Mondoo Docs
Integrate Your AssetsServers and EndpointsDeployment Automation

Secrets Management

Learn how you can use secrets managers such as HashiCorp Vault, Google Cloud Secrets Manager, and AWS Secrets Manager with Mondoo.

In order to facilitate SSH scanning to a fleet of instances, Mondoo integrates with several vault systems:

  • AWS Secrets Manager
  • AWS SSM Parameter Store
  • Google Cloud Secrets Manager
  • HashiCorp Vault
  • macOS Keychain
  • Windows credential store
  • SystemD Secret Service
  • Encrypted File

HashiCorp Vault

Write a secret to the Create vault secret:

vault kv put secret/vcenter/mondoo-read password="< password >" type="password" user="mondoo-read@vsphere.local"

Create an inventory yaml file with HashiCorp Vault:

inventory.yml
apiVersion: v1
kind: Inventory
metadata:
  name: mondoo-inventory
  labels:
    environment: production
spec:
  assets:
    - name:
      connections:
        - type: vsphere
          host: < ip of the ESXi or vCenter >
          insecure: true
          credentials:
            - secret_id: vcenter/mondoo-read
          discover:
            targets:
              - auto
      annotations:
        Owner: patrick@mondoo.com
  vault:
    name: cnspec-hashivault
    type: hashicorp-vault
    options:
      url: < Url to vault >
      token: < Token >

Encrypted file

Configure cnspec's vault to use the keyring cnspec-client-vault for secrets:

cnspec vault configure mondoo-client-vault --type encrypted-file --option=password='changeme' --option path='/etc/opt/mondoo/vault.enc'

This outputs the following configuration:

spec:
  vault:
    name: mondoo-client-vault
    options:
      password: changeme
      path: /etc/opt/mondoo/vault.enc
    type: encrypted-file

Create an inventory yaml file with Linux Vault:

apiVersion: v1
kind: Inventory
metadata:
  name: cnspec-inventory
  labels:
    environment: production
spec:
  assets:
    - name:
      connections:
        - type: vsphere
          host: < ip of the ESXi or vCenter >
          insecure: true
          credentials:
            - secret_id: vcenter
          discover:
            targets:
              - auto
  vault:
    name: mondoo-client-vault
    options:
      password: changeme
      path: /etc/opt/mondoo/vault.enc
    type: encrypted-file

Add a secret for a VMware vSphere API to the encrypted file vault:

sudo cnspec vault add-secret vcenter '{ "type": "password",   "user": "chris@vsphere.local", "password": "password" }' --inventory-file /etc/opt/mondoo/inventory.yml

cloud-init and Mondoo

This page covers how to use cloud-init to install cnspec on hosts to run policies as code.

Software Supply Chain Security with Mondoo

This page provides an overview of how to use Mondoo for software supply chain security.

On this page

HashiCorp VaultEncrypted file