Mondoo
cnspec

Open Source Security Scanner

Security and Compliance as Code

Assess security and compliance across the entire build-to-runtime lifecycle. Built on the most extensible data fabric in the security industry.

Why cnspec?

Policy as Code

Write security policies in YAML with MQL. Version control, review, and deploy policies like any other code.

Built-in Compliance

Ships with 100+ policies for CIS, SOC 2, HIPAA, PCI DSS, NIST, and more. Be compliant from day one.

Actionable Results

Get 0-100 scores and remediation guidance for every finding. Know exactly what to fix.

Pipeline Security

Integrate into CI/CD pipelines with GitHub Actions, GitLab CI, and Jenkins. Catch issues before production.

40+ providers, 1,000+ resources, 7,600+ fields

An abundance of integrations

Apple
AWS
Azure
Google Cloud
Kubernetes
GitHub
GitLab
Terraform
Linux
Okta
Slack
Windows
cnspec scan local
 loaded 42 policies
 scanning local system...
 executing 156 queries...

Asset: production-server-01
Score: B (78/100)

Checks:
 ✓ Firewall is enabled and configured
 ✓ SSH password authentication disabled
 ✓ Root login via SSH disabled
 ✕ Unattended upgrades not configured
 ✕ Audit logging not enabled
 ✓ No world-writable files in system directories

Summary: 14 passed, 2 failed, 0 errors

What you can do with cnspec

Security scanning, compliance automation, and policy enforcement—all from the CLI.

Find misconfigurations before attackers do.

Scan for security issues across clouds, Kubernetes, containers, servers, SaaS platforms, network devices, and more. Identify exposed credentials, insecure defaults, and missing controls.

Automate compliance without the manual work.

Built-in policies for CIS, SOC 2, HIPAA, PCI DSS, NIST, and 30+ other frameworks. Generate evidence and reports automatically.

Define security standards as code.

Write custom policies in YAML with MQL. Version control your security requirements. Review changes before deployment.

Catch issues before they hit production.

Integrate into CI/CD with GitHub Actions, GitLab CI, Azure Pipelines, and Jenkins. Fail builds that violate security policies.

Know exactly what to fix and why.

Fix what matters first with prioritized risk rankings and remediation guidance that explains how to resolve each issue.

Scan everything from one tool.

One CLI for AWS, Azure, GCP, Kubernetes, Terraform, GitHub, operating systems, network devices, and SaaS applications.

40+ Providers

Security scanning built on the most extensible data fabric in the security industry. Scan everything from operating systems to cloud APIs to SaaS applications.

Operating Systems

  • Linux (VMs, containers, IoT)
  • macOS
  • Windows (servers, endpoints)

Cloud Providers

  • AWS (accounts, EC2, S3, EKS, IAM)
  • Azure (VMs, storage, AKS, M365)
  • Google Cloud (GCE, GCS, GKE)

Infrastructure

  • Kubernetes (clusters, manifests, images)
  • Terraform (HCL, plan/state files)
  • APIs (GitHub, GitLab, Okta, HTTP)

Policy as Code

Write security policies using a simple, human-readable language. Version control your policies and review changes before deployment.

Custom YAML-based policies
MQL queries for powerful assertions
Impact scoring for prioritization
Git-based version control
Deployable anywhere
ssh-policy.mql.yaml
YAML
policies:
  - uid: ssh-security-baseline
    name: SSH Security Baseline
    version: 1.0.0
    groups:
      - title: SSH Configuration
        checks:
          - uid: ssh-password-auth
            title: Disable SSH password authentication
            mql: sshd.config.params["PasswordAuthentication"] == "no"
            impact: 80
          - uid: ssh-root-login
            title: Disable root login via SSH
            mql: sshd.config.params["PermitRootLogin"] == "no"
            impact: 90
          - uid: ssh-protocol-version
            title: Use SSH Protocol 2
            mql: sshd.config.params["Protocol"] == "2"
            impact: 70

Two things to keep in mind when adapting this policy. A keyword that is absent from sshd_config makes params["..."] return null, so == "no" fails closed: the OpenSSH defaults (PasswordAuthentication yes; PermitRootLogin prohibit-password since OpenSSH 7.0) are reported as failures until the directive is written explicitly, which is the behaviour you want from a baseline. The Protocol check, on the other hand, targets a directive that OpenSSH deprecated when it dropped protocol 1 in 7.4: on current servers the line is normally absent (check fails) or present and ignored (check passes), so it measures config hygiene rather than exposure. Keep it for legacy hosts and drop it elsewhere.
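To see what the three checks above actually assert, here is an added example (not cnspec code and not Mondoo's) that evaluates them against constructed sshd_config samples. It follows sshd_config(5) semantics, which the page does not spell out: keywords are case-insensitive, the first value obtained for a keyword wins, and anything below a Match line is conditional and does not set the global value. The impact weights are the page's numbers; the scoring formula is a plain impact-weighted pass rate for illustration, not cnspec's algorithm, and how cnspec's own sshd.config resource parses the file is not shown on this page.

```python
"""Added example: evaluate the SSH baseline checks over sshd_config text.

Not cnspec code. Parsing follows sshd_config(5): keywords are
case-insensitive, the FIRST occurrence of a keyword wins, and global parsing
stops at the first `Match` block. The score formula is an illustration only.
"""
import re
from dataclasses import dataclass

# Constructed sample configs (not taken from any real host).
# Looks hardened at a glance, but the first global value wins, so the
# trailing `PasswordAuthentication no` and the Match block change nothing.
WEAK_SSHD_CONFIG = """\
# sshd_config on a freshly provisioned host
Port 22
PasswordAuthentication yes
PermitRootLogin prohibit-password
Match Address 10.0.0.0/8
    PasswordAuthentication no
PasswordAuthentication no
"""

# A current-OpenSSH hardened config: no `Protocol` line, because the
# directive is deprecated, so the third check fails even though SSH-1 is gone.
HARDENED_SSHD_CONFIG = """\
Port 22
PasswordAuthentication no
PermitRootLogin no
KbdInteractiveAuthentication no
"""


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective GLOBAL value for each keyword, lower-cased.

    Comments and blank lines are skipped; both "Keyword value" and
    "Keyword=value" are accepted; setdefault() implements first-wins; the loop
    stops at `Match` because everything below it is conditional.
    """
    params: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+?)(?:\s+|\s*=\s*)(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        params.setdefault(key, value)
    return params


@dataclass(frozen=True)
class Check:
    uid: str
    title: str
    param: str      # sshd_config keyword the MQL reads via sshd.config.params
    expected: str   # value the policy asserts
    impact: int


# The three checks from the policy bundle above, expressed as data.
SSH_BASELINE = [
    Check("ssh-password-auth", "Disable SSH password authentication",
          "PasswordAuthentication", "no", 80),
    Check("ssh-root-login", "Disable root login via SSH",
          "PermitRootLogin", "no", 90),
    Check("ssh-protocol-version", "Use SSH Protocol 2",
          "Protocol", "2", 70),
]


def evaluate(text: str, checks=SSH_BASELINE) -> dict[str, bool]:
    """Map check uid -> pass/fail.

    A missing keyword yields None, and None == "no" is False: the check fails
    closed, just as a null lookup does in `params["X"] == "no"`.
    """
    params = parse_sshd_config(text)
    return {c.uid: params.get(c.param.lower()) == c.expected for c in checks}


def score(results: dict[str, bool], checks=SSH_BASELINE) -> int:
    """Impact-weighted pass rate on a 0-100 scale (illustrative formula)."""
    total = sum(c.impact for c in checks)
    passed = sum(c.impact for c in checks if results[c.uid])
    return round(100 * passed / total)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        results = evaluate(cfg)
        print(f"{name}: {results} score={score(results)}")
```

The weak sample scores 0 even though a `PasswordAuthentication no` line is present, which is the point: a check that reads the effective global value has to honour first-match-wins, or an appended line would look like a fix. The hardened sample scores 71 rather than 100 solely because of the deprecated Protocol directive.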

Continuous Scanning

Automatically scan your infrastructure on every change. Get instant feedback in CI/CD pipelines.

GitHub Actions

YAML
- name: Scan with cnspec
  uses: mondoohq/actions/cnspec@v1
  with:
    scan: container
    image: myapp:latest
    score-threshold: 80

GitLab CI

YAML
security-scan:
  image: mondoo/cnspec:latest
  script:
    - cnspec scan docker myapp:latest --score-threshold 80
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

Jenkins

Groovy
pipeline {
  agent any
  stages {
    stage('Security Scan') {
      steps {
        sh 'cnspec scan local --score-threshold 80'
      }
    }
  }
}

In each pipeline the threshold is what turns a report into a gate: cnspec exits non-zero when a score falls below --score-threshold, and the CI system fails the job on that exit code.

Get Started in Seconds

Install cnspec on any platform with a single command.

Homebrew
brew tap mondoohq/mondoo && brew install cnspec
Install Script
bash -c "$(curl -sSL https://install.mondoo.com/sh)"

For build hosts and CI runners, download the script and read it before running it, or install a pinned release archive and verify its checksum, rather than piping a remote script straight into bash.

cnquery & cnspec

Two open source CLI tools built for terminal and CI/CD pipelines

cnquery

For exploration and ad-hoc queries. Like SQL for your infrastructure.

  • Interactive shell
  • Ad-hoc queries
  • Data export (JSON, YAML, CSV)
  • Scripting & automation
cnspec

For policy enforcement and compliance scanning. Built on cnquery.

  • Policy-based scanning
  • Risk scoring
  • CI/CD integration
  • Remediation guidance

Ready to Secure Your Infrastructure?

Start scanning your infrastructure with cnspec today—it's free and open source.