Skip to main content

Mondoo 6.8 is out!

ยท 3 min read
Tim Smith
Mondoo Core Team

๐Ÿฅณ Mondoo 6.8 is out! This release includes Azure Pipeline / Jenkins CI/CD support and Kubernetes container image scanning!

Get this release: Installation Docs | Package Downloads | Docker Container

๐ŸŽ‰ NEW FEATURESโ€‹

Azure Pipelines and Jenkins Supportโ€‹

Problem: You want to set up security scanning of projects in your CI pipelines, but you're not using a CI platform supported by Mondoo.

Solution: Mondoo now supports CI integrations with Azure Pipelines and Jenkins, raising our out-of-the-box CI/CD integrations to six. Still don't see the CI/CD integration you need? Let us know at hello@mondoo.com.

CI Setup Window

Mondoo Operator for Kubernetes Container Image Scanningโ€‹

Problem: You want to assess the security of not just your Kubernetes workload definitions but also the containers running in the workloads.

Solution: Following up on last week's new CLI-based container image scanning, we're now integrating public container image scanning directly into the Mondoo Operator. When enabled, the Mondoo Operator will now perform daily scans of all publicly available container images running in your Kubernetes cluster, exposing common OS misconfigurations and CVEs.

Here the Mondoo Operator for Kubernetes scans our prod-k8s cluster. It reveals the security of the three cluster nodes, all workloads deployed to the cluster, and the kube-apiserver pod:

Cluster Scan Results

We think you'll be blown away at how quickly Mondoo discovers new CVEs in the containers that make up your critical workloads. This kube-proxy container was running on a brand new Kubernetes cluster and had six different vulnerable packages:

Container CVEs

๐Ÿงน IMPROVEMENTSโ€‹

Policy and MQL Improvementsโ€‹

Solution: We continue to improve the out-of-the-box Mondoo policies and the MQL resources that power those policies, giving your the most reliable scan results with Mondoo:

  • Replaced platform.runtimeEnv with the simpler platform.runtime. platform.runtimeEnv is now deprecated and will be removed in Mondoo Client 7.0.
  • Deprecated platform.virtualization.isContainer in favor of either platform.kind or platform.runtime. platform.virtualization.isContainer will be removed in Mondoo Client 7.0.
  • Added the ability to determine if a branch is the default branch with isDefault in the github.branch resource.
  • Resolved failures in the github.branch resource when branch protection is not configured.
  • Resolved failures that could occur in some valid MQL blocks, which caused failures in the Kubernetes Application Benchmark policy.
  • Resolved incorrect policy scores when all controls in a policy fail.
  • Added severity scores to the Kubernetes Application Benchmark policy to make prioritizing fixes easier.
  • Expanded the Ensure HTTP Proxy server is stopped and not enabled control in the Linux Security Baseline policy to check for the Tinyproxy proxy service.
  • Added a new platform.runtime.

๐Ÿ› BUG FIXES AND UPDATESโ€‹

  • Resolve Mondoo Operator for Kubernetes node scans of Minikube not scanning all nodes.
  • Fully clean up all Mondoo Operator resources when uninstalling.
  • Use a Red Hat UBI-based Mondoo image when scanning in Red Hat OpenShift.
  • Fix handling of the Mondoo Operator's running UID when running in OpenShift.
  • Add a liveness probe to the Mondoo Operator pods to improve Mondoo scan scores.
  • Resolve potential panics when the first Kubernetes Operator check-in occurs.
  • Resolve failures to properly exit in the Kubernetes Operator when a scan request failed.
  • Reduce resource utilization by lowering the initial requested CPU and memory limits for the Kubernetes Operator's node scanning pods.