2026

Mondoo 13.0 is out!

By Tim Smith, Dominik Richter


🥳 Mondoo 13.0 is out! cnspec is now your single tool for security and inventory, replacing the need for separate cnquery and cnspec binaries. This release also includes a ground-up rewrite of the Mondoo Kubernetes Operator, massive cloud resource expansion, over 100 new security checks, and more!


cnspec 13: Your one-stop shop for security and inventory

The cnquery CLI experience has been folded into cnspec, giving you a single tool to both explore and secure your infrastructure. If you're used to running cnquery shell, you can now run cnspec shell instead, and you can run query packs directly from cnspec as well. All existing functionality from cnquery has been carried over - it's just fewer commands to remember. If you were using cnquery to run query packs, lint, or generate SBOMs, you can simply replace it with cnspec now and only use one command going forward.

For developers of resources and providers, however, we have added the new mql command. It serves as a tiny helper if you only need a shell or the ability to run MQL queries. If you're looking to contribute, you'll find all our providers and resources in the mql GitHub repository just as they were in cnquery.

Running cnquery still works but will give you a friendly nudge to help retrain your muscle memory. It uses cnspec under the hood, so you can safely update your scripts and automation to use cnspec instead.

Mondoo Kubernetes Operator 13: ground-up rewrite for massive scalability

The Mondoo Kubernetes Operator has been completely rewritten from the ground up to deliver massive scalability improvements and improved container scanning. Key changes include:

  • Direct cnspec execution: Kubernetes scanning now uses the plain cnspec container image directly instead of a custom scanner binary, simplifying the architecture.
  • External cluster scanning: Scan remote Kubernetes clusters from a central operator installation, even when local cluster scanning is disabled. This enables hub-and-spoke deployment models for large fleet management.
  • Server-Side Apply (SSA): Resource reconciliation now uses Kubernetes Server-Side Apply for more reliable and conflict-free updates.
  • Air-gapped deployment support: Use the MondooOperatorConfig cluster-scoped configuration resource for proxy settings and private image registry support, making it easier to deploy in air-gapped and enterprise environments.
  • Multiple private registry secrets: Support for configuring multiple image pull secrets for environments with complex registry setups.
  • Image digest support: MondooAuditConfig now supports specifying container images by digest for stricter image verification.
  • Vault integration rewrite: VaultAuth has been rewritten to use operator-side vault-client-go, replacing the previous init container approach for cleaner secret injection.
  • GKE Autopilot compatibility: Added ephemeral storage limits for seamless operation on GKE Autopilot clusters.
  • OCI Helm charts: Helm charts are now published to OCI registries in addition to traditional chart repositories.
  • ECR authentication: Native support for authenticating to Amazon ECR for container image pulls.
  • Asset annotations: Support for adding custom annotations to scanned assets for better organization and filtering.
  • Cloud-native logging: Fixed logging severity levels for proper integration with GKE and cloud log explorers.

🧹 IMPROVEMENTS

Take your network security to the next level

cnspec now supports Juniper Networks Junos devices, letting you scan and secure your network infrastructure alongside the rest of your fleet. An out-of-the-box Mondoo policy for Junos is included, so you can start assessing your network devices right away.

Expanded Dockerfile capabilities

Secure containers before they're built with expanded Dockerfile security capabilities:

  • docker.file.healthcheck - Query HEALTHCHECK instructions
  • docker.file.volume - Query VOLUME instructions
  • docker.file.shell - Query SHELL instructions
  • docker.file.workdir - Query WORKDIR instructions

Massive cloud and SaaS resource expansion

This release dramatically expands cloud resource coverage across AWS, Azure, and GCP providers:

  • AWS: 18+ new resource types covering Lambda, Route 53, Cognito, DocumentDB, Kinesis, Firehose, MemoryDB, EventBridge, Athena, Glue, Elastic Beanstalk, WorkSpaces, AppStream, Directory Service, Shield Advanced, Network Firewall, MSK, and MQ. Approximately 70 new fields on existing resources across 23 services, plus new typed resource fields for KMS keys, VPCs, and security groups.
  • Azure: 79 new fields across 17 resources, 26 security-relevant fields across 9 resources, 37 new fields on compute and storage resources, and Defender dict values converted into typed resources. Additional Azure resources are now scanned as their own platforms.
  • GCP: 10 additional resource types now discoverable as standalone assets. New resources for Firestore, Spanner, Bigtable, AlloyDB, Cloud Armor, SSL, Cloud NAT, CAS, Audit Config, Org Policy, Filestore, Cloud Tasks, Cloud Scheduler, App Engine, Cloud Deploy, Dataflow, Artifact Registry, custom IAM roles, instance groups, network firewall policies, health checks, URL maps, target proxies, and network peerings.
  • GitHub: Repository dependency graph SBOM resource and new security resources.
  • GitLab: New security resources and namespace resource with subscription plan info.
  • Google Workspace: 22 new fields across existing resources.

Expanded out-of-the-box security policies

Out-of-the-box Mondoo policies now include over 100 new checks:

  • 68 new security checks for AWS and Azure, securing new cloud resources such as Lambda, Cognito, Kinesis, Network Firewall, and Shield Advanced
  • 43 new GCP checks covering Cloud Armor, SSL, NAT, audit logging, org policies, databases, and network resources
  • 18 new checks for GitHub, GitLab, M365, and Google Workspace
  • Dockerfile policy split into separate security and best practices policies, with new checks in each powered by new Dockerfile capabilities in 13.0
  • Compliance mappings for NIST 800-171 and NIST 800-53

New OS resources

Simplify your custom policies with new OS resources for easy querying of key system resources:

  • logrotate: Query logrotate configuration across your systems
  • nftables: Query nftables firewall rules
  • apache2: Query Apache HTTP Server configuration
  • mdadm: Query Linux software RAID arrays
  • ZFS: Query ZFS pools and datasets
  • sudoers: Extended to support all major OS paths
  • rsyslog: Extended to support additional operating systems

Extended lifecycle support detection

Mondoo now detects vendor extended lifecycle support across multiple platforms:

  • Ubuntu Pro support detection
  • RHEL ELS (Extended Life Cycle Support) detection via repo files
  • Oracle ELS support detection
  • Windows 10 ESU detection
  • Windows 11 client hotpatch detection

Fetch policies from HTTPS URIs

cnspec can now fetch policy bundles directly from HTTPS URIs, making it easier to reference and use policies hosted on remote servers:

    cnspec scan --policy-bundle https://example.com/policy.mql.yaml
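
Because a bundle fetched over HTTPS is remote code for your scanner, it is worth pinning it to a known digest before handing it to cnspec. The wrapper below is an added example, not part of the release notes or the cnspec project; the function names (sha256_of, verify_bundle, fetch_and_scan), the placeholder URL and digest, and the assumption that --policy-bundle also accepts a local file path are all ours.

```shell
#!/bin/sh
# Added example: download a policy bundle, pin it to a SHA-256 recorded when
# the bundle was reviewed, and only then run cnspec against the local copy.
# Assumes curl, cnspec and sha256sum (or shasum) are on PATH.

set -eu

# Print the lowercase hex SHA-256 of a file with whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only when the file's digest equals the expected digest
# (case-insensitive, so a pin copied in uppercase still matches).
verify_bundle() {
    file="$1"
    expected="$(printf '%s' "$2" | tr 'A-F' 'a-f')"
    actual="$(sha256_of "$file")"
    [ "$actual" = "$expected" ]
}

# Fetch the bundle, verify it, then scan with the verified local file.
# Extra arguments are passed through to cnspec scan (targets, output flags).
fetch_and_scan() {
    url="$1"
    expected="$2"
    shift 2
    tmp="$(mktemp)"
    trap 'rm -f "$tmp"' EXIT
    # --fail makes an HTTP error exit non-zero instead of saving an error page.
    curl --fail --silent --show-error --location "$url" -o "$tmp"
    if ! verify_bundle "$tmp" "$expected"; then
        echo "refusing to scan: $url does not match pinned SHA-256 $expected" >&2
        return 1
    fi
    cnspec scan --policy-bundle "$tmp" "$@"
}

# Placeholder values: replace the URL and digest with the bundle you reviewed.
# fetch_and_scan https://example.com/policy.mql.yaml <pinned-sha256-here>
```

If the pinned digest no longer matches, the script refuses to scan rather than silently running whatever the server now serves, so a changed bundle shows up as a failed job instead of a quiet policy change.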

Scan exceptions in output

cnspec scan output now includes an Exceptions segment, giving you visibility into which checks have been excepted and why.

Other provider improvements

  • Improved performance when scanning AWS
  • Network interface resources now include ipv4, ipv6, primaryIPv4, and primaryIPv6 fields
  • Improved where clause error messages for easier debugging
  • Platform detection for LEDE Linux and Wind River Linux
  • Improved handling of unsupported Docker image manifest types
  • Intune device ID detection on Windows clients
  • Python package resource cleanup with new requiresPython and projectUrls fields

🔨 BREAKING CHANGES

Removed deprecated MQL resources

This major release removes many previously deprecated MQL resources and fields. If you're using out-of-the-box Mondoo, CIS, or BSI policies, don't worry, as we've fully updated all content for the latest capabilities. If you're writing custom policies, you may need to make minor adjustments for compatibility with version 13.0 and later.

Admission controller removed from Kubernetes Operator

The admission controller has been removed from the operator. If you were using the admission controller for webhook-based scanning, you will need to adjust your workflow.

Azure MariaDB resources removed

Support for the sunset Azure MariaDB service has been removed. Since Microsoft has powered off all existing MariaDB instances, there is no actual impact from this change. Any custom policies referencing the removed Azure MariaDB resources should be updated.
