Compliance
Realm9 automatically scans virtual machines provisioned through Terraform against CIS (Center for Internet Security) benchmarks, giving you a compliance score for each VM and optionally blocking handover until violations are resolved.
Licence requirement: Compliance scanning is available on the Infrastructure Enterprise and Ultimate tiers.
Access: Provisioners and Admins can view results. Only Admins can manage settings and release blocked handovers.
What Gets Scanned
Compliance scans run against VMs provisioned through Terraform runs in Realm9. When a Terraform apply completes and a VM is spun up, a scan is triggered automatically (if Scan on Provision is enabled in settings).
Scans are not run against:
- Environments or bookings directly
- Terraform code (that is handled by Terraform Policies)
- User accounts or configuration
Supported VM providers: AWS, Azure, GCP, VMware vCenter, Proxmox.
CIS Profiles
Choose the benchmark profile that matches your workload:
| Profile | Use case |
|---|---|
| CIS Level 1 Server | Baseline security controls for servers (default) |
| CIS Level 2 Server | Enhanced hardening for servers |
| CIS Level 1 Workstation | Baseline controls for workstations |
| CIS Level 2 Workstation | Enhanced hardening for workstations |
Level 1 covers core, broadly applicable recommendations. Level 2 adds more opinionated controls suitable for high-security environments.
Compliance Page
Navigate to Compliance in the sidebar (visible to Provisioners and above).
Overview Tab
Summary cards:
- Average Score — organisation-wide average compliance percentage (green ≥ 90%, amber ≥ 70%, red < 70%)
- Total Scans — total VMs scanned
- Blocked VMs — VMs currently blocked pending remediation
- Pass Rate — percentage of scans meeting the minimum score threshold
Recent Scans table — last 20 scan results showing:
- VM hostname or IP
- Cloud provider
- Compliance score (percentage)
- Status badge
- Critical failure count
- Scan date
- Actions: Report (download HTML report), Release (unblock, Admin only)
Scan Results Tab
Full paginated list of all scan results with filtering by status and Terraform project.
Settings Tab
Configure compliance behaviour for your organisation (Admin only):
| Setting | Description |
|---|---|
| Enable CIS Scanning | Master toggle for the feature |
| Enforcement Mode | Audit, Warn, or Block (see below) |
| CIS Profile | Benchmark profile to apply |
| Minimum Pass Score | Percentage threshold (0–100, default 70%) |
| Block on Critical Failures | Block if any critical checks fail (default: on) |
| Block on High Failures | Block if any high-severity checks fail (default: off) |
| Scan on Provision | Auto-scan after every Terraform apply (default: on) |
| Scan on Schedule | Run periodic scans on a schedule |
| SSH User | OS user for the scanner to connect as (default: ubuntu) |
| Exempted Rule IDs | CIS control IDs to skip globally |
| Exempted Projects | Terraform projects to exclude from scanning |
Scan Statuses
| Status | Meaning |
|---|---|
| Pending | Scan created, waiting to start |
| Running | Scanner is actively checking the VM |
| Completed | Scan finished — results available |
| Failed | Scanner encountered an error (not a VM compliance failure) |
| Cancelled | Scan was aborted |
Additionally, a completed scan can have a handover blocked flag if enforcement rules are violated (see Enforcement below).
Scan Results
Each completed scan produces:
- Overall score — percentage of applicable CIS checks that passed
- Check breakdown — passed, failed, error, and not-applicable counts
- Severity breakdown — critical, high, medium, and low failure counts
- Per-rule results — for each CIS control: rule ID, title, status (pass/fail/error), severity, description, and remediation guidance
Report Formats
Three report formats are generated per scan:
- HTML — human-readable report, downloadable from the UI via the Report button
- ARF — Assessment Results Format (machine-readable XML/JSON for compliance tooling)
- JSON — raw structured data with full rule details
Enforcement Modes
| Mode | Effect |
|---|---|
| Audit | Scans run and results are recorded, but no VM is ever blocked. Use for visibility only. |
| Warn | Same as Audit — results recorded, no blocking. Intended for future alerting. |
| Block | Scans run and enforcement rules are evaluated. VMs that fail are blocked from handover until an Admin releases them. |
Blocking Rules (Block mode)
A VM is blocked if any of the following apply:
- Critical failures — if Block on Critical Failures is on and any critical CIS check fails
- High failures — if Block on High Failures is on and any high-severity check fails
- Score below threshold — if the overall score is below the configured minimum pass score
When a VM is blocked, its scan record shows the specific reason (e.g. "3 critical CIS check(s) failed").
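As an added example (not Realm9's own code), the following Python model shows how the three blocking rules combine with the Enforcement Mode, Minimum Pass Score, Block on Critical/High Failures and Exempted Rule IDs settings to produce the handover decision and a reason string in the form shown above. The Settings and RuleResult field names are assumptions, and the sample scan is constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Settings:
    # Assumed names mirroring the Settings tab; defaults match the documented defaults
    enforcement_mode: str = "Block"      # Audit | Warn | Block
    min_pass_score: int = 70             # Minimum Pass Score (0-100)
    block_on_critical: bool = True       # Block on Critical Failures
    block_on_high: bool = False          # Block on High Failures
    exempted_rule_ids: set = field(default_factory=set)  # Exempted Rule IDs

@dataclass
class RuleResult:
    rule_id: str
    status: str    # pass | fail | error | not_applicable
    severity: str  # critical | high | medium | low

def compute_score(results, settings):
    """Overall score: percentage of applicable, non-exempted checks that passed.
    Errors stay in the denominator: they are applicable checks that did not pass."""
    applicable = [r for r in results if r.status != "not_applicable"
                  and r.rule_id not in settings.exempted_rule_ids]
    if not applicable:
        return 100.0
    passed = sum(1 for r in applicable if r.status == "pass")
    return round(100.0 * passed / len(applicable), 1)

def evaluate_handover(results, settings):
    """Return (blocked, reasons). Audit and Warn never block; Block applies the three rules."""
    if settings.enforcement_mode != "Block":
        return False, []
    failed = [r for r in results if r.status == "fail" and r.rule_id not in settings.exempted_rule_ids]
    critical = sum(1 for r in failed if r.severity == "critical")
    high = sum(1 for r in failed if r.severity == "high")
    reasons = []
    if settings.block_on_critical and critical:
        reasons.append(f"{critical} critical CIS check(s) failed")
    if settings.block_on_high and high:
        reasons.append(f"{high} high-severity CIS check(s) failed")
    score = compute_score(results, settings)
    if score < settings.min_pass_score:
        reasons.append(f"score {score}% is below the minimum pass score of {settings.min_pass_score}%")
    return bool(reasons), reasons

# Constructed sample scan: rule IDs and severities are illustrative, not real CIS mappings
SAMPLE = [
    RuleResult("1.1.1", "fail", "critical"), RuleResult("1.1.2", "fail", "critical"),
    RuleResult("1.1.3", "fail", "critical"), RuleResult("2.1.1", "fail", "high"),
    RuleResult("3.1.1", "pass", "medium"),   RuleResult("3.1.2", "pass", "low"),
    RuleResult("4.1.1", "pass", "medium"),   RuleResult("5.1.1", "error", "low"),
    RuleResult("5.2.1", "not_applicable", "low"), RuleResult("6.1.1", "pass", "medium"),
]
```

With the defaults, `evaluate_handover(SAMPLE, Settings())` blocks with "3 critical CIS check(s) failed" plus a score reason (4 of 9 applicable checks passed, 44.4%); exempting the four failing rules lifts the score to 80% and clears the block.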
Releasing a Blocked VM
Admins can release a blocked VM by clicking Release on the scan result. This records the admin's identity and timestamp and allows the handover to proceed. All releases are captured in the audit log.
How Scans are Triggered
Automatic (default): When a Terraform apply completes successfully and produces a VM, a scan is created automatically. This requires Scan on Provision to be enabled.
Scheduled: When Scan on Schedule is enabled, scans run on the configured cron interval.
Manual scan triggering from the UI is not currently available.
Role-Based Access
| Action | Viewer | User | Provisioner | Admin |
|---|---|---|---|---|
| View compliance page and scan results | — | — | ✓ | ✓ |
| Download scan reports | — | — | ✓ | ✓ |
| Configure compliance settings | — | — | — | ✓ |
| Release blocked VM handovers | — | — | — | ✓ |
