What Is cnspec?
An introduction to cnspec, an open source, cloud-native tool for securing your full stack
cnspec is an open source, cloud-native tool that assesses the security of your entire infrastructure. It scans your systems against security policies and identifies misconfigurations, unpatched vulnerabilities, and compliance gaps.
How it works
cnspec uses security policies written in MQL (Mondoo Query Language) to evaluate your infrastructure. Each policy is a collection of checks, where a check is a single MQL query that passes when it evaluates to true against the target system; a policy can also filter which kinds of assets its checks apply to. For example, a policy's checks might include:
- The system must use a secure SSL/TLS configuration.
- Multi-factor authentication must be required.
- User data must not include any secrets.
Mondoo provides policies based on standards set by the Center for Internet Security (CIS) and other industry best practices. You can also write your own policies to fit your unique needs.
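To make the policy and check structure concrete, the following policy bundle is an added example for this page, not one of Mondoo's published policies. It hardens an SSH server on Unix-like hosts; the bundle uid, check uids, author, titles and impact values are illustrative choices, and the MQL expressions use the `sshd.config` and `asset` resources.

```yaml
# Added example policy bundle (not shipped with cnspec); save as ssh-hardening.mql.yaml
# and scan the local machine with:
#   cnspec scan local -f ssh-hardening.mql.yaml
# Every uid, title, author and impact value below is an illustrative assumption.
policies:
  - uid: example-ssh-hardening
    name: Example SSH server hardening
    version: "1.0.0"
    authors:
      - name: Example Author
        email: security@example.com
    groups:
      # The filter restricts the group to Unix-like assets; a Windows or cloud
      # asset that does not match is skipped rather than failed.
      - title: SSH daemon configuration
        filters: asset.family.contains("unix")
        checks:
          # Each check is one MQL expression; the check passes when it evaluates to true.
          - uid: example-ssh-01
            title: Root login over SSH must be disabled
            impact: 100
            mql: sshd.config.params["PermitRootLogin"] == "no"
            docs:
              desc: Direct root logins remove per-user accountability and give attackers a known account to guess passwords against.
          - uid: example-ssh-02
            title: Password authentication must be disabled in favour of keys
            impact: 80
            mql: sshd.config.params["PasswordAuthentication"] == "no"
          - uid: example-ssh-03
            title: No CBC-mode ciphers may be offered
            impact: 60
            # Regular-expression match over the configured cipher list; passes only if no entry matches.
            mql: sshd.config.ciphers.none( /cbc/ )
```

Before scanning, `cnspec bundle lint ssh-hardening.mql.yaml` validates the bundle syntax, and `cnspec run local -c 'sshd.config.params["PermitRootLogin"]'` evaluates a single query so you can see the raw value a check will be compared against (check `cnspec --help` for the exact flags in your version).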
Scan targets
cnspec scans a wide range of infrastructure, including:
- Cloud providers — AWS, Azure, GCP, OCI
- Operating systems — Linux, Windows, macOS, AIX, FreeBSD
- Containers and orchestration — Kubernetes, Docker, container registries
- SaaS platforms — GitHub, GitLab, Okta, Slack, Microsoft 365, Google Workspace, Cloudflare, Snowflake, Tailscale
- Network devices — Arista EOS, Cisco IOS/NX-OS, F5 BIG-IP, Fortinet FortiOS, Juniper Junos OS, Palo Alto PAN-OS, Ubiquiti UniFi
For the full list, read Supported Scan Targets.
Output and reporting
You can export scan results in human-readable formats, or in machine-friendly formats like JUnit or JSON. JUnit output lets a CI system treat failed checks like failed tests, and JSON output can be fed into your own tooling, so it is straightforward to integrate security scanning into your development process or production monitoring.
You can also save and share results using Mondoo Platform. Mondoo's web-based console lets you explore your infrastructure data and track issues over time. To learn more, visit mondoo.com.