Mondoo April 2024 Release Highlights

We lit some big sparks in April with our initial release of Mondoo Firewatch, which focuses on solving the challenge of prioritizing security fixes. We also expanded our scanning capabilities to include Azure Container Registries and Dockerfiles, plus added a problem-solving approach to scanning Kubernetes cluster nodes. The improved workflow of compliance as code makes it easier to adjust your compliance monitoring and reporting to precisely match your auditor's needs.

Prioritization with context: Mondoo Firewatch

Ever feel like you're drowning in a rushing firehose of security findings? What about so-called critical vulnerabilities that, it turns out, aren't really much of a threat to your infrastructure? 

This month we released the first phase of our all-new Firewatch feature, a solution to overwhelming and often misrepresented findings. Firewatch surfaces genuinely critical risks and prioritizes the most important findings in your infrastructure.  

Firewatch evaluates and prioritizes findings and vulnerabilities based on contextual risks on affected assets and downstream system exposure. Our unique algorithm considers multiple angles and factors to highlight the issues most likely to expose your business to attack.

We redesigned our UI to focus on the most critical issues first. The all-new space dashboard includes an interactive sunburst chart for navigating critical findings in your entire space, as well as ranked lists of both vulnerabilities and security findings.

New views for advisories, CVEs, and assets show risk scores and contextual risk factors to expose the importance of fixes needed in your infrastructure.


When you explore the details of an individual risk from anywhere in the Mondoo Console, you now see exposure and downstream impact that help you compare and plan.

New policy check pages allow you to better understand critical impacts to your business. Score tiles bring risk front and center so you can understand the priority of findings. With refactored query descriptions, it's easier to understand why a check is important, how Mondoo evaluates your assets, and what risk factors mean to the safety of your organization.

The new blast radius value for every finding tells you the potential impact of a problem… and of fixing it. Blast radius isn't just the number of assets that have the issue; it also considers risk factors of all of the assets that have the issue. 

A new Affected Assets page lets you better prioritize assets in your environment with critical vulnerabilities. Top-of-page filters allow you to drill into individual risk factors that increase or decrease the threat that vulnerabilities present.

Vulnerabilities Affected Assets page

Improved EPSS graphs expose the risk percentile and are easier to read.

EPSS Graph

For a deeper look at the game-changing features of Mondoo Firewatch and an idea of what's coming next, read our Firewatch blog post.

Monitor your infrastructure for security misconfigurations and maps those checks automatically to top compliance frameworks.

Console performance improvements

No one wants to wait for slow-loading web pages. That's why we unleashed some masterful jiu jitsu on how the console fetches space and asset data. Now our pages are always speedy to load.

Compliance as code

Every audit is different. Now you can customize the Mondoo Compliance Hub experience to match the exact evidence required by your auditor.

Download one of our top industry compliance frameworks to your local system directly from Mondoo Compliance Hub.

Download a framework

The framework file you download is pre-customized for your space with compliance evidence mappings from policies you've enabled, as well as any exceptions you've defined. You can customize the file with any additional controls or specific evidence items your auditor requests.

With your compliance framework fully customized for your auditor's requirements, upload it to Mondoo Compliance Hub and track your progress just as you would using an out-of-the box framework. Need to make a change? Don't worry: You can replace the framework with an updated version at any time or remove it altogether.

Scan more

Scan Azure Container Registry

Mondoo now supports scanning Azure Container Registries (ACR) that require authentication using credentials stored after running the az login command.

To log in and scan a complete registry, run:

az login
cnspec scan container registry

Dockerfile scanning

Expose security concerns before they reach production with new Mondoo Dockerfile scanning. Run cnquery shell docker file DIRECTORY_OR_PATH to inspect a single Dockerfile or find nested Dockerfiles within directories. Using the new docker.file resource, you can explore the file itself or dive into Dockerfile stages and instructions.

cnquery shell docker file Dockerfile
→ loaded configuration from /Users/tsmith/.config/mondoo/mondoo.yml using source default
→ connected to Dockerfile
 ___ _ __   __ _ _   _  ___ _ __ _   _
/ __| '_ \ / _` | | | |/ _ \ '__| | | |
| (__| | | | (_| | |_| |  __/ |  | |_| |
\___|_| |_|\__, |\__,_|\___|_|   \__, |
 mondoo™      |_|                |___/  interactive shell

cnquery> docker.file.stages{*}
docker.file.stages: [
 0: {
   entrypoint: null
   add: []
   run: [
     0: script="mkdir -p /opt/app"
     1: script="npm install"
   file: docker.file file.path="Dockerfile" instructions.length=8 stages.length=1
   copy: [
     0: docker.file.copy src=[
       0: "src/package.json"
       1: "src/package-lock.json"
     ] dst="."
   from: docker.file.from name="" image="node" tag="18.16.0-alpine3.17"
   env: {}
   cmd: script="npm

Stay tuned for upcoming Dockerfile policies and Dockerfile security monitoring in the Mondoo Console!

Kubernetes DaemonSet-based node scanning

With the new DaemonSet Kubernetes node scanning option you can scan Kubernetes cluster nodes with the Mondoo Kubernetes Operator even if the node utilization is too high for CronJob scheduling. If your clusters run high utilization, you can either edit an existing integration to use DaemonSets or configure a new integration with DaemonSet node scanning.

New and updated policies

XZ Utils Vulnerability policy

Although the recent XZ supply chain attack in XZ 5.6.0 and 5.6.1 (CVE-2024–3094) thankfully didn't make it into any mainstream enterprise Linux distributions, there's still a significant risk if employees are running rolling distributions or pre-releases of upcoming Linux distros. To quickly evaluate your CVE-2024–3094 exposure, we've created a new XZ Vulnerability (CVE-2024–3094) policy that looks for XZ 5.6.0/5.6.1 on impacted Linux releases:

  • Alpine
  • Arch
  • Debian trixie/sid
  • Fedora 40
  • Kali 2024.1
  • openSUSE Tumbleweed
XZ Vulnerability Policy affected assets

Expanded Endpoint Detection and Response (EDR) policy support

Mondoo now detects the ESET EDR with our new Endpoint Detection and Response (EDR) policy.

Rewritten cloud policies

We rewrote the Mondoo AWS Security policy and the Mondoo Microsoft Azure Security policy from the ground up with new and expanded queries that match the latest capabilities and risks, including Microsoft Entra ID.

Windows 11 compatibility policy

Enable the new Windows 11 Compatibility policy to see if existing Windows workstations meet the hardware requirements for Windows 11. This policy includes several different checks for CPU, RAM, TPM, and hard drive space requirements. To learn more about these hardware requirements, read Microsoft's Windows 11 Specs & System Requirements.

New Terraform checks in the CIS GCP Foundation policy

Now you can flag critical security misconfigurations before they ever run in your infrastructure. New and expanded Terraform config checks in the CIS Google Cloud Platform Foundation policy evaluate Terraform configs for proper GCP uniform bucket level access setup.

Support for the latest platforms

Fedora 40 EOL/CVE detection

Mondoo already offers CVE and EOL detection for the Fedora 40 beta, which is now available for testing. Protect your test systems from critical vulnerabilities such as the compromised XZ release (CVE-2024–3094) that originally shipped in this beta.

Google Container-Optimized OS 113

Mondoo now includes security scanning and EOL detection support for Google's latest COS 113 release.

Ubuntu 24.10 CVE detection

Canonical recently announced the start of development for Ubuntu 24.10, code named Oracular Oriole. If you're a risk taker and want to run this pre-alpha release of Ubuntu, Mondoo has your back with CVE support for this upcoming release.

Automate deployments with Terraform

Mondoo's latest Terraform provider allows you to automate the setup of Azure, Slack, and domain integrations. You can even tie in the Azure setup with the Mondoo setup to make managing Azure applications easier than ever. Thank you @mati007thm and @Pauti for all your fantastic work making this provider possible!

Expanded resource support


  • Improve resource default values
  • New availabilityZones field
  • New capacityRebalance field
  • New defaultInstanceWarmup field
  • New desiredCapacity field
  • New instances field
  • New maxInstanceLifetime field


  • New cnames field


  • Improve the performance of instance scanning


  • New associations field



  • Fix failures fetching ACL grants


  • Fix failures querying BigQuery resources


  • New createdAt field


  • New availabilityZones field
  • New elbType field
  • New hostedZoneId field
  • New region field
  • New securityGroups field
  • New vpc field
  • Deprecate vpcId in favor of vpc field, which exposes the aws.vpc resource


  • New region field


  • New expose field
  • New label field


  • Expand default fields to improve cnquery shell use
  • New shieldedNodesConfig field
  • New costManagementConfig field
  • New confidentialNodesConfig field
  • New identityServiceConfig field
  • New networkPolicyConfig field


  • New gcsFuseCsiDriverConfig field
  • New statefulHaConfig field


  • New enableMultiNetworking field
  • New enableFqdnNetworkPolicy field
  • New enableCiliumClusterwideNetworkPolicy field


An all-new sshd.config resource includes support for parsing the combined sshd_config and sshd_config.d/* configs. Now Mondoo can track the running state of your SSH daemon no matter where you define configuration options.

What's next?

Mondoo Firewatch already eliminates so much frustration and uncertainty from your prioritization and planning efforts. But there's more to come: Watch for the upcoming ability to customize how Mondoo prioritizes vulnerabilities and security findings.

In the meantime, explore Mondoo and see for yourself how much smarter your team can work when your decisions are well-informed.

Letha Dunn

Letha has been writing about technology for more than thirty years. During the past decade, she’s focused on educating engineers about identity and access management, security, CI/CD, and project velocity. Letha lives in the Pacific Northwest, where she rescues and rehabilitates abused and neglected horses and dogs.

Tim Smith

Tim Smith is a Product Manager at Mondoo. He’s been working in web operations and software development roles since 2007, port scanning class As since 1994, and downloaded his first Linux distro on a 14.4 modem. He most recently held positions at Limelight Networks, Cozy Co, and Chef Software.

You might also like

Exploring the Latest Security Features in Ubuntu 24.04
Mondoo Firewatch
Mondoo March 2024 Release Highlights