Mondoo
Docs
Write Custom Policies

Create Checks in cnspec Shell

Use cnspec's interactive shell to learn about checks

cnspec provides an interactive shell in which you can explore. The shell helps you understand the checks that cnspec policies use, and write your own as well. It's also a great way to interact with both local and remote targets on the fly.

Run the shell:

cnspec shell local

The shell provides a help command to get information about the resources that power cnspec. Running help without any arguments lists every available MQL resource and its fields. Run help RESOURCE for details on a specific resource. For example:

cnspec> help ports

Returns this help:

ports:              TCP/IP ports on the system
  list []port:      All ports in use by processes (both listening and non-listening)
  listening []port: All listening ports

The shell also features auto-complete, which makes it easy to explore.

Once inside the shell, you can enter MQL queries to live test against your system. For example:

ports.listening.none( port == 23 )

To clear the terminal, type clear.

To exit the cnspec shell, press Ctrl + D or type exit.

Learn more

Make Policies Flexible with Variants

Use variants to change what a policy checks based on different conditions

Migrate from Trivy

A practical guide for migrating from Aqua Trivy to cnspec, covering container scanning, IaC, Kubernetes, CI/CD, and custom policies.

On this page

Learn more