
Mondoo 11.7 is out!

· 6 min read
Mondoo Core Team

🥳 Mondoo 11.7 is out! This release includes Ansible playbook scanning, Shodan host security querying, updated policies, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


Ansible playbook scanning

Query and secure your Ansible playbooks with cnquery and cnspec using our new ansible provider.

cnquery shell ansible my_playbook.yml
→ connected to Ansible Playbook
  ___ _ __   __ _ _   _  ___ _ __ _   _
 / __| '_ \ / _` | | | |/ _ \ '__| | | |
| (__| | | | (_| | |_| |  __/ |  | |_| |
 \___|_| |_|\__, |\__,_|\___|_|   \__, |
  mondoo™      |_|                |___/  interactive shell

cnquery> ansible.plays { tasks }
ansible.plays: [
0: {
tasks: [
0: ansible.task name="ensure apache is at the latest version"
1: ansible.task name="write the apache config file"
2: ansible.task name="ensure apache is running"

With this provider, you can create custom security policies to enforce your organizational standards in CI jobs:

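policies:
  - uid: ansible-best-practices
    name: Ansible Best Practices
    version: 1.0.0
    authors:
      - name: Mondoo, Inc
    groups:
      # Apply this group only to assets scanned with the ansible provider
      - filters:
          - mql: asset.platform == "ansible"
        checks:
          - uid: mondoo-ansible-block-error-handling
queries:
  # Passes only when no task in any play has an empty block
  - uid: mondoo-ansible-block-error-handling
    title: Ensure Tasks are wrapped in block error handling
    mql: ansible.plays.all(tasks.none(block == empty))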
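
To see what the check `ansible.plays.all(tasks.none(block == empty))` accepts and rejects, here is a constructed playbook with one failing and one passing play. It is an added example, not from the Mondoo release notes, and it assumes the provider evaluates only top-level tasks and fills `block` from the `block:` keyword; the host group and template path are hypothetical.

```yaml
# Constructed sample playbook (added example, not Mondoo's own).
# Play 1: tasks are bare, so every task has an empty block and
# ansible.plays.all(tasks.none(block == empty)) is false for the file.
- name: update web servers (fails the check)
  hosts: webservers            # hypothetical inventory group
  become: true
  tasks:
    - name: ensure apache is at the latest version
      ansible.builtin.yum:
        name: httpd
        state: latest
    - name: write the apache config file
      ansible.builtin.template:
        src: httpd.conf.j2     # hypothetical template path
        dest: /etc/httpd/conf/httpd.conf
    - name: ensure apache is running
      ansible.builtin.service:
        name: httpd
        state: started

# Play 2: the same work wrapped in a single block, so the only
# top-level task has a non-empty block and the play passes.
- name: update web servers (passes the check)
  hosts: webservers
  become: true
  tasks:
    - name: apache update with error handling
      block:
        - name: ensure apache is at the latest version
          ansible.builtin.yum:
            name: httpd
            state: latest
        - name: write the apache config file
          ansible.builtin.template:
            src: httpd.conf.j2
            dest: /etc/httpd/conf/httpd.conf
      rescue:
        - name: report the failed update and stop the play
          ansible.builtin.fail:
            msg: "apache update failed on {{ inventory_hostname }}"
      always:
        - name: ensure apache is running
          ansible.builtin.service:
            name: httpd
            state: started
```

As written, the check only requires that each task has a non-empty block; a block with no `rescue` section still passes, so review error handling separately if your standard requires it.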

Shodan search engine querying

Query domain and IP security information in the Shodan search engine with the new shodan provider in cnquery and cnspec.

cnquery shell shodan

For authentication, use the SHODAN_TOKEN environment variable.

export SHODAN_TOKEN="<token>"

Example queries

Query the base information for a host by IP address:

cnquery> shodan.host("") { * }
shodan.host: {
tags: []
hostnames: [
0: ""
org: "Google LLC"
asn: "AS15169"
ip: ""
isp: "Google LLC"
vulnerabilities: null
os: null
ports: [
0: 443
1: 53

Query the hostname for an IP address:

cnquery> shodan.host("").hostnames
shodan.host.hostnames: [
0: ""

Display all open ports for a host:

cnquery> shodan.host("").ports
shodan.host.ports: [
0: 443
1: 53

Query the DNS information for a domain:

cnquery> shodan.domain("") { * }
shodan.domain: {
name: ""
nsrecords: [
0: shodan.nsrecord domain="" subdomain="" type="A"
1: shodan.nsrecord domain="" subdomain="" type="AAAA"
2: shodan.nsrecord domain="" subdomain="" type="MX"
3: shodan.nsrecord domain="" subdomain="" type="NS"
4: shodan.nsrecord domain="" subdomain="" type="NS"
5: shodan.nsrecord domain="" subdomain="" type="SOA"
6: shodan.nsrecord domain="" subdomain="" type="TXT"
7: shodan.nsrecord domain="" subdomain="" type="TXT"
8: shodan.nsrecord domain="" subdomain="www" type="A"
9: shodan.nsrecord domain="" subdomain="www" type="AAAA"
10: shodan.nsrecord domain="" subdomain="www" type="TXT"
11: shodan.nsrecord domain="" subdomain="www" type="TXT"
tags: [
0: "ipv6"
1: "spf"
subdomains: [
0: "www"

Query the DNS NS records for a domain:

cnquery> shodan.domain("").nsrecords.where(type == "NS") { subdomain type value }
shodan.domain.nsrecords.where: [
0: {
type: "NS"
subdomain: ""
value: ""
1: {
type: "NS"
subdomain: ""
value: ""

Query the DNS AAAA records for the "www" subdomain:

cnquery> shodan.domain("").nsrecords.where(type == "AAAA").where(subdomain == "www") { subdomain type value }
shodan.domain.nsrecords.where.where: [
0: {
subdomain: "www"
value: "2606:2800:21f:cb07:6820:80da:af6b:8b2c"
type: "AAAA"

Discovery and querying options

Discover all exposed hosts on a network:

cnquery shell shodan --networks "" --discover hosts

Connect to a specific IP address and display all open ports:

cnquery shell shodan host

Connect to a domain and display subdomains:

cnquery shell shodan domain

Discover Kubernetes manifests in GitHub and GitLab

Extend your discovery of IaC assets in your GitHub and GitLab repositories or projects to include Kubernetes manifests: With one command, Mondoo tracks down all your manifest files, no matter where they're hiding.

cnquery scan gitlab --group mondoolabs --discover k8s-manifests
cnspec scan github organization MY_ORG --discover k8s-manifests

Directly scan and query SBOM files

cnquery now lets you directly query SBOM file content as if the files were real running assets:

cnquery shell sbom cyclonedx_file.json

To inspect SBOM content from Docker Hub:

docker buildx imagetools inspect mondoo/client --format "{{json .SBOM }}" | jq '."linux/amd64"."SPDX"' | cnquery shell sbom -


CIS Google Cloud Foundations 3.0

Secure your Google Cloud infrastructure with the latest recommendations from the Center for Internet Security (CIS). This updated policy includes new checks as well as updated audit and remediation steps to match the latest Google Cloud console experience.

Expanded FreeBSD end of life information

Plan your FreeBSD upgrades with expanded EOL detection for FreeBSD 13.2 and 14.0.

Resource updates


  • New nodeGroups field exposing a new aws.eks.nodegroup resource


  • New targetGroups field exposing a new aws.elb.targetgroup resource


  • New networkInterfaces field exposing a new aws.ec2.networkinterface field


  • New subnet field


  • New resource for inspecting GKE Binary Authorization configuration


  • New sslMode field
  • New enablePrivatePathForGoogleCloudServices field


  • New permissionGrantPoliciesAssigned field under defaultUserRolePermissions


  • Deprecated in favor of windows.serverFeature, which better describes this as a server-only resource


  • New resource to check for optional Windows features on desktop Windows releases


  • Improve the output of many complex MQL queries in console check results.
  • Discover all resources when scanning Kubernetes manifests
  • Fix incorrect asset names when scanning Kubernetes manifests without namespaces
  • Improve wording in the weekly space summary emails.
  • Improve wording and fix a documentation link in the Jira integration setup page.
  • Fix an error querying the gcp.project.gke.cluster.networkPolicy resource.
  • Fix connection not found errors when scanning some asset types.
  • Improve wording in cnquery and cnspec help.
  • Prevent some operating system scans from showing up as "other" operating systems in the console.
  • Don't fail discovery when a single VMware ESXi host cannot be reached.
  • Remove non-functional sorting by risk factors in tables.
  • Add a "Type" column in search results when filtering by "All" so it's more clear if entries are assets, checks, or CVEs.
  • Fix missing "Space" column information in search when searching at the organization level.
  • Add the "Ensure user consent to apps accessing company data on their behalf is not allowed" check to the CIS Microsoft 365 Foundations Benchmark policy.