cnspec scan

Scan assets with one or more policies

Synopsis

This command triggers a new policy scan for an asset. By default, cnspec scans the local system with its pre-configured policies:

$ cnspec scan local

You can also manually select a local policy to execute and run it without storing results in the server:

$ cnspec scan local --policy-bundle policyfile.yaml --incognito

In addition, cnspec can scan assets remotely via SSH. By default, cnspec uses the operating system SSH agent and SSH config to retrieve the credentials:

$ cnspec scan ssh ec2-user@52.51.185.215
$ cnspec scan ssh ec2-user@52.51.185.215:2222

cnspec supports scanning AWS, Azure, and GCP accounts and instances. Find out more in each sub-commands help menu. Here are a few examples:

$ cnspec scan aws --region us-east-1
$ cnspec scan azure --subscription ID --group NAME
$ cnspec scan gcp project ID

You can also access Docker containers and images. cnspec supports local containers and images as well as images in Docker registries:

$ cnspec scan docker container b62b276baab6
$ cnspec scan docker image ubuntu:latest

Additionally, you can quickly scan a container registry:

$ cnspec scan container registry harbor.lunalectric.com
$ cnspec scan container registry 123456789.dkr.ecr.us-east-1.amazonaws.com/repository

cnspec also supports GCP's container registry, GCR:

$ cnspec scan gcp gcr PROJECT_ID

Vagrant is supported as well:

$ cnspec scan vagrant HOST

You can also use an inventory file:

$ cnspec scan --inventory-file inventory.yml

This scan uses an existing Ansible inventory:

$ ansible-inventory -i hosts.ini --list | cnspec scan --inventory-ansible

To learn more, read https://mondoo.com/docs/.

cnspec scan [flags]

Options

      --annotation stringToString        Add an annotation to the asset. (default [])
      --ask-pass                         Ask for connection password.
      --asset-name string                User override for the asset name.
      --detect-cicd                      Try to detect CI/CD environments and, if successful, set the asset category to 'cicd'. (default true)
      --discover string                  Enable the discovery of nested assets. Supported: 'all|auto|instances|host-instances|host-machines|container|container-images|pods|cronjobs|statefulsets|deployments|jobs|replicasets|daemonsets' (default "auto")
      --discover-filter stringToString   Additional filter for asset discovery. (default [])
  -h, --help                             help for scan
      --id-detector string               User override for platform ID detection mechanism. Supported: hostname, machine-id, aws-ec2, cloud-detect, ssh-host-key, transport-platform-id
  -i, --identity-file string             Select a file from which to read the identity (private key) for public key authentication.
      --incognito                        Run in incognito mode. Do not report scan results to the Mondoo platform.
      --insecure                         Disable TLS/SSL checks or SSH hostkey config.
      --inventory-ansible                Set the inventory format to Ansible.
      --inventory-domainlist             Set the inventory format to domain list.
      --inventory-file string            Set the path to the inventory file.
  -j, --json                             Set output to JSON (shorthand).
      --no-pager                         Disable interactive scan output pagination.
      --option --option key=value        Additional connection options. You can pass multiple options using --option key=value. (default [])
  -o, --output string                    Set output format: compact, csv, full, json, junit, report, summary, yaml (default "compact")
      --pager string                     Enable scan output pagination with custom pagination command. The default is 'less -R'.
  -p, --password string                  Password, such as for SSH/WinRM.
      --path string                      Path to a local file or directory for the connection to use.
      --policy strings                   Lists policies to execute. This requires incognito mode. You can pass multiple policies using --policy POLICY
  -f, --policy-bundle strings            Path to local policy bundle file.
      --props stringToString             Custom values for properties (default [])
      --score-threshold int              If any score falls below the threshold, exit 1.
      --sudo                             Elevate privileges with sudo.

Options inherited from parent commands

      --config string      Set config file path (default $HOME/.config/mondoo/mondoo.yml)
      --log-level string   Set log level: error, warn, info, debug, trace (default "info")
  -v, --verbose            Enable verbose output

SEE ALSO

• cnspec - cnspec CLI
• cnspec scan arista - Scan an Arista endpoint.
• cnspec scan aws - Scan an AWS account or instance.
• cnspec scan azure - Scan a Microsoft Azure subscription or virtual machine.
• cnspec scan container - Scan a container, image, or registry.
• cnspec scan docker - Scan a Docker container or image.
• cnspec scan gcp - Scan a Google Cloud Platform (GCP) organization, project or folder.
• cnspec scan github - Scan a GitHub organization or repository.
• cnspec scan gitlab - Scan a GitLab group.
• cnspec scan google-workspace - Scan a Google Workspace organization.
• cnspec scan host - Scan a host endpoint (domain name).
• cnspec scan k8s - Scan a Kubernetes cluster or local manifest file(s).
• cnspec scan local - Scan your local system.
• cnspec scan mock - Scan a mock target (a simulated asset).
• cnspec scan ms365 - Scan a Microsoft 365 tenant.
• cnspec scan okta - Scan an Okta organization.
• cnspec scan slack - Scan a Slack team.
• cnspec scan ssh - Scan an SSH target.
• cnspec scan terraform - Scan all Terraform files in a path (.tf files).
• cnspec scan vagrant - Scan a Vagrant host.
• cnspec scan vcd - Scan a VMware Virtual Cloud Director organization.
• cnspec scan vsphere - Scan a VMware vSphere API endpoint.
• cnspec scan winrm - Scan a WinRM target.