From the creators of InSpec

Full-stack cloud security scanning

cnspec is an open source, cloud-native tool that evaluates the security of your entire infrastructure. Using intuitive policy as code, cnspec scans everything and identifies gaps that attackers can use to breach your systems.


What causes security breaches?

Breaches caused by misconfigurations cost companies ~$3.18 trillion in 2019. All an attacker needs is one entry point to compromise your entire system.

One interface to scan everything

cnspec is a single interface for scanning all of your infrastructure and services. You don't need to study the syntax for dozens of different APIs.

Catch defects before they leave your development environment

Easily integrate cnspec with your CI/CD pipelines so you can stop infrastructure problems before they become incidents.

Tap into our library of pre-made policies, or make & share your own

Get rolling right away with our off-the-shelf security policies. Extend, customize, and share them with the community.

Extend and customize security policies

cnspec is built and maintained with love by the inventors of policy as code.
Take our pre-made policies, or policies from the community, and change them to fit your needs.
We make it simple with a graph database approach and a simple query language.

  1. Craft the assertion
  2. Add metadata
  3. Bundle it into a policy
No Kubernetes namespace should be left at default!

Reveal misconfigurations

Through 2025, 99% of cloud security failures will be attributed to misconfiguration (Gartner).

cnspec detects risky configurations in your live systems. It provides an overall score and reveals details like weak authentication, bad encryption practices, and open ports.




Scan for vulnerabilities

Keeping up with the latest patches can seem impossible. cnspec finds CVEs across your entire infrastructure.

Security feedback can feel like a firehose blast in your face.

cnspec includes severity so you can prioritize your response.

Security best practices for your full stack

Secure the cloud services you rely on

cnspec integrates with GitHub and GitLab to ensure that your sources are safe.

Establish a security baseline

Get a holistic view of your entire security posture. Create baselines and measure improvement.

Catch configuration drift

From TLS expiration to DNS configuration, we keep up with the latest recommended security practices so you don't have to.

Share and export results

Save scan output to JSON for flexible reporting and tracking. Or quickly share scan results with a link.

Mondoo's cnquery lets you answer any question about your infrastructure

Built for automation

Add automation around cnspec and use its data to trigger actions. Check out our GitHub action and Packer integrations or build your own!

For example, set up a GitHub Action to automate your Kubernetes manifest scans using cnspec:

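# GitHub Action
name: cnspec kubernetes manifest scan
on:
  pull_request:  # trigger event assumed; it is missing from the snippet as published
    paths:
      - "k8s/*.yaml"
jobs:
  scan:  # job id assumed
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: mondoohq/actions/k8s-manifest@main  # action inputs go under "with:"; see the action's documentation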

Works with everything

Amazon AWS






Kubernetes clusters

Kubernetes cluster nodes

Kubernetes manifests

Kubernetes workloads


Azure accounts


Container images

Container registries

DNS records

Operating Systems

Linux hosts

macOS hosts

Windows hosts


GitHub Organizations

GitHub Repositories


GitLab Groups

GitLab Projects

Secure your infrastructure with cnspec

cnspec is an open source initiative of Mondoo, Inc.

We also made cnquery, an open source, cloud-native tool that answers every question about your infrastructure. For integrated, continuous cloud security scanning and much more, try Mondoo.


Ⓒ 2023, Mondoo, Inc.