Skip to main content

Mondoo 11.6 is out!

Β· 4 min read
Tim Smith
Tim Smith
Mondoo Core Team

πŸ₯³ Mondoo 11.6 is out! This release includes AWS CloudFormation template scanning, Terraform plan discovery in GitHub, updated CIS content, and more!​

Get this release: Installation Docs | Package Downloads | Docker Container

πŸŽ‰ NEW FEATURES​

AWS CloudFormation and SAM template scanning​

Catch security issues before they reach production with scanning of JSON and YAML formatted CloudFormation templates and Serverless Application Model (SAM) templates.

cnquery shell cloudformation providers/cloudformation/testdata/cloudformation.yaml
β†’ loaded configuration from /Users/chris/.config/mondoo/mondoo.yml using source default
β†’ connected to AWS CloudFormation
  ___ _ __   __ _ _   _  ___ _ __ _   _
 / __| '_ \ / _` | | | |/ _ \ '__| | | |
| (__| | | | (_| | |_| |  __/ |  | |_| |
 \___|_| |_|\__, |\__,_|\___|_|   \__, |
  mondooβ„’      |_|                |___/  interactive shell

cnquery> asset { name platform }
asset: {
  platform: "cloudformation"
  name: "CloudFormation Static Analysis cloudformation"
}

cnquery> cloudformation.template { * }
cloudformation.template: {
  mappings: {
    RegionMap: {
      ap-northeast-1: {
        AMI: "ami-06cd52961ce9f0d85"
      }
      ap-southeast-1: {
        AMI: "ami-08569b978cc4dfa10"
      }
      ap-southeast-2: {
        AMI: "ami-09b42976632b27e9b"
      }
      eu-west-1: {
        AMI: "ami-047bb4163c506cd98"
      }
      sa-east-1: {
        AMI: "ami-07b14488da8ea02a0"
      }
      us-east-1: {
        AMI: "ami-0ff8a91507f77f867"
      }
      us-west-1: {
        AMI: "ami-0bdb828fd58c52235"
      }
      us-west-2: {
        AMI: "ami-a0cfeed8"
      }
    }
  }
  parameters: {
    EnvType: {
      AllowedValues: [
        0: "prod"
        1: "dev"
        2: "test"
      ]
      ConstraintDescription: "must specify prod, dev, or test."
      Default: "test"
      Description: "Environment type."
      Type: "String"
    }
  }
  resources: [
    0: cloudformation.resource name="EC2Instance"
    1: cloudformation.resource name="MountPoint"
    2: cloudformation.resource name="NewVolume"
  ]
  globals: {}
  metadata: {}
  conditions: {
    CreateDevResources: {
      Fn::Equals: [
        0: {
          Ref: "EnvType"
        }
        1: "dev"
      ]
    }
    CreateProdResources: {
      Fn::Equals: [
        0: {
          Ref: "EnvType"
        }
        1: "prod"
      ]
    }
  }
  description: ""
  types: [
    0: "AWS::EC2::Instance"
    1: "AWS::EC2::VolumeAttachment"
    2: "AWS::EC2::Volume"
  ]
  transform: null
  outputs: []
  version: "2010-09-09"
}

Stay tuned for expanded CloudFormation support in Mondoo including detection of templates in GitHub and GitLab repositories and out-of-the-box security policy support.

Discover Terraform plans in GitHub repositories​

Not sure where your IaC code lives? With automatic Terraform plan file discovery in GitHub repositories, it doesn't matter. Scan your entire organization and let Mondoo do the heavy lifting: It automatically finds and scans each file.

cnspec scan github organization MY_ORG --discover repository,terraform

🧹 IMPROVEMENTS​

Updated CIS Benchmark policies​

Secure your infrastructure with the latest CIS guidelines including new checks, improved remediation steps, and more reliable queries:

  • CIS Amazon EKS Benchmark v1.5.0
  • CIS Microsoft 365 Foundations Benchmark v3.1.0

Alpine Linux 3.20 support​

Keep your container applications secure with EOL and CVE detection support for Alpine Linux 3.20

Fedora 41 CVE detection support​

The Fedora 41 development process is just getting started. But if you're on the bleeding edge, Mondoo is ready with EOL and CVE detection support for this upcoming Fedora release.

Improved Arista EOS support​

It's time to dust off your old Network+ certification and get busy with improved Arista support in Mondoo:

  • Find your devices quickly with grouping under "Network Devices" in the inventory list page
  • Understand what you're looking at with FQDN and model number information on the asset overview
  • Explore system configuration with improved resource default values in cnquery shell

New resource: aws.sqs.queues​

We added a resource for Amazon Simple Queue Service (SQS) queues

πŸ› BUG FIXES AND UPDATES​

  • Prevent the tls.ciphers resource from hanging if the server returns a Hello Retry Request.
  • Improve reliability of TLS scans by using a secp256r1 curve in the hello, which some servers require.
  • Scan all images in Amazon ECR registries, not just those with tags.
  • Improve rendering of CVEs with short descriptions.
  • Don't show the "Copy Table" button on the Asset Software tab when there is no table shown.
  • Ensure HTTP Security policy does not apply to non-host systems that include a TLS certificate.
  • Fix incorrect CVE pagination on assets.
  • Fix display of remote code exploitation risk badges.
  • Improve risk factor names for clarity.
  • Fix display of tool tips in light mode.
  • Fix sorting of CVEs and advisories on the Assets pages.
  • Improve reliability and memory usage in the Ensure local interactive user dot files access is configured gen CIS Linux policy check.
  • Fix WinRM positives in CIS Windows 2019/2022 WinRM checks.
  • Ensure all items in the asset insights heading are clickable.
  • Fix incorrect breadcrumbs on some pages.
  • Make invitations case insensitive.
  • Fix a false positive CVE detection for Python packages on Fedora.
  • Fix missing vulnerable software on the asset software tabs.
  • Update to the latest Oracle Linux and Linux Mint EOL dates.