cnspec

Open source, cloud-native security and policy project
cnspec assesses your entire infrastructure's security and compliance. It finds vulnerabilities and misconfigurations across public and private cloud environments, Kubernetes clusters, containers, container registries, servers, endpoints, SaaS products, infrastructure as code, APIs, and more.
A powerful policy as code engine, cnspec is built upon Mondoo's security data fabric. It comes configured with default security policies that run right out of the box. It's both fast and simple to use!
Quick start
bash -c "$(curl -sSL https://install.mondoo.com/sh)"
cnspec scan local

Installation
Install cnspec with our installation script:
Linux and macOS
bash -c "$(curl -sSL https://install.mondoo.com/sh)"
Windows
Set-ExecutionPolicy Unrestricted -Scope Process -Force;
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072;
iex ((New-Object System.Net.WebClient).DownloadString('https://install.mondoo.com/ps1'));
Install-Mondoo;
If you prefer manual installation, or want to inspect the installer before running it, you can find the cnspec packages in our releases.
Run a scan with policies
Use the cnspec scan subcommand to check local and remote targets for misconfigurations and vulnerabilities.
Local scan
This command evaluates the security of your local machine:
cnspec scan local
Remote scan targets
You can also specify remote targets to scan. For example:
# to scan a docker image:
cnspec scan docker image ubuntu:22.04
# to scan an image hosted in a public ECR registry (log in first, then pass the image reference):
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/r6z5b8t4
cnspec scan docker image public.ecr.aws/r6z5b8t4
# to scan an AWS account using the local AWS CLI config
cnspec scan aws
# scan an EC2 instance with EC2 Instance Connect
cnspec scan aws ec2 instance-connect root@i-1234567890abcdef0
# to scan a Kubernetes cluster via your local kubectl config or a local manifest file
cnspec scan k8s
cnspec scan k8s manifest.yaml
# to scan a GitHub repository
export GITHUB_TOKEN=<personal_access_token>
cnspec scan github repo <org/repo>
:books: To learn more, read the cnspec docs.
Policies
cnspec policies are built on the concept of policy as code. cnspec comes with default security policies configured for all supported targets. The default policies are available in the content directory of this repository.
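As an added example of what such a policy looks like (this bundle is not one of the default policies and does not come from this repository's content directory), here is a minimal cnspec policy bundle that checks two sshd settings on Unix-like hosts. The policy and query uids, titles, author, impact values and the choice of checks are assumptions made for illustration; the MQL resources it relies on (`sshd.config.params` and `asset.family`) are the standard cnquery ones.

```yaml
# Added example policy bundle (not shipped with cnspec); uids, titles, author,
# impact values and the selected checks are assumptions for illustration.
policies:
  - uid: example-ssh-hardening
    name: Example SSH hardening policy
    version: 1.0.0
    authors:
      - name: Example Author
        email: security@example.com
    groups:
      - title: SSH daemon configuration
        # evaluate this group only on Unix-like assets
        filters: asset.family.contains("unix")
        checks:
          - uid: example-ssh-no-root-login
          - uid: example-ssh-no-password-auth

queries:
  - uid: example-ssh-no-root-login
    title: Root login over SSH is disabled
    impact: 80
    # passes only when the directive is explicitly set to "no"
    mql: sshd.config.params["PermitRootLogin"] == "no"
  - uid: example-ssh-no-password-auth
    title: SSH password authentication is disabled
    impact: 60
    mql: sshd.config.params["PasswordAuthentication"] == "no"
```

Save it as `example-ssh-hardening.mql.yaml` and run it against the local machine with `cnspec scan local -f example-ssh-hardening.mql.yaml` (the `-f` flag for passing a local bundle file is assumed here; confirm it with `cnspec scan --help` on your build). Each query is a single MQL expression that must evaluate to true for the check to pass, so a host with `PermitRootLogin yes`, or with the directive left unset, fails the first check: the comparison only succeeds on an explicit `no`, which is the behaviour you want from a hardening check.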
Vulnerability scan
cnspec scans for vulnerabilities in a wide range of platforms. Vulnerability scanning is not restricted to container images; it works for build and runtime as well.

NOTE: Vulnerability scanning requires the client to be logged into Mondoo Platform.
Examples
# scan container image
cnspec vuln docker debian:12
# scan aws instance via EC2 instance connect
cnspec vuln aws ec2 instance-connect root@i-1234567890abcdef0
# scan instance via SSH
cnspec vuln ssh user@host
# scan Windows via SSH or WinRM
cnspec vuln ssh user@host --ask-pass
cnspec vuln winrm user@host --ask-pass
# scan VMware vSphere ESXi hosts
cnspec vuln vsphere user@host --ask-pass
# scan the local host (Linux or Windows)
cnspec vuln local
Vulnerability scanning supports the following platforms and versions:
| Platform | Versions |
|---|---|
| Alpine | 3.10 - 3.23 |
| AlmaLinux | 8, 9, 10 |
| Amazon Linux | 1, 2, 2023 |
| Arch Linux | Rolling |
| CentOS | 6, 7, 8, Stream |
| Debian | 8, 9, 10, 11, 12, 13 |
| Fedora | 30 - 43 |
| openSUSE | Leap 15, Leap 16 |
| Oracle Linux | 6, 7, 8, 9, 10 |
| Photon Linux | 2, 3, 4, 5 |
| Red Hat Enterprise Linux | 6, 7, 8, 9, 10 |
| Rocky Linux | 8, 9, 10 |
| SUSE Linux Enterprise | 12, 15, 16 |
| Ubuntu | 18.04, 20.04, 22.04, 24.04 |
| VMware vSphere ESXi | 6, 7, 8 |
| Windows | 10, 11, 2016, 2019, 2022, 2025 |
cnspec interactive shell