Skip to main content

Get Started with cnspec

Welcome to cnspec, an open source project created by Mondoo!

Download and install cnspec

Install cnspec with our installation script:

Linux and macOS

bash -c "$(curl -sSL"

Read the script before you run it:


Set-ExecutionPolicy Unrestricted -Scope Process -Force;
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072;
iex ((New-Object System.Net.WebClient).DownloadString(''));
Install-Mondoo -Product cnspec;

Read the script before you run it:

Manual Installation

Manual installation packages are available on GitHub releases.

About cnspec

cnspec is an open source, cloud-native tool that assesses the security of your entire infrastructure. It scans everything and tells you where there are gaps that hackers can use to breach your systems.

Attackers rely on misconfigurations and deprioritized vulnerabilities; all they need is one entry point to compromise your entire infrastructure. cnspec finds all the security issues that welcome ransomware, data theft, and other attacks.

Security policies written in high-level code are the basis for cnspec scans. Each policy is a collection of checks against the target system. For example, a policy's checks might include:

  • The system must use a secure SSL/TLS configuration.
  • Multi-factor authentication must be required.
  • User data must not include any secrets.

Each policy is based on standards set by the Center for Internet Security (CIS) and industry best practices. It's easy to extend or modify a policy to fit your unique needs.

You can share scan results or export them to JSON. This opens up endless possibilities for reporting and audits.

You can also create automation around cnspec to make security scanning a part of your development process or your production monitoring.

Scan locally​

Use the cnspec scan subcommand to check local and remote targets for misconfigurations and vulnerabilities. cnspec detects the target platform and runs policy checks specific to that system.

This command evaluates the security of your local machine:

cnspec scan local

This (truncated) sample result shows the individual checks that cnspec performs according to the policy. It includes a summary of the scan with a letter grade:

✓ Pass: Disable Media Sharing
✓ Pass: Do not enable the "root" account
✓ Pass: Disable Bluetooth Sharing
✕ Fail: Enable security auditing
✓ Pass: Enable Firewall
✕ Fail: Ensure Firewall is configured to log
✓ Pass: Ensure nfs server is not running.
✓ Pass: Disable Content Caching
✕ Fail: Ensure AirDrop Is Disabled
✓ Pass: Control access to audit records


Target: user-macbook-pro
Score: A 80/100 (100% completed)
✓ Passed: ███████████ 70% (21)
✕ Failed: ███ 17% (5)
! Errors: ██ 13% (4)
» Skipped: 0% (0)

A 80 macOS Security by Mondoo

Scan remote targets​

You can also specify remote targets to scan.

This example scans a docker image:

cnspec scan docker image ubuntu:22.04

This scans an aws account using the local AWS config:

cnspec scan aws

This scans a Kubernetes cluster using your local kubectl config:

cnspec scan k8s

This scans a GitHub repository:

export GITHUB_TOKEN=<personal_access_token>
cnspec scan github repo <org/repo>

Create a JSON report

To save the results of your scan to a JSON file, append your scan command with the -o flag:

-o json > FILENAME.json

For FILENAME, substitute the name you want to give the file. For example, this scans a Kubernetes cluster and reports the results to a file named k8s-test-results.json:

cnspec scan k8s -o json > k8s-test-results.json

Learn more​