Mondoo 12.0 is out!
🥳 Mondoo 12.0 is out! This release includes simplified command line output, improved cloud asset discovery and more!
Get this release: Installation Docs | Package Downloads | Docker Container
🧹 IMPROVEMENTS
Cloud resource discovery by default
Gain deeper visibility and control over your cloud environments with enhanced resource discovery by default. Command line scans now automatically enumerate individual cloud resources, matching the comprehensive asset discovery previously exclusive to platform integrations. Instead of seeing a single asset for your cloud account, you now get detailed insights into each resource, making it easier to pinpoint issues, create precise exceptions, and accelerate remediation with clearer query results.
Simplified command line output
Focus on what matters with simpler command line output by default. cnspec now skips data queries and compliance framework results by default so you can focus on vulnerabilities and misconfigurations. Output now also uses the same 0-100 scoring threshold displayed in the console, so results match no matter where you view your scans.
Improved Terraform resource querying
This update streamlines how you query Terraform resources, making it easier to access the data you need. Instead of complex filtering, you can now directly reference resources by type or name, reducing query complexity and improving readability.
For example with this simple HCL file:
resource "aws_instance" "example-1" {
  ami           = "ami-a1b2c3d4"
  instance_type = "t2.micro"
}
resource "aws_instance" "example-2" {
  ami           = "ami-a1b2c3d4"
  instance_type = "t2.micro"
}
You can now find the right resources with simpler one-line queries:
# return all the "aws_instance" resources:
terraform.resources("aws_instance")
# return a specific resource by name:
terraform.resources("aws_instance", "example-1")
# return resources via a regular expression:
terraform.resources(/aws_/)
# return resources by type and name with a combination of strings and regular expressions:
terraform.resources("aws_instance", /example-[0-9]+/)
Network discovery provider
Automatically discover and scan all your subdomains with the new networkdiscovery provider for cnspec.
$ cnspec scan networkdiscovery example.com --discover subdomains
→ using service account credentials
→ discover related assets for 1 asset(s)
apple.example.com ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% score: LOW
banana.example.com ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% score: LOW
celery.example.com ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% score: LOW
durian.example.com ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% score: LOW
eggplant.example.com ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% score: LOW
fuji.example.com ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% score: LOW
grapes.example.com ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% score: LOW
honeydew.example.com ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% score: LOW
... 22699 more assets ...
8/22712 scanned ─────────────────────────────────── 0%
...
🔨 BREAKING CHANGES
We've taken the opportunity in this major release to remove many deprecated MQL resources and fields. If you're using out-of-the-box Mondoo, CIS, or BSI policies, don't worry: we've fully updated all content for the latest capabilities. If you're writing your own custom policies, you may need to make minor adjustments for compatibility with version 12.0 and later.
- aws.account.id now returns only account number instead of aws.account/1234
- aws.elasticache.clusters replaced with aws.elasticache.cacheClusters
- aws.guardduty.detector.unarchivedFindings replaced with aws.guardduty.detector.findings
- aws.iam.group.createDate replaced with aws.iam.group.createdAt
- aws.iam.instanceProfile.createDate replaced with aws.iam.instanceProfile.createdAt
- aws.iam.policy.createDate replaced with aws.iam.policy.createdAt
- aws.iam.policy.id replaced with aws.iam.policy.policyId
- aws.iam.policy.updateDate replaced with aws.iam.policy.updatedAt
- aws.iam.role.createDate replaced with aws.iam.role.createdAt
- aws.iam.user.createDate replaced with aws.iam.user.createdAt
- aws.iam.usercredentialreportentry.userCreationTime replaced with aws.iam.usercredentialreportentry.createdAt
- aws.rds.dbClusters replaced with aws.rds.clusters
- aws.rds.dbInstances replaced with aws.rds.instances
- aws.vpc.peeringConnection.peeringVpc.allowEgressFromLocalClassicLinkToRemoteVpc removed due to the removal of classic EC2 networking
- aws.vpc.peeringConnection.peeringVpc.allowEgressFromLocalVpcToRemoteClassicLink removed due to the removal of classic EC2 networking
- azure.subscription.authorization replaced with azure.subscription.iam
- azure.subscription.authorizationService.roleDefinition.isCustom replaced with azure.subscription.authorizationService.roleDefinition.type
- azure.subscription.authorizationService.roleDefinitions replaced with azure.subscription.authorizationService.roles
- esxi.service.uninstallable removed as this is always false
- k8s.container.image replaced with k8s.container.imageName
- k8s.ephemeralContainer.image replaced with k8s.ephemeralContainer.imageName
- k8s.initContainer.image replaced with k8s.initContainer.imageName
- k8s.podSecurityPolicies and k8s.podsecuritypolicy removed due to the removal of this feature in Kubernetes
- microsoft.application.createdDateTime replaced with microsoft.application.createdAt
- microsoft.application.displayName replaced with microsoft.application.name
- microsoft.tenant.displayName replaced with microsoft.tenant.name
- platform.vulnerabilityReport on VMware replaced with asset.vulnerabilityReport
In the GitHub provider, the previously deprecated and hidden --repository and --user command line flags are removed in favor of the --repos and --users flags.
If scanning using inventories in cnquery and cnspec, the previously deprecated and hidden flags --inventory-ansible and --inventory-domainlist have been removed in favor of --inventory-format-ansible and --inventory-format-domainlist.
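To find custom policies and CI scripts affected by the renames and flag removals above, a small scanner helps. The following is an added example, not part of Mondoo's tooling: the function name, the sample text and the choice of table entries (a subset of the list above) are assumptions. It matches the dotted paths as written in the list, so a field referenced by its bare name inside an MQL block is not detected.

```python
import re

# Old name -> guidance, copied from the 12.0 breaking-changes list (subset).
DEPRECATED = {
    "aws.elasticache.clusters": "use aws.elasticache.cacheClusters",
    "aws.rds.dbClusters": "use aws.rds.clusters",
    "aws.rds.dbInstances": "use aws.rds.instances",
    "azure.subscription.authorization": "use azure.subscription.iam",
    "k8s.container.image": "use k8s.container.imageName",
    "k8s.podSecurityPolicies": "removed (feature removed in Kubernetes)",
    "--repository": "use --repos",
    "--user": "use --users",
    "--inventory-ansible": "use --inventory-format-ansible",
    "--inventory-domainlist": "use --inventory-format-domainlist",
}

# An old name counts only when it is not part of a longer identifier, so the
# replacements "k8s.container.imageName" and "--users" are not flagged.
_PATTERN = re.compile(
    r"(?<![\w.-])("
    + "|".join(re.escape(k) for k in sorted(DEPRECATED, key=len, reverse=True))
    + r")(?![\w-])"
)

def find_deprecated(text):
    """Return (line_number, old_name, guidance) for every hit in text."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in _PATTERN.finditer(line):
            hits.append((number, match.group(1), DEPRECATED[match.group(1)]))
    return hits

# Constructed sample lines; the command arguments are illustrative only.
SAMPLE = """\
mql: aws.rds.dbInstances.length > 0
mql: aws.rds.instances.length > 0
mql: k8s.container.imageName != /:latest$/
mql: azure.subscription.authorizationService.roles.length > 0
run: cnspec scan github <target> --user alice --repos infra
run: cnspec scan github <target> --users alice
"""

if __name__ == "__main__":
    for number, old, guidance in find_deprecated(SAMPLE):
        print(f"line {number}: {old}: {guidance}")
```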
Other improvements
- macOS nodes now use their serial number to identify the asset in order to prevent duplicate assets when users tether devices on mobile phones or change their machine name.
- Shell completion is now enabled by default for cnquery and cnspec on Windows.
- Detect Microsoft Exchange SU updates for improved CVE discovery with Microsoft Exchange.
- cnspec now automatically adds resource context to query results. For example, if you run a check that tests all resources in a Terraform HCL file, it now captures the expected and actual values on each resource that fails, so you can more easily remediate findings.