Standalone tool to scan a system Compliance status with Security Configuration Assessment (SCA) in YAML format.
Download the binary from releases and run privileged.
# ./SCAScanner -h
USAGE:
SCAScanner [options] <path/to/policy.yaml> Run all checks from a policy file
SCAScanner [options] <path/to/dir> Scan all .yml/.yaml policies in a directory,
skipping those whose requirements don't apply
OPTIONS:
--display-details Show full rule details in console output
--no-details Show only header and summary (no requirements or rules)
--output-dir <dir> Root for default files (default: REPORTS_DIR or platform standard)
-l, --log <file> Write detailed output to a log file
--csv <file> Write scan results as CSV (one row per check)
-r, --report <file> Write scan results in SCAP-SCC log format
--sbom-file <file> Write Trivy CycloneDX SBOM to file
--sbom-target <path> Set Trivy SBOM target path (default: system drive root on Windows, / elsewhere)
--sbom-all-drives On Windows, write one SBOM per ready fixed local drive
--sbom-timeout <duration> Set Trivy timeout (e.g., 5m, 30s, 1h, none)
--sbom-skip-dir <list> Comma-separated directories to skip in SBOM scan
--sbom-skip-file <list> Comma-separated files to skip in SBOM scan
SFTP UPLOAD OPTIONS:
--sftp <host[:port]> Upload generated files to SFTP server
--sftp-user <user> SFTP username (env: SFTP_USER)
--sftp-pass <pass> SFTP password (env: SFTP_PASS) - ignored if using key auth
--sftp-key <path> SSH private key file path for key-based authentication
--sftp-path <path> Remote directory path (env: SFTP_PATH, default: /)
CONFIG FILE OPTIONS:
-c, --config <path> Load configuration from YAML file
--write-config [path] Generate a template config file (default: config.yml)
Use with path to write to custom location
-h, --help Show this help message
NOTES:
- Config file is optional. By default, app looks for 'config.yml' in working dir
- CLI arguments always override config file values
- Default reports are written to REPORTS_DIR when set
- Otherwise reports use /var/lib/platform-scanning on Linux
- On macOS the standard report directory is /Library/Application Support/platform-scanning
- On Windows the standard report directory is C:\ProgramData\platform-scanning
- SBOM generation runs on every scan using Trivy from 'SCA_SCANNER/bin'
- SBOM output lists detected software components, not every file on disk
- Successful Trivy warnings are saved next to the SBOM as *.trivy.log
- Trivy timeout defaults to 5m; use --sbom-timeout none to disable
EXAMPLES:
SCAScanner Policies/sample_policy.yaml
SCAScanner --display-details Policies/sample_policy.yaml
SCAScanner --write-config
SCAScanner --config custom.yml --no-details --csv report.csv Policies/
SCAScanner --sbom-file host-sbom.cdx.json Policies/sample_policy.yaml
SCAScanner --sbom-all-drives --sbom-file host-sbom.cdx.json Policies/sample_policy.yaml
-
Keep policy files in
Policies/, grouped by operating system and benchmark family. Use each policy'srequirementsblock to make the directory scan self-selecting, so one command can safely run against mixed Windows, Linux, and macOS policy sets. -
Run the scanner against the policy directory, not one file, for routine hardening checks:
.\SCAScanner.exe Policies\The scanner writes hardening evidence and the SBOM to the standard report directory. Set
REPORTS_DIRor pass--output-dirto override it. -
Use explicit output roots for campaigns, baselines, or change windows:
.\SCAScanner.exe --output-dir .\output\baseline-2026-05 Policies\
-
Use
--sbom-all-driveson Windows hosts where software may live outside the system drive. This creates one SBOM per ready fixed local drive under the host's SBOM folder. -
Review hardening results and SBOM diagnostics together. If Trivy reports warnings on a successful SBOM run, the scanner writes a neighboring
*.trivy.logfile so inaccessible paths or scanner limitations are visible. -
Treat the SBOM as a detected software inventory, not a full filesystem manifest. Use the hardening reports for configuration evidence and the SBOM for package/component evidence.
- Runs on Windows
- Runs on MacOS
- Runs on Linux
- Log to logfile
- Output to file (in multiple formats, CSV, JSON and TEXT)
- Variable support
- Support check conditions (All, any, none)
- Rule type 'Directory'
- Rule type 'Process'
- Rule type 'Commands'
- Rule type 'Registry (Windows Only)'
- Support all Content comparison operators
- Support all Numeric comparison operators
- Pass all examples