openshift-docs/modules/compliance-crd-compliance-check-result.adoc

// Module included in the following assemblies:
//
// * security/compliance_operator/co-concepts/compliance-operator-crd.adoc

:_mod-docs-content-type: CONCEPT
[id="compliance-check-result_{context}"]
= ComplianceCheckResult object

When you run a scan with a specific profile, several rules in the profiles are verified. For each of these rules, a `ComplianceCheckResult` object is created, which provides the state of the cluster for a specific rule.

.Example `ComplianceCheckResult` object
[source,yaml]
----
apiVersion: compliance.openshift.io/v1alpha1
kind: ComplianceCheckResult
metadata:
  labels:
    compliance.openshift.io/check-severity: medium
    compliance.openshift.io/check-status: FAIL
    compliance.openshift.io/suite: example-compliancesuite
    compliance.openshift.io/scan-name: workers-scan
  name: workers-scan-no-direct-root-logins
  namespace: openshift-compliance
  ownerReferences:
  - apiVersion: compliance.openshift.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: ComplianceScan
    name: workers-scan
description: <description of scan check>
instructions: <manual instructions for the scan>
id: xccdf_org.ssgproject.content_rule_no_direct_root_logins
severity: medium <1>
status: FAIL <2>
----

<1> Describes the severity of the scan check.
<2> Describes the result of the check. The possible values are:
* PASS: check was successful.
* FAIL: check was unsuccessful.
* INFO: check was successful and found something not severe enough to be considered an error.
* MANUAL: check cannot automatically assess the status and manual check is required.
* INCONSISTENT: different nodes report different results.
* ERROR: check run successfully, but could not complete.
* NOTAPPLICABLE: check did not run as it is not applicable.

To get all the check results from a suite, run the following command:
[source,terminal]
----
oc get compliancecheckresults \
-l compliance.openshift.io/suite=workers-compliancesuite
----