Skip to main content

cnspec scan

Run a security scan on an asset based on one or more Mondoo policies.

To learn more, read Get Started with cnspec.


This command triggers a new policy-based scan on an asset. By default, cnspec scans the local system with the default policies built specifically for the platform. If you register cnspec with Mondoo, this command scans using the applicable enabled policies.

cnspec scan local

You can also specify a local policy and run it without storing results in Mondoo Platform:

cnspec scan local --policy-bundle POLICYFILE.yaml --incognito

In addition, cnspec can scan assets remotely using SSH. By default, cnspec uses the operating system's SSH agent and SSH config to retrieve the credentials:

cnspec scan ssh ec2-user@
cnspec scan ssh ec2-user@

Examples: cloud

Scan AWS

cnspec scan aws --region us-east-1

To learn more, read Assess AWS Security with cnspec.

Scan Azure

cnspec scan azure --subscription SUBSCRIPTION_ID --group GROUP_NAME

To learn more, read Assess Azure Security with cnspec.

Scan Google Cloud (GCP)

cnspec scan gcp project PROJECT_ID

To learn more, read Assess Google Cloud Security with cnspec.

Scan Kubernetes

cnspec scan k8s
cnspec scan k8s MANIFEST_FILE

To learn more, read Assess Kubernetes Security with cnspec.

Scan Oracle Cloud Infrastructure (OCI)

cnspec scan oci

To learn more, read Assess Oracle Cloud Infrastructure (OCI) Security with cnspec.

Examples: SaaS

Scan GitHub

cnspec scan github repo ORG/REPO

To learn more, read Assess GitHub Security with cnspec.

Scan GitLab

cnspec scan gitlab --group YOUR_GROUP_NAME --token YOUR_TOKEN

Scan Google Workspace

export GOOGLEWORKSPACE_CLOUD_KEYFILE_JSON=/home/user/my-project-6646123456789.json
cnspec scan google-workspace --customer-id 5amp13iD --impersonated-user-email

To learn more, read Assess Google Workspace Security with cnspec.

Scan Jira

cnspec scan atlassian jira --host HOST_URL --user USER@DOMAIN --user-token YOUR_TOKEN

Scan Microsoft 365 (MS 365)

cnspec scan ms365 --certificate-path certificate.combo.pem --tenant-id YOUR_TENANT_ID --client-id YOUR_CLIENT_ID

To learn more, read Assess Microsoft 365 Security with cnspec.

Scan Okta

cnspec scan okta --organization --token API_TOKEN

To learn more, read Assess Okta Security with cnspec.

Scan Slack

cnspec scan slack --token API_TOKEN

To learn more, read Assess Slack Security with cnspec.

Examples: supply chain and containers

cnspec supports local containers and images as well as images in Docker registries.

Scan Docker

cnspec scan docker container b62b276baab6
cnspec scan docker image ubuntu:latest

Scan Harbor

cnspec scan container registry

Scan ECR

cnspec scan container registry

Scan GCR

cnspec scan gcp gcr PROJECT_ID

Scan Vagrant

cnspec scan vagrant HOST

Scan an inventory file

cnspec scan --inventory-file FILENAME

Scan an Ansible inventory file

ansible-inventory -i hosts.ini --list | cnspec scan --inventory-format-ansible --inventory-file -


      --annotation stringToString   Add an annotation to the asset. (default [])
--asset-name string User-override for the asset name
--detect-cicd Try to detect CI/CD environments. If detected, set the asset category to 'cicd'. (default true)
--discover strings Enable the discovery of nested assets. Supports: all,auto,container,container-images
-h, --help help for scan
--incognito Run in incognito mode. Do not report scan results to Mondoo Platform.
--inventory-format-ansible Set the inventory format to Ansible.
--inventory-format-domainlist Set the inventory format to domain list.
--inventory-file string Set the path to the inventory file.
-j, --json Run the query and return the object in a JSON structure.
-o, --output string Set output format: compact, csv, full, json, junit, report, summary, yaml (default "compact")
--output-target string Set output target to which the asset report will be sent. Currently only supports AWS SQS topic URLs and local files
--platform-id string Select a specific target asset by providing its platform ID.
--policy strings Lists policies to execute. This requires --policy-bundle. You can pass multiple policies using --policy POLICY.
-f, --policy-bundle strings Path to local policy file
--props stringToString Custom values for properties (default [])
--record string Record all resource calls and use resources in the recording
--score-threshold int If any score falls below the threshold, exit 1.
--sudo Elevate privileges with sudo.
--use-recording string Use a recording to inject resource data (read-only)

Options inherited from parent commands

      --api-proxy string   Set proxy for communications with Mondoo API
--auto-update Enable automatic provider installation and update (default true)
--config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
--log-level string Set log level: error, warn, info, debug, trace (default "info")
-v, --verbose Enable verbose output