mondoo scan

Scan assets with one or more policies

Synopsis

This command triggers a new policy scan for an asset. By default, the local system is scanned with its pre-configured policies:

$ mondoo scan local

Users can also manually select a local policy to execute and run it without storing results in the server:

$ mondoo scan local --policy-bundle policyfile.yaml --incognito

In addition, mondoo can scan assets remotely via ssh. By default, the operating system ssh agent and ssh config configuration is used to retrieve the credentials:

$ mondoo scan ssh ec2-user@52.51.185.215
$ mondoo scan ssh ec2-user@52.51.185.215:2222

Mondoo supports scanning AWS, Azure, and GCP accounts and instances. Find out more in each sub-commands help menu. Here are a few examples:

$ mondoo scan aws --region us-east-1
$ mondoo scan azure --subscription ID --group NAME
$ mondoo scan gcp --project ID

You can also access docker containers and images. This supports both local containers and images as well as images in docker registries:

$ mondoo scan docker container b62b276baab6
$ mondoo scan docker image ubuntu:latest

Additionally, you can quickly scan a container registry:

$ mondoo scan cr harbor.yourdomain.com
$ mondoo scan cr 123456789.dkr.ecr.us-east-1.amazonaws.com/repository

Mondoo also support GCP's container registry, GCR:

$ mondoo scan gcp gcr PROJECT_ID

Vagrant is supported as well:

$ mondoo scan vagrant HOST

You can also leverage an inventory file:

$ mondoo scan --inventory-file inventory.yml

You can also leverage your existing ansible inventory:

$ ansible-inventory -i hosts.ini --list | mondoo scan --inventory-ansible

Further documentation is available at https://mondoo.com/docs/

mondoo scan [flags]

Options

      --annotation stringToString        annotation for asset (default [])
      --ask-pass                         ask for connection password
  -t, --connection string                set the method used to connect to the asset. supported connections are 'local://', 'docker://' and 'ssh://'
      --detect-cicd                      tries to detect CI/CD environments and sets the asset category to 'cicd' if detected (default true)
      --discover string                  enable the discovery of nested assets. Supported are 'all|auto|instances|host-instances|host-machines|container|container-images|pods|cronjobs|statefulsets|deployments|jobs|replicasets|daemonsets' (default "auto")
      --discover-filter stringToString   additional filter for asset discovery (default [])
  -h, --help                             help for scan
      --id-detector string               user-override for platform id detection mechanism, supported are hostname, machine-id, aws-ec2, cloud-detect, ssh-host-key, transport-platform-id
  -i, --identity-file string             selects a file from which the identity (private key) for public key authentication is read
      --incognito                        incognito mode. do not report scan results to the Mondoo platform.
      --insecure                         disable TLS/SSL checks or SSH hostkey config
      --inventory-ansible                set inventory format to ansible
      --inventory-domainlist             set inventory format to domain list
      --inventory-file string            path to inventory file
      --no-pager                         disable interactive scan output pagination
      --option stringToString            addition connection options, multiple options can be passed in via --option key=value (default [])
  -o, --output string                    set output format: compact, summary, full, report, yaml, junit, json, csv (default "compact")
      --pager string                     enable scan output pagination with custom pagination command. default is 'less -R'
  -p, --password string                  password e.g. for ssh/winrm
      --path string                      path to a local file or directory that the connection should use
      --policy strings                   list of policies to be executed (requires incognito mode), multiple policies can be passed in via --policy POLICY
      --policy-bundle strings            path to local policy bundle file
      --score-threshold int              if any score falls below the threshold, exit 1
      --sudo                             run with sudo

Options inherited from parent commands

      --config string      config file (default is $HOME/.config/mondoo/mondoo.yml)
      --log-level string   set log-level: error, warn, info, debug, trace (default "info")
  -v, --verbose            verbose output

SEE ALSO

• mondoo - Mondoo CLI
• mondoo scan arista - Scan an Arista endpoint
• mondoo scan aws - Scan an AWS account or instance
• mondoo scan azure - Scan a Microsoft Azure account or instance
• mondoo scan container - Scan a container, an image, or a registry
• mondoo scan docker - Scan a Docker container or image
• mondoo scan gcp - Scan a Google Cloud Platform (GCP) account
• mondoo scan github - Scan a GitHub organization or repository
• mondoo scan gitlab - Scan a GitLab group
• mondoo scan host - Scan a host endpoint
• mondoo scan k8s - Scan a Kubernetes cluster
• mondoo scan local - Scan a local target
• mondoo scan mock - Scan a mock target (a simulated asset)
• mondoo scan ms365 - Scan a Microsoft 365 endpoint
• mondoo scan ssh - Scan a SSH target
• mondoo scan terraform - Scan all Terraform files in a path (.tf files)
• mondoo scan vagrant - Scan a Vagrant host
• mondoo scan vsphere - Scan a VMware vSphere API endpoint
• mondoo scan winrm - Scan a WinRM target