Welcome to cnspec, an open source project created by Mondoo!
Download and install cnspec
Install cnspec with our installation script:
Linux and macOS
bash -c "$(curl -sSL https://install.mondoo.com/sh/cnspec)"
Read the script before you run it: https://install.mondoo.com/sh/cnspec
Windows (PowerShell)
Set-ExecutionPolicy Unrestricted -Scope Process -Force;
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072;
iex ((New-Object System.Net.WebClient).DownloadString('https://install.mondoo.com/ps1/cnspec'));
Install-Mondoo -Product cnspec;
Read the script before you run it: https://install.mondoo.com/ps1/cnspec
Manual installation packages are available on GitHub releases.
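The installation steps above recommend reading the script before you run it. As an added example (not part of the cnspec project or its installer), this POSIX shell wrapper downloads the install script to a file, lets you read it, and only executes it after an explicit confirmation; the function names are assumptions, and the URL is the one from the Linux and macOS instructions.

```shell
#!/usr/bin/env sh
# Added example, not cnspec project code: fetch the installer to a file
# so it can be reviewed before it is executed, instead of piping the
# download straight into bash.
INSTALLER_URL="https://install.mondoo.com/sh/cnspec"

# Download the installer at $1 to the file $2 without executing it.
# Only HTTPS is allowed and a non-2xx response is treated as a failure.
fetch_installer() {
  curl --proto '=https' --tlsv1.2 -sSLf -o "$2" "$1"
}

# Sanity-check a downloaded installer before it is shown or run:
# the file must be non-empty and start with a shell shebang line.
# Returns 0 when it looks like a shell script, 1 otherwise.
looks_like_shell_script() {
  [ -s "$1" ] || return 1
  head -n 1 "$1" | grep -q '^#!.*sh' || return 1
  return 0
}

# Show the script to the operator and run it only on explicit confirmation.
install_after_review() {
  script="$1"
  looks_like_shell_script "$script" || {
    echo "refusing to run $script: not a shell script" >&2
    return 1
  }
  "${PAGER:-less}" "$script"          # read the script before you run it
  printf 'Run %s now? [y/N] ' "$script"
  read -r answer
  [ "$answer" = "y" ] || { echo "aborted" >&2; return 1; }
  sh "$script"
}

# Typical use (network access required):
#   fetch_installer "$INSTALLER_URL" ./cnspec-install.sh && \
#     install_after_review ./cnspec-install.sh
```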
cnspec is an open source, cloud-native tool that assesses the security of your entire infrastructure. It scans everything and tells you where there are gaps that hackers can use to breach your systems.
Attackers rely on misconfigurations and deprioritized vulnerabilities; all they need is one entry point to compromise your entire infrastructure. cnspec finds all the security issues that welcome ransomware, data theft, and other attacks.
Security policies written in high-level code are the basis for cnspec scans. Each policy is a collection of checks against the target system. For example, a policy's checks might include:
- The system must use a secure SSL/TLS configuration.
- Multi-factor authentication must be required.
- User data must not include any secrets.
Each policy is based on standards set by the Center for Internet Security (CIS) and industry best practices. It's easy to extend or modify a policy to fit your unique needs.
You can share scan results or export them to JSON. This opens up endless possibilities for reporting and audits.
You can also create automation around cnspec to make security scanning a part of your development process or your production monitoring.
Use the cnspec scan subcommand to check local and remote targets for misconfigurations and vulnerabilities. cnspec detects the target platform and runs policy checks specific to that system.
This command evaluates the security of your local machine:
cnspec scan local
This (truncated) sample result shows the individual checks that cnspec performs according to the policy. It includes a summary of the scan with a letter grade:
✓ Pass: Disable Media Sharing
✓ Pass: Do not enable the "root" account
✓ Pass: Disable Bluetooth Sharing
✕ Fail: Enable security auditing
✓ Pass: Enable Firewall
✕ Fail: Ensure Firewall is configured to log
✓ Pass: Ensure nfs server is not running.
✓ Pass: Disable Content Caching
✕ Fail: Ensure AirDrop Is Disabled
✓ Pass: Control access to audit records
Score: A 80/100 (100% completed)
✓ Passed: ███████████ 70% (21)
✕ Failed: ███ 17% (5)
! Errors: ██ 13% (4)
» Skipped: 0% (0)
A 80 macOS Security by Mondoo
Scan remote targets
You can also specify remote targets to scan.
This example scans a docker image:
cnspec scan docker image ubuntu:22.04
This scans an aws account using the local AWS config:
cnspec scan aws
This scans a Kubernetes cluster using your local kubectl config:
cnspec scan k8s
This scans a GitHub repository:
cnspec scan github repo <org/repo>
Create a JSON report
To save the results of your scan to a JSON file, append -o json > FILENAME.json to your scan command. For FILENAME, substitute the name you want to give the file. For example, this scans a Kubernetes cluster and reports the results to a file named k8s-test-results.json:
cnspec scan k8s -o json > k8s-test-results.json
- To explore cnspec commands, read the CLI Reference.
- To learn more about policies, read Manage Policies.
- To learn what technologies cnspec integrates with, read Supported Scan Targets.