
Enable Vulnerability Scanning

Trend Vision One™ provides continuous assurance that gives peace of mind for your cloud infrastructure, delivering over 1100 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: OCI-Compute-009

Ensure that the Vulnerability Scanning feature is enabled for your Oracle Cloud Infrastructure (OCI) compute instances in order to proactively discover security weaknesses such as vulnerable OS packages and open ports.

Security

Enabling Vulnerability Scanning for OCI compute instances is essential for proactively identifying security weaknesses, such as unpatched OS packages or unintentional open ports, which allows you to quickly remediate high-risk findings and enforce a secure, compliant security posture across your OCI environment.

Vulnerability Scanning can't be enabled unless the Oracle Cloud Agent is installed on the compute instance. Oracle Cloud Agent is a lightweight process that manages plugins running on your instance. If your compute instance uses a current platform image or a custom image based on one, the Oracle Cloud Agent is installed by default. Otherwise, refer to this guide to install the Oracle Cloud Agent software.


Audit

To determine if the Vulnerability Scanning feature is enabled for your OCI compute instances, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Compute console available at https://cloud.oracle.com/compute/.

03 Choose the OCI compartment that you want to access from the Compartment dropdown list.

04 In the left navigation panel, under Overview, choose Instances to list the compute instances provisioned in the selected OCI compartment.

05 Click on the name (link) of the compute instance that you want to examine, listed in the Name column.

06 Select the Management tab to access the list of plugins supported by the selected instance, managed by the Oracle Cloud Agent.

07 In the Oracle Cloud Agent section, click inside the Search and Filter box, select Plugin name, type Vulnerability Scanning, and choose Apply filter to return the Vulnerability Scanning plugin.

08 Check the Vulnerability Scanning plugin status, listed in the Enable plugin column. If the plugin status is set to Disabled, the Vulnerability Scanning feature is not enabled for the selected Oracle Cloud Infrastructure (OCI) compute instance.

Using OCI CLI

01 Run iam compartment list command (Windows/macOS/Linux) with output query filters to list the ID of each compartment available in your Oracle Cloud Infrastructure (OCI) account:

oci iam compartment list \
	--all \
	--include-root \
	--query 'data[]."id"'

02 The command output should return the requested OCI compartment identifiers (OCIDs):

[
	"ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.compartment.oc1..abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd"
]

03 Run compute instance list command (Windows/macOS/Linux) with the ID of the OCI compartment that you want to examine as the identifier parameter, to list the ID of each compute instance available in the selected OCI compartment:

oci compute instance list \
	--compartment-id 'ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--region 'ap-sydney-1' \
	--all \
	--query 'data[]."id"'

04 The command output should return the requested compute instance IDs:

[
	"ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
	"ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcdabcd1234abcd1234abcd1234abcd1234abcd1234"
]

05 Run compute instance get command (Windows/macOS/Linux) with the ID of the OCI compute instance that you want to examine as the identifier parameter and custom output filters to describe the operational state of each plugin installed on the selected instance, managed by the Oracle Cloud Agent:

oci compute instance get \
	--instance-id 'ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--query 'data."agent-config"."plugins-config"'

06 The command output should return the list of plugins installed on the compute instance and their current status:

[
	{
		"desired-state": "DISABLED",
		"name": "WebLogic Management Service"
	},
	{
		"desired-state": "DISABLED",
		"name": "Vulnerability Scanning"
	},
	{
		"desired-state": "DISABLED",
		"name": "Oracle Java Management Service"
	},
	{
		"desired-state": "DISABLED",
		"name": "OS Management Hub Agent"
	},
	{
		"desired-state": "DISABLED",
		"name": "Management Agent"
	},
	{
		"desired-state": "ENABLED",
		"name": "Custom Logs Monitoring"
	},
	{
		"desired-state": "DISABLED",
		"name": "Compute RDMA GPU Monitoring"
	},
	{
		"desired-state": "DISABLED",
		"name": "Compute Instance Run Command"
	},
	{
		"desired-state": "ENABLED",
		"name": "Compute Instance Monitoring"
	},
	{
		"desired-state": "DISABLED",
		"name": "Compute HPC RDMA Auto-Configuration"
	},
	{
		"desired-state": "DISABLED",
		"name": "Compute HPC RDMA Authentication"
	},
	{
		"desired-state": "ENABLED",
		"name": "Cloud Guard Workload Protection"
	},
	{
		"desired-state": "DISABLED",
		"name": "Block Volume Management"
	},
	{
		"desired-state": "DISABLED",
		"name": "Bastion"
	}
]

Check the "desired-state" property value set for the "Vulnerability Scanning" plugin to determine the operational state of the plugin. If the "desired-state" value is set to "DISABLED", as shown in the output example above, the Vulnerability Scanning feature is not enabled for the selected Oracle Cloud Infrastructure (OCI) compute instance.

Remediation / Resolution

To ensure that Vulnerability Scanning is enabled for your Oracle Cloud Infrastructure (OCI) compute instances, perform the following operations:

Using OCI Console

01 Sign in to your Oracle Cloud Infrastructure (OCI) account.

02 Navigate to Compute console available at https://cloud.oracle.com/compute/.

03 Choose the OCI compartment that you want to access from the Compartment dropdown list.

04 In the left navigation panel, under Overview, choose Instances to list the compute instances provisioned in the selected OCI compartment.

05 Click on the name (link) of the compute instance that you want to configure, listed in the Name column.

06 Select the Management tab to access the list of supported instance plugins, managed by the Oracle Cloud Agent.

07 In the Oracle Cloud Agent section, click inside the Search and Filter box, select Plugin name, type Vulnerability Scanning, and choose Apply filter to return the Vulnerability Scanning plugin.

08 Click on the Actions button (i.e., 3-dot icon) next to the Vulnerability Scanning plugin and choose Enable to enable Vulnerability Scanning for the selected OCI compute instance. It takes up to 10 minutes for the configuration change to take effect.

Using OCI CLI

01 Set the "desired-state" to "ENABLED" for the "Vulnerability Scanning" plugin to enable the feature and save the "plugins-config" object to a file named cc-instance-plugins-config.json. Because the --agent-config parameter for the compute instance update command replaces any existing values, ensure that "plugins-config" contains all the plugins managed by the Oracle Cloud Agent, exactly as returned by the compute instance get command in the Audit process (any plugin omitted here would lose its current state):

{
	"plugins-config":
	[
		{
			"desired-state": "DISABLED",
			"name": "WebLogic Management Service"
		},
		{
			"desired-state": "ENABLED",
			"name": "Vulnerability Scanning"
		},
		{
			"desired-state": "DISABLED",
			"name": "Oracle Java Management Service"
		},
		{
			"desired-state": "DISABLED",
			"name": "OS Management Hub Agent"
		},
		{
			"desired-state": "DISABLED",
			"name": "Management Agent"
		},
		{
			"desired-state": "ENABLED",
			"name": "Custom Logs Monitoring"
		},
		{
			"desired-state": "DISABLED",
			"name": "Compute RDMA GPU Monitoring"
		},
		{
			"desired-state": "DISABLED",
			"name": "Compute Instance Run Command"
		},
		{
			"desired-state": "ENABLED",
			"name": "Compute Instance Monitoring"
		},
		{
			"desired-state": "DISABLED",
			"name": "Compute HPC RDMA Auto-Configuration"
		},
		{
			"desired-state": "DISABLED",
			"name": "Compute HPC RDMA Authentication"
		},
		{
			"desired-state": "ENABLED",
			"name": "Cloud Guard Workload Protection"
		},
		{
			"desired-state": "DISABLED",
			"name": "Block Volume Management"
		},
		{
			"desired-state": "DISABLED",
			"name": "Bastion"
		}
	]
}

02 Run compute instance update command (Windows/macOS/Linux) with the ID of the OCI compute instance that you want to configure as the identifier parameter, to enable the Vulnerability Scanning feature for the selected compute instance. For --agent-config, use the plugins configuration file edited in the previous step (i.e., cc-instance-plugins-config.json):

oci compute instance update \
	--instance-id 'ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd' \
	--agent-config file://cc-instance-plugins-config.json

03 Type Y and press Enter for confirmation:

WARNING: Updates to defined-tags and security-attributes and freeform-tags and agent-config and metadata and extended-metadata and shape-config and source-details and instance-options and launch-options and availability-config and platform-config and licensing-configs will replace any existing values. Are you sure you want to continue? [y/N]: Y

04 The command output should return the configuration information available for the modified compute instance (including the plugins config):

{
	"data": {
		"availability-config": {
			"is-live-migration-preferred": null,
			"recovery-action": "RESTORE_INSTANCE"
		},
		"availability-domain": "ABCD:AP-SYDNEY-1-AD-1",
		"capacity-reservation-id": null,
		"cluster-placement-group-id": null,
		"compartment-id": "ocid1.tenancy.oc1..aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"dedicated-vm-host-id": null,
		"defined-tags": {},
		"display-name": "cc-project5-compute-instance",
		"extended-metadata": {},
		"fault-domain": "FAULT-DOMAIN-3",
		"freeform-tags": {},
		"id": "ocid1.instance.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"image-id": "ocid1.image.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
		"instance-configuration-id": null,
		"instance-options": {
			"are-legacy-imds-endpoints-disabled": true
		},
		"agent-config": {
			"are-all-plugins-disabled": false,
			"is-management-disabled": false,
			"is-monitoring-disabled": false,
			"plugins-config": [
				{
					"desired-state": "DISABLED",
					"name": "WebLogic Management Service"
				},
				{
					"desired-state": "ENABLED",
					"name": "Vulnerability Scanning"
				},
				{
					"desired-state": "DISABLED",
					"name": "Oracle Java Management Service"
				},
				{
					"desired-state": "DISABLED",
					"name": "OS Management Hub Agent"
				},
				{
					"desired-state": "DISABLED",
					"name": "Management Agent"
				},
				{
					"desired-state": "ENABLED",
					"name": "Custom Logs Monitoring"
				},
				{
					"desired-state": "DISABLED",
					"name": "Compute RDMA GPU Monitoring"
				},
				{
					"desired-state": "DISABLED",
					"name": "Compute Instance Run Command"
				},
				{
					"desired-state": "ENABLED",
					"name": "Compute Instance Monitoring"
				},
				{
					"desired-state": "DISABLED",
					"name": "Compute HPC RDMA Auto-Configuration"
				},
				{
					"desired-state": "DISABLED",
					"name": "Compute HPC RDMA Authentication"
				},
				{
					"desired-state": "ENABLED",
					"name": "Cloud Guard Workload Protection"
				},
				{
					"desired-state": "DISABLED",
					"name": "Block Volume Management"
				},
				{
					"desired-state": "DISABLED",
					"name": "Bastion"
				}
			]
		},
		"ipxe-script": null,
		"is-ai-enterprise-enabled": null,
		"is-cross-numa-node": false,
		"launch-mode": "PARAVIRTUALIZED",
		"launch-options": {
			"boot-volume-type": "PARAVIRTUALIZED",
			"firmware": "UEFI_64",
			"is-consistent-volume-naming-enabled": true,
			"is-pv-encryption-in-transit-enabled": true,
			"network-type": "PARAVIRTUALIZED",
			"remote-data-volume-type": "PARAVIRTUALIZED"
		},
		"licensing-configs": null,
		"lifecycle-state": "RUNNING",
		"metadata": {},
		"placement-constraint-details": null,
		"platform-config": {
			"is-measured-boot-enabled": false,
			"is-memory-encryption-enabled": false,
			"is-secure-boot-enabled": true,
			"is-symmetric-multi-threading-enabled": true,
			"is-trusted-platform-module-enabled": false,
			"type": "AMD_VM"
		},
		"preemptible-instance-config": null,
		"region": "ap-sydney-1",
		"security-attributes": {},
		"security-attributes-state": "STABLE",
		"shape": "VM.Standard.E4.Flex",
		"shape-config": {
			"baseline-ocpu-utilization": null,
			"gpu-description": null,
			"gpus": 0,
			"local-disk-description": null,
			"local-disks": 0,
			"local-disks-total-size-in-gbs": null,
			"max-vnic-attachments": 2,
			"memory-in-gbs": 1.0,
			"networking-bandwidth-in-gbps": 1.0,
			"ocpus": 1.0,
			"processor-description": "2.55 GHz AMD EPYC™ 7J13 (Milan)",
			"vcpus": 2
		},
		"source-details": {
			"boot-volume-size-in-gbs": null,
			"boot-volume-vpus-per-gb": null,
			"image-id": "ocid1.image.oc1.ap-sydney-1.abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd1234abcd",
			"instance-source-image-filter-details": null,
			"kms-key-id": null,
			"source-type": "image"
		},
		"system-tags": {},
		"time-maintenance-reboot-due": null
	},
	"opc-work-request-id": "ocid1.coreservicesworkrequest.oc1.ap-sydney-1.aaaabbbbccccddddabcd1234abcd1234abcd1234abcd1234abcd1234abcd"
}
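The audit check from step 06 of the Audit process and the plugins-config rewrite from step 01 of the Remediation process can both be scripted against the JSON that the compute instance get command returns, so that the same logic can be applied across many instances. The following Python is an added example and is not code from this page, from Trend Micro or from Oracle. The agent-config sample is constructed to match the shape shown in the output above, and the handling of the "are-all-plugins-disabled" field assumes that a true value prevents every plugin from running (the field is shown as false in the output above).

```python
"""Audit and remediation helper for the OCI Vulnerability Scanning plugin state."""
import json

PLUGIN_NAME = "Vulnerability Scanning"

# Constructed sample of the "agent-config" object as returned by
# oci compute instance get --query 'data."agent-config"' (not real tenancy data).
SAMPLE_AGENT_CONFIG = {
    "are-all-plugins-disabled": False,
    "is-management-disabled": False,
    "is-monitoring-disabled": False,
    "plugins-config": [
        {"desired-state": "DISABLED", "name": "WebLogic Management Service"},
        {"desired-state": "DISABLED", "name": "Vulnerability Scanning"},
        {"desired-state": "ENABLED", "name": "Custom Logs Monitoring"},
        {"desired-state": "ENABLED", "name": "Compute Instance Monitoring"},
        {"desired-state": "DISABLED", "name": "Bastion"},
    ],
}


def plugin_state(agent_config, name=PLUGIN_NAME):
    """Return the desired-state of the named plugin, or None if the agent does not list it."""
    for plugin in agent_config.get("plugins-config") or []:
        if plugin.get("name") == name:
            return plugin.get("desired-state")
    return None


def vulnerability_scanning_enabled(agent_config):
    """Audit check: True only when the plugin is listed with desired-state ENABLED
    and the agent is allowed to run plugins at all (assumption: a true
    "are-all-plugins-disabled" overrides every per-plugin state)."""
    if agent_config.get("are-all-plugins-disabled"):
        return False
    return plugin_state(agent_config) == "ENABLED"


def enable_vulnerability_scanning(agent_config):
    """Build the document passed to --agent-config for oci compute instance update.

    Every plugin in the current configuration is carried over with its existing
    desired-state, because the update replaces the whole plugins-config list;
    only the Vulnerability Scanning entry is changed to ENABLED. Raises if the
    plugin is not listed, which indicates the Oracle Cloud Agent is missing or
    does not offer the plugin on this instance.
    """
    if plugin_state(agent_config) is None:
        raise LookupError(
            f"{PLUGIN_NAME!r} is not managed by the Oracle Cloud Agent on this instance"
        )
    updated = [
        {
            "desired-state": "ENABLED" if p["name"] == PLUGIN_NAME else p["desired-state"],
            "name": p["name"],
        }
        for p in agent_config["plugins-config"]
    ]
    return {"plugins-config": updated}


def write_agent_config(agent_config, path="cc-instance-plugins-config.json"):
    """Write the remediation document to the file referenced by --agent-config file://...
    and return the path that was written."""
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(enable_vulnerability_scanning(agent_config), fh, indent=2)
    return path


if __name__ == "__main__":
    print("compliant before:", vulnerability_scanning_enabled(SAMPLE_AGENT_CONFIG))
    fixed = enable_vulnerability_scanning(SAMPLE_AGENT_CONFIG)
    print(json.dumps(fixed, indent=2))
    print("compliant after:", vulnerability_scanning_enabled(fixed))
```

Feed the script the "agent-config" object of each instance (for example by saving the output of the compute instance get command with the --query 'data."agent-config"' filter to a file and loading it with json.load); an instance whose plugin list does not contain Vulnerability Scanning at all is reported as a lookup error rather than silently written out, since enabling the plugin on such an instance first requires installing the Oracle Cloud Agent.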

Publication date Nov 11, 2025