Release Notes for Compliance Scanner

Note: Pivotal Platform is now part of VMware Tanzu. In v1.2 and later, Pivotal Compliance Scanner is named Compliance Scanner for VMware Tanzu.

These are release notes for Compliance Scanner for VMware Tanzu.

For product versions and upgrade paths, see Upgrade Planner.

v1.2.32

Release Date: May 11, 2020

Features

New features and changes in this release:

  • The CPU limit for Compliance Scanner is now configured independently of the Enforce CPU limit field. When you upgrade to v1.2.32 from v1.1.19 or later, the CPU limit is reset to the installation default of 50%, so review the value after upgrading.
    For instructions on setting the CPU limit, see Configure Scans.

  • You can now configure an Amazon S3 bucket for scan results by supplying the name of an AWS instance profile that grants access to the bucket, instead of an access key ID and secret access key. Because the credentials come from the instance profile, no static S3 keys need to be entered in the configuration.
    For information, see Configure to Upload to an S3 Bucket and Using AWS Instance Profile.

  • Changes the communication protocol between the Scanner Web and the Scanner Daemon from Unix socket to TCP with mTLS.
  • Speeds up targeted benchmark runs.
  • Updates bundled OpenSCAP to v1.3.2
  • Updates STIG benchmark:

    • Adds audit rules: SV-90369r2_rule, SV-90387r3_rule, SV-90437r3_rule, SV-90445r3_rule, SV-90465r3_rule, SV-95681r1_rule, SV-90459r3_rule
    • Adds NIST Control Map to the STIG benchmark
  • Updates CIS benchmark:

    • Removes exceptions for audit rules: 4.1.6, 4.1.7
    • Fixes CIS Level 1 rules:
      • 1.1.17, 1.1.18, 1.1.19 - Remove the verification for CD-ROMs
      • 2.2.7-2 - Use dpkg instead of systemctl
      • 4.2.1.2 - Remove duplicate log entries and unneeded log files from the rsyslog configuration
      • 4.3 - Exclude /var/log/cloud-init.log from the log rotation check
      • 5.2.11 - Remove SSH MAC Exception
    • Fixes CIS Level 2 rule:
      • 4.1.10 - Fix failing test due to stemcell changes
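The mTLS change above is the security-relevant one in this list: the daemon no longer trusts anything that can reach its socket, it trusts only peers holding a certificate from the expected CA. The following Go program is an added example, not Compliance Scanner's own code, of what that contract looks like and how to verify it. It mints a throwaway private CA plus daemon and web certificates (the names scanner-ca, scanner-daemon and scanner-web are placeholders, not the product's real identities), starts a TCP listener that requires and verifies a client certificate, and then connects once with a CA-issued certificate and once with none:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints a throwaway ECDSA P-256 certificate for cn, self-signed (our private CA)
// when parent is nil, otherwise signed by parent/parentKey. Names are placeholders.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	if isCA {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// MTLSDemo runs a daemon-style listener that demands a client certificate from the
// private CA, then connects once with a CA-issued certificate and once with none.
// Each result is true only if the daemon completed the handshake and echoed data back.
func MTLSDemo() (withCert, withoutCert bool) {
	_, caCert, caKey := issue("scanner-ca", true, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	daemonCert, _, _ := issue("scanner-daemon", false, caCert, caKey)
	webCert, _, _ := issue("scanner-web", false, caCert, caKey)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{daemonCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the "mutual" in mTLS
		ClientCAs:    pool,
	})
	must(err)
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			// The first Read drives the handshake; an unauthenticated client fails here.
			buf := make([]byte, 64)
			if n, err := c.Read(buf); err == nil {
				c.Write(buf[:n])
			}
			c.Close()
		}
	}()
	connect := func(certs []tls.Certificate) bool {
		// The web side verifies the daemon against the same private CA.
		conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: certs, RootCAs: pool})
		if err != nil {
			return false
		}
		defer conn.Close()
		conn.SetDeadline(time.Now().Add(5 * time.Second))
		// Under TLS 1.3 Dial can succeed before the server rejects a missing certificate,
		// so judge by the application-level echo rather than by Dial alone.
		if _, err := conn.Write([]byte("ping")); err != nil {
			return false
		}
		buf := make([]byte, 4)
		n, err := conn.Read(buf)
		return err == nil && string(buf[:n]) == "ping"
	}
	return connect([]tls.Certificate{webCert}), connect(nil)
}

func main() {
	fmt.Println(MTLSDemo()) // CA-issued client accepted, anonymous client rejected
}
```

The check worth keeping from this is the one in connect: under TLS 1.3 a client's handshake can return successfully before the server has seen and rejected the empty certificate, so a test that only asserts "Dial failed" can pass for the wrong reason. Asserting on application data exchanged after the handshake proves the daemon actually enforces RequireAndVerifyClientCert.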

Resolved Issues

This release has the following fixes:

  • Fixes the permission issue that prevented Scheduled Scan from running: the scan process now runs as the vcap user instead of root.
  • Fixes the cgroups issue: scans are now confined to a single core instead of using all cores of the VM.

Known Issues

There are no known issues for this release.

v1.2.16

Release Date: October 28, 2019

Features

New features and changes in this release:

  • You can now use an Azure Blob Storage Container to store scan results. For information, see (Optional) Configure External Store Upload.

  • Adds the ability to schedule scans. You can now choose a time and day of the week for scans to run. For more information, see Configure Scheduled Scan.

  • Benchmarks used with Compliance Scanner have been updated:

    • The CIS Ubuntu Linux 16.04 LTS – Level 1 benchmark replaces the Recommended Security Baseline benchmark.
    • The CIS Ubuntu Linux 16.04 LTS – Level 2 benchmark replaces the Strict Security Practices benchmark.
      For information about these new benchmarks, see Benchmarks for Compliance Scanner for VMware Tanzu.
  • Adds a Custom SSH Banner field. Use this to provide the text expected when verifying the login SSH Banner on VMs during a scan. For more information, see Configure System Variables.

  • Updates golang dependency to v1.13.1

Known Issues

This release has the following issues:

  • Scheduled Scan: A permission issue prevents scheduled scans from running when the scan process runs as root. Fixed in v1.2.32.
  • cgroups: Scans use more resources than expected because multiple cores of a VM are used to run them. This might cause performance issues on Diego Cell VMs with many apps. Fixed in v1.2.32.
