Infrastructure as Code

Announcing Packer Plugin Mondoo

The Mondoo team is excited to announce the release of the Mondoo plugin for Hashicorp Packer, a powerful tool for securing and validating machine images.

blog images rebrand (1)

Security vulnerabilities and misconfigurations expose your infrastructure to attackers, whether you are building your applications on Linux, Windows, Kubernetes, virtual machines, containers, or any combination thereof. It’s critical that businesses today have an automated machine image pipeline that includes security scanning.

Since its release in 2013, HashiCorp Packer has been the standard for many DevOps teams to automate machine image builds. With Packer, organizations can use a single source template to produce machine images for multiple platforms such as public cloud, private cloud, containers, and local development environments. Codifying machine images helps businesses deliver software more quickly, with higher reliability and greater stability.

Today we are pleased to announce the release of our open source plugin for HashiCorp Packer. Using Mondoo’s advanced policy-as-code engine to test builds for vulnerabilities and misconfigurations, Packer Plugin Mondoo helps you validate the security of machine images produced from Hashicorp Packer templates.

Policy as code

Mondoo curates an ever-increasing library of certified security policies and benchmarks, many of which are certified by the Center for Internet Security (CIS). You can quickly enable and customize these policies to meet the needs of your particular environment. You execute these policies as part of any Packer pipeline to ensure your images meet the requirements of your business.

Customize policies

A Mondoo policy is made up of queries, each of which checks for an individual security practice. To customize a policy in Mondoo Platform, you enable, disable, and ignore queries.

Mondoo policies can be easily customized to meet your organization’s requirements

Policy as code with Mondoo Query Language (MQL)

The details of a query in a Mondoo policy

Written in YAML, Mondoo policies are easy to develop! Should the need arise to create your own policies, Mondoo Query Language (MQL) is a powerful and alternative way to test any of your business-critical infrastructure.

Monitor your infrastructure for security misconfigurations and maps those checks automatically to top compliance frameworks.

Install Packer Plugin Mondoo with packer init

Packer 1.7 introduced the packer init command, which simplifies the installation and management of Packer plugins using HashiCorp Configuration Language (HCL) templates.

Configure the installation of Mondoo Packer Plugin in an HCL template

To install Packer Plugin Mondoo, enter this command:


Packer Plugin Mondoo returns this message on success:


To fail or not to fail?

Packer Plugin Mondoo’s score_threshold defines image scan success. This threshold is the minimum score that an image must achieve in order to succeed. If the image doesn’t meet the score threshold, the plugin can fail so that you can address any vulnerabilities or misconfigurations. Alternatively, it can continue creating the image.

Mondoo scoring

Continuous security visibility

Regardless of whether you choose to fail or continue a build when Mondoo finds vulnerabilities and misconfigurations, Packer Plugin Mondoo provides a record of that scan.

View scan results in STDOUT

Mondoo scans execute during the packer build process. Packer Plugin Mondoo returns results directly to STDOUT, providing visibility from your terminal or CI pipeline.

Results of a Packer Plugin Mondoo in STDOUT

View scan results in Mondoo Platform

Packer Plugin Mondoo also sends build scan results to Mondoo Platform. Graphical views provide a record of the build and the results from the scan.

Scan results displayed in Mondoo Platform

Clear and actionable results

Mondoo policies provide documentation, audit steps, and remediation for each security query. You and your team know exactly what to do when security vulnerabilities and misconfigurations are found.

Mondoo policy details

Get started today!

We’re excited for you to try our Packer plugin today! The easiest way to get started is to sign up for a free Mondoo account and then check out the new tutorial on our docs site: Assess HashiCorp Packer Machine Image Security with cnspec.

Need help?

Come join us in our Slack community and meet others practicing security automation.

There’s more to come!

Here at Mondoo, we have so much more on the horizon—not just for Packer, but for all things HashiCorp. Stay tuned for more announcements coming soon.

Scott Ford

Scott Ford is a DevOps practitioner. In his current role as Principal Architect at Mondoo, he is focused on helping businesses automate security without adding friction to innovation. Prior to joining Mondoo, Scott held positions as Principal Architect of Lacework, and Distinguished Architect at Chef Software helping companies around the world transform the way they build their products through collaboration and automation.

You might also like

Mondoo June 2024 Release Highlights
Mondoo May 2024 Release Highlights
Mondoo April 2024 Release Highlights