Compliance (ibmcloud workload-protection compliance) CLI
The IBM Cloud® Security and Compliance Center Workload Protection compliance CLI lets you determine the available frameworks, platforms, and scope options as well as create and manage benchmark and compliance tasks.
You can use wp, sysdig-secure, security-compliance-secure, or scs as aliases for the workload-protection commands. For example, you can run ibmcloud wp policy create ..., ibmcloud sysdig-secure policy create ..., ibmcloud security-compliance-secure policy create ..., or ibmcloud scs policy create ... in place of ibmcloud workload-protection policy create ....
Concepts
To use this CLI you will need to understand the following IBM Cloud Security and Compliance Center Workload Protection concepts. For more information on IBM Cloud Security and Compliance Center Workload Protection, see the IBM Cloud Security and Compliance Center Workload Protection documentation.
- Compliance frameworks provide guidelines and structures to maintain security and help meet regulatory requirements.
- Compliance platforms are the available platforms that can be monitored, such as Kubernetes, Docker, and so on.
- Scope options are the available scope labels and operators that can be used when creating a benchmark or compliance task.
- Tasks allow you to create benchmarks or compliance tasks.
Command options
The following are the available options for all ibmcloud workload-protection compliance commands.
--instance-id ID (required), exclusive with --instance-name - The ID of the IBM Cloud Security and Compliance Center Workload Protection instance. The ID can be obtained by running the ibmcloud resource service-instance command. One of --instance-id or --instance-name must be specified. The --instance-id and --instance-name options cannot be specified together on the same command invocation.
--instance-name INSTANCE_NAME (required), exclusive with --instance-id - The name of the IBM Cloud Security and Compliance Center Workload Protection instance. This is the name you specified when creating the instance. One of --instance-id or --instance-name must be specified. The --instance-id and --instance-name options cannot be specified together on the same command invocation.
--region REGION | -r REGION - Name of the region, for example, us-south or eu-gb. If not specified, the region logged into, or targeted, will be used.
--output FORMAT - Available output formats are JSON, YAML, or TABLE. If not specified, output will be returned in a tabular format.
--quiet | -q - Suppress verbose messages.
help | --help | -h - List options available for the command.
ibmcloud workload-protection compliance frameworks
This command returns a list of available frameworks in your IBM Cloud Security and Compliance Center Workload Protection instance.
ibmcloud workload-protection compliance frameworks (--instance-id INSTANCE_ID | --instance-name INSTANCE_NAME) [--region REGION] [--output FORMAT] [--quiet]
Frameworks command options
See the command options for a description of each option.
ibmcloud workload-protection compliance frameworks metadata
This command returns the metadata for the specified framework in your IBM Cloud Security and Compliance Center Workload Protection instance.
ibmcloud workload-protection compliance frameworks metadata --framework FRAMEWORK (--instance-id INSTANCE_ID | --instance-name INSTANCE_NAME) [--region REGION] [--output FORMAT] [--quiet]
Frameworks metadata command options
--framework FRAMEWORK - The name of a framework in your IBM Cloud Security and Compliance Center Workload Protection instance. Available frameworks can be found using the ibmcloud workload-protection compliance frameworks command.
See the command options for a description of additional options.
ibmcloud workload-protection compliance platforms
This command returns a list of available platforms in your IBM Cloud Security and Compliance Center Workload Protection instance.
ibmcloud workload-protection compliance platforms (--instance-id INSTANCE_ID | --instance-name INSTANCE_NAME) [--region REGION] [--output FORMAT] [--quiet]
Platforms command options
See the command options for a description of each option.
ibmcloud workload-protection compliance scope-options
This command returns a list of available scope options in your IBM Cloud Security and Compliance Center Workload Protection instance.
ibmcloud workload-protection compliance scope-options --framework FRAMEWORK --platform PLATFORM [--version VERSION] (--instance-id INSTANCE_ID | --instance-name INSTANCE_NAME) [--region REGION] [--output FORMAT] [--quiet]
Compliance scope-options command options
--framework FRAMEWORK - The name of a framework in your IBM Cloud Security and Compliance Center Workload Protection instance. Available frameworks can be found using the ibmcloud workload-protection compliance frameworks command.
--platform PLATFORM - The name of a platform in your IBM Cloud Security and Compliance Center Workload Protection instance. Available platforms can be found using the ibmcloud workload-protection compliance platforms command.
--version VERSION - Returns the scope labels and operators for only the specified version. If not specified, Latest is returned.
See the command options for a description of additional options.
ibmcloud workload-protection compliance tasks
This command lists the tasks configured for your IBM Cloud Security and Compliance Center Workload Protection instance.
ibmcloud workload-protection compliance tasks (--instance-id INSTANCE_ID | --instance-name INSTANCE_NAME) [--framework FRAMEWORK] [--filter FILTER] [--version VERSION] [--platform PLATFORM] [--region REGION] [--output FORMAT] [--quiet]
Compliance tasks command options
--filter FILTER - Limits results by the string value specified. Only the name and scope fields are searched for the filter value.
--framework FRAMEWORK - The name of a framework in your IBM Cloud Security and Compliance Center Workload Protection instance. Available frameworks can be found using the ibmcloud workload-protection compliance frameworks command.
--platform PLATFORM - The name of a platform in your IBM Cloud Security and Compliance Center Workload Protection instance. Available platforms can be found using the ibmcloud workload-protection compliance platforms command.
--version VERSION - Returns the tasks for the specified version. If not specified, Latest is returned.
See the command options for a description of additional options.
ibmcloud workload-protection compliance task create
This command creates a new compliance task in your IBM Cloud Security and Compliance Center Workload Protection instance.
ibmcloud workload-protection compliance task create --name NAME --schedule SCHEDULE --framework FRAMEWORK --platform PLATFORM --version VERSION [--scope SCOPE] [--schema SCHEMA] [--enabled ENABLED] [--excludeControlList CONTROL_IDS]
Compliance task create command options
--enabled ENABLED - Indicates if the task is enabled, and can be run, or is disabled. Valid values are true and false. Default is false, indicating that the task is not enabled.
--excludeControlList CONTROL_IDS - List of control IDs to be excluded from the compliance task.
--framework FRAMEWORK - The name of a framework in your IBM Cloud Security and Compliance Center Workload Protection instance. Available frameworks can be found using the ibmcloud workload-protection compliance frameworks command.
--name NAME - The name to be given to the task.
--platform PLATFORM - The name of a platform in your IBM Cloud Security and Compliance Center Workload Protection instance. Available platforms can be found using the ibmcloud workload-protection compliance platforms command.
--schedule SCHEDULE - The schedule when the task will be run. Specify as a cron-like expression representing a frequency. For example, 0 10 * * 1.
--schema SCHEMA - The benchmark or compliance schema to be applied to the task. Valid values are:
  - kube_bench_cis-1.5
  - kube_bench_cis-1.6
  - kube_bench_gke-1.0
  - kube_bench_eks-1.0
  - kube_bench_rh-0.7
  - linux_bench_cis-1.1
  - docker_bench_security_1.0
  - aws_foundations_bench-1.3
  - NIST-800-53-Rev4-WORKLOAD
  - NIST-800-53-Rev4-AWS
  - NIST-800-53-Rev5-WORKLOAD
  - NIST-800-53-Rev5-AWS
  - NIST-800-190-WORKLOAD
--scope SCOPE - The task scope.
--version VERSION - You can optionally specify the version of the framework. If not specified, defaults to Latest.
See the command options for a description of additional options.
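The following shell function is an added example, not part of the IBM documentation or CLI. It checks the values destined for task create against the option descriptions above (instance selector exclusivity, schedule shape, --enabled values, documented --schema names) before anything is sent to the service. The function name check_task_create and the five-field reading of "cron-like" are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not IBM's code): validate `compliance task create` values
# before calling the CLI. Nothing in this block invokes ibmcloud.

# Schema names copied from the --schema option list on this page.
VALID_SCHEMAS="kube_bench_cis-1.5 kube_bench_cis-1.6 kube_bench_gke-1.0
kube_bench_eks-1.0 kube_bench_rh-0.7 linux_bench_cis-1.1
docker_bench_security_1.0 aws_foundations_bench-1.3
NIST-800-53-Rev4-WORKLOAD NIST-800-53-Rev4-AWS NIST-800-53-Rev5-WORKLOAD
NIST-800-53-Rev5-AWS NIST-800-190-WORKLOAD"

# Usage: check_task_create SCHEDULE SCHEMA ENABLED INSTANCE_ID INSTANCE_NAME
# Pass "" for an option you are not setting. Returns 0 if the values agree
# with the option descriptions, 1 (with a message on stderr) if they do not.
check_task_create() {
  sched="$1"; schema="$2"; enabled="$3"; inst_id="$4"; inst_name="$5"

  # Exactly one of --instance-id / --instance-name must be given.
  if [ -n "$inst_id" ] && [ -n "$inst_name" ]; then
    echo "--instance-id and --instance-name cannot be used together" >&2; return 1
  fi
  if [ -z "$inst_id" ] && [ -z "$inst_name" ]; then
    echo "one of --instance-id or --instance-name is required" >&2; return 1
  fi

  # Assumption: the cron-like schedule has five fields, as in "0 10 * * 1".
  set -f; set -- $sched; set +f      # split on whitespace without globbing "*"
  if [ "$#" -ne 5 ]; then
    echo "schedule must have 5 fields, got $#" >&2; return 1
  fi

  # --enabled accepts only true or false (empty means the default, false).
  case "$enabled" in
    ""|true|false) ;;
    *) echo "--enabled must be true or false" >&2; return 1 ;;
  esac

  # --schema, when given, must be one of the documented values.
  if [ -n "$schema" ]; then
    found=0
    for s in $VALID_SCHEMAS; do
      if [ "$s" = "$schema" ]; then found=1; fi
    done
    if [ "$found" -ne 1 ]; then
      echo "unknown schema: $schema" >&2; return 1
    fi
  fi
  return 0
}
```

In a provisioning script, call the function first and run ibmcloud workload-protection compliance task create only when it returns 0.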
ibmcloud workload-protection compliance task delete
This command deletes a task defined in your IBM Cloud Security and Compliance Center Workload Protection instance.
ibmcloud workload-protection compliance task delete --id ID (--instance-id INSTANCE_ID | --instance-name INSTANCE_NAME) [--region REGION] [--output FORMAT] [--quiet]
Compliance task delete command options
--id ID - The task ID of the compliance task. You can find a list of configured tasks by running the ibmcloud workload-protection compliance tasks command.
See the command options for a description of additional options.
ibmcloud workload-protection compliance task update
This command enables or disables a task defined in your IBM Cloud Security and Compliance Center Workload Protection instance. A disabled task cannot be run.
ibmcloud workload-protection compliance task update --id ID (--disable | --enable)
Compliance task update command options
--id ID - The task ID of the compliance task. You can find a list of configured tasks by running the ibmcloud workload-protection compliance tasks command.
--disable - The task is disabled and will not run.
--enable - The task is enabled and will run.
See the command options for a description of additional options.
ibmcloud workload-protection compliance task get
This command returns the task defined by the specified ID in your IBM Cloud Security and Compliance Center Workload Protection instance.
ibmcloud workload-protection compliance task get --id ID (--instance-id INSTANCE_ID | --instance-name INSTANCE_NAME) [--region REGION] [--output FORMAT] [--quiet]
Compliance task get command options
--id ID - The task ID of the compliance task. You can find a list of configured tasks by running the ibmcloud workload-protection compliance tasks command.
See the command options for a description of additional options.
ibmcloud workload-protection compliance task report
This command returns the latest report for the task defined in your IBM Cloud Security and Compliance Center Workload Protection instance.
ibmcloud workload-protection compliance task report --id ID --report-id REPORT_ID (--instance-id INSTANCE_ID | --instance-name INSTANCE_NAME) [--region REGION] [--output FORMAT] [--quiet]
Compliance task report command options
--id ID - The task ID of the compliance task. You can find a list of configured tasks by running the ibmcloud workload-protection compliance tasks command.
--report-id REPORT_ID - The report ID. If not specified, the latest will be returned.
See the command options for a description of additional options.
ibmcloud workload-protection compliance task run
This command runs a task defined in your IBM Cloud Security and Compliance Center Workload Protection instance.
ibmcloud workload-protection compliance task run --id ID (--instance-id INSTANCE_ID | --instance-name INSTANCE_NAME) [--region REGION] [--output FORMAT] [--quiet]
Compliance task run command options
--id ID - The task ID of the compliance task. You can find a list of configured tasks by running the ibmcloud workload-protection compliance tasks command.
See the command options for a description of additional options.