# Mondoo Documentation > Mondoo is a security and compliance platform that provides full-stack > infrastructure security, vulnerability management, and compliance auditing. - [Full documentation](https://mondoo.com/docs/llms-full.txt) ## Platform ### Get Started - [What Is Mondoo?](https://mondoo.com/docs/start/what-is-mondoo): Mondoo finds, prioritizes, and resolves the vulnerabilities and misconfigurations that put your business at risk across cloud, Kubernetes, containers, servers, SaaS, network devices, and your SDLC. - [Quickstart](https://mondoo.com/docs/start/quickstart): Go from a new Mondoo account to your first prioritized security findings in about 15 minutes. Create a space, connect one asset, and see what needs fixing. - [Core Concepts](https://mondoo.com/docs/start/concepts): The handful of concepts that appear everywhere in Mondoo. Learn what an asset, policy, check, finding, and risk score are, and which Mondoo tool to use for what. #### Plan Your Mondoo Organization - [Overview](https://mondoo.com/docs/start/organize/overview): Plan how to structure your assets in Mondoo using regions, organizations, spaces, and workspaces. - [Regions](https://mondoo.com/docs/start/organize/regions): Choose US or EU regions in Mondoo to meet localized data protection requirements like GDPR. - [Organizations](https://mondoo.com/docs/start/organize/organizations): Group spaces together and manage team member access using Mondoo organizations. - [Spaces](https://mondoo.com/docs/start/organize/spaces): Organize assets, policies, and reports into spaces to manage team access, security models, and compliance requirements. - [Workspaces](https://mondoo.com/docs/start/organize/workspaces): Group the assets you want to monitor together using simple rules like platform, risk rating, tags, and more. Mondoo keeps the view up to date as your inventory changes. - [Navigate the Mondoo App](https://mondoo.com/docs/start/navigate): Learn how to navigate the Mondoo App to access regions, organizations, spaces, workspaces, and security tasks. ### Integrate Your Assets - [Overview](https://mondoo.com/docs/infra/overview): Connect the assets in your infrastructure to Mondoo so it can continuously assess their security and compliance. #### Cloud - [Overview](https://mondoo.com/docs/infra/cloud/overview): Secure your cloud infrastructure by scanning AWS, Azure, GCP, Kubernetes, OCI, and VMware for misconfigurations and vulnerabilities. ##### AWS - [Overview](https://mondoo.com/docs/infra/cloud/aws/overview): Secure your AWS environment by continuously scanning EC2, EKS, S3, IAM, and more for misconfigurations and vulnerabilities. - [Scan Continuously](https://mondoo.com/docs/infra/cloud/aws/aws-integration-scan): Choose between the Mondoo-hosted AWS integration and the serverless AWS integration for continuous account scanning. ###### Mondoo-Hosted - [Scan Continuously (Hosted)](https://mondoo.com/docs/infra/cloud/aws/hosted/integration-hosted): Configure the Mondoo-hosted AWS integration to continuously scan your AWS accounts and EC2 instances using Workload Identity Federation or an AWS access key. ###### Serverless - [Scan Continuously (Serverless)](https://mondoo.com/docs/infra/cloud/aws/lambda/integration-lambda): Deploy the Mondoo serverless AWS integration for continuous scanning of your AWS accounts and EC2 instances. - [Cross-Account Scanning](https://mondoo.com/docs/infra/cloud/aws/lambda/cross-account-scanning): Configure the Mondoo serverless AWS integration to scan many AWS accounts from a single hub account using a read-only cross-account IAM role. - [Serverless Integration FAQ](https://mondoo.com/docs/infra/cloud/aws/lambda/aws-integration-faq): Understand how the Mondoo serverless AWS integration works, including resources created, required permissions, communication, and cost. - [Serverless Integration Troubleshooting](https://mondoo.com/docs/infra/cloud/aws/lambda/aws-integration-troubleshooting): Debug deployment, scanning, and update issues for the Mondoo serverless AWS integration. ##### Azure - [Overview](https://mondoo.com/docs/infra/cloud/azure/overview): Secure your Azure subscriptions by continuously scanning compute, databases, networks, and more for misconfigurations and vulnerabilities. - [Automatically Set Up Continuous Scanning](https://mondoo.com/docs/infra/cloud/azure/azure-integration-scan-subscription): Use the automated setup to configure the Mondoo Azure integration to scan Azure subscriptions - [Test or Troubleshoot](https://mondoo.com/docs/infra/cloud/azure/troubleshoot): Troubleshoot a Mondoo Azure integration by scanning from cnspec to isolate certificate, secret, and app registration issues. ##### GCP - [Overview](https://mondoo.com/docs/infra/cloud/gcp/overview): Secure your GCP projects by continuously scanning compute, GKE, Pub/Sub, and more for misconfigurations and vulnerabilities. - [Scan Continuously](https://mondoo.com/docs/infra/cloud/gcp/gcp-integration-scan): Configure the Mondoo GCP integration to continuously scan your Google Cloud projects and resources using Workload Identity Federation or a service account key. ##### Kubernetes - [Overview](https://mondoo.com/docs/infra/cloud/kubernetes/overview): Secure your Kubernetes clusters by scanning nodes, workloads, and images for misconfigurations and vulnerabilities. - [Scan Continuously](https://mondoo.com/docs/infra/cloud/kubernetes/scan-kubernetes-with-operator): Deploy the Mondoo Kubernetes Operator to continuously scan clusters, nodes, and workloads for security misconfigurations. - [Scan External Clusters](https://mondoo.com/docs/infra/cloud/kubernetes/scan-external-clusters): Use the Mondoo Kubernetes Operator to scan remote clusters without installing the operator on each one. - [Oracle Cloud Infrastructure (OCI)](https://mondoo.com/docs/infra/cloud/oci): Continuously secure your Oracle Cloud Infrastructure (OCI) tenancy with Mondoo. - [VMware](https://mondoo.com/docs/infra/cloud/vmware): Continuously assess VMware vSphere and ESXi hosts for security vulnerabilities and misconfigurations. #### SaaS - [Overview](https://mondoo.com/docs/infra/saas/overview): Continuously scan GitHub, GitLab, Google Workspace, Microsoft 365, Okta, and Slack for misconfigurations and security issues. - [GitHub](https://mondoo.com/docs/infra/saas/github): Continuously scan GitHub organizations and repositories for misconfigurations and vulnerabilities. - [GitLab](https://mondoo.com/docs/infra/saas/gitlab): Continuously scan GitLab groups for misconfigurations and vulnerabilities. - [Overview](https://mondoo.com/docs/infra/saas/google_workspace): Continuously scan Google Workspace for security misconfigurations using a GCP service account with domain-wide delegation. ##### Microsoft 365 - [Overview](https://mondoo.com/docs/infra/saas/m365/overview): Continuously scan Microsoft 365 for security misconfigurations across Exchange Online, SharePoint, Teams, OneDrive, and more. - [Automatically Set Up Continuous Scanning](https://mondoo.com/docs/infra/saas/m365/m365-auto): Use the automated setup to configure the Mondoo Microsoft 365 integration via a generated command in Azure Cloud Shell. - [Manual Setup - Continuous Scanning](https://mondoo.com/docs/infra/saas/m365/m365-manual): Manually register the Azure app and configure the Mondoo Microsoft 365 integration. - [Test and Troubleshoot](https://mondoo.com/docs/infra/saas/m365/troubleshoot): Test configuration of the Mondoo Microsoft 365 integration. - [Okta](https://mondoo.com/docs/infra/saas/okta): Continuously scan Okta for misconfigurations and security issues. - [Slack](https://mondoo.com/docs/infra/saas/slack): Continuously scan a Slack workspace for misconfigurations and security issues. #### Networking - [Overview](https://mondoo.com/docs/infra/networking/overview): Continuously scan public-facing hosts for SSL/TLS, HTTP header, and other network security misconfigurations. - [Secure a Domain or IP Address](https://mondoo.com/docs/infra/networking/domain-ip): Continuously scan a domain or IP address for HTTP or HTTPS security best practices. - [Secure a Host with Shodan](https://mondoo.com/docs/infra/networking/shodan): Use Mondoo with Shodan to monitor domains and IP addresses for exposed resources. #### Servers and Endpoints - [Overview](https://mondoo.com/docs/infra/opsys/overview): Continuously scan Linux, macOS, Windows, AIX, and FreeBSD systems with cnspec, Mondoo's cross-platform CLI. - [Mondoo and cnspec](https://mondoo.com/docs/infra/opsys/mondoo-cnspec): Learn how cnspec evaluates systems to expose misconfigurations and vulnerabilities across your infrastructure. ##### Deployment Automation - [Overview](https://mondoo.com/docs/infra/opsys/automation/overview): Deploy cnspec across your servers and endpoints with the automation tools you already use. - [Ansible](https://mondoo.com/docs/infra/opsys/automation/ansible): How to use Ansible with Mondoo to scan your Windows and Linux hosts for security misconfigurations and vulnerabilities. - [Chef Infra](https://mondoo.com/docs/infra/opsys/automation/chef): Deploy cnspec across your infrastructure using Chef Infra to automate security scanning. - [cloud-init](https://mondoo.com/docs/infra/opsys/automation/cloudinit): Use cloud-init to install and register cnspec automatically when instances launch. - [Secrets Management](https://mondoo.com/docs/infra/opsys/automation/vault): Learn how you can use secrets managers such as HashiCorp Vault, Google Cloud Secrets Manager, and AWS Secrets Manager with Mondoo. #### Supply Chain - [Overview](https://mondoo.com/docs/infra/supply/overview): Catch security issues in CI/CD, build pipelines, and container registries before they reach production. ##### CI/CD Platforms - [Overview](https://mondoo.com/docs/infra/supply/cicd/overview): Integrate Mondoo with major CI/CD platforms to catch security issues before they reach production. - [Azure Pipelines](https://mondoo.com/docs/infra/supply/cicd/azure-pipelines): Integrate Mondoo with Azure Pipelines to scan Kubernetes manifests, Terraform, and Docker images during builds. - [CircleCI](https://mondoo.com/docs/infra/supply/cicd/circleci): Integrate Mondoo with CircleCI to scan Kubernetes manifests, Terraform, and Docker images during builds. - [GitHub Actions](https://mondoo.com/docs/infra/supply/cicd/github-actions): Use the Mondoo GitHub Action to scan infrastructure code and containers for security issues in CI/CD workflows. - [GitLab CI/CD](https://mondoo.com/docs/infra/supply/cicd/gitlab): Integrate Mondoo security scans into GitLab CI/CD pipelines to catch issues before deployment. - [Jenkins](https://mondoo.com/docs/infra/supply/cicd/jenkins): Integrate Mondoo with Jenkins and CloudBees CI to scan infrastructure code and container images. #### External Security Data - [Overview](https://mondoo.com/docs/infra/imports/overview): Pull findings from CrowdStrike, Microsoft Defender, and SentinelOne into Mondoo alongside your own scan results. - [CrowdStrike Falcon](https://mondoo.com/docs/infra/imports/crowdstrike): Import CrowdStrike Falcon Spotlight findings into Mondoo alongside your own scan results. - [Microsoft Defender for Cloud](https://mondoo.com/docs/infra/imports/defender): Import Microsoft Defender for Cloud findings into Mondoo alongside your own scan results. ### Asset Intelligence - [Overview](https://mondoo.com/docs/intel/overview): Discover, inventory, search, and annotate every asset in your infrastructure with Mondoo. - [Inventory Your Assets](https://mondoo.com/docs/intel/inventory): View the assets Mondoo has discovered and enable query packs to collect extra configuration data. - [Search Your Inventory](https://mondoo.com/docs/intel/search): Find assets, CVEs, checks, and vendor advisories anywhere in your Mondoo organization with full-text search. - [Annotate Assets](https://mondoo.com/docs/intel/annotations): Tag assets with custom key-value metadata so you can group, filter, and search them. ### Security - [Overview](https://mondoo.com/docs/security/overview): Mondoo continuously assesses your infrastructure and tells you, in priority order, what to fix first. #### Assess & Improve Security - [Overview](https://mondoo.com/docs/security/posture/overview): Use Mondoo to continuously assess and improve your security posture. ##### Understand & Act - [How Mondoo Works](https://mondoo.com/docs/security/posture/pac): The four core concepts Mondoo uses to evaluate security: policies, checks, findings, and risk scores. - [Monitor Your Infrastructure](https://mondoo.com/docs/security/posture/monitor): Where to view security in the Mondoo App using the org overview, space dashboard, and asset detail views. ##### Initiatives - [Initiatives](https://mondoo.com/docs/security/posture/initiatives) - [Space Risk Score](https://mondoo.com/docs/security/posture/initiatives/understanding-space-risk-score) - [Risk Reduction](https://mondoo.com/docs/security/posture/initiatives/how-risk-reduction-is-calculated) - [Effort](https://mondoo.com/docs/security/posture/initiatives/how-effort-is-calculated) ##### Findings & Scoring - [Prioritize Findings](https://mondoo.com/docs/security/posture/findings): How Mondoo turns each finding into a 0-100 risk score that drives prioritization. - [Risk Dimensions](https://mondoo.com/docs/security/posture/risk-dimensions): How Mondoo adjusts finding severity based on real-world asset context across five dimensions: attack surface, blast radius, business priority, exploitability, and news. - [Asset and Space Scores](https://mondoo.com/docs/security/posture/asset-score): How Mondoo rolls up individual finding scores into asset risk scores and space risk scores. ##### Policies & Vulnerabilities - [Manage Policies](https://mondoo.com/docs/security/posture/policies): Enable, disable, and preview the security policies Mondoo uses to evaluate a space. - [Vulnerabilities (CVEs)](https://mondoo.com/docs/security/posture/vulnerabilities): Find known vulnerabilities (CVEs) in your infrastructure and use Mondoo's scoring to prioritize fixes. - [Vendor Advisories](https://mondoo.com/docs/security/posture/advisories): Find vendor security advisories that affect your infrastructure and prioritize using Mondoo's risk scoring. #### Customize Security - [Overview](https://mondoo.com/docs/security/customize/overview): Tailor Mondoo's scoring, exceptions, properties, and risk dimensions to your organization's priorities. ##### Exceptions for Findings - [Overview](https://mondoo.com/docs/security/customize/exceptions/overview): Use exceptions to acknowledge findings without letting them clutter your priorities. - [Set Exceptions on Asset Findings](https://mondoo.com/docs/security/customize/exceptions/asset-findings): Set exceptions on findings (checks, CVEs, or advisories) on a single asset. - [Set Exceptions on Policies](https://mondoo.com/docs/security/customize/exceptions/policies): Add, approve, reject, and remove exceptions for checks across a whole space. - [Change Check Properties](https://mondoo.com/docs/security/customize/props): Override the values that policy checks compare against. - [Change a Policy's Scoring System](https://mondoo.com/docs/security/customize/score): Change how a policy combines check results into an asset risk score within a space. - [Configure Risk Dimensions](https://mondoo.com/docs/security/customize/risk): Adjust how much each risk dimension influences scores, disable dimensions, and add custom detections. ### Compliance - [Overview](https://mondoo.com/docs/compliance/overview): Use Mondoo to continuously assess and prove your compliance with major frameworks. #### Monitor Compliance - [Enable Frameworks](https://mondoo.com/docs/compliance/monitor/frameworks): Enable compliance frameworks in Mondoo so it monitors your infrastructure against SOC 2, HIPAA, PCI DSS, and other standards. - [Gather Evidence](https://mondoo.com/docs/compliance/monitor/progress): View compliance progress, drill into controls and assets, and generate PDF reports for auditors. #### Customize Compliance - [Overview](https://mondoo.com/docs/compliance/customize/overview): Tailor Mondoo's compliance assessment to your audit by setting scope, defining exceptions, and adjusting the approval workflow. - [Define Scope](https://mondoo.com/docs/compliance/customize/scope): Set controls out of scope to exclude them from your compliance score and from generated reports. - [Set Exceptions on Controls](https://mondoo.com/docs/compliance/customize/exceptions): Add, approve, reject, and remove exceptions on compliance controls. - [Set Exceptions on Checks](https://mondoo.com/docs/compliance/customize/exceptions-checks): Add, approve, reject, and remove exceptions on individual checks within a compliance control. ### Track and Fix Findings - [Overview](https://mondoo.com/docs/ticketing/overview): Connect Mondoo to Jira, GitHub, GitLab, Zendesk, or Azure DevOps to create and track security remediation findings. - [Security Pipeline](https://mondoo.com/docs/ticketing/security-pipeline): Automated patching that delivers fixes as pull requests in your git repository, so your existing review process stays in control. #### Connect a Ticketing System - [Set up Ticketing and Azure DevOps](https://mondoo.com/docs/ticketing/setup-azuredevops): Connect Mondoo to Azure DevOps to create security remediation work items directly from the Mondoo App. - [Set up Ticketing and GitHub Issues](https://mondoo.com/docs/ticketing/setup-github): Connect Mondoo to GitHub Issues to create security remediation issues directly from the Mondoo App. - [Set up Ticketing and GitLab Issues](https://mondoo.com/docs/ticketing/setup-gitlab): Connect Mondoo to GitLab Issues to create security remediation issues directly from the Mondoo App. - [Set up Ticketing and Jira](https://mondoo.com/docs/ticketing/setup-jira): Connect Mondoo to Atlassian Jira to create security remediation issues directly from the Mondoo App. - [Set up Ticketing and Zendesk](https://mondoo.com/docs/ticketing/setup-zendesk): Connect Mondoo to Zendesk to create security remediation tickets directly from the Mondoo App. - [Set up Ticketing with Email](https://mondoo.com/docs/ticketing/setup-email): Configure email-based ticketing to automatically create issues in your existing project management workflow. #### Create & Manage Tickets - [Create Tickets from Advisories](https://mondoo.com/docs/ticketing/advisories): Generate remediation tickets directly from security advisories to track vulnerability fixes in your workflow. - [Create Tickets from Checks](https://mondoo.com/docs/ticketing/checks): Generate remediation tickets directly from failed security checks to track fixes in your workflow. - [Manage Ticketing](https://mondoo.com/docs/ticketing/manage): View, close, and configure tickets across Mondoo and your external ticketing system. ### Run Reports - [Overview](https://mondoo.com/docs/reporting/overview): Choose the right Mondoo output for your audience, whether you need board decks, ad-hoc CSVs, continuous data exports, or auditor PDFs. #### Executive Reports - [Overview](https://mondoo.com/docs/reporting/executive-reports): Generate a board-ready chapter on your vulnerability management program from live Mondoo data and export each slide to PowerPoint or PNG. - [Create a Report](https://mondoo.com/docs/reporting/executive-reports/create): Generate an Executive Report with the four-step wizard and export individual slides to PowerPoint or PNG. - [Ad-Hoc CSV Exports](https://mondoo.com/docs/reporting/csv-export): Generate an on-demand CSV snapshot of a space's security and compliance data for Excel, Tableau, Power BI, or any tool that reads CSV. #### Continuous Data Exports - [Continuous Data Exports](https://mondoo.com/docs/reporting/export/overview): Continuously export assets, vulnerabilities, and scan results from Mondoo to cloud storage or a data warehouse. ##### Object Storage - [Amazon S3](https://mondoo.com/docs/reporting/export/s3): Set up continuous export of assets, vulnerabilities, and scan results from Mondoo to an Amazon S3 bucket. - [Azure Blob Storage](https://mondoo.com/docs/reporting/export/azure-blob): Set up continuous export of assets, vulnerabilities, and scan results from Mondoo to Azure Blob Storage containers. - [Google Cloud Storage](https://mondoo.com/docs/reporting/export/gcs-bucket): Set up continuous export of assets, vulnerabilities, and scan results from Mondoo to a Google Cloud Storage bucket using a service account key or Workload Identity Federation (WIF). - [S3-Compatible Service](https://mondoo.com/docs/reporting/export/s3-compatible): Set up continuous export of assets, vulnerabilities, and scan results from Mondoo to MinIO, Ceph, or any other S3-compatible storage service. ##### Databases & Warehouses - [Google BigQuery](https://mondoo.com/docs/reporting/export/bigquery-integration): Set up continuous export of assets, vulnerabilities, and scan results from Mondoo to a Google BigQuery dataset using a service account key or Workload Identity Federation (WIF). - [PostgreSQL](https://mondoo.com/docs/reporting/export/postgresql): Set up continuous export of assets, vulnerabilities, and scan results from Mondoo to a PostgreSQL database. - [Snowflake](https://mondoo.com/docs/reporting/export/snowflake): Set up continuous export of assets, vulnerabilities, and scan results from Mondoo to a Snowflake database. ##### Reference ##### Schema Reference - [Export JSONL Schema](https://mondoo.com/docs/reporting/export/schema): Understand the JSONL schema structure for assets, risks, vulnerabilities, and check results in Mondoo exports. - [Asset](https://mondoo.com/docs/reporting/export/schema/asset): Reference the asset object schema and properties used in Mondoo JSONL exports. - [Check Results](https://mondoo.com/docs/reporting/export/schema/check): Reference the check result object schema and properties used in Mondoo JSONL exports. - [Query Results](https://mondoo.com/docs/reporting/export/schema/result): Reference the query result object schema and properties used in Mondoo JSONL exports. - [Risk Factors](https://mondoo.com/docs/reporting/export/schema/risk): Reference the risk factor object schema and properties used in Mondoo JSONL exports. - [Vulnerabilities](https://mondoo.com/docs/reporting/export/schema/vulns): Reference the vulnerability object schema and properties used in Mondoo JSONL exports. - [Packages](https://mondoo.com/docs/reporting/export/schema/packages): Reference the package object schema and properties used in Mondoo JSONL exports. - [Controls](https://mondoo.com/docs/reporting/export/schema/controls): Reference the control object schema and properties used in Mondoo JSONL exports. ### Manage Mondoo - [Overview](https://mondoo.com/docs/maintain/overview): Manage Mondoo access, alerting, logging, and account settings. #### Manage Access to Mondoo - [Overview](https://mondoo.com/docs/maintain/access/overview): Control team member permissions, SSO integration, and non-human user access for your Mondoo organizations and spaces. - [Manage Team Members](https://mondoo.com/docs/maintain/access/team_members): Invite team members and assign roles to control access to Mondoo organizations and spaces. ##### Single Sign-On & Provisioning - [Manage Access with OIDC Groups](https://mondoo.com/docs/maintain/access/oidc-team-access): Automatically assign users to Mondoo teams based on identity provider group membership using OIDC group claims. An alternative to SCIM that requires no provisioning infrastructure. - [Manage Access with Entra (SCIM)](https://mondoo.com/docs/maintain/access/scim-ms): Enable Microsoft Entra ID SSO authentication and SCIM 2.0 user management for centralized Mondoo access control. - [Manage Access with Okta](https://mondoo.com/docs/maintain/access/scim-okta): Enable Okta SSO authentication and SCIM 2.0 user management for centralized Mondoo access control. ##### Non-Human Access ##### Grant Services, Scripts, and Apps Access to Mondoo - [Overview](https://mondoo.com/docs/maintain/access/non-human/overview): Configure service accounts, identity providers, and API tokens for automated and programmatic Mondoo access. - [Manage Service Accounts](https://mondoo.com/docs/maintain/access/non-human/service_accounts): Set up service account credentials to authenticate CI pipelines and external services with Mondoo APIs. - [Manage API Tokens](https://mondoo.com/docs/maintain/access/non-human/api-tokens): Create API tokens to authenticate with Mondoo's GraphQL API for custom integrations and automation. - [Grant Keyless Access (WIF)](https://mondoo.com/docs/maintain/access/non-human/wif): Use workload identity federation (WIF) to give external workloads secure, keyless access to Mondoo at the space, organization, or platform level. WIF eliminates the need for stored credentials by letting apps, services, and automation authenticate through trusted identity providers. #### Manage Alerts - [Overview](https://mondoo.com/docs/maintain/alerting/overview): Configure Mondoo to send security score change notifications to Slack, Teams, Telegram, or custom webhooks. - [Slack](https://mondoo.com/docs/maintain/alerting/slack): Set up Slack incoming webhooks to receive security score change alerts from your Mondoo spaces. - [Microsoft Teams](https://mondoo.com/docs/maintain/alerting/msteams): Set up Microsoft Teams workflows to receive security score change alerts from your Mondoo spaces. - [Telegram](https://mondoo.com/docs/maintain/alerting/telegram): Send Mondoo alerts to Telegram. - [Webhook](https://mondoo.com/docs/maintain/alerting/webhook): Post JSON-encoded security alerts to any HTTP endpoint using Mondoo's custom webhook integration. #### Manage Your User Settings - [Overview](https://mondoo.com/docs/maintain/user/overview): Customize your Mondoo display preferences, email notifications, and login authentication methods. - [Manage Your Login](https://mondoo.com/docs/maintain/user/login): Connect your Google, GitHub, or Microsoft account for single sign-on, or change your Mondoo email and password. - [Email Preferences](https://mondoo.com/docs/maintain/user/email): Turn weekly space reports on or off and unsubscribe from Mondoo newsletters. #### Spaces & Organizations - [Define Your SLA](https://mondoo.com/docs/maintain/sla): Set targets for how quickly your team commits to remediating findings, and track real performance against them. - [Remove Obsolete Assets](https://mondoo.com/docs/maintain/obsolete): Configure automatic cleanup of assets that haven't reported scan results or terminated EC2 instances. - [Remove a Space or Organization](https://mondoo.com/docs/maintain/delete): Delete unused Mondoo spaces or organizations. #### Audit & Reference - [View Audit Logs](https://mondoo.com/docs/maintain/log): Track administrative events and access management changes with organization and space audit logs. - [Export Audit Logs](https://mondoo.com/docs/maintain/log-export): Continuously export audit logs from Mondoo to Google Cloud Storage in OCSF format for long-term retention, SIEM ingestion, or compliance evidence. - [Service IP Addresses](https://mondoo.com/docs/maintain/allowlist): Firewall allow-list entries for installation, updates, and the Mondoo API. - [Releases and Versions](https://mondoo.com/docs/maintain/version): How Mondoo versions its releases and how the cnspec N-1 support cycle works. ### AI - [MCP server](https://mondoo.com/docs/ai/mcp): Connect Claude Desktop, Claude Code, and VS Code to the Mondoo MCP server to explore your findings, policies, and spaces with AI assistants. - [Release Highlights](https://mondoo.com/docs/releases) ### Mondoo Glossary - [Mondoo Glossary](https://mondoo.com/docs/glossary): Key terms and concepts used throughout Mondoo Platform, cnspec, and MQL documentation. ## cnspec - [cnspec Docs Home](https://mondoo.com/docs/cnspec): cnspec is an open source, cloud-native tool for securing and exploring your entire infrastructure with MQL. - [Quickstart](https://mondoo.com/docs/cnspec/quickstart): Install cnspec and run your first security scan in minutes. Scan a system, read the results, and explore your infrastructure with MQL. ### Installation - [Installation Overview](https://mondoo.com/docs/cnspec/install/overview): Install cnspec, register it with Mondoo Platform, and roll it out across your infrastructure. - [System Requirements](https://mondoo.com/docs/cnspec/install/requirements): Minimum operating system versions, CPU architectures, PowerShell version, and access rights cnspec needs to install and scan a local host. #### Install cnspec - [Linux](https://mondoo.com/docs/cnspec/install/linux): Install and configure cnspec on major Linux distributions including Ubuntu, Debian, RHEL, Amazon Linux, and SUSE. - [macOS](https://mondoo.com/docs/cnspec/install/macos): Install and configure cnspec on macOS using the automated installer, Homebrew, or the universal package. - [Windows](https://mondoo.com/docs/cnspec/install/windows): Install and configure cnspec on Microsoft Windows using PowerShell scripts, MSI packages, or Chocolatey. - [Standalone Binary](https://mondoo.com/docs/cnspec/install/binary): Download and install the cnspec standalone binary on any supported operating system. #### Register & Run - [Register cnspec with Mondoo](https://mondoo.com/docs/cnspec/install/registration): Register cnspec with Mondoo Platform to enable policy downloads and scan reporting. - [Register cnspec Using a Credentials File](https://mondoo.com/docs/cnspec/install/registration-keys): Register cnspec using a long-lived service account credentials file for automated environments and CI/CD pipelines. - [Run cnspec as a service](https://mondoo.com/docs/cnspec/install/service): Configure cnspec to run as a system service that automatically scans hosts and reports results to Mondoo Platform. #### Maintain - [Manage cnspec Providers](https://mondoo.com/docs/cnspec/install/providers): Learn how cnspec providers work, when to manage them yourself, and how to install, update, and remove them. - [Update cnspec](https://mondoo.com/docs/cnspec/install/update): Update cnspec to a new version, understand how versioning works, and learn about supported releases - [Uninstall cnspec](https://mondoo.com/docs/cnspec/install/uninstall): Remove cnspec from a device ### Learn the Essentials - [About Policies](https://mondoo.com/docs/cnspec/policies-about): Learn how cnspec uses policy as code to define, document, and enforce security requirements - [Query Your Infrastructure](https://mondoo.com/docs/cnspec/query): Run ad-hoc MQL queries against any asset using cnspec run and cnspec shell. - [Run a Query Pack](https://mondoo.com/docs/cnspec/query-packs): Query packs let you bundle multiple MQL queries together and run them against any asset with cnspec. - [Remote scans with inventory files](https://mondoo.com/docs/cnspec/inventory): Scan remote systems, network devices, and cloud accounts by defining targets and credentials in a single inventory file. ### Scan Your Infrastructure ### Cloud - [Overview](https://mondoo.com/docs/cnspec/cloud/overview): Scan public clouds, private clouds, and Kubernetes for misconfigurations and vulnerabilities with cnspec. Choose your cloud platform to get started. #### Public Clouds #### AWS - [Overview](https://mondoo.com/docs/cnspec/cloud/aws): Secure your Amazon Web Services environment by scanning for vulnerabilities and misconfigurations with cnspec. - [Secure an AWS Account](https://mondoo.com/docs/cnspec/cloud/aws/account): Scan an Amazon Web Services account against security and compliance best practices with cnspec. - [Scan Instances Using SSM](https://mondoo.com/docs/cnspec/cloud/aws/aws-ssm-scan): Configure AWS Systems Manager (SSM) to scan EC2 instances for security misconfigurations without installing agents. - [Scan Instances Using Instance Connect](https://mondoo.com/docs/cnspec/cloud/aws/aws-ec2-ic-scan): Use EC2 Instance Connect to scan EC2 instances over SSH without managing long-lived keys. - [Scan Instances Using EBS Snapshots](https://mondoo.com/docs/cnspec/cloud/aws/aws-ebs-snapshot-scan): Scan EBS volume snapshots to evaluate the security and compliance of Linux EC2 instances without connecting to them. - [Build Secure AMIs with Packer](https://mondoo.com/docs/cnspec/cloud/aws/packer): Build secure Amazon AMIs by scanning Packer builds with cnspec for vulnerabilities and misconfigurations. #### Azure - [Overview](https://mondoo.com/docs/cnspec/cloud/azure): Secure your Microsoft Azure environment by scanning for vulnerabilities and misconfigurations with cnspec. - [Secure a Subscription](https://mondoo.com/docs/cnspec/cloud/azure/subscription): Scan a Microsoft Azure subscription against security and compliance best practices with cnspec. - [Scan Virtual Machines](https://mondoo.com/docs/cnspec/cloud/azure/compute): Scan Microsoft Azure virtual machines, snapshots, and disks with cnspec. #### Google Cloud - [Overview](https://mondoo.com/docs/cnspec/cloud/gcp): Secure your Google Cloud environment by scanning for vulnerabilities and misconfigurations with cnspec. - [Secure a Project](https://mondoo.com/docs/cnspec/cloud/gcp/project): Scan a Google Cloud project against security and compliance best practices with cnspec. - [Scan Instance Snapshots](https://mondoo.com/docs/cnspec/cloud/gcp/snapshot): Scan Google Cloud Compute Engine instances by snapshotting their disks, with no impact to your production workload. - [Cross-Project Snapshot Scanning](https://mondoo.com/docs/cnspec/cloud/gcp/snapshot-cross-project): Configure cnspec to scan Google Cloud Compute Engine snapshots that reside in a different project than your scanner VM. - [Build Secure VMs with Packer](https://mondoo.com/docs/cnspec/cloud/gcp/packer): Build secure machine images in Google Cloud by scanning Packer builds with cnspec for vulnerabilities and misconfigurations. - [Workload Identity Federation](https://mondoo.com/docs/cnspec/cloud/gcp/wif): Use Workload Identity Federation to let a service account in one Google Cloud project scan resources in other Google Cloud projects without exporting keys. #### Oracle Cloud - [Overview](https://mondoo.com/docs/cnspec/cloud/oci): Secure your Oracle Cloud Infrastructure environment by scanning for vulnerabilities and misconfigurations with cnspec. - [Secure a Tenancy](https://mondoo.com/docs/cnspec/cloud/oci/account): Scan an Oracle Cloud Infrastructure tenancy against security and compliance best practices with cnspec. - [Alibaba Cloud](https://mondoo.com/docs/cnspec/cloud/alicloud): Scan an Alibaba Cloud account against security and compliance best practices with cnspec. - [DigitalOcean](https://mondoo.com/docs/cnspec/cloud/digitalocean): Scan a DigitalOcean account against security and compliance best practices with cnspec. - [Hetzner Cloud](https://mondoo.com/docs/cnspec/cloud/hetzner): Scan Hetzner Cloud projects against security and compliance best practices with cnspec. - [STACKIT](https://mondoo.com/docs/cnspec/cloud/stackit): Scan STACKIT projects against security and compliance best practices with cnspec. - [Equinix Metal](https://mondoo.com/docs/cnspec/cloud/equinix): Scan Equinix Metal infrastructure against security and compliance best practices with cnspec. - [OpenStack](https://mondoo.com/docs/cnspec/cloud/openstack): Scan OpenStack projects against security and compliance best practices with cnspec. #### Private Cloud & Virtualization #### VMware - [Overview](https://mondoo.com/docs/cnspec/cloud/vmware): Secure your VMware environment by scanning for vulnerabilities and misconfigurations with cnspec. - [VMware vSphere](https://mondoo.com/docs/cnspec/cloud/vmware/vsphere): Scan a VMware vSphere environment against security and compliance best practices with cnspec. - [VMware Cloud Director](https://mondoo.com/docs/cnspec/cloud/vmware/vcd): Scan a VMware Cloud Director environment against security and compliance best practices with cnspec. - [Proxmox VE](https://mondoo.com/docs/cnspec/cloud/proxmox): Scan Proxmox VE clusters against security and compliance best practices with cnspec. - [Nutanix](https://mondoo.com/docs/cnspec/cloud/nutanix): Scan Nutanix Prism Central environments against security and compliance best practices with cnspec. - [Portainer](https://mondoo.com/docs/cnspec/cloud/portainer): Scan Portainer container-management instances against security and compliance best practices with cnspec. #### Kubernetes #### Kubernetes - [Overview](https://mondoo.com/docs/cnspec/cloud/kubernetes): Secure your Kubernetes environment by scanning for vulnerabilities and misconfigurations with cnspec. - [Secure a Cluster](https://mondoo.com/docs/cnspec/cloud/kubernetes/cluster): Scan a Kubernetes cluster against security and compliance best practices with cnspec. ### Operating Systems - [Overview](https://mondoo.com/docs/cnspec/os/overview): Scan Linux, Windows, macOS, and Unix hosts against security and compliance best practices with cnspec, locally or over SSH. - [Linux](https://mondoo.com/docs/cnspec/os/linux): Scan Linux systems against security and compliance best practices with cnspec. - [Windows](https://mondoo.com/docs/cnspec/os/windows): Scan Windows systems against security and compliance best practices with cnspec. - [macOS](https://mondoo.com/docs/cnspec/os/mac): Scan macOS systems against security and compliance best practices with cnspec. - [FreeBSD](https://mondoo.com/docs/cnspec/os/freebsd): Scan FreeBSD systems against security and compliance best practices with cnspec. - [AIX](https://mondoo.com/docs/cnspec/os/aix): Query AIX systems and run custom security policies with cnspec. - [OPC UA](https://mondoo.com/docs/cnspec/os/opcua): Scan Linux-based industrial control systems via OPC UA with cnspec. ### Supply Chain - [Overview](https://mondoo.com/docs/cnspec/supplychain/overview): Scan containers, container images, registries, and infrastructure as code (Terraform, OpenTofu, CloudFormation, Kubernetes manifests, Helm, and more) with cnspec. #### Containers & Images - [Docker Containers](https://mondoo.com/docs/cnspec/supplychain/docker-containers): Scan running and stopped Docker containers for CVEs and security misconfigurations with cnspec. - [Docker Images](https://mondoo.com/docs/cnspec/supplychain/docker-images): Scan Docker images for security misconfigurations and CVEs with cnspec. - [Dockerfiles](https://mondoo.com/docs/cnspec/supplychain/dockerfiles): Scan Dockerfiles for security misconfigurations with cnspec. #### Container Registries - [Elastic Container Registry (ECR)](https://mondoo.com/docs/cnspec/supplychain/registry/aws_ecr): Scan Amazon Elastic Container Registry images for security vulnerabilities and misconfigurations with cnspec. - [Azure Container Registry (ACR)](https://mondoo.com/docs/cnspec/supplychain/registry/azure_acr): Scan Azure Container Registry images for security vulnerabilities and misconfigurations with cnspec. - [Docker Hub](https://mondoo.com/docs/cnspec/supplychain/registry/docker_hub): Scan Docker Hub container images for security vulnerabilities and misconfigurations with cnspec. - [Google Container Registry](https://mondoo.com/docs/cnspec/supplychain/registry/gcp_gcr): Scan Google Container Registry images for security vulnerabilities and misconfigurations with cnspec. #### Infrastructure as Code - [Terraform](https://mondoo.com/docs/cnspec/supplychain/terraform): Scan Terraform and OpenTofu configurations, plans, and state files for security misconfigurations with cnspec. No Terraform or OpenTofu CLI required. - [CloudFormation](https://mondoo.com/docs/cnspec/supplychain/cloudformation): Scan AWS CloudFormation templates for security misconfigurations with cnspec. - [Azure Bicep](https://mondoo.com/docs/cnspec/supplychain/bicep): Scan Azure Bicep files and ARM templates for security misconfigurations with cnspec. - [Kubernetes Manifests](https://mondoo.com/docs/cnspec/supplychain/kubernetes-manifests): Scan Kubernetes manifests for security misconfigurations during development and in CI/CD pipelines. - [Helm](https://mondoo.com/docs/cnspec/supplychain/helm): Scan Helm charts for security misconfigurations before installing them in your Kubernetes clusters. - [Kustomize](https://mondoo.com/docs/cnspec/supplychain/kustomize): Scan Kustomize overlays for security misconfigurations before applying them to your Kubernetes clusters. - [Ansible](https://mondoo.com/docs/cnspec/supplychain/ansible): Scan Ansible playbooks for security misconfigurations and policy violations with cnspec. #### Build Pipelines - [Packer](https://mondoo.com/docs/cnspec/supplychain/packer): Build secure machine images by scanning Packer builds with cnspec. - [Vagrant](https://mondoo.com/docs/cnspec/supplychain/vagrant): Scan Vagrant virtual machines for security misconfigurations and vulnerabilities with cnspec. ### SaaS - [Overview](https://mondoo.com/docs/cnspec/saas/overview): Scan SaaS platforms like GitHub, Microsoft 365, Google Workspace, Okta, Slack, and Snowflake for security and compliance misconfigurations with cnspec. #### Source Control & Developer Platforms - [GitHub](https://mondoo.com/docs/cnspec/saas/github): Scan GitHub organizations and repositories against security and compliance best practices with cnspec. - [GitHub with Custom App Credentials](https://mondoo.com/docs/cnspec/saas/gh-app): Authenticate cnspec to GitHub using a custom GitHub App for higher API rate limits. - [GitLab](https://mondoo.com/docs/cnspec/saas/gitlab): Scan GitLab groups and projects against security and compliance best practices with cnspec. - [Atlassian](https://mondoo.com/docs/cnspec/saas/atlassian): Query Atlassian Cloud Jira, Confluence, Admin, and SCIM with cnspec. #### Productivity & Collaboration - [Microsoft 365](https://mondoo.com/docs/cnspec/saas/m365): Scan Microsoft 365 against security and compliance best practices with cnspec. - [Google Workspace](https://mondoo.com/docs/cnspec/saas/google_workspace): Scan Google Workspace against security and compliance best practices with cnspec. - [Slack](https://mondoo.com/docs/cnspec/saas/slack): Scan Slack workspaces against security and compliance best practices with cnspec. #### Infrastructure & Data Services - [Cloudflare](https://mondoo.com/docs/cnspec/saas/cloudflare): Scan Cloudflare against security and compliance best practices with cnspec. - [Snowflake](https://mondoo.com/docs/cnspec/saas/snowflake): Scan Snowflake accounts against security and compliance best practices with cnspec. - [Datadog](https://mondoo.com/docs/cnspec/saas/datadog): Scan Datadog against security and compliance best practices with cnspec. - [Grafana](https://mondoo.com/docs/cnspec/saas/grafana): Scan Grafana against security and compliance best practices with cnspec. - [Tailscale](https://mondoo.com/docs/cnspec/saas/tailscale): Scan a Tailscale tailnet against security and compliance best practices with cnspec. - [NextDNS](https://mondoo.com/docs/cnspec/saas/nextdns): Scan NextDNS profiles against security and compliance best practices with cnspec. ### Identity - [Overview](https://mondoo.com/docs/cnspec/identity/overview): Scan identity providers like Okta and Active Directory against security and compliance best practices with cnspec. - [Okta](https://mondoo.com/docs/cnspec/identity/okta): Scan Okta against security and compliance best practices with cnspec. - [Active Directory](https://mondoo.com/docs/cnspec/identity/active-directory): Scan Active Directory domains against security and compliance best practices with cnspec. ### Network Devices - [Overview](https://mondoo.com/docs/cnspec/network/overview): Scan network devices like Cisco, Arista, Juniper, Fortinet, Palo Alto, F5, MikroTik, and Ubiquiti against security and compliance best practices with cnspec. - [Cisco IOS/NX-OS](https://mondoo.com/docs/cnspec/network/cisco): Scan Cisco IOS XR/XE and NX-OS network devices against security and compliance best practices with cnspec. - [Cisco Catalyst Center](https://mondoo.com/docs/cnspec/network/cisco-catalyst): Discover and query network devices managed by Cisco Catalyst Center with cnspec. - [Arista EOS](https://mondoo.com/docs/cnspec/network/arista): Scan Arista EOS network devices against security and compliance best practices with cnspec. - [Juniper Junos OS](https://mondoo.com/docs/cnspec/network/junos): Scan Juniper Networks devices running Junos OS against security and compliance best practices with cnspec. - [Fortinet FortiOS](https://mondoo.com/docs/cnspec/network/fortios): Scan Fortinet FortiGate firewalls running FortiOS against security and compliance best practices with cnspec. - [Palo Alto PAN-OS](https://mondoo.com/docs/cnspec/network/panos): Scan Palo Alto Networks firewalls running PAN-OS against security and compliance best practices with cnspec. - [F5 BIG-IP](https://mondoo.com/docs/cnspec/network/bigip): Scan F5 BIG-IP application delivery controllers against security and compliance best practices with cnspec. - [MikroTik RouterOS](https://mondoo.com/docs/cnspec/network/mikrotik): Scan MikroTik RouterOS routers and switches against security and compliance best practices with cnspec. - [Ubiquiti UniFi](https://mondoo.com/docs/cnspec/network/unifi): Scan Ubiquiti UniFi network controllers against security and compliance best practices with cnspec. ### Network Services - [Overview](https://mondoo.com/docs/cnspec/networking/overview): Discover hosts, scan domains and IP addresses, and check internet exposure with cnspec using DNS, TLS, HTTP, Nmap, Shodan, and ipinfo. - [Domains and IP Addresses](https://mondoo.com/docs/cnspec/networking/host): Scan domains and IP addresses for DNS, TLS, HTTP header, and email security with cnspec. - [Nmap](https://mondoo.com/docs/cnspec/networking/nmap): Discover hosts, open ports, and services using Nmap with cnspec. - [Shodan](https://mondoo.com/docs/cnspec/networking/shodan): Use cnspec with Shodan to discover internet-facing services and open ports. - [IPinfo](https://mondoo.com/docs/cnspec/networking/ipinfo): Query IP address information from ipinfo.io with cnspec. ### BMCs - [Overview](https://mondoo.com/docs/cnspec/bmc/overview): Scan server baseboard management controllers (BMCs) over IPMI and Redfish with cnspec, including HPE iLO, Dell iDRAC, and Supermicro. - [Redfish BMCs](https://mondoo.com/docs/cnspec/bmc/redfish): Scan server baseboard management controllers over the Redfish REST API with cnspec, including HPE iLO, Dell iDRAC, and Supermicro. - [IPMI](https://mondoo.com/docs/cnspec/bmc/ipmi): Query IPMI interfaces with cnspec. ### MDMs - [Jamf](https://mondoo.com/docs/cnspec/mdm/jamf): Scan Jamf Pro against security and compliance best practices with cnspec. ### AI - [Overview](https://mondoo.com/docs/cnspec/ai/overview): Scan AI infrastructure like Model Context Protocol (MCP) servers and vLLM inference servers against security best practices with cnspec. - [MCP](https://mondoo.com/docs/cnspec/ai/mcp): Scan Model Context Protocol (MCP) servers against security best practices with cnspec. - [vLLM](https://mondoo.com/docs/cnspec/ai/vllm): Scan vLLM inference servers against security best practices with cnspec. ### Malware - [YARA](https://mondoo.com/docs/cnspec/malware/yara): Scan files for malware, secrets, and custom patterns using YARA rules with cnspec. ### Write & Manage Policies ### Write Custom Policies - [Introduction](https://mondoo.com/docs/cnspec/write-policies/write-intro): Learn how to write custom security policies to meet the special needs of your organization - [Write Custom Policies](https://mondoo.com/docs/cnspec/write-policies/simple): Create your own policies for cnspec and Mondoo to scan your infrastructure - [Score Policies](https://mondoo.com/docs/cnspec/write-policies/policy-scoring): Choose how Mondoo scores assets based on a policy - [Preview Checks](https://mondoo.com/docs/cnspec/write-policies/preview): Use the preview action to run a check without affecting an asset's score, with an optional deadline after which the check starts scoring - [Reuse Queries and Checks](https://mondoo.com/docs/cnspec/write-policies/reuse): Learn how to combine policies in a bundle and make more efficient policies by reusing queries and checks - [Break up a Policy into Groups](https://mondoo.com/docs/cnspec/write-policies/chapters): Use groups to separate your policy into chapters - [Limit Target Assets with Filters](https://mondoo.com/docs/cnspec/write-policies/filters): Add policy filters to limit what types of target assets a policy or part of a policy applies to - [Define Properties](https://mondoo.com/docs/cnspec/write-policies/properties): Use properties to define the values for settings that policies check against. - [Make Policies Flexible with Variants](https://mondoo.com/docs/cnspec/write-policies/variants): Use variants to change what a policy checks based on different conditions - [Create Checks in cnspec Shell](https://mondoo.com/docs/cnspec/write-policies/cnspec-scan): Use cnspec's interactive shell to learn about checks - [Community Policies](https://mondoo.com/docs/cnspec/policies-registry): Explore open source security policies by Mondoo and the Mondoo community. - [Manage Policies](https://mondoo.com/docs/cnspec/policies-manage): Create, validate, upload, and manage cnspec policies across your infrastructure ### Results & Integrations - [Report Results](https://mondoo.com/docs/cnspec/results): Control how cnspec reports scan results, including terminal output formats, JSON, YAML, JUnit, and SARIF for CI/CD integration. - [Migrate from Trivy](https://mondoo.com/docs/cnspec/trivy-to-cnspec): A practical guide for migrating from Aqua Trivy to cnspec, covering container scanning, IaC, Kubernetes, CI/CD, and custom policies. ### Reference - [Supported Scan Targets](https://mondoo.com/docs/cnspec/cnspec-supported): A list of technologies that cnspec can scan ### Providers - [About Providers](https://mondoo.com/docs/cnspec/providers/about): Learn about cnspec providers and special considerations for containers and air-gapped or limited access assets - [Manage Providers](https://mondoo.com/docs/cnspec/providers/manage): Learn how to install, update, remove, and disable automatic updates for cnspec providers - [Custom Providers](https://mondoo.com/docs/cnspec/providers/custom): Learn how to create custom cnspec providers for any platform ### CLI Commands - [cnspec aibom](https://mondoo.com/docs/cnspec/cli/cnspec_aibom): Generate an AI bill of materials (AIBOM) that inventories AI and ML models across cloud providers, model registries, inference APIs, and local runtimes. - [cnspec completion](https://mondoo.com/docs/cnspec/cli/cnspec_completion): Generate the autocompletion script for cnspec for the specified shell. - [cnspec discover](https://mondoo.com/docs/cnspec/cli/cnspec_discover): Discover the assets defined by an inventory file's discovery targets and filters or by CLI parameters, without running any queries. - [cnspec framework active](https://mondoo.com/docs/cnspec/cli/cnspec_framework_active): Change a compliance framework status to active in the connected Mondoo Platform space. - [cnspec framework disabled](https://mondoo.com/docs/cnspec/cli/cnspec_framework_disabled): Change a compliance framework status to disabled in the connected Mondoo Platform space. - [cnspec framework download](https://mondoo.com/docs/cnspec/cli/cnspec_framework_download): Download a compliance framework from the connected Mondoo Platform space to a local file. - [cnspec framework list](https://mondoo.com/docs/cnspec/cli/cnspec_framework_list): List available compliance frameworks in the connected Mondoo Platform space. - [cnspec framework preview](https://mondoo.com/docs/cnspec/cli/cnspec_framework_preview): Change a compliance framework status to preview in the connected Mondoo Platform space. - [cnspec framework upload](https://mondoo.com/docs/cnspec/cli/cnspec_framework_upload): Upload a compliance framework to the connected Mondoo Platform space. - [cnspec framework](https://mondoo.com/docs/cnspec/cli/cnspec_framework): Manage local and Mondoo Platform hosted compliance frameworks, including uploading, downloading, and changing framework status. - [cnspec login](https://mondoo.com/docs/cnspec/cli/cnspec_login): Register cnspec with Mondoo Platform using a registration token. - [cnspec logout](https://mondoo.com/docs/cnspec/cli/cnspec_logout): Log out from Mondoo Platform and revoke the service account credentials. - [cnspec lsp](https://mondoo.com/docs/cnspec/cli/cnspec_lsp): Launch the MQL Language Server for editor integration with autocompletion and diagnostics. - [cnspec migrate](https://mondoo.com/docs/cnspec/cli/cnspec_migrate): Migrate the cnspec CLI configuration to the latest version. - [cnspec policy delete](https://mondoo.com/docs/cnspec/cli/cnspec_policy_delete): Delete a policy from the connected Mondoo Platform space using its UID or MRN. - [cnspec policy disable](https://mondoo.com/docs/cnspec/cli/cnspec_policy_disable): Disable a policy in the connected Mondoo Platform space. - [cnspec policy download](https://mondoo.com/docs/cnspec/cli/cnspec_policy_download): Download a policy from the connected Mondoo Platform space to a local bundle file. - [cnspec policy enable](https://mondoo.com/docs/cnspec/cli/cnspec_policy_enable): Enable a policy in the connected Mondoo Platform space. - [cnspec policy format](https://mondoo.com/docs/cnspec/cli/cnspec_policy_format): Apply style formatting to one or more policy bundle files. - [cnspec policy graph callees](https://mondoo.com/docs/cnspec/cli/cnspec_policy_graph_callees): Show what a policy graph node contains or references (outbound edges). - [cnspec policy graph callers](https://mondoo.com/docs/cnspec/cli/cnspec_policy_graph_callers): Show what references a policy graph node (inbound edges). - [cnspec policy graph context](https://mondoo.com/docs/cnspec/cli/cnspec_policy_graph_context): Show LLM-friendly context with YAML snippets for a policy graph node. - [cnspec policy graph export](https://mondoo.com/docs/cnspec/cli/cnspec_policy_graph_export): Export the full policy graph from a bundle file. - [cnspec policy graph paths](https://mondoo.com/docs/cnspec/cli/cnspec_policy_graph_paths): Find paths between two nodes in the policy graph. - [cnspec policy graph reachable](https://mondoo.com/docs/cnspec/cli/cnspec_policy_graph_reachable): Show all nodes reachable from a node in the policy graph. - [cnspec policy graph search](https://mondoo.com/docs/cnspec/cli/cnspec_policy_graph_search): Search the policy graph for nodes by name, title, or UID. - [cnspec policy graph](https://mondoo.com/docs/cnspec/cli/cnspec_policy_graph): Build and query a graph of policies, checks, frameworks, and controls from policy bundle files. - [cnspec policy info](https://mondoo.com/docs/cnspec/cli/cnspec_policy_info): Show detailed information about a policy from the connected Mondoo Platform space. - [cnspec policy init](https://mondoo.com/docs/cnspec/cli/cnspec_policy_init): Create an example policy bundle file as a starting point for writing custom policies. - [cnspec policy lint](https://mondoo.com/docs/cnspec/cli/cnspec_policy_lint): Lint a policy bundle to check for errors and ensure it compiles correctly. - [cnspec policy list](https://mondoo.com/docs/cnspec/cli/cnspec_policy_list): List enabled policies in the connected Mondoo Platform space. - [cnspec policy upload](https://mondoo.com/docs/cnspec/cli/cnspec_policy_upload): Upload a policy bundle to the connected Mondoo Platform space. - [cnspec policy](https://mondoo.com/docs/cnspec/cli/cnspec_policy): Manage local and Mondoo Platform policies, including creating, uploading, enabling, and deleting policies. - [cnspec providers delete](https://mondoo.com/docs/cnspec/cli/cnspec_providers_delete): Remove an installed provider plugin from disk. - [cnspec providers info](https://mondoo.com/docs/cnspec/cli/cnspec_providers_info): Show detailed information about one or more installed providers. - [cnspec providers install](https://mondoo.com/docs/cnspec/cli/cnspec_providers_install): Install a new provider or update an existing one to add connectivity to a specific asset type. - [cnspec providers list](https://mondoo.com/docs/cnspec/cli/cnspec_providers_list): List all installed providers on the system. - [cnspec providers resources](https://mondoo.com/docs/cnspec/cli/cnspec_providers_resources): List the resources available in a provider or show field details for a specific resource. - [cnspec providers](https://mondoo.com/docs/cnspec/cli/cnspec_providers): Manage cnspec providers that add connectivity to infrastructure assets such as cloud platforms, SaaS services, and operating systems. - [cnspec run](https://mondoo.com/docs/cnspec/cli/cnspec_run): Run an MQL query on the command line and display the results. - [cnspec sbom](https://mondoo.com/docs/cnspec/cli/cnspec_sbom): Generate a software bill of materials (SBOM) for a given asset. - [cnspec scan](https://mondoo.com/docs/cnspec/cli/cnspec_scan): Run a security scan on an asset based on one or more Mondoo policies. - [cnspec serve](https://mondoo.com/docs/cnspec/cli/cnspec_serve): Start cnspec in background mode to run scheduled security scans. - [cnspec shell](https://mondoo.com/docs/cnspec/cli/cnspec_shell): Open an interactive MQL query shell to explore and test queries against assets. - [cnspec status](https://mondoo.com/docs/cnspec/cli/cnspec_status): Verify cnspec access to Mondoo Platform by sending a ping to check credentials. - [cnspec vault add-secret](https://mondoo.com/docs/cnspec/cli/cnspec_vault_add-secret): Store a secret in a configured vault environment. - [cnspec vault configure](https://mondoo.com/docs/cnspec/cli/cnspec_vault_configure): Configure a vault environment for securely storing credentials, with support for AWS, GCP, HashiCorp Vault, and more. - [cnspec vault](https://mondoo.com/docs/cnspec/cli/cnspec_vault): Manage vault environments for securely storing and retrieving credentials used in cnspec scans. - [cnspec version](https://mondoo.com/docs/cnspec/cli/cnspec_version): Display the installed cnspec version. - [cnspec vuln](https://mondoo.com/docs/cnspec/cli/cnspec_vuln): Scan a target asset for known vulnerabilities. - [cnspec](https://mondoo.com/docs/cnspec/cli/cnspec): The cnspec CLI is a cloud-native security testing tool for assessing the security of your entire infrastructure. - [Debug scans](https://mondoo.com/docs/cnspec/debug): Run cnspec in debug mode for troubleshooting assistance ## MQL - [MQL Docs Home](https://mondoo.com/docs/mql): MQL (Mondoo Query Language) is a graph-based language for querying and validating infrastructure. Learn what MQL is, where it runs, and how to get started. ### Write MQL - [MQL guide](https://mondoo.com/docs/mql/mql-write): Learn MQL fundamentals including selectors, filters, assertions, error handling, and the interactive shell. A complete guide to querying and securing your infrastructure with Mondoo. - [Terraform](https://mondoo.com/docs/mql/terraform): Learn how to write Mondoo MQL checks for Terraform HCL, Plan, and State. Use the cnspec shell, Mondoo Terraform provider, filters, and variants to build production-grade Policy as Code across your IaC and runtime. - [Embedding MQL](https://mondoo.com/docs/mql/embedding): How to embed MQL queries in CLI scripts and Go code. ### Reference - [Functions](https://mondoo.com/docs/mql/functions): Complete reference for all MQL built-in functions - [MQL Providers and Resources](https://mondoo.com/docs/mql/resources): Complete reference of all MQL resources for querying infrastructure ## xgrep - [Overview](https://mondoo.com/docs/xgrep): xgrep is a fast, Semgrep-compatible code scanner with AST-based matching, taint analysis, and code intelligence built for AI agents. ### Getting Started - [Overview](https://mondoo.com/docs/xgrep/getting-started): What xgrep is — a fast, unified SAST, secret scanning, and software composition analysis (SCA) tool — the accuracy-first design goals behind it, and how to go from install to first scan. - [Installation](https://mondoo.com/docs/xgrep/getting-started/installation): Install xgrep from the @mondoohq/xgrep npm package. - [First scan](https://mondoo.com/docs/xgrep/getting-started/first-scan): Find a real vulnerability with one command — no rules to write, no configuration. ### Code Scanning - [Overview](https://mondoo.com/docs/xgrep/code-scanning): Run xgrep's SAST (static application security testing) engine against your code — taint and dataflow analysis that traces untrusted input to dangerous sinks, plus output formats, supported languages, Semgrep parity, and custom rules. - [CLI reference](https://mondoo.com/docs/xgrep/code-scanning/cli-reference): xgrep flags and subcommands. - [Output formats](https://mondoo.com/docs/xgrep/code-scanning/output-formats): xgrep emits human-readable text, Semgrep-compatible JSON, SARIF 2.1.0, a GitLab SAST report, or a CycloneDX 1.6 CBOM. - [CBOM](https://mondoo.com/docs/xgrep/code-scanning/cbom): Generate a CycloneDX 1.6 Cryptography Bill of Materials — an inventory of the cryptographic assets in your code — with xgrep sbom --cbom. - [Supported languages](https://mondoo.com/docs/xgrep/code-scanning/supported-languages): Languages with tree-sitter AST matching, and the generic/text files matched with regex patterns. #### SAST by Language - [SAST by language](https://mondoo.com/docs/xgrep/code-scanning/languages): What xgrep detects in each language — JavaScript/TypeScript, Java, C#, Python, Go, Ruby, C/C++, Swift — plus infrastructure and config files. - [JavaScript / TypeScript](https://mondoo.com/docs/xgrep/code-scanning/languages/javascript): What xgrep detects in JavaScript and TypeScript — injection, XSS, supply-chain, auth, and crypto issues — with Express-aware taint analysis. - [Java](https://mondoo.com/docs/xgrep/code-scanning/languages/java): What xgrep detects in Java — injection, deserialization, XXE, SSRF, weak crypto, and Android/Spring-specific issues — with request-to-sink taint analysis. - [C#](https://mondoo.com/docs/xgrep/code-scanning/languages/csharp): What xgrep detects in C# / .NET — injection, XSS, deserialization, broken access control, and weak crypto — including ASP.NET and Razor. - [Python](https://mondoo.com/docs/xgrep/code-scanning/languages/python): What xgrep detects in Python — injection, SSRF, deserialization, weak crypto, and Django/Flask-specific issues — with request-to-sink taint analysis. - [Go](https://mondoo.com/docs/xgrep/code-scanning/languages/go): What xgrep detects in Go — injection, SSRF, weak crypto, integer-overflow and memory-safety issues, and error-handling bugs — with taint analysis. - [Ruby](https://mondoo.com/docs/xgrep/code-scanning/languages/ruby): What xgrep detects in Ruby — injection, XSS, mass assignment, deserialization, weak crypto, and supply-chain backdoors — including Rails and ERB. - [C / C++](https://mondoo.com/docs/xgrep/code-scanning/languages/c): What xgrep detects in C and C++ — memory safety, unbounded/dangerous libc functions, injection, and crypto/TLS misuse — with taint analysis from untrusted input to dangerous sinks. - [Swift](https://mondoo.com/docs/xgrep/code-scanning/languages/swift): What xgrep detects in Swift — injection, weak crypto, hardcoded keys, insecure TLS, and input-validation issues — for iOS and Cocoa apps. - [Kotlin](https://mondoo.com/docs/xgrep/code-scanning/languages/kotlin): What xgrep detects in Kotlin — injection, XSS, unsafe deserialization, weak crypto, insecure TLS, open redirect, and ReDoS — for Android apps and JVM backends. - [File filtering](https://mondoo.com/docs/xgrep/code-scanning/file-filtering): Which files xgrep scans by default and how to control it — git-tracked files, ignore patterns, globs, and size limits. - [Semgrep/OpenGrep compatibility](https://mondoo.com/docs/xgrep/code-scanning/semgrep-compatibility): Feature parity between xgrep's CLI and Semgrep / OpenGrep — subcommands, flags, output, and xgrep-only extras. #### Rules - [Overview](https://mondoo.com/docs/xgrep/code-scanning/rules): xgrep's built-in rule corpus, how to filter it, and how to write your own rules. - [Built-in rules](https://mondoo.com/docs/xgrep/code-scanning/rules/builtin): Browse the open-source security rules that ship with xgrep, filterable by language, category, and severity. - [Writing rules](https://mondoo.com/docs/xgrep/code-scanning/rules/writing-rules): The xgrep rule format and the rule features it supports. - [Syntax reference](https://mondoo.com/docs/xgrep/code-scanning/rules/syntax-reference): Reference for xgrep pattern operators and metavariables. - [Taint analysis](https://mondoo.com/docs/xgrep/code-scanning/rules/taint-analysis): Write source-to-sink dataflow rules with xgrep's taint mode. - [Analysis mode](https://mondoo.com/docs/xgrep/code-scanning/rules/analysis-mode): Use xgrep's built-in native analyzers via mode: analysis rules. - [Testing rules](https://mondoo.com/docs/xgrep/code-scanning/rules/testing-rules): Validate rules against annotated test files with xgrep test. ### Secrets - [Overview](https://mondoo.com/docs/xgrep/secrets): Secret scanning that finds hardcoded credentials — API keys, tokens, and private keys — across your source code and full git history, with 270+ detectors for 150+ providers. On by default. - [Git history](https://mondoo.com/docs/xgrep/secrets/git-history): A secret that was committed and later deleted still lives in the repository's history. Scan the full commit history with --history. - [Decoding & validation](https://mondoo.com/docs/xgrep/secrets/decoding-and-validation): Find secrets hidden one encoding layer deep with --decode, and confirm which credentials are actually live with --validate. ### Dependencies - [Overview](https://mondoo.com/docs/xgrep/dependencies): xgrep is a Software Composition Analysis (SCA) tool — generate a CycloneDX or SPDX SBOM, trace dependency usage offline, and scan your open-source dependencies for known CVEs, across 11 ecosystems. - [Generating an SBOM](https://mondoo.com/docs/xgrep/dependencies/generating-an-sbom): Produce a CycloneDX or SPDX Software Bill of Materials for a project's dependencies with xgrep sbom — fully offline. - [Querying dependencies](https://mondoo.com/docs/xgrep/dependencies/querying-dependencies): List, group, and trace a project's dependencies with xgrep deps — flat inventory, per-manifest tree, and go-mod-why-style usage. - [Scanning for vulnerabilities](https://mondoo.com/docs/xgrep/dependencies/scanning-for-vulnerabilities): xgrep scan combines SAST and SCA in one run — it builds an SBOM and matches your open-source dependencies against known CVEs via Mondoo Platform. ### IDE Integration - [Overview](https://mondoo.com/docs/xgrep/ide): Run xgrep inside your editor for real-time security diagnostics, quickfixes, and workspace scans — zero-config in VS Code, and over LSP everywhere else. - [VS Code](https://mondoo.com/docs/xgrep/ide/vscode): Install the Mondoo VS Code extension and get xgrep diagnostics with zero Language Server configuration. - [Other editors](https://mondoo.com/docs/xgrep/ide/editors): Connect Neovim, Vim, Helix, Emacs, Sublime Text, JetBrains, and any LSP-capable editor to xgrep's Language Server. ### Code Intelligence - [Overview](https://mondoo.com/docs/xgrep/code-intelligence): Navigate and understand codebases with xgrep — overview, search, go-to-definition, references, change-impact, and the code graph. - [Inspect](https://mondoo.com/docs/xgrep/code-intelligence/inspect): AST-powered code navigation — search symbols, go to definitions, find references, and assess change impact. - [Code graph](https://mondoo.com/docs/xgrep/code-intelligence/code-graph): Build and query xgrep's code graph — callers, callees, call paths, and inlined-source neighborhoods. ### Integrations - [Overview](https://mondoo.com/docs/xgrep/integrations): Plug xgrep into AI agents (MCP), CI pipelines (SARIF), and Mondoo Platform. - [MCP server](https://mondoo.com/docs/xgrep/integrations/mcp-server): Run xgrep as a Model Context Protocol server for AI agents — the full tool list, inputs, and how it differs from the CLI. - [CI](https://mondoo.com/docs/xgrep/integrations/ci): Run xgrep in CI and publish results to GitHub Code Scanning, GitLab SAST, or Azure DevOps. - [Mondoo Platform](https://mondoo.com/docs/xgrep/integrations/mondoo-platform): Publish xgrep code findings and dependency vulnerabilities to Mondoo Platform, where they attach to the scanned repository as an asset and join your security posture. ### AI Agents - [Overview](https://mondoo.com/docs/xgrep/ai-agents): Use xgrep as a security-scanning and code-intelligence backend for AI agents. - [Skills](https://mondoo.com/docs/xgrep/ai-agents/skills): Packaged AI-agent skills built on xgrep — inspect, rule creation, triage, and secure coding, for Claude Code or Codex. ## VS Code - [Mondoo Security for VS Code](https://mondoo.com/docs/vscode): Catch security issues in your code while you write it, and verify that the infrastructure you run is configured securely, without leaving VS Code. - [Getting started](https://mondoo.com/docs/vscode/getting-started): Install the Mondoo Security extension, see your first code findings within a minute, and run your first infrastructure check. - [Code security](https://mondoo.com/docs/vscode/security-scanning): Find, fix, and dismiss security issues in your code while you develop, so they never reach code review or production. - [Infrastructure security](https://mondoo.com/docs/vscode/infrastructure-security): Check systems, cloud accounts, containers, and clusters against security policies, and develop those policies with full IDE support. - [Bill of materials](https://mondoo.com/docs/vscode/bill-of-materials): Inventory what's inside your software, from source-code dependencies to the packages on a running asset to your AI models, without leaving VS Code. - [Settings reference](https://mondoo.com/docs/vscode/settings): Every Mondoo Security extension setting with its default value and scope.