Skip to main content

Scan From Your Workstation

Mondoo's security assessment CLI, cnspec, makes it easy to secure your Kubernetes cluster and all running workloads.


To ensure the maximum security, we recommend scanning container images before they are deployed into production, such as within a CI/CD pipelines or within a container registry. To learn more, read the Mondoo CI/CD Overview.


To scan a Kubernetes cluster with Mondoo's cnspec CLI, you must install and set up kubectl to communicate with your cluster. Make sure you can see your pods:

kubectl get pods
luna-frontend-7fb96c846b-jjnhz 1/1 Running 0 30d
luna-frontend-7fb96c846b-tmg95 1/1 Running 0 30d
luna-frontend-7fb96c846b-xrl6c 1/1 Running 0 30d
postgresql-5bb9d69b96-d9zzg 1/1 Running 0 30d


Mondoo leverages the configuration from kubectl. No additional configuration is required. To scan all namespaces, run:

cnspec scan k8s

Scanning container images in pods

To optionally scan container images defined in Kubernetes pods run:

cnspec scan k8s --discover container-images

Scanning specific namespaces

By default Mondoo will scan all Kubernetes namespace. To target a specific namespace use the --namespace flag:

cnspec scan k8s --namespace EXAMPLE_NAMESPACE