ChainLaunch
Pro Feature

Compliance Scanning

Compliance scanning requires ChainLaunch Pro. Learn more about Pro features.

ChainLaunch Pro Feature

Compliance scanning requires ChainLaunch Pro. Learn more about Pro features.

ChainLaunch Pro ships a built-in compliance scanner that audits each network against a curated set of best-practice checks for Hyperledger Fabric and Hyperledger Besu. Run it on demand or on a schedule to surface configuration drift, expiring certificates, missing backups, and consensus risk before they cause an incident.

What gets checked

The scanner derives a per-network health status (HEALTHY, DEGRADED, AT_RISK, or CRITICAL) from individual check results. Every check returns one of PASSED, WARNING, or FAILED plus a remediation hint.

Fabric checks

Check Category What fails it
Orderer Quorum Consensus Fewer than 3 orderers (etcdraft needs 3 for crash fault tolerance, 5 for f=2).
Org Diversity Governance All peers belong to the same organization (single-org channel = no real consortium).
TLS Certificates Cryptography Any node missing a TLS cert, or TLS cert/sign cert mismatched.
Cert Expiry Cryptography Any cert expires within 30 days (WARNING at 90 days).
Node Health Operations Any node not in RUNNING state, or unhealthy heartbeat.
Endpoint Conflicts Networking Two nodes share the same listening endpoint (port reuse / hostname clash).
Backup Compliance DR No active backup schedule covers this network's nodes.

Besu checks

Check Category What fails it
Validator Count Consensus Fewer than 4 validators for QBFT (3f+1 ⇒ f=1 minimum).
TLS Certificates Cryptography Same as Fabric.
Cert Expiry Cryptography Same as Fabric.
Node Health Operations Same as Fabric.
Endpoint Conflicts Networking Same as Fabric.
Backup Compliance DR Same as Fabric.

Each check is a pure function over NetworkInfo (network + nodes + backup-schedule presence). New checks are added by ChainLaunch upgrades; you don't need migrations.

Permissions

All compliance endpoints require system:monitor permission, available to ADMIN, OPERATOR, and VIEWER roles by default. See RBAC & Permissions.

Run a scan

Per network

chainlaunch compliance scan 5

Truncated response:

{
  "networkId": 5,
  "networkName": "supply-chain-mainnet",
  "platform": "FABRIC",
  "status": "DEGRADED",
  "summary": { "total": 7, "passed": 5, "failed": 1, "warning": 1 },
  "checks": [
    {
      "name": "Orderer Quorum",
      "category": "Consensus",
      "status": "PASSED",
      "message": "5 orderers — tolerates up to 2 failures."
    },
    {
      "name": "Cert Expiry",
      "category": "Cryptography",
      "status": "WARNING",
      "message": "1 certificate expires within 90 days",
      "details": { "expiring": [
        { "node": "peer0-org2", "type": "TLS", "expiresIn": "63d" }
      ] },
      "remediation": "Renew before expiry; see /vault-integration or the cert-renewal runbook."
    },
    {
      "name": "Backup Compliance",
      "category": "DR",
      "status": "FAILED",
      "message": "No backup schedule covers this network",
      "remediation": "Configure a daily schedule under /backups for the org's nodes."
    }
  ],
  "scannedAt": "2026-05-06T08:14:23Z"
}

Whole organization

chainlaunch compliance summary

Returns one OrgWideScanResult with per-network breakdown plus an aggregated summary. Use this for the executive dashboard or a daily Slack post.

Scan history

Every scan is persisted, so you can prove "we scanned every Wednesday" to an auditor:

# Recent scans across all networks
curl -s "https://chainlaunch.example.com/api/v1/compliance/scans?limit=50" | jq
 
# Per-network history
curl -s "https://chainlaunch.example.com/api/v1/networks/5/compliance/history?limit=20" | jq

Endpoint reference

Method Path Purpose
GET /api/v1/networks/{networkId}/compliance Run a fresh scan against one network
GET /api/v1/networks/{networkId}/compliance/history Past scans for one network
GET /api/v1/compliance/summary Org-wide scan
GET /api/v1/compliance/scans Recent scans across all networks

All endpoints support ?limit= and ?offset= for pagination on listing endpoints.

Status semantics

OverallStatus is derived from the worst check:

Health Triggered by
HEALTHY All checks passed
DEGRADED At least one WARNING, no FAILED
AT_RISK One FAILED check
CRITICAL Two or more FAILED checks, or any failure in Consensus category

Use these in dashboards and alert routing — CRITICAL should page, AT_RISK ticket, DEGRADED email.

Automating scans

The scanner is just an HTTP endpoint, so any scheduler works. Two patterns:

Cron + Slack

#!/usr/bin/env bash
# /etc/cron.daily/chainlaunch-compliance
RESULT=$(chainlaunch compliance summary --output json)
 
STATUS=$(echo "$RESULT" | jq -r .status)
FAILED=$(echo "$RESULT" | jq '.summary.failed')
 
if [[ "$STATUS" != "HEALTHY" ]]; then
  curl -X POST "$SLACK_WEBHOOK" -H 'Content-Type: application/json' \
    -d "{\"text\":\"⚠️ ChainLaunch compliance: $STATUS$FAILED failed checks\"}"
fi

Webhook subscription

If you've configured Webhooks, every scan emits a compliance.scan.completed event with the full result. No polling needed.

Terraform

The Terraform provider exposes compliance results as a data source. See chainlaunch-terraform.

data "chainlaunch_compliance_scan" "supply_chain" {
  network_id = chainlaunch_fabric_network.supply_chain.id
}
 
# Fail terraform plan if status is critical
resource "null_resource" "compliance_gate" {
  triggers = {
    status = data.chainlaunch_compliance_scan.supply_chain.status
  }
  lifecycle {
    precondition {
      condition     = data.chainlaunch_compliance_scan.supply_chain.status != "CRITICAL"
      error_message = "Compliance scan critical — refusing to apply."
    }
  }
}

Common findings & fixes

Finding Root cause Fix
Orderer Quorum: FAILED Started a Fabric channel with 1 orderer for testing, never scaled Add 2 more orderers via Networks → (the network) → Add Orderer
Org Diversity: FAILED Single-org demo network Either accept (mark as test network) or invite a second org via Pro Sharing
Cert Expiry: WARNING (60-90d) Never set up rotation Set up automated rotation; for Fabric-X see the cert-renewal runbook
Cert Expiry: FAILED (under 30d) Manual renewal missed Renew immediately and rescan
Backup Compliance: FAILED No schedule Configure backup target + schedule under Backups
Validator Count: FAILED Besu QBFT with 3 validators Add a 4th to satisfy 3f+1
Endpoint Conflicts: FAILED Two peers bound to same 0.0.0.0:7051 Reassign listening ports under Nodes → (the node) → Edit

Limits & gotchas

  • The scanner does not verify on-chain state — it inspects ChainLaunch's view of nodes, certs, and policies.
  • Cert expiry checks read the PEM stored in ChainLaunch. If you renewed the cert directly on disk without updating ChainLaunch, the scanner will lie.
  • Backup Compliance only verifies a schedule exists — it doesn't verify that the most recent backup actually succeeded. For that, watch the backup.failure event in Webhooks or Notifications.
  • Org diversity check uses MSP IDs as the org identifier. Multiple peers under the same MSP count as one org.

Next steps

  • Audit Logging — every compliance scan and config change is logged.
  • Backups — schedule the backups the scanner expects to find.
  • Webhooks — subscribe to compliance.scan.completed events.
  • Configure Monitoring — pair compliance with ongoing health metrics.