Skip to main content

Manage Policies

If you customize or build your own policies, you can store and share access to them using Mondoo Platform.

Scale cnspec across your infrastructure

The easiest way to scale cnspec across your infrastructure is to have all of your infrastructure pull policies from a central location. One simple approach is to sign up for a free account on Mondoo Platform. The platform is designed for multi-tenancy and provides a secure, private environment that keeps data about your assets in your own account. With Mondoo Platform, all assets can report on policies and you can define custom exceptions for your infrastructure.

To use cnspec with Mondoo Platform, run:

cnspec login

Once authenticated, you can scan any target:

cnspec scan <target>

cnspec returns the results from the scan to STDOUT and to Mondoo Platform.

Upload policies to your account

With an account on Mondoo Platform, you can upload policies:

cnspec policy upload mypolicy.mql.yaml

Create a policy bundle

To learn about policies and policy bundles, read Policies.

To set up a new policy bundle:

cnspec bundle init example.mql.yaml

Validate a policy bundle

Validate a policy bundle to ensure that the bundle compiles and that all queries and references work:

cnspec bundle validate example.mql.yaml

Commands for managing policies

To learn more about managing policies, read about these commands:

List enabled policies in the connected spacecnspec policy list
Enable a policy in the connected spacecnspec policy enable
Disable a policy in the connected spacecnspec policy disable
Show more information about a policy from the connected spacecnspec policy info
Download a policy to a local bundle filecnspec policy download
Create an example policy bundlecnspec policy init
Apply style formatting to one or more policy bundlesApply style formatting to one or more policy bundles
Lint a policy bundle(/cnspec/cli/cnspec_policy_lint/)
Upload a policy to the connected spacecnspec policy upload
Delete a policy from the connected spacecnspec policy delete