Welcome to cnspec, an open source project created by Mondoo!
To discover cnspec's capabilities, read What Is cnspec?
Download and install cnspec
Install cnspec with our installation script:
Linux and macOS
bash -c "$(curl -sSL https://install.mondoo.com/sh)"
(You can read the Linux/macOS installation script.)
Windows
Set-ExecutionPolicy Unrestricted -Scope Process -Force;
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072;
iex ((New-Object System.Net.WebClient).DownloadString('https://install.mondoo.com/ps1/cnspec'));
Install-Mondoo -Product cnspec;
(You can read the Windows installation script.)
Manual installation packages are available on GitHub releases.
To learn about other installation methods, versioning, and other considerations, read Extended Installation Options for cnspec.
Use the cnspec scan subcommand to check local and remote targets for misconfigurations and vulnerabilities. cnspec detects the target platform and runs policy checks specific to that system.
This command evaluates the security of your local machine:
cnspec scan local
This (truncated) sample result shows the individual checks that cnspec performs according to the policy. It includes a summary of the scan with a letter grade:
✓ Pass: Disable Media Sharing
✓ Pass: Do not enable the "root" account
✓ Pass: Disable Bluetooth Sharing
✕ Fail: Enable security auditing
✓ Pass: Enable Firewall
✕ Fail: Ensure Firewall is configured to log
✓ Pass: Ensure nfs server is not running.
✓ Pass: Disable Content Caching
✕ Fail: Ensure AirDrop Is Disabled
✓ Pass: Control access to audit records
Score: A 80/100 (100% completed)
✓ Passed: ███████████ 70% (21)
✕ Failed: ███ 17% (5)
! Errors: ██ 13% (4)
» Skipped: 0% (0)
A 80 macOS Security by Mondoo
Scanned 1 assets
For detailed output, run this scan with "-o full".
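To act on this summary from a script, the following added example (not part of the cnspec documentation or Mondoo's code) lists the failed checks and gates on the score. It assumes the plain-text layout of the sample above with no colour codes; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not cnspec code): triage the plain-text `cnspec scan` summary.
# Assumes the layout of the sample on this page, without ANSI colour codes.

# Sample input: an abridged copy of the truncated result shown above.
sample_report() {
cat <<'EOF'
✓ Pass: Disable Media Sharing
✕ Fail: Enable security auditing
✓ Pass: Enable Firewall
✕ Fail: Ensure Firewall is configured to log
✕ Fail: Ensure AirDrop Is Disabled
Score: A 80/100 (100% completed)
✕ Failed: ███ 17% (5)
EOF
}

# Print the name of every failed check, one per line.
# " Fail: " does not match the "Failed:" summary bar, so that line is skipped.
failed_checks() {
  awk '{ i = index($0, " Fail: "); if (i) print substr($0, i + 7) }'
}

# Print the numeric score from the "Score:" line (prints nothing if absent).
report_score() {
  awk '$1 == "Score:" { split($3, s, "/"); print s[1]; exit }'
}

# Succeed only if a score is present and is at least the threshold in $1.
# A missing or malformed score returns 2 (fails closed), so an empty or
# crashed scan is never treated as a pass.
score_gate() {
  min=$1
  score=$(report_score)
  case $score in
    ''|*[!0-9]*) return 2 ;;
  esac
  [ "$score" -ge "$min" ]
}

# Demo on the sample: list the failures, then gate at a threshold of 90.
sample_report | failed_checks
sample_report | score_gate 90 || echo "score below threshold" >&2
```

On a real run, pipe the scan output into the same functions, for example `cnspec scan local | score_gate 80`.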
View and share a scan report in a web browser
After cnspec finishes the scan and returns command-line results, it prompts:
Do you want to view or share these scan results in a browser using
Mondoo's reporting service?" [Y/n]
Enter y to tell cnspec to make your scan results available in a report that you and others can access using a web browser. cnspec provides a unique URL for your report.
To learn more, read View and Share a Scan Report in a Web Browser.
Scan remote targets
You can also specify remote targets to scan.
This example scans a Docker image:
cnspec scan docker image ubuntu:22.04
This scans an AWS account using the local AWS config:
cnspec scan aws
This scans a Kubernetes cluster using your local kubectl config:
cnspec scan k8s
This scans a GitHub repository:
cnspec scan github repo <org/repo>
Create a JSON report
To save the results of your scan to a JSON file, append this to your scan command:
-o json > FILENAME.json
For FILENAME, substitute the name you want to give the file. For example, this scans a Kubernetes cluster and reports the results to a file named k8s-test-results.json:
cnspec scan k8s -o json > k8s-test-results.json
Save, review, and share reports with Mondoo Platform
To save, review, and share reports, sign up for a free Mondoo account. Mondoo's web-based console allows you to navigate, search, and inspect all of your reports.
To learn about more of Mondoo Platform's capabilities, visit mondoo.com.
To learn how to sign up for a free Mondoo account and register cnspec, read Log into Mondoo Platform for More Capabilities.
To get started with AWS, read Assess AWS Security.
To get started with Google Cloud, read Assess Google Cloud Security.
To get started with Kubernetes, read Assess Kubernetes Security.
To explore cnspec commands, read the CLI Reference.
To learn more about policies, read Manage Policies.
To learn how to structure and build your own policies, read the Mondoo Policy Authoring Guide.
To learn what technologies cnspec integrates with, read Supported Scan Targets.