
URL: https://dev.to/puppet/security-compliance-management-380-is-now-available-1o26

Security Compliance Management 3.8.0 Is Now Available


Security Compliance Management (SCM) 3.8.0 is here, with updates focused on keeping compliance scans running reliably with less manual intervention, plus an important license update.

This release introduces automatic cleanup for stuck scans, improved control over scan behavior with configurable timeouts, extended CIS-CAT® Pro Assessor license support, and updated benchmark content. It also includes important security fixes across core components.

⚠️ We recommend upgrading to SCM 3.8.0 before June 21, 2026 to avoid disruption, as the CIS-CAT Pro Assessor license included in SCM 3.7.1 expires on that date.


What’s changing in SCM 3.8.0

CIS-CAT Pro Assessor licensing and version

  • SCM 3.8.0 now contains CIS-CAT Pro Assessor v4.63.0
  • The bundled CIS-CAT® Pro Assessor license is now valid for one year
    • The license shipped with SCM 3.8.0 is valid until June 2027
    • The license included in SCM 3.7.1 expires on June 21, 2026

You can now also update the license without upgrading SCM:


Scan management, configuration, and reliability

  • Added a background scan sweeper to detect and cancel scans stuck in a "running" state

  • Fixed a race condition where timed-out Puppet Enterprise job status polls could leave scans permanently stuck

  • New assessor_scan_timeout option controls the task timeout for scans of Windows Server 2022 domain controllers (note: it is unset by default, so you must configure it to take effect)

  • Increased default Max GraphQL requests limit to 300 requests
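To make the two reliability changes above concrete, here is an added illustrative model of a stuck-scan sweeper and the poll-handling rule that closes the race. It is example code written for this page, not Puppet's SCM implementation: the state names, the `ScanTracker` class, the per-scan timeout override and the timeout values are all assumptions. The points it demonstrates are that a poll which times out is not treated as progress (so the sweeper's idle clock keeps running), that the sweeper cancels only scans idle longer than their timeout, and that terminal states are sticky, so a late poll result cannot resurrect a scan the sweeper already cancelled.

```python
# Illustrative model of a background "stuck scan" sweeper (added example,
# not SCM's code). States, class names and timeouts are assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

RUNNING, COMPLETED, FAILED, CANCELLED = "running", "completed", "failed", "cancelled"
TERMINAL = {COMPLETED, FAILED, CANCELLED}


@dataclass
class Scan:
    scan_id: str
    started_at: datetime
    last_progress_at: datetime            # last poll that confirmed the job is alive
    state: str = RUNNING
    reason: Optional[str] = None
    poll_timeouts: int = 0                # counted so it can be alerted on
    timeout: Optional[timedelta] = None   # hypothetical per-scan override; None = default


class ScanTracker:
    def __init__(self, default_timeout: timedelta):
        self.default_timeout = default_timeout
        self.scans: Dict[str, Scan] = {}

    def start(self, scan_id: str, now: datetime, timeout: Optional[timedelta] = None) -> Scan:
        scan = Scan(scan_id, now, now, timeout=timeout)
        self.scans[scan_id] = scan
        return scan

    def _finish(self, scan: Scan, state: str, reason: str) -> bool:
        # Single transition point. Terminal states are sticky: a poll result
        # that arrives after the sweeper cancelled the scan is ignored.
        if scan.state in TERMINAL:
            return False
        scan.state, scan.reason = state, reason
        return True

    def record_poll(self, scan_id: str, job_status: str, now: datetime) -> bool:
        """Apply the outcome of a job-status poll; returns True on a state change."""
        scan = self.scans[scan_id]
        if job_status == "running":
            if scan.state == RUNNING:
                scan.last_progress_at = now   # the job is alive: reset idle clock
            return False
        if job_status == "finished":
            return self._finish(scan, COMPLETED, "job finished")
        return self._finish(scan, FAILED, f"job status {job_status}")

    def record_poll_timeout(self, scan_id: str) -> None:
        """A poll that timed out is not evidence of progress. Do not touch
        last_progress_at (the sweeper's clock keeps running) and do not move
        the scan to a terminal state (the job may still be alive)."""
        self.scans[scan_id].poll_timeouts += 1

    def sweep(self, now: datetime) -> List[str]:
        """Cancel every running scan idle longer than its timeout."""
        cancelled = []
        for scan in self.scans.values():
            if scan.state != RUNNING:
                continue
            limit = scan.timeout or self.default_timeout
            idle = now - scan.last_progress_at
            if idle > limit:
                self._finish(scan, CANCELLED, f"no progress for {idle}, limit {limit}")
                cancelled.append(scan.scan_id)
        return cancelled


def demo() -> Dict[str, str]:
    """Constructed scenario: one healthy scan, one stuck scan, one with a longer override."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    tracker = ScanTracker(default_timeout=timedelta(minutes=30))
    tracker.start("healthy", t0)
    tracker.start("stuck", t0)
    tracker.start("dc-override", t0, timeout=timedelta(minutes=90))

    t1 = t0 + timedelta(minutes=20)
    tracker.record_poll("healthy", "running", t1)
    tracker.record_poll("dc-override", "running", t1)
    tracker.record_poll_timeout("stuck")          # poll timed out: no progress recorded

    t2 = t0 + timedelta(minutes=40)
    tracker.sweep(t2)                              # only "stuck" is idle > 30 min
    tracker.record_poll("stuck", "finished", t2 + timedelta(seconds=5))  # late result, ignored
    tracker.record_poll("healthy", "finished", t2)
    return {s.scan_id: s.state for s in tracker.scans.values()}


if __name__ == "__main__":
    print(demo())
```

The design choice worth copying is the single `_finish` transition point: with a sweeper and a poller both able to end a scan, the only safe rule is that the first terminal transition wins and every later one is a no-op.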


Benchmark coverage updates

  • New benchmarks added for Amazon Linux 2023 STIG, Microsoft Windows 11 STIG, Oracle Linux 9 STIG, RHEL 10 STIG, and SUSE 16
  • Updated benchmarks for: Amazon Linux 2, macOS, Debian, Windows, and Ubuntu (see the release notes for specific benchmark updates)
  • Removed benchmarks for:
    • Azure Compute Windows Server 2019 v1.0.1
    • Azure Compute Windows Server 2022 v1.0.0

Security fixes

This release addresses 40 vulnerabilities by updating the following bundled components:

  • Gorm.io
  • Keycloak
  • netty-codec
  • netty-codec-http
  • netty-codec-http2
  • netty-codec-haproxy
  • netty-handler
  • Protobuf
  • react-router

Refer to the full release notes for the complete list of CVEs.


Upgrade guidance

To avoid scan interruptions, upgrade to SCM 3.8.0 before June 21, 2026. Upgrading keeps the CIS-CAT Pro Assessor licensed, brings in the updated benchmark content and the dependency security fixes, and picks up the scan-reliability improvements.


Learn more

If you have questions or need assistance upgrading, reach out to Puppet Support.

🤖 AI Disclosure

This article was written and reviewed by the author, with the help of AI to assist in pulling together the details from multiple sources and general brand voice alignment.

How did I do that? For this particular article, I provided Microsoft 365 Copilot with the original release notes, my previous release announcement for 3.7.0, our company brand voice guidelines, and the official product release announcement that went out to customers. The LLM can then pull together the list of things that were updated and create a skeleton of an article. I then rewrite the content as needed to meet with my own tone of voice and get rid of the over-list-based approach that LLMs often take. It's also important to actually check back against the original release notes because sometimes the LLM will change certain words or remove words that change the meaning of what was in the release. I hope this helps if you are also writing with LLMs!