Skip to main content

cnspec scan azure

Scan a Microsoft Azure subscription or virtual machine.


Scan a Microsoft Azure subscription or virtual machine. cnspec uses your local Azure configuration for the account scan. To scan Azure virtual machines, you must configure your Azure credentials and have SSH access to the virtual machines.

cnspec scan azure [flags]


      --annotation stringToString        Add an annotation to the asset. (default [])
--ask-pass Ask for connection password.
--asset-name string User override for the asset name.
--certificate-path string Path (in PKCS #12/PFX or PEM format) to the authentication certificate.
--certificate-secret string Passphrase for the authentication certificate file.
--client-id string Application (client) ID of the service principal.
--client-secret string Secret for application.
--detect-cicd Try to detect CI/CD environments and, if successful, set the asset category to 'cicd'. (default true)
--discover string Enable the discovery of nested assets. Supported: 'all|auto|instances|host-instances|host-machines|container|container-images|pods|cronjobs|statefulsets|deployments|jobs|replicasets|daemonsets' (default "auto")
--discover-filter stringToString Additional filter for asset discovery. (default [])
-h, --help help for azure
--id-detector string User override for platform ID detection mechanism. Supported: hostname, machine-id, aws-ec2, cloud-detect, ssh-host-key, transport-platform-id
-i, --identity-file string Select a file from which to read the identity (private key) for public key authentication.
--incognito Run in incognito mode. Do not report scan results to Mondoo Platform.
--insecure Disable TLS/SSL checks or SSH hostkey config.
--inventory-ansible Set the inventory format to Ansible.
--inventory-domainlist Set the inventory format to domain list.
--inventory-file string Set the path to the inventory file.
-j, --json Set output to JSON (shorthand).
--option --option key=value Additional connection options. You can pass multiple options using --option key=value. (default [])
-o, --output string Set output format: compact, csv, full, json, junit, report, summary, yaml (default "compact")
-p, --password string Password, such as for SSH/WinRM.
--path string Path to a local file or directory for the connection to use.
--policy strings Lists policies to execute. This requires incognito mode. You can pass multiple policies using --policy POLICY
-f, --policy-bundle strings Path to local policy bundle file.
--props stringToString Custom values for properties (default [])
--score-threshold int If any score falls below the threshold, exit 1.
--share create a web-based private reports when cnspec is unauthenticated. Defaults to false.
--subscription string ID of the Azure subscription to scan.
--subscriptions string Comma-separated list of Azure subscriptions to include.
--subscriptions-exclude string Comma-separated list of Azure subscriptions to exclude.
--sudo Elevate privileges with sudo.
--tenant-id string Directory (tenant) ID of the service principal.

Options inherited from parent commands

      --api-proxy string   Set proxy for communications with Mondoo API
--config string Set config file path (default $HOME/.config/mondoo/mondoo.yml)
--log-level string Set log level: error, warn, info, debug, trace (default "info")
-v, --verbose Enable verbose output