
Mondoo 9.14 is out!

· 5 min read
Mondoo Core Team

🥳 Mondoo 9.14 is out! This release includes agentless Azure VM scanning, new MQL helpers, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


Scan Azure VMs / snapshots / disks

Use new Azure scanning capabilities to scan running VMs, instances, or disks without deploying or managing agents.

Scan snapshots of your VMs to perform agentless scans without impact to your running workloads:

cnspec scan azure compute snapshot <snapshot-name> --client-id <id> --tenant-id <id> --client-secret <value>

Scan snapshots outside your current resource group using the fully qualified Azure resource ID:

cnspec scan azure compute snapshot "/subscriptions/subId/resourceGroups/my-rg/providers/Microsoft.Compute/snapshots/test-debian-snap" --client-id <id> --tenant-id <id> --client-secret <secret>

Scan disks on running VMs with automatic running disk cloning:

cnspec scan azure compute disk <disk-id> --client-id <id> --tenant-id <id> --client-secret <value>

Not concerned about the impact to running workloads? Scan VMs directly without managing agent deploys:

cnspec scan azure compute instance <instance-name> --client-id <id> --tenant-id <id> --client-secret <value>

New MQL helpers for policy authoring

New helpers for MQL give you the power to create robust security and compliance policies to meet your custom business needs.

Quickly access data in a map

Use dot notation to access data in maps:

cnquery> {a: 1, b: 2, c:3}.a
[a]: 1

Check whether a time is within a range

See if time values fall within a range. This works with all timestamps:

cnquery> password.lastChangedDate.inRange(*,
[ok] value: true

Check whether a number is within a range

See if an integer value is within a range:

cnquery> 2.inRange(1,3)
[ok] value: true

Check strings against a list of values

Check a string value against a list of acceptable values.

cnquery> "PASS".in(["PASS","ALLOW","OK"])
[ok] value: true

Parse duration values

Work with duration values using a new duration helper:

cnquery> parse.duration("3d")
parse.parse.duration: 3 days
cnquery> parse.duration("7days")
parse.parse.duration: 7 days

Check the contents of maps

Check keys, values, and combinations of the two within maps:

{'a': 1, 'b': 2}.contains( key == 'b' )
{'a': 1, 'b': 2}.all( value > 0 )
{'a': 1, 'b': 2}.one( value != 1 )
{'a': 1, 'b': 2}.none( key == /d-f/ )

Semantic version parsing

Compare versions without the need for complex integer parsing:

cnquery> semver('1.9.0') < semver('1.10.0')
[ok] value: "1.9.0"
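
Why this helper matters for version checks, shown as an added Python example (not Mondoo's implementation and not part of the original release notes): a plain string comparison gets the 1.9.0 / 1.10.0 pair above wrong, while a comparison by SemVer 2.0.0 precedence does not. The names `semver_key`, `is_vulnerable`, and `naive_is_vulnerable` are hypothetical.

```python
import re

# SemVer 2.0.0 shape: MAJOR.MINOR.PATCH[-prerelease][+build]
_SEMVER = re.compile(
    r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
    r"(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?"
    r"(?:\+[0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*)?$"
)


def semver_key(version):
    """Return a sort key that orders versions by SemVer 2.0.0 precedence."""
    m = _SEMVER.match(version)
    if m is None:
        raise ValueError(f"not a semantic version: {version!r}")
    core = tuple(int(m.group(i)) for i in (1, 2, 3))
    pre = m.group(4)  # build metadata is matched but ignored for ordering
    if pre is None:
        # A release outranks every pre-release of the same core version.
        return core + ((1,),)
    ids = []
    for ident in pre.split("."):
        # Numeric identifiers compare as integers and rank below
        # alphanumeric ones, which compare as ASCII strings.
        ids.append((0, int(ident), "") if ident.isdigit() else (1, 0, ident))
    return core + ((0, tuple(ids)),)


def is_vulnerable(installed, fixed_in):
    """True when the installed version precedes the version carrying the fix."""
    return semver_key(installed) < semver_key(fixed_in)


def naive_is_vulnerable(installed, fixed_in):
    """The same check done with lexicographic string comparison (the pitfall)."""
    return installed < fixed_in
```

With a fix shipped in 1.10.0, the string comparison reports an installed 1.9.0 as not vulnerable because the character "9" sorts after "1".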

New Email Security policy

A new Email Security policy includes 14 new checks for critical email security protocols, including:

  • Sender Policy Framework (SPF)
  • DomainKeys Identified Mail (DKIM)
  • Domain-based Message Authentication, Reporting & Conformance (DMARC)

This policy really shines with our continuous domain and IP scanning integration (released in Mondoo 9.11). It's also handy on the CLI using cnspec.

[Image: Email Security policy checks]

New Terraform Asset Inventory Pack

Use the new Terraform Asset Inventory Pack to inventory versions and resources within your Terraform state files, including resources on AWS, Azure, and GCP clouds.

[Image: Terraform state file inventory]


macOS and Windows policy data queries moved to query packs

To give you additional control over when cnspec collects configuration data on your assets, we've moved all data queries from our macOS and Windows security policies to the dedicated asset inventory query packs. For those who want security scanning only, this change speeds up cnspec scans. If you want to continue collecting this configuration data, enable the macOS and Windows asset inventory query packs in your space.

Expanded MQL resources


  • Fix members field to properly fetch cluster members
  • New port field
  • New endpoint field
  • New availabilityZones field


  • New port field
  • New endpoint field


  • Add type field to the default resource output


  • Add path field to the default resource output


  • Add source field to the default resource output


  • Add identifier field to the default resource output


  • Do not include out of scope control PDFs in the framework report archive.
  • Show correct exception counts in Compliance Hub controls and PDF reports.
  • Fix platform filters on Entra ID checks in the SOC 2 Security policy.
  • Prevent Kubernetes operator from failing if it cannot report scan results.
  • Add retries to provider installations.
  • Fix the status command to respect HTTP proxies.
  • Improve console load times with a 21% reduction in the size of JavaScript files.
  • Improve service restarts when upgrading Windows clients via the install.ps1 script.
  • Fix scanning registry keys over WinRM connections.
  • Don't require downloading the OS provider to collect basic OS configuration information.
  • Ensure the appropriate providers are installed when running cnspec bundle init.
  • Fix errors in the user and group resources when specifying a single user / group to query.
  • Fix the Mondoo package version to match that of cnspec and cnquery on Arch Linux.
  • Fix incorrect rendering of some CIS policies.
  • Update the EOL date for Windows 10 Pro LTSC.
  • Fix package vulnerability data not loading for some Linux distribution releases.