Skip to main content

Mondoo 12.0 is out!

ยท 4 min read
Tim Smith
Tim Smith
Mondoo Core Team

๐Ÿฅณ Mondoo 12.0 is out! This release includes simplified command line output, improved cloud asset discovery and more!โ€‹

Get this release: Installation Docs | Package Downloads | Docker Container

๐Ÿงน IMPROVEMENTSโ€‹

Cloud resource discovery by defaultโ€‹

Gain deeper visibility and control over your cloud environments with enhanced resource discovery by default. Command line scans now automatically enumerate individual cloud resources, matching the comprehensive asset discovery previously exclusive to platform integrations. Instead of seeing a single asset for your cloud account, you now get detailed insights into each resource, making it easier to pinpoint issues, create precise exceptions, and accelerate remediation with clearer query results.

For those running in GCP, weโ€™ve also added five new platforms to make scan results easier to view and remediate:

  • gcp-sql-mysql
  • gcp-sql-postgresql
  • gcp-sql-sqlserver
  • gcp-dns-zone
  • gcp-kms-keyring

Simplified command line outputโ€‹

Focus on what matters with simpler command line output by default. cnspec now skips data queries and compliance framework results by default so you can focus on vulnerabilities and misconfigurations. Output now also uses the same 0-100 scoring threshold displayed in the console, so results match no matter where you view your scans.

Improved Terraform resource queryingโ€‹

This update streamlines how you query Terraform resources, making it easier to access the data you need. Instead of complex filtering, you can now directly reference resources by type or name, reducing query complexity and improving readability.

For example with this simple HCL file:

resource "aws_instance" "example-1" {
  ami           = "ami-a1b2c3d4"
  instance_type = "t2.micro"
}

resource "aws_instance" "example-2" {
  ami           = "ami-a1b2c3d4"
  instance_type = "t2.micro"
}

You can now find the right resources with simpler one line queries:

# return all the "aws_instance" resources:
terraform.resources("aws_instance")

# return a specific resource by name:
terraform.resources("aws_instance", "example-1")

# return resources via a regular expression:
terraform.resources(/aws_/)

# return resources by type and name with a combination of strings and regular expressions:
terraform.resources("aws_instance", /example-[0-9]+/)

Network discovery providerโ€‹

Automatically discover and scan all your subdomains with the new networkdiscovery provider for cnspec.

$ cnspec scan networkdiscovery example.com --discover subdomains
โ†’ using service account credentials
โ†’ discover related assets for 1 asset(s)

 apple.example.com         โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” 100% score: LOW
 banana.example.com        โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” 100% score: LOW
 celery.example.com        โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” 100% score: LOW
 durian.example.com        โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” 100% score: LOW
 eggplant.example.com      โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” 100% score: LOW
 fuji.example.com          โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” 100% score: LOW
 grapes.example.com        โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” 100% score: LOW
 honeydew.example.com      โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ”โ” 100% score: LOW
... 22699 more assets ...

 8/22712 scanned           โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€   0%


...

๐Ÿ”จ BREAKING CHANGESโ€‹

We've taken the opportunity in this major release to remove many deprecated MQL resources and fields. If you're using out of the box Mondoo, CSI, or BSI policies don't worry as we've fully updated all content for the latest capabilities. If you're writing your own custom policies you may need to make minor adjustments for compatibility with version 12.0 and later.

  • aws.account.id now returns only account number instead of aws.account/1234
  • aws.elasticache.clusters replaced with aws.elasticache.cacheClusters
  • aws.guardduty.detector.unarchivedFindings replaced with aws.guardduty.detector.findings
  • aws.iam.group.createDate replaced with aws.iam.group.createdAt
  • aws.iam.instanceProfile.createDate replaced with aws.iam.instanceProfile.createdAt
  • aws.iam.policy.createDate replaced with aws.iam.policy.createdAt
  • aws.iam.policy.createDate replaced with aws.iam.policy.createdAt
  • aws.iam.policy.id replaced with aws.iam.policy.policyId
  • aws.iam.policy.updateDate replaced with aws.iam.policy.updatedAt
  • aws.iam.role.createDate replaced with aws.iam.role.createdAt
  • aws.iam.user.createDate replaced with aws.iam.user.createdAt
  • aws.iam.usercredentialreportentry.userCreationTime replaced with aws.iam.usercredentialreportentry.createdAt
  • aws.rds.dbClusters replaced with aws.rds.clusters
  • aws.rds.dbInstances replaced with aws.rds.instances
  • aws.vpc.peeringConnection.peeringVpc.allowEgressFromLocalClassicLinkToRemoteVpc removed due to the removal of classic EC2 networking
  • aws.vpc.peeringConnection.peeringVpc.allowEgressFromLocalVpcToRemoteClassicLink removed due to the removal of classic EC2 networking
  • azure.subscription.authorization replaced with azure.subscription.iam
  • azure.subscription.authorizationService.roleDefinition.isCustom replaced with azure.subscription.authorizationService.roleDefinition.type
  • azure.subscription.authorizationService.roleDefinitions replaced with azure.subscription.authorizationService.roles
  • esxi.service.uninstallable removed as this is always false
  • k8s.container.image replaced with k8s.container.imageName
  • k8s.ephemeralContainer.image replaced with k8s.ephemeralContainer.imageName
  • k8s.initContainer.image replaced with k8s.initContainer.imageName
  • k8s.podSecurityPolicies and k8s.podsecuritypolicy removed due to the removal of this feature in Kubernetes
  • microsoft.application.createdDateTime replaced with microsoft.application.createdAt
  • microsoft.application.displayName replaced with microsoft.application.name
  • microsoft.tenant.displayName replaced with microsoft.tenant.name
  • platform.vulnerabilityReport on VMware replaced with asset.vulnerabilityReport

In the GitHub provider the previously deprecated and hidden --repository and --user command line flags are removed in favor of the --repos and --users flags.

If scanning using inventories in cnquery and cnspec the previously deprecated and hidden flags --inventory-ansible and --inventory-domainlist have been removed in favor of --inventory-format-ansible and --inventory-format-domainlist.

Other improvementsโ€‹

  • macOS nodes now use their serial number to identify the asset in order to prevent duplicate assets when users tether devices on mobile phones or change their machine name.
  • Shell completion is now enabled by default for cnquery and cnspec on Windows.
  • Detect Microsoft Exchange SU updates for improved CVE discovery with Microsoft Exchange.
  • cnspec now automatically adds resource context to query results. This means that if you run for example a check on a Terraform HCL, and you are testing all resources, it will now capture the expected and actual values on each resource that fails so you can more easily remediate findings.