
mondoo scan

Scans assets with one or more policies


This command triggers a new policy scan for an asset. By default, the local system is scanned with its pre-configured policies:

$ mondoo scan

Users can also manually select a local policy to execute and run it without storing results in the server:

$ mondoo scan policyfile.yaml --incognito

In addition, mondoo can scan assets remotely via SSH. By default, the operating system's SSH agent and SSH config are used to retrieve the credentials:

$ mondoo scan -t ssh://ec2-user@
$ mondoo scan -t ssh://ec2-user@

You can also access docker images located in docker registries:

$ mondoo scan -t docker://ubuntu:latest
$ mondoo scan -t docker://elastic/elasticsearch:7.2.0
$ mondoo scan -t docker://
$ mondoo scan -t docker://

If docker is installed locally, containers and images can also be accessed via their id:

$ mondoo scan -t docker://docker-image-id
$ mondoo scan -t docker://docker-container-id

Mondoo supports scanning EC2 accounts and instances. It will use your AWS configuration and your local SSH configuration to determine the required username for each individual EC2 instance:

$ mondoo scan -t aws://profile/name/region/us-east-1
$ mondoo scan -t aws://region/us-east-1
$ mondoo scan -t aws://user/ec2-user
$ mondoo scan -t aws://profile/mondoo-inc/region/us-east-1/user/ec2-user

To scan your GCP project, you'll have to set up GCP credentials and configure SSH access to all instances:

$ mondoo scan -t gcp://project/projectid
$ mondoo scan -t gcp://project/projectid/user/ec2-user

For Azure Compute, you need to configure your Azure credentials and have SSH access to your instances:

$ mondoo scan -t az://subscriptions/subscriptionid/resourceGroups/groupname

Mondoo CLI allows you to quickly scan a container registry:

$ mondoo scan -t cr://registry
$ mondoo scan -t cr://registry/namespace/repository
$ mondoo scan -t cr://
$ mondoo scan -t cr://
$ mondoo scan -t cr://
$ mondoo scan -t cr://

GCR also allows scanning at the project level:

$ mondoo scan -t gcr://
$ mondoo scan -t gcr://

You can also leverage an inventory file:

$ mondoo scan --inventory inventory.yml

You can also leverage your existing ansible inventory:

$ ansible-inventory -i hosts.ini --list | mondoo scan --ansible-inventory

The scan subcommand returns the following exit codes:

* 0 - A+ rating of all scanned assets/policies
* 1 - error during execution
* 101 - A rating for any of scanned assets/policies
* 102 - A- rating for any of scanned assets/policies
* 110 - B+ rating for any of scanned assets/policies
* 111 - B rating for any of scanned assets/policies
* 112 - B- rating for any of scanned assets/policies
* 120 - C+ rating for any of scanned assets/policies
* 121 - C rating for any of scanned assets/policies
* 122 - C- rating for any of scanned assets/policies
* 130 - D+ rating for any of scanned assets/policies
* 131 - D rating for any of scanned assets/policies
* 132 - D- rating for any of scanned assets/policies
* 150 - F rating for any of scanned assets/policies
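
The exit codes above can drive a pipeline gate. The following is an added example, not part of the Mondoo documentation; the function names `rating_to_code` and `gate_scan_result` are hypothetical, and it assumes the scan runs without `--exit-0-on-success`. It treats exit code 1 (execution error) and any unlisted code as an error rather than a rating, so a scan that failed to run cannot pass the gate.

```shell
#!/bin/sh
# Added example: gate a pipeline on the exit code of `mondoo scan`.
# Exit-code values are taken from the list above; function names are hypothetical.

# Map a rating such as "B+" to the exit code the list above assigns to it.
rating_to_code() {
  case "$1" in
    A+) echo 0 ;;   A) echo 101 ;; A-) echo 102 ;;
    B+) echo 110 ;; B) echo 111 ;; B-) echo 112 ;;
    C+) echo 120 ;; C) echo 121 ;; C-) echo 122 ;;
    D+) echo 130 ;; D) echo 131 ;; D-) echo 132 ;;
    F)  echo 150 ;;
    *)  return 1 ;;  # not a rating from the list
  esac
}

# gate_scan_result EXIT_CODE MIN_RATING
# Prints "pass", "fail" or "error"; returns 0 only for "pass".
gate_scan_result() {
  rc=$1
  # An unknown minimum rating is a configuration error: fail closed.
  min=$(rating_to_code "$2") || { echo error; return 2; }
  case "$rc" in
    0|101|102|110|111|112|120|121|122|130|131|132|150) ;;
    # 1 is an execution error, not a rating. A plain numeric comparison
    # would rank it above "A", so it is rejected here together with any
    # code that is not in the list.
    *) echo error; return 2 ;;
  esac
  # In the list, a higher exit code means a lower rating.
  if [ "$rc" -le "$min" ]; then
    echo pass
    return 0
  fi
  echo fail
  return 1
}

# Usage in a pipeline step (assumes mondoo is installed and configured):
#   mondoo scan --no-pager
#   gate_scan_result $? B
```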

Pagination of results is enabled by default, but can be disabled with the --no-pager option.

    $ mondoo scan --no-pager

Custom pagination can also be configured with the --pager flag or the PAGER environment variable. If both are set, the flag takes precedence.

    $ mondoo scan --pager 'less -R'

Further documentation is available at

mondoo scan [flags]


      --ansible-inventory                set inventory format to Ansible
      --ask-pass                         ask for connection password
  -t, --connection string                The connection is the identifier for a way to reach the asset. Supported connections are 'local://', 'docker://' and 'ssh://'
      --discover string                  enables the discovery of nested assets. Supported are 'all|instances|host-instances|container|container-images'
      --discover-filter stringToString   additional filter for asset discovery (default [])
      --domainlist-inventory             set inventory format to domain list
      --exit-0-on-success                returns 0 as exit code if the scan execution was successful
  -h, --help                             help for scan
      --id-detector string               user-override for platform id detection mechanism
  -i, --identity-file string             Selects a file from which the identity (private key) for public key authentication is read
      --incognito                        Incognito mode will not store the result on the server
      --insecure                         disables TLS/SSL checks or SSH hostkey config
      --inventory string                 inventory file
      --label stringToString             label for asset (default [])
      --no-pager                         Deactivate interactive scan output pagination
      --option stringToString            additional connection options, multiple options can be passed in via --option key=value (default [])
  -o, --output string                    Output format. One of csv|json|junit|yaml
      --pager string                     Enable pagination with custom pagination command. Default is 'less -R' (default "less -R")
  -p, --password string                  password e.g. for ssh/winrm
      --path string                      path to a local file or directory that the connection should use
      --policy strings                   list of policies to be executed (requires incognito mode), multiple policies can be passed in via --policy POLICY
      --sudo                             runs with sudo

Options inherited from parent commands

      --config string      config file (default is $HOME/.config/mondoo/mondoo.yml)
      --log-level string   set log-level: error, warn, info, debug, trace (default "info")
  -v, --verbose            verbose output