Skip to main content

Get Started with cnspec

Welcome to cnspec, an open source project created by Mondoo!

Learn about cnspec

To discover cnspec's capabilities, read What Is cnspec?

Download and install cnspec

Install cnspec with our installation script:

Linux and macOS

bash -c "$(curl -sSL"

(You can read the Linux/macOS installation script.)


Set-ExecutionPolicy Unrestricted -Scope Process -Force;
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072;
iex ((New-Object System.Net.WebClient).DownloadString(''));
Install-Mondoo -Product cnspec;

(You can read the Windows installation script.)

Installation options

Manual installation packages are available on GitHub releases.

To learn about other installation methods, versioning, and other considerations, read Extended Installation Options for cnspec.

Scan locally

Use the cnspec scan subcommand to check local and remote targets for misconfigurations and vulnerabilities. cnspec detects the target platform and runs policy checks specific to that system.

This command evaluates the security of your local machine:

cnspec scan local

This (truncated) sample result shows the individual checks that cnspec performs according to the policy. It includes a summary of the scan with a letter grade:

✓ Pass: Disable Media Sharing
✓ Pass: Do not enable the "root" account
✓ Pass: Disable Bluetooth Sharing
✕ Fail: Enable security auditing
✓ Pass: Enable Firewall
✕ Fail: Ensure Firewall is configured to log
✓ Pass: Ensure nfs server is not running.
✓ Pass: Disable Content Caching
✕ Fail: Ensure AirDrop Is Disabled
✓ Pass: Control access to audit records


Target: user-macbook-pro
Score: A 80/100 (100% completed)
✓ Passed: ███████████ 70% (21)
✕ Failed: ███ 17% (5)
! Errors: ██ 13% (4)
» Skipped: 0% (0)

A 80 macOS Security by Mondoo

Scanned 1 assets

B Stella.home

For detailed output, run this scan with "-o full".

Scan remote targets

You can also specify remote targets to scan.

This example scans a docker image:

cnspec scan docker image ubuntu:22.04

This scans an aws account using the local AWS configuration profile:

cnspec scan aws

This scans a Kubernetes cluster using your local kubectl config:

cnspec scan k8s

This scans a GitHub repository:

export GITHUB_TOKEN=<personal_access_token>
cnspec scan github repo <org/repo>

Create a JSON report

To save the results of your scan to a JSON file, append your scan command with the -o flag:

-o json > FILENAME.json

For FILENAME, substitute the name you want to give the file. For example, this scans a Kubernetes cluster and reports the results to a file named k8s-test-results.json:

cnspec scan k8s -o json > k8s-test-results.json

Save, review, and share reports with Mondoo Platform

To save, review, and share reports, sign up for a free Mondoo account. Mondoo's web-based console allows you to navigate, search, and inspect all of your reports.

To learn about more of Mondoo Platform's capabilities, visit

Learn more