Report Results
Control how cnspec reports scan results, including terminal output formats, JSON, YAML, JUnit, and SARIF for CI/CD integration.
cnspec writes scan results to your terminal by default. Use the -o (or --output) flag to choose a different format, and --output-target to send results to a file or message queue instead of standard output.
cnspec scan local -o FORMATTerminal formats
These formats are designed for reading directly in the terminal.
compact (default)
A condensed view of each policy with pass/fail counts and an overall score:
cnspec scan localfull
Every check, control, data point, risk factor, and vulnerability, with descriptions and remediation guidance for each finding:
cnspec scan local -o fullsummary
A one-line score per policy, with no per-check detail:
cnspec scan local -o summaryreport
A structured, printable report ideal for sharing with stakeholders:
cnspec scan local -o reportCustomize what's printed
You can refine any terminal format by appending one or more modifiers, separated by commas. Prefix any modifier with no to hide that section.
| Modifier | Effect |
|---|---|
checks / nochecks | Show or hide individual policy checks |
controls / nocontrols | Show or hide compliance controls |
data / nodata | Show or hide raw data queries |
risks / norisks | Show or hide risk factors |
vulns / novulns | Show or hide vulnerabilities |
For example, to print a compact report without data queries or controls:
cnspec scan local -o compact,nodata,nocontrolsTo print the full format but suppress vulnerabilities:
cnspec scan local -o full,novulnsMachine-readable formats
These formats are useful for automation, scripting, and integration with other tools.
json
Exports results as JSON. Use shell redirection to save to a file:
cnspec scan local -o json > results.jsonFor example, to scan a Kubernetes cluster and save the results:
cnspec scan k8s -o json > k8s-results.jsonyaml
Exports results as YAML:
cnspec scan local -o yaml > results.yamlCI/CD integration
junit
Exports results in JUnit XML format, which most CI/CD platforms (GitHub Actions, GitLab CI, Jenkins, CircleCI) can parse to display test results:
cnspec scan local -o junit > results.xmlsarif
Exports results in SARIF (Static Analysis Results Interchange Format) 2.1.0, which integrates with tools like GitHub Code Scanning and VS Code SARIF Viewer:
cnspec scan local -o sarif > results.sarifEach scanned asset produces a separate SARIF run. cnspec maps scores to SARIF severity levels: a score of 100 is a pass, 50-99 is a warning, and below 50 is an error.
Send results to a file or queue
As an alternative to shell redirection, the --output-target flag writes results directly to a destination. cnspec auto-detects the destination type from the value you pass:
Local file:
cnspec scan local -o json --output-target results.jsonYou can also use a file:// URL:
cnspec scan local -o json --output-target file:///var/log/cnspec/results.jsonAWS SQS queue:
cnspec scan local -o json --output-target https://sqs.us-east-1.amazonaws.com/123456789/my-queueAzure Service Bus topic or queue:
cnspec scan local -o json --output-target https://my-bus.servicebus.windows.net/my-topicAWS SQS and Azure Service Bus targets accept only json-v1, json-v2, yaml-v1, or yaml-v2.
Terminal formats and SARIF/JUnit can't be sent to a queue.
CSV (vulnerabilities only)
The csv format is supported only for vulnerability reports produced by cnspec vuln, not for policy scans:
cnspec vuln local -o csv > vulnerabilities.csvThe output lists each affected package with its score, installed version, fixed version, available version, advisory, and CVE list.
View results in the Mondoo Console
When cnspec completes a registered scan, it prints a link to the Mondoo Console, where you can explore graphical results.
You must register cnspec to see results in the Mondoo Console. To learn more, read Register cnspec with Mondoo Platform.
To open a printer-friendly view in a new browser tab, select the print icon near the top-right corner of the Mondoo Console.