cnspec Overview


cnspec is an open source, cloud-native tool for securing and exploring your entire infrastructure. It scans systems against security policies and provides an interactive shell for querying and inventorying any asset using MQL (Mondoo Query Language).

Point it at a Linux host, an AWS account, a GitHub repo, or a Kubernetes cluster, and cnspec evaluates it against built-in policies and tells you what's at risk:

cnspec scan local

cnspec ships with policies based on Center for Internet Security (CIS) benchmarks and other industry standards, and you can write your own in MQL. It works on its own from the command line, and as the scanning engine inside Mondoo Platform.

Three ways to use cnspec

  • Scan with cnspec scan to evaluate an asset against one or more policies and produce a pass/fail report.
  • Query with cnspec run to run a single MQL expression from the command line and print the result.
  • Explore with cnspec shell to open an interactive shell and inspect any asset using MQL.

The same MQL powers all three: a query you prototype in cnspec shell becomes a check in a policy that you run with cnspec scan.

Policy-based scanning

cnspec uses security policies written in MQL to evaluate your infrastructure. Each policy is a collection of checks against the target system. For example, a policy's checks might verify that:

  • The system uses a secure SSL/TLS configuration.
  • Multi-factor authentication is required for all users.
  • Application configuration files don't contain plaintext secrets.

Mondoo provides policies based on CIS benchmarks and other industry best practices. You can also write your own policies to fit your unique needs.
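
The prototype-to-policy workflow described above, as an added example that is not taken from the cnspec documentation: a minimal policy bundle with two SSH checks. The file name, uids, titles, author, and impact values are assumptions chosen for illustration.

```yaml
# Added example: a minimal cnspec policy bundle (hypothetical file name: policy.mql.yaml).
# The uids, names, and author below are made up for illustration.
#
# Prototype a check as a one-off query first:
#   cnspec run local -c 'sshd.config.params["PermitRootLogin"] == "no"'
# Then run the whole bundle against the same asset:
#   cnspec scan local -f policy.mql.yaml
policies:
  - uid: example-sshd-hardening
    name: Example SSH Server Hardening
    version: 1.0.0
    authors:
      - name: Jane Doe
        email: jane@example.com
    groups:
      - title: SSH daemon configuration
        # Only evaluate these checks on Unix-like assets
        filters: asset.family.contains("unix")
        checks:
          - uid: example-sshd-no-root-login
            title: Ensure SSH root login is disabled
            impact: 80
            mql: sshd.config.params["PermitRootLogin"] == "no"
          - uid: example-sshd-no-password-auth
            title: Ensure SSH password authentication is disabled
            impact: 60
            mql: sshd.config.params["PasswordAuthentication"] == "no"
```

Each mql line is the same expression you would type in cnspec shell, which is what lets a query move from exploration into a scanned check unchanged.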

Explore and query your infrastructure

Beyond policy-based scanning, cnspec lets you query your infrastructure directly using MQL. Use cnspec shell for interactive exploration, cnspec run for one-off queries from the command line, and query packs when you want to bundle a set of queries and run them together.

Use querying to:

  • Inventory all packages, users, or services across your fleet
  • Investigate specific configurations during incident response
  • Prototype and test MQL queries before adding them to policies
  • Answer one-off questions without writing a full policy

What cnspec scans

  • Public clouds — AWS, Azure, GCP, OCI, OpenStack
  • Private clouds — VMware vSphere, Proxmox VE
  • Operating systems — Linux, Windows, macOS, AIX, FreeBSD
  • Containers — Docker and container registries (ECR, ACR, GCR, Harbor, Docker Hub)
  • Orchestration — Kubernetes (EKS, GKE, AKS, OpenShift, self-managed)
  • SaaS platforms — GitHub, GitLab, Okta, Slack, Microsoft 365, Google Workspace, Cloudflare, Snowflake, Tailscale
  • Network devices — Arista EOS, Cisco IOS/NX-OS, F5 BIG-IP, Fortinet FortiOS, Juniper Junos OS, Palo Alto PAN-OS, Ubiquiti UniFi
  • Server applications — Apache2, Microsoft Exchange, Nginx

For the full list, see Supported Scan Targets.

Output and reporting

cnspec exports results in human-readable formats and machine-friendly formats like JUnit and JSON, so you can plug security scanning into your development workflow or production monitoring. To save and share results across teams, register cnspec with Mondoo Platform — Mondoo's web console lets you explore your infrastructure data and track issues over time.
