Forge Home




133 latest version

4.7 quality score

We run a couple of automated
scans to help you access a
module's quality. Each module is
given a score based on how well
the author has formatted their
code and documentation and
modules are also checked for
malware using VirusTotal.

Please note, the information below
is for guidance only and neither of
these methods should be considered
an endorsement by Puppet.

Security Compliance Management is now included with Puppet Enterprise

Security Compliance Management lets you monitor and report on security and compliance configurations in your Puppet-managed infrastructure. It requires Puppet Enterprise and is accessed through the Security Compliance Management Console in Puppet Enterprise.

For more information about this module, reach out to your Puppet by Perforce account executive or sales engineer. The Puppet team is available to assist you with the installation process and answer any questions.

Security Compliance Enforcement, a premium feature also available for Puppet Enterprise and Open Source Puppet, automatically enforces security configurations aligned to CIS Benchmarks and DISA STIGs.

Learn more about Security Compliance Enforcement       Go to module page:  Windows | Linux

Version information

  • 3.1.0 (latest)
  • 3.0.0
  • 2.21.0
  • 2.20.0
  • 2.19.0
  • 2.18.2
  • 2.18.1
  • 2.18.0
  • 2.17.1
  • 2.17.0
  • 2.16.0
  • 2.15.0
  • 2.14.0
  • 2.13.0
  • 2.12.0
  • 2.11.1
  • 2.11.0
  • 2.10.0
  • 2.9.0
  • 2.8.0
  • 2.7.0
  • 2.6.0
  • 2.5.0
  • 2.4.0
  • 2.3.0
  • 2.2.2
  • 2.2.1
  • 2.2.0
  • 2.1.0
  • 2.0.0
  • 1.0.5
  • 1.0.4
  • 1.0.3
  • 1.0.2
  • 1.0.1
  • 1.0.0
  • 0.9.0
released Jun 27th 2024
This version is compatible with:
  • Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
  • Puppet > 6.24 < 8.0.0
  • , , , , , , , , , ,
  • backup_assessor
  • ciscat_scan

This module is licensed for use with Puppet Enterprise. You may also evaluate this module for up to 90 days.Learn More

Start using this module

  • r10k or Code Manager
  • Bolt
  • Manual installation
  • Direct download

Add this module to your Puppetfile:

mod 'puppetlabs-comply', '3.1.0'
Learn more about managing modules with a Puppetfile

Add this module to your Bolt project:

bolt module add puppetlabs-comply
Learn more about using this module with an existing project

Manually install this module globally with Puppet module tool:

puppet module install puppetlabs-comply --version 3.1.0

Direct download is not typically how you would use a Puppet module to manage your infrastructure, but you may want to download the module in order to inspect the code.



puppetlabs/comply — version 3.1.0 Jun 27th 2024

Puppet Comply

Puppet Comply is a tool that assesses the infrastructure you manage with Puppet Enterprise against CIS Benchmarks — the best practices for securely configuring systems from the Center for Internet Security (CIS).


This Module is required by the Puppet Comply product and should only be used as per the complete install instructions

There are two workflows for using the Comply module:

Using Replicated to host the Assessor

This is the default recommend workflow for using Comply. Comply hosts a copy of the latest Assessor. This path enables you to configure once, and allow Comply to easily upgrade your Assessor when you do a product upgrade. You can configure the service hosting the Assessor via KOTS to use certificates generated on your PE instance. Then, mutual TLS enables a secure authenticated between your nodes and Comply.

To generate the certificates on your PE instance, run the following:

[root@pe-instance-01 ~]# puppetserver ca generate --certname
Successfully saved private key for to /etc/puppetlabs/puppet/ssl/private_keys/
Successfully saved public key for to /etc/puppetlabs/puppet/ssl/public_keys/
Successfully submitted certificate request for
Successfully saved certificate for to /etc/puppetlabs/puppet/ssl/certs/
Certificate for was autosigned.

Then copy the ca.pem, public certificate and private key for your Comply instance to the KOTS config. Once deployed, the service will now be accessible to your nodes.

In order to keep you up to date, the version of the Assessor is embedded in the module. As such, when doing an upgrade of the Comply product, you should ensure that you have upgraded the module beforehand.

Using a privately hosted file

Alternatively, you can host the file privately elsewhere. If you choose this method, then use scanner_source parameter with the comply class. You may also need to disable the use_mtls paramter too. The version of the Assessor is inferred from the file name so for example if your scanner_source value was, Comply would infer this as being version 4.6.0 of the Assessor.


By default, Comply will install various dependencies required in order for the module and the CIS Assessor to function. Should you wish to configure what Comply manages, see the reference for more details.

Obtaining the Product

Please get in touch with a Puppet Representative

Running Acceptance Tests

bundle exec rake litmus:tear_down;
bundle exec rake litmus:provision_list[release_checks]; #reduce hosts in provision.yaml if required
bundle exec rake litmus:install_agent[puppet7];
bundle exec rake litmus:install_module;
bundle exec rake litmus:acceptance:parallel; #bundle exec rake