Skip to main content

Mondoo maintains an open source plugin for HashiCorp Packer for securing and validating machine images.

Install Packer Plugin cnspec

Using the packer init command

Starting from version 1.7, Packer supports a new packer init command allowing automatic installation of Packer plugins. Read the Packer documentation for more information.

To install this plugin, copy and paste this code into your Packer configuration . Then, run packer init.

packer {
required_plugins {
mondoo = {
version = ">= 0.3.0"
source = ""

Manual installation

You can find pre-built binary releases of the plugin here.

Once you have downloaded the latest archive corresponding to your target OS, uncompress it to retrieve the plugin binary file corresponding to your platform. To install the plugin, please follow the Packer documentation on installing a plugin.

Build from source

If you prefer to build the plugin from sources, clone the GitHub repository locally and run the command go build from the root directory. Upon successful compilation, a packer-plugin-cnspec plugin binary file can be found in the root directory. To install the compiled plugin, please follow the official Packer documentation on installing a plugin.


annotationsCustom annotations can be applied to Packer build assets to provide additional metadata for asset of stringsNoneNo
asset_nameOverwrite the asset name in Mondoo Platform.stringNoneNo
on_failureSet on_failure = "continue" to ignore build failures that do not meet any set score_threshold.stringNoneNo
score_thresholdSet a score threshold for Packer builds [0-100]. Any scans that fall below the score_threshold will fail unless on_failure = "continue".intNoneNo
sudoUse sudo to elevate permissions when running scans.boolNoneNo
mondoo_config_pathThe path to the configuration to be used when running Mondoo scans. If left empty, cnspec tries to determine the config automatically.stringNoneNo

Example: Complete configuration

  provisioner "mondoo" {
on_failure = "continue"
score_threshold = 85
mondoo_config_path = "/etc/mondoo-config.json"
asset_name = "example-secure-base-image"
sudo {
active = true

annotations = {
Source_AMI = "{{ .SourceAMI }}"
Creation_Date = "{{ .SourceAMICreationDate }}"

Learn more