Mondoo 9.1 is out!

🥳 Mondoo 9.1 is out! This release includes support for private GitLab instance scanning, new Azure networking resources, and more!

Get this release: Installation Docs | Package Downloads | Docker Container

---

🎉 NEW FEATURES

Continuous scanning of hosted GitLab instances

Running your own private GitLab instance? No problem. Now Mondoo can continuously scan your private GitLab instances, automatically discovering sub-groups, projects, and even IaC code in projects.

New and expanded Azure/MS365 resources

New resources and fields expand the ability to secure and inventory your Microsoft cloud assets with Mondoo. We've exposed critical networking information in Azure as well as service principal and enterprise application data in Azure AD (now Microsoft Entra ID), giving you the data you need for custom security policies or compliance audits.

New Resources

• azure.subscription.networkService.appSecurityGroup: Azure Network Application Security Group
• azure.subscription.networkService.backendAddressPool: Azure Network Backend Address Pool
• azure.subscription.networkService.bgpSettings: Azure Network BGP Settings
• azure.subscription.networkService.bgpSettings.ipConfigurationBgpPeeringAddress: Azure BGP Settings IP Configuration
• azure.subscription.networkService.firewall: Azure Network Firewall
• azure.subscription.networkService.firewall.applicationRule: Azure Network Firewall Application Rule
• azure.subscription.networkService.firewall.ipConfig: Azure Network Firewall IP Configuration
• azure.subscription.networkService.firewall.natRule: Azure Network Firewall NAT Rule
• azure.subscription.networkService.firewall.networkRule: Azure Network Firewall Network Rule
• azure.subscription.networkService.firewallPolicy: Azure Network Firewall Policy
• azure.subscription.networkService.frontendIpConfig: Azure Network Frontend IP Configuration
• azure.subscription.networkService.inboundNatPool: Azure Network Inbound NAT Pool
• azure.subscription.networkService.inboundNatRule: Azure Network Inbound NAT Rule
• azure.subscription.networkService.loadBalancer: Azure Network Load Balancer
• azure.subscription.networkService.loadBalancerRule: Azure Network Load Balancer Rule
• azure.subscription.networkService.natGateway: Azure Network NAT gateway
• azure.subscription.networkService.outboundRule: Azure Network Outbound Rule
• azure.subscription.networkService.probe: Azure Network Probe
• azure.subscription.networkService.subnet Azure Network Subnet
• azure.subscription.networkService.virtualNetwork: Azure Network Virtual Network
• azure.subscription.networkService.virtualNetworkGateway.connection: Azure Network Virtual Network Gateway Connection
• azure.subscription.networkService.virtualNetworkGateway.ipConfig: Azure Network Virtual Network Gateway IP Configuration
• azure.subscription.networkService.virtualNetworkGateway: Azure Network Virtual Network Gateway
• microsoft.serviceprincipal.assignment: Microsoft Service Principal Assignment

New microsoft.serviceprincipal fields

• type: Service principal type
• name: Service principal name
• tags: Service principal tags
• enabled: Whether users can sign into the service principal (application)
• homepageUrl: Service principal homepage URL
• termsOfServiceUrl: Service principal terms of service URL
• replyUrls: Service principal reply URLs
• assignmentRequired: Whether users or other apps must be assigned to this service principal before using it
• visibleToUsers: Whether the service principal is visible to users
• notes: Service principal notes
• assignments: The list of assignments (users and groups) this service principal has

🧹 IMPROVEMENTS

Expanded AWS resource fields

We're back again this week with 25 new AWS resource fields, giving you the information you need to inventory and secure your assets:

aws.ec2.instance

• vpcArn: The ARN of the VPC associated with the instance

aws.efs.filesystem

• availabilityZone: Availability zone where the file system exists if a specific AZ is defined
• createdAt: Creation timestamp

aws.es.domains

• elasticsearchVersion: The version of Elasticsearch running
• domainId: The Elasticsearch domain ID
• domainName: The Elasticsearch domain name

aws.secretsmanager.secrets

• createdAt: Creation date of the secret
• description: Description of the secret
• lastChangedDate: The last date the secret was changed
• lastRotatedDate: The last date the secret was automatically rotated
• nextRotationDate: The date of the next secret rotation
• primaryRegion: The primary region of the secret
• rotationEnabled: Whether rotation is enabled for the secret

aws.redshift.clusters

• availabilityZone: Availability zone where the cluster exists
• clusterRevisionNumber: Specific revision number of the database in the cluster
• clusterStatus: Current state of this cluster. Values: available, creating, deleting, rebooting, renaming, and resizing
• clusterSubnetGroupName: Name of the subnet group that is associated with the cluster
• clusterVersion: Version of the Redshift engine running on the cluster
• createdAt: Cluster creation timestamp
• dbName: Name of the initial database that was created when the cluster was created
• enhancedVpcRouting: Whether enhanced VPC routing is enabled for the cluster traffic
• masterUsername: Master user name for the cluster
• nextMaintenanceWindowStartTime: The next scheduled maintenance window
• numberOfNodes: The number of nodes in the cluster
• vpcId: The ID of the VPC where the cluster is running

New related property in terraform.block resource

Discover all resources related to a given Terraform resource.

For example, given the following Terraform snippet:

resource "aws_iam_role" "dev-resources-iam-role" {
  name        = "SSM-role-${local.name}-${random_string.suffix.result}"
  # ...
}

resource "aws_iam_instance_profile" "dev-resources-iam-profile" {
  name = "ec2_ssm_profile-${local.name}-${random_string.suffix.result}"
  role = aws_iam_role.dev-resources-iam-role.name
  # ...
}

Using this MQL:

terraform.resources {
  nameLabel
  related {
    nameLabel
  }
}

We get:

terraform.resources: [
  0: {
    nameLabel: "aws_iam_instance_profile"
    related: [
      0: {
        nameLabel: "aws_iam_role"
      }
    ]
  }
  1: {
    nameLabel: "aws_iam_role"
    related: [
      0: {
        nameLabel: "aws_iam_instance_profile"
      }
    ]
  }
]

Improved results pagination

The larger your infrastructure, the larger the results of your security scans. Now it's easier to navigate those large results no matter where you are in the Mondoo Console. We've reworked our results pagination to make it more consistent and to allow you show more results per page when you need to view those extra large data sets.

Expanded openSUSE Linux CVE data

Mondoo now includes data on CVEs in openSUSE Linux 15.2 through the latest 15.6 pre-releases.

🐛 BUG FIXES AND UPDATES

• Fix links from "Top Recommended Actions" on asset pages to go directly to check pages.
• Update multi-selection in CI/CD pages to match the updated design throughout the console.
• Fix inconsistent table header cell padding in the Compliance Hub pages.
• Improve rendering of the organization dashboards to prevent lines covering text.
• Fix asset name detection in cloud instances.
• Fix provider auto update CLI flag failures.
• Fix CIS Kubernetes policies to properly apply to kubelets.
• Fix CIS iptables checks to work with iptables >= 1.8.9 format.
• Fix failures running Kubernetes Cluster and Workload Security's "Pods should not run Kubernetes dashboard" query.
• Improve wording in the cnspec scan --help command and don't print duplicate providers.
• Fix failures running the aws.es.domains resource.
• Fix dns.fqdn not returning an FQDN when scanning the system via SSH or Vagrant.
• Avoid adding nil Terraform blocks when fetching related blocks.
• Fix errors fetching processes that would be printed on the command line.
• Fix cnspec scan to run a local scan like cnspec < 9.0.
• Provide a friendly error message when scanning unsupported Kubernetes API releases.
• Fix asset overview only showing the first available AWS tag.
• Add back missing Scan Overview section in the asset overview.
• Make sure AWS-specific information displays on the asset overview page for scanned instances.
• Improve the reliability of CIS sudo-related checks.
• Fix failures running the CIS Ensure default user umask is configured and Ensure default user umask is 027 or more restrictive checks on some distributions.
• Don't show the button to upload new policies or query packs if the user only has viewer privileges in the space.
• Add back the Audit section in asset check pages.