From the creators of InSpec

Full-stack cloud security scanning

cnspec is an open source, cloud-native tool that evaluates the security of your entire infrastructure. Using intuitive policy as code, cnspec scans everything and identifies gaps that attackers can use to breach your systems.


What causes security breaches?

Breaches caused by misconfigurations cost companies ~$3.18 trillion in 2019. All an attacker needs is one entry point to compromise your entire system.

One interface to scan everything

cnspec is a single interface for scanning all of your infrastructure and services. You don't need to study the syntax for dozens of different APIs.

Catch defects before they leave your development environment

Easily integrate cnspec with your CI/CD pipelines so you can stop infrastructure problems before they become incidents.

Tap into our library of pre-made policies, or make & share your own

Get rolling right away with our off-the-shelf security policies. Extend, customize, and share them with the community.

Extend and customize security policies

cnspec is built and maintained with love by the inventors of policy as code.
Take our pre-made policies, or policies from the community, and change them to fit your needs.
We make it simple with a graph database approach and a simple query language.

  • 1. Craft the assertion
  • 2. Add metadata
  • 3. Bundle it into a policy
No Kubernetes namespace should be left at default!

Reveal misconfigurations

Through 2025, 99% of cloud security failures will be attributed to misconfiguration (Gartner).

cnspec detects risky configurations in your live systems. It provides an overall score and reveals details like weak authentication, bad encryption practices, and open ports.

Scan for vulnerabilities

Keeping up with the latest patches can seem impossible. cnspec finds CVEs across your entire infrastructure.

Security feedback can feel like a firehose blast in your face.

cnspec includes severity so you can prioritize your response.

Security best practices for your full stack

Secure the cloud services you rely on

cnspec integrates with GitHub and GitLab to ensure that your sources are safe.

Establish a security baseline

Get a holistic view of your entire security posture. Create baselines and measure improvement.

Catch configuration drift

From TLS expiration to DNS configuration, we keep up with the latest recommended security practices so you don't have to.

Share and export results

Save scan output to JSON for flexible reporting and tracking. Or quickly share scan results with a link.

Mondoo's cnquery lets you answer any question about your infrastructure

Built for automation

Add automation around cnspec and use its data to trigger actions. Check out our GitHub action and Packer integrations or build your own!

For example, set up a GitHub Action to automate your Kubernetes manifest scans using cnspec:

# GitHub Action
name: cnspec kubernetes manifest scan
on:
  push:
    # Run only when a Kubernetes manifest under k8s/ changes
    paths:
      - "k8s/*.yaml"
jobs:
  install:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: mondoohq/actions/k8s-manifest@main

Works with everything

Amazon AWS
  • Instances
  • S3
  • Databases
  • Lambda
  • ECR

Kubernetes
  • Clusters
  • Cluster nodes
  • Manifest files
  • Workloads
  • Containers

Azure
  • Instances
  • Blob Storage
  • Databases
  • Container registries
  • DNS records

Operating Systems
  • Linux hosts
  • macOS hosts
  • Windows hosts
  • FreeBSD hosts

GitHub
  • Organizations
  • Teams
  • Users
  • Repositories

GitLab
  • Groups
  • Projects

Secure your infrastructure with cnspec

cnspec is an open source initiative of Mondoo, Inc.

We also made cnquery, an open source, cloud-native tool that answers every question about your infrastructure. For integrated, continuous cloud security scanning and much more, try Mondoo.

Ⓒ 2023, Mondoo, Inc.