Using Scan

Scan is the resource for running and managing a single compliance scan for one profile.

When to Use Scan

Use Scan when you need to:

  • run one profile by itself
  • validate one target quickly without creating a batch resource
  • manage execution directly for a single compliance baseline
  • run a standalone OS scan such as stig-os-microos

Use ScanSuite instead when you need to manage multiple profiles together or schedule repeated runs.

Basic Scan Example

apiVersion: compliance.security.alauda.io/v1alpha1
kind: Scan
metadata:
  name: cis-controlplane-scan
  namespace: compliance-system
spec:
  profile: cis-k8s-controlplane
  scanType: node
  nodeScopeStrategy: auto
  targetNodeRoles:
    - control-plane
  maxHistoricalResults: 3

OS Scan Example

apiVersion: compliance.security.alauda.io/v1alpha1
kind: Scan
metadata:
  name: os-scan
  namespace: compliance-system
spec:
  profile: stig-os-microos
  scanType: node

Scan Parameters

The following table describes the top-level parameters of the Scan resource:

Parameter                  Type    Description
spec.profile               string  Profile associated with this Scan. A Scan references exactly one profile.
spec.scanType              string  Optional. Supports platform, node, and all. In platform mode, the system scans only Kubernetes resources. In node mode, the system scans only node files.
spec.nodeScopeStrategy     string  Optional for Kubernetes scans. Supports auto and manual. In auto mode, nodes are selected based on rule-specific scope definitions. In manual mode, all rules are executed on the specified nodes.
spec.targetNodeRoles       array   Optional. Restricts node roles. Valid values include control-plane and worker. When configured, it participates in node filtering together with nodeScopeStrategy.
spec.nodeSelector          object  Optional. Uses node labels for selection. When configured, it participates in node filtering together with nodeScopeStrategy.
spec.maxHistoricalResults  int     Optional. Number of historical results to retain for this Scan (default: 5).
spec.reportDelivery        object  Optional. Delivery configuration for generated reports. Currently only email delivery is supported.

Report Delivery Parameters

If spec.reportDelivery is configured, the following fields are used for email delivery:

Parameter                                     Type     Description
spec.reportDelivery.email.enabled             boolean  Enables email delivery for reports generated by the Scan.
spec.reportDelivery.email.recipientsRef.name  string   Name of the ConfigMap that defines the email recipients.

Node Selection Notes

For Scan, the node selection and scheduling fields are configured directly under spec.

See Node Selection and Scheduling for detailed behavior of scanType, nodeScopeStrategy, targetNodeRoles, and nodeSelector.

Important Notes:

  • OS scanning requires scanType: node.
  • CIS only supports scanType: node; platform and all are not supported because kube-bench does not support rule-level node selection.
  • STIG supports platform, node, and all.

Scan Annotations

The following annotation can be used to control Scan execution:

Annotation                                         Scope    Description
compliance.security.alauda.io/force-scan: "true"   k8s, os  Manually triggers immediate Scan execution. Automatically resets to false after completion.
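As an added example that is not part of the compliance operator's own code, the following Python pre-flight check applies the constraints documented in the parameter tables and notes above (valid scanType, nodeScopeStrategy and targetNodeRoles values, the CIS and OS scanType restriction, and the string-typed force-scan annotation) to a Scan manifest before it is applied. It assumes CIS profiles are named cis-* and OS profiles stig-os-*, as in this page's examples, and takes the manifest as a dict already parsed from YAML.

```python
"""Pre-flight checks for a Scan manifest, derived from this page's parameter tables and notes."""
API_VERSION = "compliance.security.alauda.io/v1alpha1"
FORCE_SCAN = "compliance.security.alauda.io/force-scan"
SCAN_TYPES, SCOPE_STRATEGIES = {"platform", "node", "all"}, {"auto", "manual"}
NODE_ROLES = {"control-plane", "worker"}

BASIC_SCAN = {  # constructed input: the page's Basic Scan Example, already parsed from YAML
    "apiVersion": API_VERSION, "kind": "Scan",
    "metadata": {"name": "cis-controlplane-scan", "namespace": "compliance-system"},
    "spec": {"profile": "cis-k8s-controlplane", "scanType": "node", "nodeScopeStrategy": "auto",
             "targetNodeRoles": ["control-plane"], "maxHistoricalResults": 3},
}


def validate_scan(manifest: dict) -> list[str]:
    """Return findings for a parsed Scan; an empty list means every documented check passes."""
    f, spec = [], manifest.get("spec") or {}
    if manifest.get("apiVersion") != API_VERSION or manifest.get("kind") != "Scan":
        f.append(f"apiVersion/kind must be {API_VERSION} / Scan")
    profile = spec.get("profile")
    if not isinstance(profile, str) or not profile:
        f.append("spec.profile is required and names exactly one profile")
        profile = ""
    scan_type = spec.get("scanType")
    if scan_type is not None and scan_type not in SCAN_TYPES:
        f.append(f"spec.scanType {scan_type!r} is not one of {sorted(SCAN_TYPES)}")
    # Assumption: CIS profiles are named cis-* and OS profiles stig-os-*, as in the page's examples.
    if profile.startswith("cis-") and scan_type != "node":
        f.append("CIS profiles support only scanType: node (kube-bench has no rule-level node selection)")
    if profile.startswith("stig-os-") and scan_type != "node":
        f.append("OS scanning requires scanType: node")
    strategy = spec.get("nodeScopeStrategy")
    if strategy is not None and strategy not in SCOPE_STRATEGIES:
        f.append(f"spec.nodeScopeStrategy {strategy!r} is not one of {sorted(SCOPE_STRATEGIES)}")
    roles = spec.get("targetNodeRoles")
    if roles is not None and (not isinstance(roles, list) or any(r not in NODE_ROLES for r in roles)):
        f.append(f"spec.targetNodeRoles must be a list drawn from {sorted(NODE_ROLES)}")
    if "nodeSelector" in spec and not isinstance(spec["nodeSelector"], dict):
        f.append("spec.nodeSelector must be a label map (object)")
    keep = spec.get("maxHistoricalResults")
    if keep is not None and (isinstance(keep, bool) or not isinstance(keep, int) or keep < 1):
        f.append("spec.maxHistoricalResults must be a positive int (default 5 when omitted)")
    email = (spec.get("reportDelivery") or {}).get("email") or {}
    if email.get("enabled") is True and not (email.get("recipientsRef") or {}).get("name"):
        f.append("spec.reportDelivery.email.recipientsRef.name (recipients ConfigMap) is required")
    force = ((manifest.get("metadata") or {}).get("annotations") or {}).get(FORCE_SCAN)
    if force is not None and force != "true":
        f.append(f'{FORCE_SCAN} must be the string "true"; an unquoted YAML true is a boolean, not a string')
    return f
```

Run it against each Scan manifest before kubectl apply; any non-empty result is a manifest the operator will reject or silently run with a different scope than intended.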

Monitoring Scan Results

To check the status and results of a Scan:

# Check one Scan
kubectl get scan os-scan -n compliance-system -o wide

# Check all Scans
kubectl get scan -n compliance-system -o wide