Skip to main content


Policies are the specifications that cnspec uses when it scans a system. They're collections of security requirements expressed as highly readable code. Each policy is stored in a separate YAML file. You can see all available policies in the mondoohq/cnspec-policies GitHub repo.

Policy as code​

Security policies and compliance frameworks typically are documents. Text describes each guideline and its rationale, and sometimes the consequences of not complying.

But documents don't check your systems. The work to verify that your infrastructure follows security standards is often manual, time intensive, and error prone. Manually demonstrating compliance for an audit, for example, can take weeks just to provide a snapshot of a single moment.

Policy as code lets you automate compliance with security benchmarks and best practices. The code does the job of both documenting the guidelines and testing your systems to ensure they follow those guidelines.

cnspec policies and policy bundles

Each cnspec policy is codified as a collection of queries that check for certain configuration settings. For example, the Mondoo Linux Security - Users and Groups policy includes these assertions:

  • There are no users in the root group.
  • No duplicate user names exist.
  • All system accounts are non-login.

Policy bundles are YAML files that contain at least one policy. They group related policies. For example, the Mondoo Linux Security policy bundle contains a Configure SSH Server policy that is specific to Linux, a Logging policy that is specific to Linux, and other policies that define secure Linux practices.

Policies and Policy Bundles

Find cnspec policy bundles in Mondoo's cnspec-policies GitHub repo.

Learn more