Mondoo
Docs
Asset Intelligence

Annotate Assets

Tag assets with custom key-value metadata so you can group, filter, and search them.

A Mondoo annotation is a key-value pair you attach to an asset. Annotations let you record the things Mondoo can't discover on its own, such as owner, team, project, ticket number, or physical asset tag, so you can group and find assets later.

Common examples:

KeyValue
ownercosmo@lunalectric.com
team01research
buildterraform
asset-tagluna000262

Some keys you'll use the same value for across many assets (build: terraform). Others get a unique value per asset (asset-tag: luna000262).

Annotations show up on the asset page in the Mondoo App, get included when you export data, and are indexed by search so you can find assets by their annotations.

Annotations are metadata you add in Mondoo. They aren't the same as AWS tags, Kubernetes labels, or other metadata Mondoo collects from the asset itself. Those show up separately.

Add or edit annotations in the Mondoo App

Only team members with Editor or Owner access can change annotations.

  1. In the Mondoo App, navigate to the asset you want to annotate.

  2. On the asset page, scroll to the MONDOO ANNOTATIONS card in the bottom-right.

    Find MONDOO ANNOTATIONS on the Mondoo asset page

  3. To add an annotation, select the + icon, enter a key and value, then select the check mark.

    Add an annotation to a Mondoo asset

  4. To change or remove an annotation, select the pencil icon next to it. Edit the key or value and confirm with the check mark, or select the trash can to delete the annotation.

    Annotation on a Mondoo asset

Add annotations when scanning with cnspec

If you're scanning assets with cnspec from a CI/CD pipeline, a workstation, or a server, you can set annotations at scan time instead of clicking through the UI.

From the command line

Pass --annotation key=value to cnspec scan:

cnspec scan local --annotation asset-tag=luna000264

You can pass the flag multiple times to add multiple annotations.

From the local Mondoo configuration

Add an annotations block to the local mondoo.yml config on the asset. Every scan from that asset picks up the annotations.

On Linux or macOS, the file lives at:

  • /etc/opt/mondoo/mondoo.yml (applies to every user on the host)
  • ~/.config/mondoo/mondoo.yml (applies to one user)

On Windows:

  • C:\ProgramData\mondoo\mondoo.yml (applies to every user)
  • C:\Users\{username}\.config\mondoo\mondoo.yml (applies to one user)
annotations:
  team: research
  owner: cosmo@lunalectric.com

From a cnspec inventory file or template

A cnspec inventory file lists the assets to scan. You can attach annotations to each asset in that file:

spec:
  assets:
    - name: web-prod-1
      connections:
        - type: local
      annotations:
        project: mars-rover

For CI/CD pipelines, an inventory template lets you pull values from environment variables so one file works for many runs:

spec:
  assets:
    - name: { { getenv "ASSET_NAME" } }
      connections:
        - type: local
          discover:
            targets:
              - auto
      annotations:
        project: { { getenv "PROJECT" } }

Run the scan with the variables set:

ASSET_NAME="web-prod-1" PROJECT="mars-rover" cnspec scan --inventory-template template.yaml

Search Your Inventory

Find assets, CVEs, checks, and vendor advisories anywhere in your Mondoo organization with full-text search.

Overview

Manage Mondoo access, alerting, logging, and account settings.

On this page

Add or edit annotations in the Mondoo AppAdd annotations when scanning with cnspecFrom the command lineFrom the local Mondoo configurationFrom a cnspec inventory file or templateRelated