane and worker. When configured, it participates in node filtering and intersects with nodeScopeStrategy.
spec.scanTemplate.nodeSelector | object | k8s, os | Optional. Uses node labels for selection. When configured, it participates in node filtering and intersects with nodeScopeStrategy.

For ScanSuite, the node selection and scheduling fields are configured under spec.scanTemplate, not directly under spec.

See Node Selection and Scheduling for the shared behavior and profile-specific limits.

Report Delivery Parameters

If spec.reportDelivery is configured, the following fields are used for email delivery:

Parameter | Type | Description
spec.reportDelivery.email.enabled | boolean | Enables email delivery for reports generated by the ScanSuite.
spec.reportDelivery.email.recipientsRef.name | string | Name of the ConfigMap that defines the email recipients.
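A pre-apply check for ScanSuite manifests, written against the parameter tables above. This is an added example, not code from the compliance operator: it treats the manifest as a plain Python dict (mirroring the Scheduled ScanSuite example) so no YAML library is needed, accepts only the valid values the tables list, and flags fields such as scanType placed under spec instead of spec.scanTemplate. The cron check is a loose five-field numeric pattern, and the warning for manual mode without any node specification is an inference from the nodeScopeStrategy description rather than a documented rule.

```python
"""Offline structural checks for a ScanSuite manifest (added example, not the
operator's own validation). Manifests are handled as dicts, no YAML parser needed."""
import re

API_VERSION = "compliance.security.alauda.io/v1alpha1"
VALID_SCAN_TYPES = {"platform", "node", "all"}
VALID_NODE_STRATEGIES = {"auto", "manual"}
VALID_NODE_ROLES = {"control-plane", "worker"}
TEMPLATE_ONLY_FIELDS = ("scanType", "nodeScopeStrategy", "targetNodeRoles", "nodeSelector")
# Loose cron field: "*", numbers, ranges, steps and comma lists (no names or "?").
CRON_FIELD = re.compile(r"^(\*|\d+)(-\d+)?(/\d+)?(,(\*|\d+)(-\d+)?(/\d+)?)*$")


def is_cron(value):
    """Five whitespace-separated fields, each matching the loose pattern above."""
    fields = value.split()
    return len(fields) == 5 and all(CRON_FIELD.match(f) for f in fields)


def validate_scansuite(manifest):
    """Return (errors, warnings). Errors violate the documented field types or
    values; warnings are assumptions about intent, not documented constraints."""
    errors, warnings = [], []
    if manifest.get("apiVersion") != API_VERSION or manifest.get("kind") != "ScanSuite":
        errors.append(f"apiVersion/kind must be {API_VERSION}/ScanSuite")
    spec = manifest.get("spec") or {}

    profiles = spec.get("profiles")
    if not (isinstance(profiles, list) and profiles
            and all(isinstance(p, str) and p for p in profiles)):
        errors.append("spec.profiles must be a non-empty list of profile names")

    schedule = spec.get("schedule")
    if schedule is not None and not (isinstance(schedule, str) and is_cron(schedule)):
        errors.append(f"spec.schedule {schedule!r} is not a 5-field cron expression")

    if "paused" in spec and not isinstance(spec["paused"], bool):
        errors.append("spec.paused must be a boolean")

    keep = spec.get("maxHistoricalResults")
    if keep is not None and (isinstance(keep, bool) or not isinstance(keep, int) or keep < 1):
        errors.append("spec.maxHistoricalResults must be a positive integer")

    # Node selection fields live under spec.scanTemplate, never directly under spec.
    misplaced = [f for f in TEMPLATE_ONLY_FIELDS if f in spec]
    if misplaced:
        errors.append(f"fields {misplaced} must be under spec.scanTemplate, not spec")

    tmpl = spec.get("scanTemplate") or {}
    scan_type = tmpl.get("scanType")
    if scan_type is not None and scan_type not in VALID_SCAN_TYPES:
        errors.append(f"scanTemplate.scanType {scan_type!r} not in {sorted(VALID_SCAN_TYPES)}")
    strategy = tmpl.get("nodeScopeStrategy")
    if strategy is not None and strategy not in VALID_NODE_STRATEGIES:
        errors.append(f"scanTemplate.nodeScopeStrategy {strategy!r} not in {sorted(VALID_NODE_STRATEGIES)}")
    roles = tmpl.get("targetNodeRoles")
    if roles is not None:
        if not isinstance(roles, list):
            errors.append("scanTemplate.targetNodeRoles must be a list")
        else:
            unknown = [r for r in roles if r not in VALID_NODE_ROLES]
            if unknown:
                errors.append(f"scanTemplate.targetNodeRoles contains unknown roles {unknown}")
    selector = tmpl.get("nodeSelector")
    if selector is not None and not (isinstance(selector, dict) and all(
            isinstance(k, str) and isinstance(v, str) for k, v in selector.items())):
        errors.append("scanTemplate.nodeSelector must map label keys to string values")
    # Assumption: manual mode runs every rule on "the specified nodes", so a
    # manual template with no roles and no selector is probably a mistake.
    if strategy == "manual" and not roles and not selector:
        warnings.append("nodeScopeStrategy is manual but no targetNodeRoles or nodeSelector is set")

    email = (spec.get("reportDelivery") or {}).get("email") or {}
    if email:
        if not isinstance(email.get("enabled"), bool):
            errors.append("reportDelivery.email.enabled must be a boolean")
        if email.get("enabled") and not (email.get("recipientsRef") or {}).get("name"):
            errors.append("reportDelivery.email.recipientsRef.name is required when email is enabled")
    return errors, warnings


# The page's Scheduled ScanSuite example, as a dict.
SCHEDULED_SUITE = {
    "apiVersion": API_VERSION, "kind": "ScanSuite",
    "metadata": {"name": "scheduled-scan-suite", "namespace": "compliance-system"},
    "spec": {"profiles": ["stig-k8s-api-server", "stig-k8s-control-plane"],
             "schedule": "0 2 * * *", "maxHistoricalResults": 3,
             "scanTemplate": {"scanType": "node", "nodeScopeStrategy": "auto"}},
}
# Constructed counter-example: bad cron, misplaced scanType, unknown node role.
BROKEN_SUITE = {
    "apiVersion": API_VERSION, "kind": "ScanSuite",
    "metadata": {"name": "broken-suite", "namespace": "compliance-system"},
    "spec": {"profiles": ["stig-k8s-api-server"], "schedule": "every night",
             "scanType": "node",
             "scanTemplate": {"nodeScopeStrategy": "manual", "targetNodeRoles": ["master"]}},
}

if __name__ == "__main__":
    for suite in (SCHEDULED_SUITE, BROKEN_SUITE):
        errs, warns = validate_scansuite(suite)
        print(suite["metadata"]["name"], "errors:", errs, "warnings:", warns)
```

Running the module checks both manifests: the page's scheduled example passes cleanly, while the constructed one reports the cron, placement and role problems before anything is applied to the cluster.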

ScanSuite Annotations

The following annotation can be used to control ScanSuite execution:

Annotation | Scope | Description
compliance.security.alauda.io/force-suite: "true" | k8s, os | Manually triggers immediate ScanSuite execution. Automatically resets to false after completion.

Monitoring ScanSuite Execution

Use ScanSuite to inspect the batch resource, and use Scan to inspect the child executions created from it.

# Check ScanSuite status
kubectl get scansuite test-scan-suite -n compliance-system -o yaml

# Check child Scans created by the ScanSuite
kubectl get scan -n compliance-system -o wide
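The pause, resume, force-trigger and monitoring operations above, wrapped in one script. This is an added example, not part of the compliance operator: it assumes kubectl is on PATH with access to the cluster, the suite and namespace names are the constructed ones from this page, and the child-Scan listing assumes the controller links child Scans to the suite through standard Kubernetes ownerReferences, which the page does not state. The trigger path polls the force-suite annotation until the controller resets it from "true", as the annotation table describes.

```python
"""Operate a ScanSuite through kubectl (added example, not operator code).
Assumes kubectl on PATH and cluster access; names below are constructed."""
import json
import subprocess
import sys
import time

NAMESPACE = "compliance-system"
SUITE = "test-scan-suite"
FORCE_ANNOTATION = "compliance.security.alauda.io/force-suite"


def paused_patch(paused):
    """JSON merge patch that sets spec.paused (true pauses, false resumes)."""
    return json.dumps({"spec": {"paused": paused}}, separators=(",", ":"))


def kubectl_args(action, suite=SUITE, namespace=NAMESPACE):
    """Build the kubectl argument list for one documented operation."""
    base = ["kubectl", "-n", namespace]
    if action in ("pause", "resume"):
        return base + ["patch", "scansuite", suite, "--type=merge",
                       "-p", paused_patch(action == "pause")]
    if action == "trigger":
        # Annotation values are strings; the controller resets it after the run.
        return base + ["annotate", "scansuite", suite,
                       f"{FORCE_ANNOTATION}=true", "--overwrite"]
    if action == "status":
        return base + ["get", "scansuite", suite, "-o", "json"]
    if action == "children":
        return base + ["get", "scan", "-o", "json"]
    raise ValueError(f"unknown action {action!r}")


def run(action):
    """Execute the kubectl command and return its stdout (raises on failure)."""
    return subprocess.run(kubectl_args(action), check=True,
                          capture_output=True, text=True).stdout


def trigger_pending(suite_json):
    """True while the force-suite annotation still reads "true"."""
    annotations = json.loads(suite_json).get("metadata", {}).get("annotations") or {}
    return annotations.get(FORCE_ANNOTATION) == "true"


def wait_for_trigger_reset(timeout_s=600, poll_s=10):
    """Poll the suite until the controller resets the annotation, or time out."""
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        if not trigger_pending(run("status")):
            return True
        time.sleep(poll_s)
    return False


def child_scan_names(scan_list_json, suite=SUITE):
    """Names of Scans whose ownerReferences point at the suite (assumption:
    the controller sets ownerReferences on the child Scans it creates)."""
    items = json.loads(scan_list_json).get("items", [])
    return sorted(
        item["metadata"]["name"] for item in items
        if any(ref.get("kind") == "ScanSuite" and ref.get("name") == suite
               for ref in item["metadata"].get("ownerReferences", [])))


if __name__ == "__main__":
    action = sys.argv[1] if len(sys.argv) > 1 else "status"
    if action == "trigger":
        run("trigger")
        print("run completed" if wait_for_trigger_reset() else "timed out waiting for reset")
    elif action == "children":
        print("\n".join(child_scan_names(run("children"))))
    else:
        print(run(action))
```

Usage: `python scansuite_ops.py pause`, `resume`, `trigger`, `status` or `children`. Pausing is a merge patch on spec.paused rather than a full re-apply, so it does not disturb the rest of the spec; the trigger path returns only once the controller has cleared the annotation, which is the documented signal that the forced execution finished.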