Manage Policies with cnspec

Use cnspec commands to create, validate, and manage policies. You can run policies locally or store and share them using Mondoo Platform. To learn about policies and policy bundles, read About Policies.

Connect cnspec to Mondoo Platform

The easiest way to scale cnspec across your infrastructure is to have every asset pull its policies from a central location. Mondoo Platform provides a secure, multi-tenant environment for managing policies and scan results across your fleet.

To connect cnspec to Mondoo Platform, run:

cnspec login

Once authenticated, every scan reports to both standard output and Mondoo Platform:

cnspec scan <target>

Create a policy bundle

Generate a starter bundle with example checks and queries:

cnspec policy init example.mql.yaml

To learn how to modify existing policies or write your own, read the Policy Authoring Guide. You can also find open source policy bundles in Community Policies.

Format and validate a policy bundle

Apply consistent style formatting to a bundle:

cnspec policy format example.mql.yaml

Then lint the bundle to make sure it compiles, every MQL query parses, and every UID reference resolves:

cnspec policy lint example.mql.yaml

For CI integration, output lint results as SARIF:

cnspec policy lint example.mql.yaml --output sarif --output-file results.sarif

Upload policies to Mondoo Platform

With a Mondoo Platform account, you can upload a policy so it's available to every space in your organization:

cnspec policy upload mypolicy.mql.yaml

Policy commands reference