Secure Hetzner Cloud with cnspec

Scan Hetzner Cloud projects against security and compliance best practices with cnspec.

Scan your Hetzner Cloud project to find security risks before they become incidents. cnspec evaluates servers, networks, load balancers, volumes, firewalls, floating IPs, and SSH keys — all without installing agents on your infrastructure.

Prerequisites

To scan Hetzner Cloud with cnspec, you must have cnspec installed and an API token for the Hetzner Cloud project you want to scan. The next section explains how to create the token.

Authenticate

Create an API token in Hetzner Cloud:

  1. Log in to the Hetzner Cloud Console.
  2. Select your project.
  3. In the left navigation, choose Security > API Tokens.
  4. Generate a new token with Read permission. cnspec only reads the project's configuration, so a read-only token is sufficient and keeps the blast radius small if the token leaks.

You can pass the token on the command line with --token, or export it once and reuse it across commands. Prefer the environment variable: a token given on the command line ends up in your shell history and is visible to other users in the process list.

export HCLOUD_TOKEN=your_token_here

If you need to target a non-default Hetzner Cloud API endpoint, use the --endpoint flag or the HCLOUD_ENDPOINT environment variable.

Verify with a quick Hetzner Cloud check

Confirm that cnspec can reach your Hetzner Cloud project:

cnspec run hetzner -c 'hetzner.servers.length >= 0'

This check passes for any project that cnspec can authenticate to and read, including a project with no servers, so a passing result only confirms connectivity and token validity. If the token is invalid or the API is unreachable, cnspec reports an error instead of a result.

Scan Hetzner Cloud

Scan your Hetzner Cloud project:

cnspec scan hetzner

Or pass the token explicitly:

cnspec scan hetzner --token YOUR_API_TOKEN

Scan with the Mondoo Hetzner Cloud Security policy

Mondoo maintains an out-of-the-box Hetzner Cloud Security policy that checks server configuration, firewall rules, SSH keys, network isolation, and more.

Mondoo Platform users: Enable the policy in your space. In the Mondoo Console, go to Findings > Policies, search for "Hetzner", and add the policy. All future scans of your Hetzner Cloud projects automatically evaluate against it. To learn more, read Manage Policies.

Open source users: Pass the policy bundle URL directly to cnspec:

cnspec scan hetzner --token YOUR_API_TOKEN \
  --policy-bundle https://raw.githubusercontent.com/mondoohq/cnspec/refs/heads/main/content/mondoo-hetzner-security.mql.yaml

You can also create your own policy bundles to meet your specific requirements and pass them to --policy-bundle in the same way.
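As an added example (not part of this page and not the Mondoo-maintained bundle), the following custom policy bundle turns two of the interactive queries shown later on this page into scored checks: every server must have automatic backups enabled (backupWindow is empty when they are off), and every firewall must be attached to at least one server, which catches firewalls that were created but never applied. The policy and query uids, the author name, and the asset filter value "hetzner" are assumptions; verify the platform name by running asset.platform in cnspec shell hetzner before relying on the filter.

```yaml
# custom-hetzner.mql.yaml (added example; uids, author and filter value are assumptions)
# Run with:  cnspec scan hetzner --policy-bundle custom-hetzner.mql.yaml
policies:
  - uid: custom-hetzner-baseline
    name: Custom Hetzner Cloud baseline
    version: 1.0.0
    authors:
      - name: Example Security Team   # placeholder author
    groups:
      - title: Hetzner Cloud project checks
        # Assumption: the Hetzner project asset reports platform "hetzner".
        # Confirm with `asset.platform` in `cnspec shell hetzner` and adjust if needed.
        filters: asset.platform == "hetzner"
        checks:
          - uid: custom-hetzner-server-backups
          - uid: custom-hetzner-firewall-attached

queries:
  - uid: custom-hetzner-server-backups
    title: Every server has automatic backups enabled
    impact: 60
    # Same field as the interactive example on this page: an empty backupWindow
    # means backups are disabled. The check fails if any server has it empty.
    mql: hetzner.servers.all(backupWindow != "")

  - uid: custom-hetzner-firewall-attached
    title: Every firewall is attached to at least one server
    impact: 30
    # A firewall with no attached servers protects nothing; it usually means a
    # rule set was defined but never applied to the servers it was written for.
    mql: hetzner.firewalls.all(servers.length > 0)
```

To see which resources fail a check while you tune it, run the same expression in the shell with where() instead of all(), for example hetzner.servers.where(backupWindow == "") { name }, then move the finished expression into the bundle.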

Explore and test checks interactively

Open a cnspec shell to discover resources and try out checks:

cnspec shell hetzner

List servers

cnspec> hetzner.servers { name status serverType.name datacenter.name }

Find servers without backups enabled

cnspec> hetzner.servers.where(backupWindow == "") { name status }

List networks and their subnets

cnspec> hetzner.networks { name ipRange subnets }

List firewalls and their rules

cnspec> hetzner.firewalls { name rules servers }

List load balancers

cnspec> hetzner.loadBalancers { name loadBalancerType.name location.name services }

List volumes

cnspec> hetzner.volumes { name size location.name server }

List SSH keys

cnspec> hetzner.sshKeys { name fingerprint }
