What Is cnspec?

An introduction to cnspec, an open source, cloud-native tool for securing your full stack

cnspec is an open source, cloud-native tool for securing and exploring your entire infrastructure. It scans systems against security policies and provides an interactive shell for querying and inventorying any asset using MQL (Mondoo Query Language).

How it works

cnspec operates in two modes:

  • Scan mode (cnspec scan) — Evaluate assets against security policies and produce pass/fail results.
  • Shell mode (cnspec shell) — Interactively query any asset and explore its data in real time.

Policy-based scanning

cnspec uses security policies written in MQL to evaluate your infrastructure. Each policy is a collection of checks against the target system. For example, a policy's checks might include:

  • The system must use a secure SSL/TLS configuration.
  • Multi-factor authentication must be required.
  • User data must not include any secrets.

Mondoo provides policies based on standards set by the Center for Internet Security (CIS) and other industry best practices. You can also write your own policies to fit your unique needs.

Explore and query your infrastructure

Beyond policy-based scanning, cnspec provides an interactive shell for ad-hoc querying. Use cnspec shell to connect to any target and explore its configuration in real time using MQL.

Use interactive querying to:

  • Inventory all packages, users, or services across your fleet
  • Investigate specific configurations during incident response
  • Prototype and test MQL queries before adding them to policies
  • Answer one-off questions without writing a full policy

Scan targets

cnspec scans a wide range of infrastructure, including:

  • Public clouds — AWS, Azure, GCP, OCI
  • Private clouds — VMware vSphere
  • Operating systems — Linux, Windows, macOS, AIX, FreeBSD
  • Containers — Docker, container registries (ECR, ACR, GCR, Harbor, Docker Hub)
  • Orchestration — Kubernetes (EKS, GKE, AKS, OpenShift, self-managed)
  • SaaS platforms — GitHub, GitLab, Okta, Slack, Microsoft 365, Google Workspace, Cloudflare, Snowflake, Tailscale
  • Network devices — Arista EOS, Cisco IOS/NX-OS, F5 BIG-IP, Fortinet FortiOS, Juniper Junos OS, Palo Alto PAN-OS, Ubiquiti UniFi
  • Server applications — Apache2, Microsoft Exchange, and Nginx

For the full list, read Supported Scan Targets.

Output and reporting

You can export scan results in human-readable formats, or in machine-friendly formats like JUnit or JSON. This makes it easy to integrate security scanning into your development process or production monitoring.
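As an added example (not code from the cnspec project or from this page), here is a small Python gate that reads a JUnit report exported from a scan and decides whether a CI job should pass. It assumes the report follows the common JUnit XML layout (testsuite/testcase elements with failure, error, or skipped children); the sample report and the names in it are constructed.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample report; a real scan's suite and check names will differ.
SAMPLE_REPORT = """<testsuites>
  <testsuite name="Policy report for web-01 (constructed)" tests="3" failures="1">
    <testcase classname="score" name="Secure TLS configuration"/>
    <testcase classname="score" name="Multi-factor authentication required">
      <failure message="check failed" type="fail"/>
    </testcase>
    <testcase classname="score" name="No secrets in user data">
      <skipped/>
    </testcase>
  </testsuite>
</testsuites>
"""

def summarize(junit_xml):
    """Count outcomes per test case; accepts a <testsuites> or bare <testsuite> root."""
    # The report comes from your own scanner; for untrusted XML use a hardened parser.
    root = ET.fromstring(junit_xml)
    summary = {"passed": 0, "failed": [], "errored": [], "skipped": 0}
    for suite in root.iter("testsuite"):        # includes the root if it is a testsuite
        for case in suite.findall("testcase"):  # direct children only, no double counting
            label = f'{suite.get("name", "?")}: {case.get("name", "?")}'
            if case.find("failure") is not None:
                summary["failed"].append(label)
            elif case.find("error") is not None:
                summary["errored"].append(label)
            elif case.find("skipped") is not None:
                summary["skipped"] += 1
            else:
                summary["passed"] += 1
    return summary

def gate(junit_xml):
    """Return a CI exit code: 0 only if at least one check passed and none failed or errored."""
    s = summarize(junit_xml)
    if s["failed"] or s["errored"]:
        return 1
    # Fail closed: a report with no passing checks usually means the scan never ran.
    return 0 if s["passed"] > 0 else 2

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    print(summarize(data))
    sys.exit(gate(data))
```

Treating an empty or all-skipped report as a failure keeps a misconfigured scan step from silently passing the pipeline.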

You can also save and share results using Mondoo Platform. Mondoo's web-based console lets you explore your infrastructure data and track issues over time. To learn more, visit mondoo.com.

Get started
