Quickstart

Install cnspec and run your first security scan in minutes. Scan a system, read the results, and explore your infrastructure with MQL.

This quickstart takes you from zero to your first security report in a few minutes. You'll install cnspec, scan the machine you're working on, learn how to read the results, and explore your system interactively with MQL.

You don't need a Mondoo Platform account to follow along. Everything here runs entirely from the command line.

Step 1: Install cnspec

Install cnspec with the automated script for your operating system.

Linux and macOS:

bash -c "$(curl -sSL https://install.mondoo.com/sh)"

Windows (PowerShell):

Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://install.mondoo.com/ps1/cnspec')); Install-Mondoo -Product cnspec;

Confirm the install:

cnspec version

Prefer a package manager, the MSI installer, Homebrew, or a standalone binary? See the Installation Overview for every install method and system requirements.

Step 2: Run your first scan

Point cnspec at the local machine and let it pick the right policy automatically:

cnspec scan local

cnspec detects the operating system, downloads the matching security policy, and evaluates your system against every check in that policy. The first scan takes a moment while cnspec installs the provider it needs.

cnspec ships with policies based on Center for Internet Security (CIS) benchmarks and other industry standards. When you run cnspec scan local, it selects and applies the policies that fit the detected platform, so you get a meaningful report with no configuration.

Step 3: Read the results

When the scan finishes, cnspec prints a report. Three things tell you what happened:

  1. Each check shows a pass or fail result. A check verifies one specific requirement, such as whether SSH root login is disabled.

    ✓ Pass:  Ensure SSH root login is disabled
✕ Fail:  Ensure IP forwarding is disabled
✓ Pass:  Ensure no user has an empty password

  2. Failed checks include remediation guidance. cnspec explains why the check matters and how to fix it.

  3. An overall score from 0 to 100 summarizes the asset's posture. A score of 100 means every check passed.

Want more or less detail? Add the -o flag to change the output format. For example, -o full prints every check with its description and remediation, and -o summary prints just the scores:

cnspec scan local -o full

cnspec can also write results as JSON, YAML, JUnit, and SARIF for CI/CD pipelines. To learn about every output format and how to send results to a file or queue, read Report Results.

Step 4: Explore your system with MQL

A scan answers "Is my system secure?" The cnspec shell answers "What is true about my system right now?" It opens an interactive session where you query any asset using MQL (Mondoo Query Language).

Open a shell against the local machine:

cnspec shell local

Inside the shell, ask questions about the system. List every user and whether the account is enabled:

cnspec> users { name uid enabled }

Check a specific setting, such as whether SSH root login is disabled:

cnspec> sshd.config.params["PermitRootLogin"] == "no"
[ok] value: "no"

Type help to list the resources you can query, or exit to leave the shell. The same MQL you prototype here becomes the checks in a policy.

To run a single query without opening a shell, use cnspec run local -c "QUERY". To learn more, read Query Your Infrastructure.

Step 5: Scan something real

local is just the start. cnspec scans cloud accounts, Kubernetes clusters, SaaS platforms, network devices, and more, without installing an agent on the target. Pick what you want to secure:

A cloud account

Scan AWS, Azure, Google Cloud, Kubernetes, and more.

An operating system

Scan Linux, Windows, and macOS hosts, locally or over SSH.

A SaaS platform

Scan GitHub, Microsoft 365, Google Workspace, Okta, and more.

Your supply chain

Scan containers, Dockerfiles, Terraform, and Kubernetes manifests.

For the complete list of everything cnspec can scan, see Supported Scan Targets.

Where to go next

Now that you've run a scan, here's how to go deeper:

Understand policies

Learn how policies define what cnspec checks, and how policy as code works.

Connect to Mondoo Platform

Register cnspec to track posture over time, manage findings, and scan continuously.

Write your own policies

Turn the queries you prototype in the shell into custom checks and policies.

Scan many assets at once

Use an inventory file to scan your whole fleet with a single command.

cnspec Docs Home

cnspec is an open source, cloud-native tool for securing and exploring your entire infrastructure with MQL.

Installation Overview

Install cnspec, register it with Mondoo Platform, and roll it out across your infrastructure.

On this page

Step 1: Install cnspecStep 2: Run your first scanStep 3: Read the resultsStep 4: Explore your system with MQLStep 5: Scan something realWhere to go next