nctl scan compliance

Run a compliance scan against a Kubernetes cluster

nctl scan compliance [flags]

Examples

  # Run a SOC2 compliance scan (fetches policies from github.com/nirmata/kyverno-policies by default)
  nctl scan compliance --standard soc2

  # Scan specific namespaces
  nctl scan compliance --standard nist-800-53 --namespace production,staging

  # Output results as JSON
  nctl scan compliance --standard soc2 -o json

  # Use a local kyverno-policies checkout instead of fetching from GitHub by setting
  # compliance.policies-root: /path/to/kyverno-policies once in ~/.nirmata/nctl/nctl_config.yaml

  # Override with specific policy paths or GitHub URLs
  nctl scan compliance --standard soc2 \
    -p github.com/nirmata/kyverno-policies/best-practices-k8s \
    -p github.com/nirmata/kyverno-policies/compliance/cis/common

Options

  -h, --help                    help for compliance
      --kube-context string     the kube context from configured kubeconfig. Default is the current or sole context
      --kubeconfig string       kubeconfig path (defaults to $HOME/.kube/kubeconfig)
      --mappings-file string    Override path to mappings YAML file
      --namespace stringArray   Namespaces to scan (comma-separated or repeated flag)
  -o, --output string           Output format (text, json, yaml, openreport) (default "text")
  -p, --policies strings        Policy paths to scan (local path or GitHub URL; comma-separated or repeated). Overrides the default mappings-derived policy set.
      --standard string         Compliance standard (soc2, nist-800-53, nsa-cisa, iso27001, pci-dss, etc.)

Options inherited from parent commands

  -v, --v Level   number for the log level verbosity

SEE ALSO