Secure DigitalOcean with cnspec

Scan a DigitalOcean account against security and compliance best practices with cnspec.

Scan your DigitalOcean account to find security risks before they become incidents. cnspec evaluates Droplets, firewalls, Kubernetes clusters, managed databases, load balancers, VPCs, Spaces keys, and more — all without installing agents on your infrastructure.

Prerequisites

To scan DigitalOcean with cnspec, you must have:

Authenticate

Create a personal access token in DigitalOcean:

  1. Log in to the DigitalOcean control panel.
  2. In the left navigation, choose API.
  3. On the Tokens tab, generate a new personal access token. Read scopes are sufficient for assessment.

You can pass the token on the command line with --token, or export it once and reuse it across commands:

export DIGITALOCEAN_TOKEN=your_token_here

Verify with a quick DigitalOcean check

Confirm that cnspec can reach your DigitalOcean account:

cnspec run digitalocean -c 'digitalocean.account.email != empty'

If cnspec connects, it prints your account's email and confirms the check passed.

Scan DigitalOcean

Scan your DigitalOcean account:

cnspec scan digitalocean

Or pass the token explicitly:

cnspec scan digitalocean --token YOUR_API_TOKEN

Scan with the Mondoo DigitalOcean Security policy

Mondoo maintains an out-of-the-box DigitalOcean Security policy that checks droplet configuration, firewall rules, SSH keys, database access, and more.

Mondoo Platform users: Enable the policy in your space. In the Mondoo Console, go to Findings > Policies, search for "DigitalOcean", and add the policy. All future scans of your DigitalOcean account automatically evaluate against it. To learn more, read Manage Policies.

Open source users: Pass the policy bundle URL directly to cnspec:

cnspec scan digitalocean --token YOUR_API_TOKEN \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-digitalocean-security.mql.yaml

You can also create your own policies to meet your specific requirements.
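As an added example (not part of the original page or of the Mondoo-maintained policy), the bundle below turns three of the interactive checks from this page into a small custom policy; the bundle and check uids, the names, the impact values and the asset.platform filter are assumptions, while the resource fields are the ones the page uses. Save it as a file and pass its path to --policy-bundle.

```yaml
# Constructed example bundle: custom-digitalocean-baseline.mql.yaml
# Run with: cnspec scan digitalocean --policy-bundle ./custom-digitalocean-baseline.mql.yaml
policies:
  - uid: custom-digitalocean-baseline     # assumed uid, choose your own
    name: Custom DigitalOcean Baseline
    version: 1.0.0
    groups:
      - title: Droplets, Kubernetes clusters and load balancers
        # Assumption: restrict the checks to DigitalOcean assets
        filters: asset.platform == "digitalocean"
        checks:
          - uid: do-droplet-backups
          - uid: do-k8s-auto-upgrade
          - uid: do-lb-https-redirect
queries:
  - uid: do-droplet-backups
    title: Droplets have backups enabled
    impact: 60
    # Same condition as the shell query, as a check that must hold for every Droplet
    mql: digitalocean.droplets.all(backupsEnabled == true)
  - uid: do-k8s-auto-upgrade
    title: Kubernetes clusters receive automatic upgrades
    impact: 40
    mql: digitalocean.kubernetesClusters.all(autoUpgrade == true)
  - uid: do-lb-https-redirect
    title: Load balancers redirect HTTP to HTTPS
    impact: 50
    mql: digitalocean.loadBalancers.all(redirectHttpToHttps == true)
```

A failing check reports the resources that do not satisfy the condition, so the same bundle doubles as an inventory of Droplets without backups, clusters without auto-upgrade and load balancers still serving plain HTTP.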

Explore and test checks interactively

Open a cnspec shell to discover resources and try out checks:

cnspec shell digitalocean

Retrieve account information

cnspec> digitalocean.account { email emailVerified status dropletLimit }

List Droplets

cnspec> digitalocean.droplets { name status region size memory vcpus }

Find Droplets without backups enabled

cnspec> digitalocean.droplets.where(backupsEnabled == false) { name region }

List firewalls and their rules

cnspec> digitalocean.firewalls { name status inboundRules outboundRules dropletIds }

List Kubernetes clusters

cnspec> digitalocean.kubernetesClusters { name version region status autoUpgrade ha }

List managed databases

cnspec> digitalocean.databases { name engine version numNodes region }

List load balancers

cnspec> digitalocean.loadBalancers { name status algorithm region redirectHttpToHttps }

List VPCs

cnspec> digitalocean.vpcs { name region ipRange default }

List SSH keys

cnspec> digitalocean.sshKeys { name fingerprint }

Learn more