
Integrate Mondoo with CI/CD Platforms

Mondoo integrates with major CI/CD platforms to shift security out of production and into the development and testing phases of the software development life cycle (SDLC). This shift prevents insecure changes from making it to test environments and keeps security findings from holding up production deployments.

With Mondoo security scanning in CI/CD systems, you can:

Supported platforms

Mondoo supports these CI/CD platforms:

General CI/CD setup

Whether you want to scan Kubernetes manifests, container images, or deployed VMs, the setup follows the same basic pattern:

  1. Install cnspec or use the Mondoo Docker image.

  2. Store Mondoo credentials securely in your CI system.

  3. Run cnspec to scan systems or repository files.

Exit code handling

Exit codes allow CI systems to properly raise failure conditions to users. Mondoo has several methods of controlling how and when a scan causes a CI system to fail a job.

Pass on successful scan

By default, cnspec scan returns these exit codes:

  • 0 indicates a successful scan with no critical policy failures.

  • 1 indicates that the scan found critical policy failures.

Instead of blocking the pipeline on policy failures, you can make the build pass whenever the scan itself completes by adding the --score-threshold 0 flag.

cnspec scan docker a3592cc01fdf --score-threshold 0

Store Mondoo credentials

Mondoo uses a private key to encrypt all communication with the Mondoo API. Because CI/CD systems do not allow persistent configuration on build nodes, the configuration must be passed into the CI/CD job.

All CI/CD environments have a way to store environment variables. Some provide extra capabilities to store secrets, which we recommend. Set an environment variable with the content of the agent credentials file.

The JSON configuration file includes the agent's private key and certificate in PEM format. PEM requires literal newlines, and some CI/CD systems rewrite or strip newlines in stored variables, so cnspec fails to read the credentials. To prevent this, base64-encode the credentials data before storing it. Mondoo automatically base64-encodes credentials generated for CI integrations to avoid these errors.
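The following is an added example, not a script from the Mondoo documentation or the cnspec project. It ties together the two points above: it restores base64-encoded credentials from a CI secret variable so the PEM newlines survive, and it maps the documented cnspec exit codes (0 and 1, with --score-threshold 0 to stop policy failures from blocking) onto a job verdict. The secret variable name MONDOO_CONFIG_BASE64, the --config option used to hand the decoded file to cnspec, and the SCANNER override (which lets a stand-in command replace cnspec for offline testing) are assumptions of this example, not values taken from the page.

```shell
#!/bin/sh
# Added example (not Mondoo's own code). Generic CI job helpers for cnspec.
# Assumptions: MONDOO_CONFIG_BASE64 is the CI secret holding the base64 text,
# the decoded file is passed to cnspec with --config, and SCANNER may point at
# a stand-in binary when cnspec is not installed (used for offline testing).

# Encode a credentials file as one base64 line. The output contains only
# [A-Za-z0-9+/=] and no newlines, so any CI secret store keeps it verbatim.
encode_credentials() {
  base64 < "$1" | tr -d '\n'
}

# Decode the secret value into a file readable only by the job user.
# Returns 1 when the value is empty or is not valid base64.
decode_credentials() {
  value=$1
  out=$2
  [ -n "$value" ] || { echo "credentials secret is empty" >&2; return 1; }
  printf '%s' "$value" | base64 --decode > "$out" 2>/dev/null || {
    echo "credentials secret is not valid base64" >&2; rm -f "$out"; return 1; }
  chmod 600 "$out"
}

# Map a cnspec exit code to a verdict. The documented codes are 0 (no critical
# policy failures) and 1 (critical policy failures); anything else is treated
# as a tool or infrastructure error so it is never mistaken for a clean scan.
scan_verdict() {
  case "$1" in
    0) echo "pass" ;;
    1) echo "policy-failure" ;;
    *) echo "error" ;;
  esac
}

# Run the scan and return cnspec's exit code as the job's exit code.
# mode=block  : policy failures (exit 1) fail the job.
# mode=report : appends --score-threshold 0, so cnspec exits 0 as long as the
#               scan itself completed and findings are only reported.
# Usage: ci_scan_job <credentials-file> <block|report> <cnspec scan args...>
ci_scan_job() {
  creds=$1; mode=$2; shift 2
  scanner=${SCANNER:-cnspec}
  if [ "$mode" = "report" ]; then
    set -- "$@" --score-threshold 0
  fi
  # Capture the exit code inside an if so a caller's set -e cannot abort here.
  if "$scanner" scan "$@" --config "$creds"; then rc=0; else rc=$?; fi
  echo "scan verdict: $(scan_verdict "$rc") (exit $rc)"
  return "$rc"
}

# Typical job body (not executed here):
#   decode_credentials "$MONDOO_CONFIG_BASE64" "$HOME/mondoo.json"
#   ci_scan_job "$HOME/mondoo.json" block docker a3592cc01fdf
```

Encode the credentials once on a workstation (encode_credentials mondoo.json) and paste the single line into the CI secret store; the job then only needs decode_credentials and ci_scan_job. Keeping the verdict mapping in one function means a crash of the scanner (any exit code other than 0 or 1) fails the job in both modes, which is the behaviour a pipeline should have.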