Get Started with cnspec

Welcome to cnspec, an open source project created by Mondoo!

Learn about cnspec

To discover cnspec's capabilities, read What Is cnspec?

Download and install cnspec

Install cnspec with our installation script:

Linux and macOS

bash -c "$(curl -sSL https://install.mondoo.com/sh)"

(You can read the Linux/macOS installation script.)

Windows

Set-ExecutionPolicy Unrestricted -Scope Process -Force;
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072;
iex ((New-Object System.Net.WebClient).DownloadString('https://install.mondoo.com/ps1'));
Install-Mondoo;

(You can read the Windows installation script.)

Installation options

Manual installation packages are available on GitHub releases.

To learn about other installation methods, versioning, and other considerations, read Extended Installation Options for cnspec.

Scan locally

Use the cnspec scan command to check local and remote targets for misconfigurations and vulnerabilities. cnspec detects the target platform and runs policy checks specific to that system.

This command evaluates the security of your local machine:

cnspec scan local

This (truncated) sample result shows the individual checks that cnspec performs according to the policy. It includes a summary of the scan with a letter grade:

Asset: (macOS) Mac.localdomain
------------------------------

Passing:
✓ Control access to audit records
✓ Disable Bonjour advertising service
✓ Disable Content Caching
✓ Disable File Sharing
...
✓ Password Age
✓ Password History
✓ Retain install.log for 365 or more days with no maximum size
✓ Set a minimum password length

Failing:
✕ MEDIUM (40): Reduce the sudo timeout period


Scanned 1 asset

macOS
LOW (1): Mac.localdomain
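
The following shell functions are an added example, not part of cnspec or the original page. They pull the failing checks out of text output laid out like the sample result above and return a non-zero status when one meets a minimum severity. The function names, the embedded excerpt, and the LOW < MEDIUM < HIGH < CRITICAL ordering are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Mondoo's code). Assumes the text layout of the sample
# result above: "Asset: ..." headers and "✕ SEVERITY (score): title" lines.

# Constructed input: an excerpt of the sample result shown above.
sample_report() {
  cat <<'EOF'
Asset: (macOS) Mac.localdomain
------------------------------

Passing:
✓ Control access to audit records
✓ Set a minimum password length

Failing:
✕ MEDIUM (40): Reduce the sudo timeout period

Scanned 1 asset
EOF
}

# Print one tab-separated row per failing check: asset, severity, score, title.
failing_checks() {
  awk '
    /^Asset: / { asset = $0; sub(/^Asset: /, "", asset); next }
    $1 == "✕" && NF >= 4 {
      sev = $2
      score = $3; gsub(/[^0-9]/, "", score)
      title = $0; sub(/^[^:]*: */, "", title)
      printf "%s\t%s\t%s\t%s\n", asset, sev, score, title
    }'
}

# Exit 1 if any failing check is at or above the given severity (default LOW).
# The LOW < MEDIUM < HIGH < CRITICAL ordering is an assumption of this example.
severity_gate() {
  failing_checks | awk -F '\t' -v min="${1:-LOW}" '
    BEGIN { rank["LOW"] = 1; rank["MEDIUM"] = 2; rank["HIGH"] = 3; rank["CRITICAL"] = 4
            if (!(min in rank)) { print "unknown severity: " min > "/dev/stderr"; bad = 1; exit } }
    { r = ($2 in rank) ? rank[$2] : 4 }   # treat unknown labels as worst case
    r >= rank[min] { print "BLOCK: " $2 " " $4 " on " $1; hit = 1 }
    END { exit (bad ? 2 : (hit ? 1 : 0)) }'
}
```

To use it on a real scan, pipe the scan into the gate, for example cnspec scan local | severity_gate MEDIUM. The text layout is not a documented interface, so a gate like this should be rechecked whenever cnspec is upgraded.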

Scan remote targets

You can also specify remote targets to scan.

This example scans a Docker image:

cnspec scan docker image ubuntu:24.04

This scans an AWS account using the local AWS configuration profile:

cnspec scan aws

This scans a Kubernetes cluster using your local kubectl config:

cnspec scan k8s

This scans a GitHub repository:

export GITHUB_TOKEN=<personal_access_token>
cnspec scan github repo <org/repo>

Create a JSON report

To save the results of your scan to a JSON file, append the -o flag to your scan command:

-o json > FILENAME.json

For FILENAME, substitute the name you want to give the file. For example, this scans a Kubernetes cluster and reports the results to a file named k8s-test-results.json:

cnspec scan k8s -o json > k8s-test-results.json

Save, review, and share reports with Mondoo Platform

To save, review, and share reports, sign up for a free Mondoo account. Mondoo's web-based console allows you to navigate, search, and inspect all of your reports.

To learn about more of Mondoo Platform's capabilities, visit mondoo.com.