Compliance Scanner for PCF v1.0

Compliance Scanner for PCF (Beta)

Page last updated:

WARNING: Compliance Scanner for Pivotal Cloud Foundry is currently in beta and is intended for evaluation and test purposes only. However, this product can be used in a PCF production environment because it does not have any impact on other tiles or Linux VMs.

Compliance Scanner for Pivotal Cloud Foundry (PCF) provides platform operators and auditors an assessment of each PCF Linux VM running on Xenial stemcells and, if it is compliant, with configuration guidelines.

The following VM types on an Ops Manager instance are skipped for scanning and do not have Compliance Scanner deployed on them:

  • Linux VMs running on Trusty stemcells
  • Non-Linux VMs


Benchmarks for existing commercial configuration scanners are intended for use against traditional Ubuntu servers. This means that running these benchmark scans against a stemcell results in numerous false positives.

Compliance Scanner for PCF addresses this issue by tuning industry-recognized Ubuntu configuration benchmarks for stemcells.

Compliance Scanner for PCF packages the following files for deployment on each BOSH-managed Linux VM:

  • The OpenSCAP (OSCAP) scanner
  • XFiles: A group of YAML files that contains configuration tests written in YAML.
  • The XCCDF Generator (XGen): This translates XFiles tests to the SCAP format.

Compliance Scanner for PCF is installed through Ops Manager. As part of the installation, it deploys each packaged component to each PCF Linux VM and instantiates a new Linux VM, oscap_store, for log retrieval.

Scans are errands that are triggered through Ops Manager. After a successful scan, operators can retrieve reports through the tile. Operators can download these reports to their local machine.

Key Features

Compliance Scanner for PCF includes the following key features:

  • Modified version of industry-recognized configuration benchmarks tuned for stemcells
  • Bundled tests written in YAML, allowing for easier readability
  • Reports of scan results for each Linux VM in the PCF deployment that highlight the compliance posture

Product Snapshot

The following table provides version and version-support information about Compliance Scanner for PCF.

Element Details
Tile version 1.0.0-beta.25
Release date April 3, 2018
Software component version OpenSCAP 1.3.0
Compatible Ops Manager version(s) 2.2, 2.3, 2.4, and 2.5
Compatible Pivotal Application Service version(s) 2.2, 2.3, 2.4, and 2.5
IaaS support AWS, Azure, GCP, and vSphere
IPsec support Yes


Compliance Scanner for PCF has the following limitations:

  • Because of stemcell-related customization, benchmarks are not certified by a governing body.

  • Windows VMs are not supported at this time.

Note: Compliance Scanner for PCF can only scan Linux VMs running on Xenial stemcells 97.x and 170.x and later.


Please provide any bugs, feature requests, or questions to the Pivotal Cloud Foundry Feedback list.

Create a pull request or raise an issue on the source for this page in GitHub