2026

Mondoo 13.0 is out!

By Tim Smith, Dominik Richter


🥳 Mondoo 13.0 is out! cnspec is now your single tool for security and inventory, replacing the need for separate cnquery and cnspec binaries. This release also includes a ground-up rewrite of the Mondoo Kubernetes Operator, massive cloud resource expansion, hundreds of new security checks, and more!

cnspec: Your one-stop shop for security and inventory

The cnquery CLI experience has been folded into cnspec, giving you a single tool to both explore and secure your infrastructure. If you're used to running cnquery shell, you can now run cnspec shell instead, and you can run query packs directly from cnspec as well. All existing functionality from cnquery has been carried over - it's just fewer commands to remember. If you were using cnquery to run query packs, lint, or generate SBOMs, you can simply replace it with cnspec now and only use one command going forward.

For developers of resources and providers, however, we have added the new mql command. It serves as a tiny helper if you only need a shell or the ability to run MQL queries. If you're looking to contribute, you'll find all our providers and resources in the mql GitHub repository, just as they were in cnquery.

Running cnquery still works but will give you a friendly nudge to help retrain your muscle memory. It uses cnspec under the hood, so you can safely update your scripts and automation to use cnspec instead.

Take your network security to the next level

cnspec now supports Juniper Networks Junos devices, letting you scan and secure your network infrastructure alongside the rest of your fleet. An out-of-the-box Mondoo policy for Junos is included, so you can start assessing your network devices right away.

🧹 IMPROVEMENTS

Mondoo Kubernetes Operator 13.0 - ground-up rewrite for massive scalability

The Mondoo Kubernetes Operator has been completely rewritten from the ground up to deliver massive scalability improvements. Key changes include:

  • Direct cnspec execution: Kubernetes scanning now uses the plain cnspec container image directly instead of a custom scanner binary, simplifying the architecture and reducing maintenance overhead.
  • External cluster scanning: Scan remote Kubernetes clusters from a central operator installation, even when local cluster scanning is disabled. This enables hub-and-spoke deployment models for large fleet management.
  • Server-Side Apply (SSA): Resource reconciliation now uses Kubernetes Server-Side Apply for more reliable and conflict-free updates.
  • MondooOperatorConfig: New cluster-scoped configuration resource for proxy settings and private image registry support, making it easier to deploy in air-gapped and enterprise environments.
  • Multiple private registry secrets: Support for configuring multiple image pull secrets for environments with complex registry setups.
  • Image digest support: MondooAuditConfig now supports specifying container images by digest for stricter image verification.
  • Vault integration rewrite: VaultAuth has been rewritten to use operator-side vault-client-go, replacing the previous init container approach for cleaner secret injection.
  • GKE Autopilot compatibility: Added ephemeral storage limits for seamless operation on GKE Autopilot clusters.
  • OCI Helm charts: Helm charts are now published to OCI registries in addition to traditional chart repositories.
  • ECR authentication: Native support for authenticating to Amazon ECR for container image pulls.
  • Asset annotations: Support for adding custom annotations to scanned assets for better organization and filtering.
  • Improved job management: Completed scan jobs are cleaned up while preserving active scans during CronJob updates.
  • Cloud-native logging: Fixed logging severity levels for proper integration with GKE and cloud log explorers.

Massive cloud resource expansion

This release dramatically expands cloud resource coverage across AWS, Azure, and GCP providers:

  • AWS: 18+ new resource types covering Lambda, Route 53, Cognito, DocumentDB, Kinesis, Firehose, MemoryDB, EventBridge, Athena, Glue, Elastic Beanstalk, WorkSpaces, AppStream, Directory Service, Shield Advanced, Network Firewall, MSK, and MQ. Approximately 70 new fields on existing resources across 23 services, plus new typed resource fields for KMS keys, VPCs, and security groups.
  • Azure: 79 new fields across 17 resources, 26 security-relevant fields across 9 resources, 37 new fields on compute and storage resources, and Defender dict values converted into typed resources. Additional Azure resources are now scanned as their own platforms.
  • GCP: 10 additional resource types now discoverable as standalone assets. New resources for Firestore, Spanner, Bigtable, AlloyDB, Cloud Armor, SSL, Cloud NAT, CAS, Audit Config, Org Policy, Filestore, Cloud Tasks, Cloud Scheduler, App Engine, Cloud Deploy, Dataflow, Artifact Registry, custom IAM roles, instance groups, network firewall policies, health checks, URL maps, target proxies, and network peerings.

Over 100 new security checks

cnspec policies now include 106 new checks across AWS, Azure, and GCP security policies, plus:

  • 68 new security checks for AWS and Azure, securing all new cloud resources such as Lambda, Cognito, Kinesis, Network Firewall, and Shield Advanced
  • 28 new GCP checks including Cloud Armor, SSL, NAT, audit logging, org policies, and databases
  • 18 new checks for GitHub, GitLab, M365, and Google Workspace
  • 15 new GCP security checks for databases and network resources
  • Our existing Dockerfile policy has been split into separate security and best-practices policies so you can focus on what matters most, with new checks in each powered by the new Dockerfile capabilities in 13.0
  • Compliance mappings for NIST 800-171 and NIST 800-53 in Mondoo policies
  • Variant tags on checks for improved display

New OS resources

  • logrotate: Query logrotate configuration across your systems
  • nftables: Query nftables firewall rules
  • apache2: Query Apache HTTP Server configuration
  • mdadm: Query Linux software RAID arrays
  • ZFS: Query ZFS pools and datasets
  • sudoers: Extended to support all major OS paths
  • rsyslog: Extended to support additional operating systems

New cloud provider resources

  • OCI: New --profile and --config-file flags with fixed --region parsing
  • GitLab: New security resources and namespace resource with subscription plan info, updated to SDK v1.45.0
  • GitHub: Repository dependency graph SBOM resource and new security resources
  • M365: New microsoft.security.informationProtection.sensitivityLabels resource with 42 new fields across existing resources
  • Google Workspace: 22 new fields across existing resources

Improved Terraform resource querying

Terraform required_providers are now exposed as a typed resource list, making it easier to query and validate provider requirements in your infrastructure code.

Dockerfile resources

New resources for querying Dockerfile instructions:

  • docker.file.healthcheck - Query HEALTHCHECK instructions
  • docker.file.volume - Query VOLUME instructions
  • docker.file.shell - Query SHELL instructions
  • docker.file.workdir - Query WORKDIR instructions
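To show the kind of Dockerfile checks the split security and best-practices policies can now express over these four instructions, here is an added stand-alone example (not cnspec's code or its MQL resources): a small Dockerfile instruction parser with three illustrative checks, run over a constructed sample Dockerfile.

```python
import re

# Constructed sample Dockerfile for this example (not from the release notes).
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
# Fail pipelines fast instead of masking errors in earlier stages
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
WORKDIR /app
COPY . .
RUN pip install --no-cache-dir -r requirements.txt \\
    && rm -rf /root/.cache
VOLUME ["/app/data"]
HEALTHCHECK --interval=30s --timeout=3s CMD curl -f http://localhost:8080/health || exit 1
CMD ["python", "app.py"]
"""

TRACKED = ("HEALTHCHECK", "VOLUME", "SHELL", "WORKDIR")


def parse_instructions(text: str) -> list[tuple[str, str]]:
    """Return (INSTRUCTION, arguments) pairs; joins backslash continuations, skips comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment lines never end a continuation
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        full, buf = (buf + line).strip(), ""
        m = re.match(r"([A-Za-z]+)\s*(.*)", full)
        if m:
            out.append((m.group(1).upper(), m.group(2).strip()))
    return out


def collect(text: str) -> dict[str, list[str]]:
    """Group the arguments of the four instructions the new resources expose."""
    found: dict[str, list[str]] = {k: [] for k in TRACKED}
    for instr, args in parse_instructions(text):
        if instr in found:
            found[instr].append(args)
    return found


def findings(text: str) -> list[str]:
    """Illustrative checks; the real policy content is defined in cnspec policies."""
    inst, issues = collect(text), []
    if not inst["HEALTHCHECK"]:
        issues.append("no HEALTHCHECK: orchestrators cannot detect a wedged container")
    for wd in inst["WORKDIR"]:
        if not wd.startswith("/"):
            issues.append(f"relative WORKDIR {wd!r}: resolves against the previous WORKDIR")
    for sh in inst["SHELL"]:
        if "bash" in sh and "pipefail" not in sh:
            issues.append("SHELL uses bash without -o pipefail: failed pipeline stages are masked")
    return issues
```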

Extended lifecycle support detection

Mondoo now detects extended lifecycle support across multiple platforms:

  • Ubuntu Pro support detection
  • RHEL ELS (Extended Life Cycle Support) detection via repo files
  • Oracle ELS support detection
  • Windows 10 ESU detection
  • Windows 11 client hotpatch detection

Fetch policies from HTTPS URIs

cnspec can now fetch policy bundles directly from HTTPS URIs, making it easier to reference and use policies hosted on remote servers.

Scan exceptions in output

cnspec scan output now includes an Exceptions segment, giving you visibility into which checks have been excepted and why.

AWS performance optimizations

  • Lazy-loaded expensive Describe fields for WAF, Kinesis, and Athena resources
  • Reduced redundant API calls with optimized tag loading
  • Added pagination to ListClusters, ListNodegroups, ListAddons, and ListBackupVaults
  • Optimized API calls across KMS, SageMaker, ELB, IAM, and ECS

Other provider improvements

  • Network interface resources now include ipv4, ipv6, primaryIPv4, and primaryIPv6 fields
  • Improved where clause error messages for easier debugging
  • Platform detection for LEDE Linux and Wind River Linux
  • Graceful handling of unsupported Docker image manifest types
  • AWS EC2 image arn field deprecated in favor of standard ID fields
  • Intune device ID detection on Windows clients
  • Python package resource cleanup with new requiresPython and projectUrls fields
  • Nmap provider examples updated to use cnspec commands with new --port option
  • Provider version tracking per resource and field

🔨 BREAKING CHANGES

Removed deprecated MQL resources

This major release removes many previously deprecated MQL resources and fields. If you're using out-of-the-box Mondoo, CIS, or BSI policies, don't worry, as we've fully updated all content for the latest capabilities. If you're writing custom policies, you may need to make minor adjustments for compatibility with version 13.0 and later.

Admission controller removed from Kubernetes Operator

The admission controller has been removed from the operator. If you were using the admission controller for webhook-based scanning, you will need to adjust your workflow.

Azure MariaDB resources removed

Support for the sunset Azure MariaDB service has been removed. Since Microsoft has powered off all existing MariaDB instances, this change has no practical impact. Any custom policies referencing the removed Azure MariaDB resources should be updated.
