Mondoo
Docs
Providers

About cnspec Providers

Learn about cnspec providers and special considerations for containers and air-gapped or limited access assets

cnspec can scan and query dozens of different platforms, from AWS accounts to Windows hosts. Providers are the components of cnspec that allow it to work with specific platforms.

When you run a cnspec command, cnspec automatically downloads and installs the provider(s) you need. This saves download time, memory, and disk space, and ensures you always have the latest version.

To learn what providers are available and the resources each one exposes, read Manage cnspec Providers.

For example, suppose you download cnspec and install it on a Linux workstation. When you run a local scan, cnspec automatically downloads the operating systems (os) provider and runs the scan. The os provider remains on your workstation for next time.

If you then run cnspec shell aws, cnspec downloads the aws provider and opens the shell. The aws provider also remains on your workstation for future use.

Most users don't need to think about providers. cnspec manages them for you. However, there are some situations where you might want to manage providers yourself:

  • Containers
  • Read-only mode
  • Air-gapped environments

Containers

By default, when you spin up a container with cnspec installed and run any cnspec command, cnspec retrieves the latest version of the providers it needs. When the container is destroyed, the providers are destroyed. The next time you spin up a container based on the same image, the download and installation repeat.

To avoid this, you can:

Read-only mode

Some security situations dictate that cnspec must not be allowed to write to the machine on which it's installed. cnspec does operate in read-only mode; however, it can't download and install the providers it needs. Therefore, when you install cnspec on a machine on which cnspec won't have write access, you must also install the provider. To learn how, read Install a provider.

If you install cnspec in an environment where it can't automatically update providers, you're responsible for installing provider updates.

To prevent error messages when you run commands in read-only mode, disable provider auto-update. To learn how, read Disable automatic provider updates.

Air-gapped environments

In an air-gapped environment, cnspec can't download the providers needed to scan or test the system. Therefore, when you install cnspec on an air-gapped machine, you must also install the provider. To learn how, read Install a provider.

If you install cnspec in an air-gapped environment, you're responsible for installing provider updates.

To prevent error messages when you run commands, disable provider auto-update. To learn how, read Disable automatic provider updates.

Supported Scan Targets

A list of technologies that cnspec can scan

Manage Providers

Learn how to install, update, remove, and disable automatic updates for cnspec providers

On this page

ContainersRead-only modeAir-gapped environments