Compliance (ibmcloud workload-protection compliance) CLI
The IBM Cloud® Security and Compliance Center Workload Protection compliance CLI lets you determine the available frameworks, platforms, and scope options as well as create and manage benchmark and compliance tasks.
You can use wp, sysdig-secure, security-compliance-secure, or scs as aliases for the workload-protection commands. For example, you can run ibmcloud wp policy create ..., ibmcloud sysdig-secure policy create ..., ibmcloud security-compliance-secure policy create ..., or ibmcloud scs policy create ... for ibmcloud workload-protection policy create ....
Concepts
To use this CLI you will need to understand the following IBM Cloud Security and Compliance Center Workload Protection concepts. For more information on IBM Cloud Security and Compliance Center Workload Protection, see the IBM Cloud Security and Compliance Center Workload Protection documentation.
- Compliance frameworks provide guidelines and structures to maintain security and help meet regulatory requirements.
- Compliance platforms are the available platforms that can be monitored, such as Kubernetes, Docker, and so on.
- Scope options are the available scope labels and operators that can be used when creating a benchmark or compliance task.
- Tasks allow you to create benchmarks or compliance tasks.
Command options
The following are the available options for all ibmcloud workload-protection compliance commands.
--instance-id ID (required), exclusive with --instance-name
- The ID of the IBM Cloud Security and Compliance Center Workload Protection instance. The ID can be obtained by running the ibmcloud resource service-instance command. One of --instance-id or --instance-name must be specified. The --instance-id and --instance-name options cannot be specified together on the same command invocation.
--instance-name INSTANCE_NAME (required), exclusive with --instance-id
- The name of the IBM Cloud Security and Compliance Center Workload Protection instance. This is the name you specified when creating the instance. One of --instance-id or --instance-name must be specified. The --instance-id and --instance-name options cannot be specified together on the same command invocation.
--region REGION | -r REGION
- Name of the region, for example, us-south or eu-gb. If not specified, the region logged into, or targeted, will be used.
--output FORMAT
- Available output formats are JSON, YAML, or TABLE. If not specified, output will be returned in a tabular format.
--quiet | -q
- Suppress verbose messages.
help | --help | -h
- List options available for the command.
ibmcloud workload-protection compliance frameworks
This command returns a list of available frameworks in your IBM Cloud Security and Compliance Center Workload Protection instance.
ibmcloud workload-protection compliance frameworks (--instance-id INSTANCE_ID | --instance-name INSTANCE_NAME) [--region REGION] [--output FORMAT] [--quiet]
Frameworks command options
See the command options for a description of each option.
ibmcloud workload-protection compliance frameworks metadata
This command returns the metadata for the specified framework in your IBM Cloud Security and Compliance Center Workload Protection instance.
ibmcloud workload-protection compliance frameworks metadata --framework FRAMEWORK (--instance-id INSTANCE_ID | --instance-name INSTANCE_NAME) [--region REGION] [--output FORMAT] [--quiet]
Frameworks metadata command options
--framework FRAMEWORK
- The name of a framework in your IBM Cloud Security and Compliance Center Workload Protection instance. Available frameworks can be found using the ibmcloud workload-protection compliance frameworks command.
See the command options for a description of additional options.
ibmcloud workload-protection compliance platforms
This command returns a list of available platforms in your IBM Cloud Security and Compliance Center Workload Protection instance.
ibmcloud workload-protection compliance platforms (--instance-id INSTANCE_ID | --instance-name INSTANCE_NAME) [--region REGION] [--output FORMAT] [--quiet]
Platforms command options
See the command options for a description of each option.
ibmcloud workload-protection compliance scope-options
This command returns a list of available scope options in your IBM Cloud Security and Compliance Center Workload Protection instance.
ibmcloud workload-protection compliance scope-options --framework FRAMEWORK --platform PLATFORM [--version VERSION] (--instance-id INSTANCE_ID | --instance-name INSTANCE_NAME) [--region REGION] [--output FORMAT] [--quiet]
Compliance scope-options command options
--framework FRAMEWORK
- The name of a framework in your IBM Cloud Security and Compliance Center Workload Protection instance. Available frameworks can be found using the ibmcloud workload-protection compliance frameworks command.
--platform PLATFORM
- The name of a platform in your IBM Cloud Security and Compliance Center Workload Protection instance. Available platforms can be found using the ibmcloud workload-protection compliance platforms command.
--version VERSION
- Returns the scope labels and operators for only the specified version. If not specified, Latest is returned.
See the command options for a description of additional options.
ibmcloud workload-protection compliance tasks
This command lists the tasks configured for your IBM Cloud Security and Compliance Center Workload Protection instance.
ibmcloud workload-protection compliance tasks (--instance-id INSTANCE_ID | --instance-name INSTANCE_NAME) [--framework FRAMEWORK] [--filter FILTER] [--version VERSION] [--platform PLATFORM] [--region REGION] [--output FORMAT] [--quiet]
Compliance tasks command options
--filter FILTER
- Limits results by the string value specified. Only the name and scope fields are searched for the filter value.
--framework FRAMEWORK
- The name of a framework in your IBM Cloud Security and Compliance Center Workload Protection instance. Available frameworks can be found using the ibmcloud workload-protection compliance frameworks command.
--platform PLATFORM
- The name of a platform in your IBM Cloud Security and Compliance Center Workload Protection instance. Available platforms can be found using the ibmcloud workload-protection compliance platforms command.
--version VERSION
- Returns the tasks for the specified version. If not specified, Latest is returned.
See the command options for a description of additional options.
ibmcloud workload-protection compliance task create
This command creates a new compliance task in your IBM Cloud Security and Compliance Center Workload Protection instance.
ibmcloud workload-protection compliance task create --name NAME --schedule SCHEDULE --framework FRAMEWORK --platform PLATFORM --version VERSION [--scope SCOPE] [--schema SCHEMA] [--enabled ENABLED] [--excludeControlList CONTROL_IDS]
Compliance task create command options
--enabled ENABLED
- Indicates if the task is enabled, and can be run, or is disabled. Valid values are true and false. Default is false, indicating that the task is not enabled.
--excludeControlList CONTROL_IDS
- List of control IDs to be excluded from the compliance task.
--framework FRAMEWORK
- The name of a framework in your IBM Cloud Security and Compliance Center Workload Protection instance. Available frameworks can be found using the ibmcloud workload-protection compliance frameworks command.
--name NAME
- The name to be given to the task.
--platform PLATFORM
- The name of a platform in your IBM Cloud Security and Compliance Center Workload Protection instance. Available platforms can be found using the ibmcloud workload-protection compliance platforms command.
--schedule SCHEDULE
- The schedule when the task will be run. Specify as a cron-like expression representing a frequency. For example, 0 10 * * 1.
--schema SCHEMA
- The benchmark or compliance schema to be applied to the task. Valid values are:
kube_bench_cis-1.5
kube_bench_cis-1.6
kube_bench_gke-1.0
kube_bench_eks-1.0
kube_bench_rh-0.7
linux_bench_cis-1.1
docker_bench_security_1.0
aws_foundations_bench-1.3
NIST-800-53-Rev4-WORKLOAD
NIST-800-53-Rev4-AWS
NIST-800-53-Rev5-WORKLOAD
NIST-800-53-Rev5-AWS
NIST-800-190-WORKLOAD
--scope SCOPE
- The task scope.
--version VERSION
- You can optionally specify the version of the framework. If not specified, defaults to Latest.
See the command options for a description of additional options.
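The constraints documented for task create can be checked locally before the CLI is called, which keeps a mistyped schema or a task left at the default of not enabled from going unnoticed in automation. The following is an added example, not part of IBM's documentation: check_task_create and warn are hypothetical helper names, the five-field schedule check is an assumption based on the example 0 10 * * 1, and the instance options are taken from the common command options.

```shell
# Added example: pre-flight checks for `compliance task create` arguments.
# Schema names are copied from the "Valid values" list for --schema.
VALID_SCHEMAS="kube_bench_cis-1.5 kube_bench_cis-1.6 kube_bench_gke-1.0
kube_bench_eks-1.0 kube_bench_rh-0.7 linux_bench_cis-1.1
docker_bench_security_1.0 aws_foundations_bench-1.3
NIST-800-53-Rev4-WORKLOAD NIST-800-53-Rev4-AWS NIST-800-53-Rev5-WORKLOAD
NIST-800-53-Rev5-AWS NIST-800-190-WORKLOAD"
warn() { echo "task create: $1" >&2; }
# check_task_create (hypothetical helper): returns 0 when the arguments meet
# the documented constraints, 1 otherwise. It never contacts IBM Cloud and
# accepts only the task create and common options documented on this page.
check_task_create() {
  inst_id="" inst_name="" schema="" enabled="" schedule=""
  name="" framework="" platform=""
  while [ $# -gt 0 ]; do
    case "$1" in --quiet|-q) shift; continue ;; esac
    if [ $# -lt 2 ]; then warn "missing value for $1"; return 1; fi
    case "$1" in
      --instance-id)   inst_id=$2 ;;
      --instance-name) inst_name=$2 ;;
      --schema)        schema=$2 ;;
      --enabled)       enabled=$2 ;;
      --schedule)      schedule=$2 ;;
      --name)          name=$2 ;;
      --framework)     framework=$2 ;;
      --platform)      platform=$2 ;;
      --version|--scope|--excludeControlList|--region|-r|--output) ;;
      *) warn "unknown option $1"; return 1 ;;
    esac
    shift 2
  done
  # Exactly one of --instance-id / --instance-name must be given.
  if [ -n "$inst_id" ] && [ -n "$inst_name" ]; then
    warn "--instance-id and --instance-name are mutually exclusive"; return 1; fi
  if [ -z "$inst_id$inst_name" ]; then
    warn "one of --instance-id or --instance-name is required"; return 1; fi
  if [ -z "$name" ] || [ -z "$schedule" ] || [ -z "$framework" ] || [ -z "$platform" ]; then
    warn "--name, --schedule, --framework and --platform are required"; return 1; fi
  case "$enabled" in ""|true|false) ;; *) warn "--enabled must be true or false"; return 1 ;; esac
  if [ -n "$schema" ]; then
    found=0
    for s in $VALID_SCHEMAS; do if [ "$s" = "$schema" ]; then found=1; fi; done
    if [ "$found" -eq 0 ]; then warn "unknown schema $schema"; return 1; fi
  fi
  # Assumption: five cron fields, as in the page's example "0 10 * * 1".
  fields=$(printf '%s\n' "$schedule" | awk '{print NF}')
  if [ "$fields" -ne 5 ]; then warn "schedule needs 5 fields, got $fields"; return 1; fi
  return 0
}
```

To use it as a guard, run check_task_create "$@" && ibmcloud workload-protection compliance task create "$@" so the real command only executes when the checks pass.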
ibmcloud workload-protection compliance task delete
This command deletes a task defined in your IBM Cloud Security and Compliance Center Workload Protection instance.
ibmcloud workload-protection compliance task delete --id ID (--instance-id INSTANCE_ID | --instance-name INSTANCE_NAME) [--region REGION] [--output FORMAT] [--quiet]
Compliance task delete command options
--id ID
- The task ID of the compliance task. You can find a list of configured tasks by running the ibmcloud workload-protection compliance tasks command.
See the command options for a description of additional options.
ibmcloud workload-protection compliance task update
This command enables or disables a task defined in your IBM Cloud Security and Compliance Center Workload Protection instance. A disabled task cannot be run.
ibmcloud workload-protection compliance task update --id ID (--disable | --enable)
Compliance task update command options
--id ID
- The task ID of the compliance task. You can find a list of configured tasks by running the ibmcloud workload-protection compliance tasks command.
--disable
- The task is disabled and will not run.
--enable
- The task is enabled and will run.
See the command options for a description of additional options.
ibmcloud workload-protection compliance task get
This command returns the task defined by the specified ID in your IBM Cloud Security and Compliance Center Workload Protection instance.
ibmcloud workload-protection compliance task get --id ID (--instance-id INSTANCE_ID | --instance-name INSTANCE_NAME) [--region REGION] [--output FORMAT] [--quiet]
Compliance task get command options
--id ID
- The task ID of the compliance task. You can find a list of configured tasks by running the ibmcloud workload-protection compliance tasks command.
See the command options for a description of additional options.
ibmcloud workload-protection compliance task report
This command returns the latest report for the task defined in your IBM Cloud Security and Compliance Center Workload Protection instance.
ibmcloud workload-protection compliance task report --id ID --report-id REPORT_ID (--instance-id INSTANCE_ID | --instance-name INSTANCE_NAME) [--region REGION] [--output FORMAT] [--quiet]
Compliance task report command options
--id ID
- The task ID of the compliance task. You can find a list of configured tasks by running the ibmcloud workload-protection compliance tasks command.
--report-id REPORT_ID
- The report ID. If not specified, the latest will be returned.
See the command options for a description of additional options.
ibmcloud workload-protection compliance task run
This command runs a task defined in your IBM Cloud Security and Compliance Center Workload Protection instance.
ibmcloud workload-protection compliance task run --id ID (--instance-id INSTANCE_ID | --instance-name INSTANCE_NAME) [--region REGION] [--output FORMAT] [--quiet]
Compliance task run command options
--id ID
- The task ID of the compliance task. You can find a list of configured tasks by running the ibmcloud workload-protection compliance tasks command.
See the command options for a description of additional options.