CLI Commands

cnspec discover

Discover the assets defined by an inventory file's discovery targets and filters or by CLI parameters, without running any queries.

Use cnspec discover to find the assets defined by an inventory file's discovery targets and filters, or by CLI parameters. It prints a per-platform asset count to stdout without running any queries, so you can preview exactly what a scan would target before you run it. This is useful for validating discovery configuration and understanding the scope of a connection.

To also write every discovered asset to a file, pass --output-full PATH. Choose the file format with --output-format: json (default), jsonl, or yaml.

Discover the assets in an AWS account:

cnspec discover aws

Discover the assets defined by an inventory file:

cnspec discover --inventory-file inventory.yml

Write every discovered asset to a file as YAML:

cnspec discover aws --output-full assets.yaml --output-format yaml

Options

      --discover strings        Enable the discovery of nested assets. Supports: all, auto, container, container-images
  -h, --help                    help for discover
      --inventory-file string   Set the path to the inventory file
  -f, --output-format string    Format for --output-full: json (default), jsonl, or yaml. (default "json")
  -o, --output-full string      Write every discovered asset to this path. When empty, only the per-platform count summary is printed.
      --record string           Record all resource calls and use resources in the recording
      --sudo                    Elevate privileges with sudo
      --use-recording string    Use a recording to inject resource data (read-only)

Options inherited from parent commands

      --api-proxy string        Set the proxy for communications with Mondoo Platform API
      --auto-update             Enable automatic provider installation and update (default true)
      --config string           Set config file path (default $HOME/.config/mondoo/mondoo.yml)
      --log-level string        Set the log level: error, warn, info, debug, trace (default "info")
      --logging-config string   Path to a logging configuration file (YAML or JSON) that selects the log writer, level, and writer-specific options
  -v, --verbose                 Enable verbose output

SEE ALSO

On this page