
Mondoo 9.6 is out!

· 4 min read
Mondoo Core Team

🥳 Mondoo 9.6 is out! This release includes Console asset query packs, Subject Alternative Name support for certificates, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


Asset inventory at your fingertips

Query pack data now displays directly in the Mondoo Console for all assets. Explore asset configuration with the two dozen out-of-the-box query packs available in the registry. If you don't find what you're looking for there, write your own query packs to expose additional asset inventory information directly in the console.

Browse the results of asset inventory query packs with a new Data Queries tab on the individual asset view.

Asset data queries


Expanded certificate resource capabilities

The tls.certificates resource now supports the PKIX Subject Alternative Name (SAN) extension, as well as the Subject Key Identifier (SKID) extension.

cnspec shell host
cnspec> tls.certificates { sanExtension { * }}
tls.certificates: [
0: {
sanExtension: {
uris: []
extension: pkix.extension id = 5842ac625349147af543f8049f60497ca270c0412667bbeb1042482e805069f9:
emailAddresses: []
dnsNames: [
0: "*"
1: "*"
2: "*"
3: "*"
4: "*"
5: "*"
6: "*"
7: "*"
8: "*"
1: {
sanExtension: null
2: {
sanExtension: null
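As an added illustration of what the SAN and SKID extensions carry (example code written for this page, not code from the Mondoo project), the following Go program builds a self-signed test certificate with DNS, email and URI SAN entries, extracts the same fields the sanExtension output above lists, and shows why the SAN matters for validation: hostname verification ignores the subject CN once a SAN extension is present. All names and the "cn-only.example" common name are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// SANInfo mirrors the sanExtension fields in the output above (dnsNames,
// emailAddresses, uris) plus the Subject Key Identifier as hex.
type SANInfo struct {
	DNSNames       []string
	EmailAddresses []string
	URIs           []string
	SubjectKeyID   string
}

// ExtractSAN reads the SAN and SKID extension values from a parsed certificate.
func ExtractSAN(cert *x509.Certificate) SANInfo {
	info := SANInfo{
		DNSNames:       cert.DNSNames,
		EmailAddresses: cert.EmailAddresses,
		SubjectKeyID:   fmt.Sprintf("%x", cert.SubjectKeyId),
	}
	for _, u := range cert.URIs {
		info.URIs = append(info.URIs, u.String())
	}
	return info
}

// MatchesHost reports whether host is covered by the certificate's SAN entries.
// Go, like browsers, ignores the subject CN once a SAN extension is present, so a
// name that appears only in CN is not covered; "*.example.com" matches one label.
func MatchesHost(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// NewTestCert builds a self-signed certificate carrying the given SAN entries.
// Everything here is constructed test data, not a certificate from a real host.
func NewTestCert(dnsNames, emails, uris []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	pub, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return nil, err
	}
	// SKID: any value unique per key works; RFC 5280 suggests a hash of the public key.
	skid := sha1.Sum(pub)
	var parsedURIs []*url.URL
	for _, u := range uris {
		pu, err := url.Parse(u)
		if err != nil {
			return nil, err
		}
		parsedURIs = append(parsedURIs, pu)
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: "cn-only.example"}, // deliberately absent from SAN
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		DNSNames:       dnsNames,
		EmailAddresses: emails,
		URIs:           parsedURIs,
		SubjectKeyId:   skid[:],
		KeyUsage:       x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := NewTestCert(
		[]string{"*.example.com", "example.com"},
		[]string{"admin@example.com"},
		[]string{"spiffe://example.com/svc"},
	)
	if err != nil {
		panic(err)
	}
	info := ExtractSAN(cert)
	fmt.Printf("dnsNames=%v emailAddresses=%v uris=%v\nsubjectKeyId=%s\n",
		info.DNSNames, info.EmailAddresses, info.URIs, info.SubjectKeyID)
	for _, h := range []string{"www.example.com", "a.b.example.com", "cn-only.example"} {
		fmt.Printf("%-16s covered by SAN: %v\n", h, MatchesHost(cert, h))
	}
}
```

The check to carry over to a policy is the last loop: a certificate whose intended hostname lives only in the CN, or that relies on a wildcard to cover more than one label, fails validation in modern clients even though the certificate itself is otherwise sound.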

Expanded cnspec status information

Running cnspec status now prints the version number of the latest available release and a list of all installed providers. If the currently installed and latest releases don't match, the status indicates that a newer version is available for download.

./cnspec status
→ no Mondoo configuration file provided, using defaults
→ Platform: ubuntu
→ Version: 22.04
→ Hostname: localhost
→ IP:
→ Time: 2023-11-01T13:36:01+01:00
→ Version: 9.6.0 (API Version: 9)
→ Latest Version: 9.6.1
! A newer version is available
→ Installed Providers: terraform | aws | atlassian | gcp
→ Outdated Providers: terraform | aws | atlassian
→ API ConnectionConfig:
→ API Status: SERVING
→ API Time: 2023-11-01T12:36:02Z
→ API Version: 9


  • Vulnerabilities results no longer show assets that are not impacted.
  • Fix colorblind mode being enabled for all users.
  • Add data validation for AWS Access Key ID and Secret Access Key values in the S3 export integration.
  • Improve asset links in Compliance Hub to go directly to the check or data query on the asset.
  • Fix tls.certificates returning null data incorrectly.
  • Fix AWS EC2 instance names not properly registering.
  • Improve default values in the azure.subscription.monitorService.applicationInsight resource.
  • Don't display a policy's main documentation when viewing the variant.
  • Improve form validation for integrations to only run after all text has been entered.
  • Improve formatting on the policy recommendation pages for integrations.
  • Fix text input boxes that could not be read in the Azure integration.
  • Improve the error message when an organization or space user cannot be removed.
  • Don't fail when running policies from the public registry that use asset filters.
  • Don't fail if a query pack has no description.
  • Don't fail if a policy group has checks, but not data queries.
  • Fix a failure when scanning AWS EBS volumes.
  • Fix incorrect runtime information being reported for AWS assets.
  • Fix service checks to work on masked systemd services and services whose names end in .service.
  • Expand SOC 2 policy coverage.
  • Improve data returned from the Azure Inventory Query Pack.
  • Improve the reliability of queries in the CIS AKS Benchmarks policies.
  • Wrap instead of cutting off long property values in the registry.
  • Use the custom image defined in the Kubernetes operator's MondooAuditConfig section.
  • Fix garbage collection of old Kubernetes assets not running.
  • Fix scanning of GKE nodes from the Kubernetes operator.

Mondoo 9.5 is out!

· 6 min read
Mondoo Core Team

🥳 Mondoo 9.5 is out! This release includes VMware vSphere security advisory detection, expanded AWS/Azure/Okta resources, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


VMware vSphere CVE detection

Mondoo now includes support for tracking CVEs and security advisories on VMware vSphere installations, so you can keep your most important on-premises assets secure. You'll automatically see CVE/advisory information on VMware vSphere assets in the Mondoo Console and you can scan assets manually on the command line to view this data as well:

cnquery shell vsphere USER@luna.dmz -p FOO
___ _ __ __ _ _ _ ___ _ __ _ _
/ __| '_ \ / _` | | | |/ _ \ '__| | | |
| (__| | | | (_| | |_| | __/ | | |_| |
\___|_| |_|\__, |\__,_|\___|_| \__, |
mondoo™ |_| |___/ interactive shell

cnquery> asset.vulnerabilityReport
asset.vulnerabilityReport: {
platform: {
build: "18778458"
name: "vmware-vsphere"
release: "7.0.3"
title: "VMware vSphere 7.0.3"
published: "2023-10-26T13:18:39Z"
stats: {
advisories: {}
cves: {}
exploits: {}
packages: {}
asset.vulnerabilityReport: {
advisories: [
0: {
ID: "VMSA-2022-0004"
Mrn: "//"
cves: [
0: {
ID: "CVE-2021-22041"
Mrn: "//"
cvss: [
0: {
score: 4.600000
source: "cve://nvd/2021"
vector: "4.6/AV:L/AC:L/Au:N/C:P/I:P/A:P"
worstScore: {
score: 4.600000
source: "cve://nvd/2021"
vector: "4.6/AV:L/AC:L/Au:N/C:P/I:P/A:P"



New AWS resource fields and defaults

The aws.vpc.subnet resource now includes information on the subnet's availability zone so you can better understand where subnets are located.

cnquery> aws.vpcs.first.subnets{*}
aws.vpcs.first.subnets: [
0: {
arn: "arn:aws:ec2:ap-south-1:177043123456:subnet/subnet-b231234"
id: "subnet-b231234"
cidrs: ""
mapPublicIpOnLaunch: true
defaultForAvailabilityZone: true
availabilityZone: "ap-south-1c"

We've also improved the default values returned by many AWS resources to give you better output in the cnquery shell as well as query packs. These updated defaults expose AWS resource IDs, regions, availability zones, and other metadata that makes understanding your AWS infrastructure easier with Mondoo. Enable the AWS Asset Inventory Pack in your spaces to see this improved asset inventory data today.

Improved resource output for Azure

New default values in Azure resources make exploring asset configuration in the cnquery shell or the resource explorer better than ever. You'll see new improved output on Azure VMs that show OS and hardware types. We've also expanded NIC and disk resources to show information such as the disk size/type and the NIC MAC address type.

cnquery> azure.subscription.computeService.vms.first
azure.subscription.computeService.vms.first: azure.subscription.computeService.vm name="Windows-VM-5n6o" location="eastus" properties.hardwareProfile.vmSize="Standard_DS2_v2" properties.storageProfile.osDisk.osType="Windows"

cnquery> azure.subscription.computeService.disks.first
azure.subscription.computeService.disks.first: azure.subscription.computeService.disk name="Windows-VM-OsDisk-5n6o" location="eastus" properties.osType="Windows" properties.diskSizeGB=127.000000 properties.diskState="Attached"

cnquery> azure.subscription.networkService.interfaces.first
azure.subscription.networkService.interfaces.first: azure.subscription.networkService.interface name="Windows-VM-NIC-5n6o" location="eastus" properties.macAddress="60-45-BD-D7-7E-53" properties.nicType="Standard"

Expanded Okta group and role capabilities

We've expanded the capabilities of our Okta provider and resources to make it easier to query your Okta configuration. You can now query Okta groups along with their roles and members using the okta.groups resource:

cnspec> okta.groups.where( =="SUPER_ADMIN")) { name roles { * } members members.length < 2 }
okta.groups.where: [
0: {
roles: [
0: {
created: 2023-04-08 22:11:00 +0200 CEST
lastUpdated: 2023-04-08 22:11:00 +0200 CEST
assignmentType: "GROUP"
id: "ABCD1234"
status: "ACTIVE"
label: "Super Administrator"
name: "Super Admins"
members.length < 2: true
members: [
0: okta.user""

You can also check which permissions are assigned to custom roles using the new okta.customRoles resource:

cnspec> okta.customRoles { * }
okta.customRoles: [
0: {
label: "Custom Role"
id: "abc12345678910"
description: "Custom Role"
permissions: []

Improved host scanning

We've improved host scanning behavior with updates to Mondoo's host provider as well as the http and tls resources used when scanning domains and IPs. These updates make it easier to get started scanning hosts, even when the hosts don't behave well.

  • Default to HTTPS when no protocol information was specified on the CLI. For example, with cnquery shell host cnquery now assumes HTTPS.
  • Improve handling of timeouts when checking TLS certs.
  • Improve error handling and logging when connecting to hosts, parsing TLS certificates, and checking TLS on non-TLS hosts.

Updated macOS CIS Benchmark policies

It's been just a week since we last updated macOS CIS benchmark policies, but we're back again with new updates including the official release of the CIS macOS 14.0 benchmark. These new benchmarks include improved descriptions/remediation text, more robust queries, and additional checks for Intel Macs. Be sure to check out the improved results in these releases:

  • CIS Apple macOS 11.0 Big Sur Benchmark v4.0.0
  • CIS Apple macOS 12.0 Monterey Benchmark v3.0.0
  • CIS Apple macOS 13.0 Ventura Benchmark v2.0.0
  • CIS Apple macOS 14.0 Sonoma Benchmark v1.0.0

Improved Windows EOL dates

Windows EOL data in Mondoo Platform now tracks Microsoft's enterprise and education support track, which tends to be about one year later than consumer EOL dates. We've also added Windows 10 22H2, Windows 11 22H2, and Windows 11 23H2 releases so you can track upcoming EOL dates for all your Windows workstations.

Improved field copy behavior

Sometimes a user suggests a fix you just can't pass up. User @xorima told us the copy icon in our text fields was hard to read and made copying important text like client installation commands difficult. We retooled the icon to make it better stand out against the text and have a more clear action when the copy was complete. Thanks @xorima!

New copy behavior


  • Group Photon OS assets as operating systems in the Mondoo Console.
  • Fix data queries not always showing the policy or query pack where they were defined.
  • Don't error if the same query pack is specified more than once on the command line.
  • Don't fail if a query pack has no queries to run after platform filters are applied.
  • Properly filter out unsupported queries in a query pack to avoid failures.
  • Map checks from the CIS Distribution Independent Linux benchmark to compliance framework controls.
  • Fix cleanup of old assets scanned by the Mondoo Kubernetes operator.
  • Handle empty report data in the JUnit cnspec reporter.
  • Don't fail scanning a container registry if the container's platform cannot be detected.
  • Fix a failure running the cnspec vuln command.
  • Fix an error fetching the azure.subscription.mySql.server field.
  • Fix Microsoft 365 assets grouping under Unclassified Assets in the console inventory page.
  • Don't show the Schedule Now button for Jira integrations.
  • On the Organization page, sort spaces by name instead of space ID.

Mondoo 9.4 is out!

· 2 min read
Mondoo Core Team

🥳 Mondoo 9.4 is out! This release includes a number of stability improvements and bug fixes.

Get this release: Installation Docs | Package Downloads | Docker Container

We encourage you to upgrade to this release as soon as possible since it contains a number of stability improvements.


This release introduces a heartbeat for all providers, which guarantees that terminated providers don't leave behind stale processes in memory. It requires version 9.1.x or higher for all providers, which update automatically. If you have deactivated automatic updates, please update your providers manually. Please also make sure to update cnquery and cnspec to 9.4.0, since older versions of cnquery and cnspec do not use the new heartbeat functionality.

To verify that you are on the latest version:

cnspec version
cnspec 9.4.0 (76a83f8, 2023-10-27T00:24:13Z)

To verify that all provider versions are greater than 9.1.0:

cnspec providers list

→ builtin (found 2 providers)

core 9.1.0
mock 9.0.0 with connectors: mock

→ /opt/mondoo/providers (found 6 providers)

aws 9.1.0 with connectors: aws
azure 9.1.0 with connectors: azure
gcp 9.1.0 with connectors: gcp
os 9.1.0 with connectors: local, ssh, winrm, vagrant, container, docker, filesystem
terraform 9.1.0 with connectors: terraform
vsphere 9.1.0 with connectors: vsphere

For the Windows and Linux services, we improved reliability in cases where cnspec crashes by making sure that the service does not restart too often. The default restart limit is 3 times.


  • Fix --asset-name flag not setting asset names properly.
  • Fix failures compiling query packs that used variants.
  • Improve failure messages when MQL resources or fields cannot be found.
  • Fix failures reading "Never" time values in raw JSON data.

Mondoo 9.3 is out!

· 4 min read
Mondoo Core Team

🥳 Mondoo 9.3 is out! This release includes support for new Azure resources, updated macOS policies, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


New Azure resources


Updated Packer provider for Mondoo cnspec

Our HashiCorp Packer cnspec provisioner now uses cnspec 9.x, giving you access to the latest providers and resources directly in your OS image build pipelines.

Updated CIS macOS benchmark policies

Mondoo now ships with the latest macOS CIS benchmark policies, which include expanded remediation steps, improved descriptions, and more resilient queries:

  • Updated macOS 11 benchmark version to 3.1
  • Updated macOS 12 benchmark version to 2.1
  • Updated macOS 13 benchmark version to 1.1
  • New macOS 14 benchmark (preview) 1.0

Expanded compliance evidence gathering

We've revamped several of our bundled Mondoo policies with expanded descriptions, improved queries, and best of all, compliance mappings that help you automatically gather evidence no matter what the asset type:

  • TLS/SSL Security Baseline
  • Platform End-of-Life Policy
  • Platform Vulnerability Policy

cnquery run --info flag

A new --info flag in cnquery allows you to see which resources and fields your MQL queries use.

For example, running this query against the sshd config:

cnquery run -c "sshd.config.params[Version] == mondoo.version" --info

Returns this list of resources and fields:

Resources and Fields used:
- sshd.config
- params
- mondoo
- version


  • Fix failing ARN data queries on aws-ec2-volume assets.
  • Fix asset names from local scans not reporting to the platform.
  • Ensure some empty values in the http resource return null values instead of empty strings.
  • Improve help text in cnspec and cnquery.
  • Fix incorrect compliance check counts in controls.
  • Replace the deprecated CIS Supply Chain Management benchmark policy with the CIS GitHub Level 1 benchmark policy.
  • Add missing Atlassian provider help to cnspec and cnquery.
  • Fix failures querying SCIM data in the Atlassian provider.
  • Fix fetching a list of GitHub users in an organization.
  • Use the GitLab group ID instead of name when fetching data to prevent some failure cases.
  • Fix asset names not capturing properly for some Azure and GCP assets.
  • Report friendly errors when the Atlassian provider does not have the necessary permissions to query data.
  • Add asset.type field to EBS filesystem scans.
  • Prevent query errors when a nonexistent registry key is queried.
  • Ensure cnspec and cnquery use proxies for all traffic when specified.
  • Properly display the asset platform in the status command.
  • Fix failures retrieving secrets from vaults.
  • Fix failures scanning some Kubernetes manifest files.
  • Fix failures setting the AWS platform ID under some circumstances.
  • Group Raspbian assets as operating systems in the console.
  • Improve rendering of user avatars in the console.
  • Use consistent table layouts in the Mondoo Vulnerability Database and the space invitation pages to better match other tables in the console.
  • Save sorting and filtering options in the Mondoo Vulnerability Database when reloaded or bookmarked.
  • Fix failures applying asset annotations passed on the command line.
  • Improve errors from systemd when cnspec fails to start due to missing binaries or configuration files.
  • Don't include the vulnerabilities section on the CLI for unsupported platforms.
  • Update the policy generated by the cnspec bundle init command to be cnspec 9.x compatible.
  • Improve the query results in the Mondoo Kubernetes Cluster and Workload Security policy and remove unnecessary data queries.
  • Improve SOC 2 policy check mappings for CIS policies.
  • Add support for macOS systems in the Platform End of Life policy.

Mondoo 9.2 is out!

· 4 min read
Mondoo Core Team

🥳 Mondoo 9.2 is out! This release includes support for securing Atlassian services, a new HTTP resource, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


Secure Atlassian services

Our new Atlassian cnquery/cnspec provider allows you to query the configuration of Atlassian's suite of products, including Jira and Confluence.

Use the Atlassian provider with cnquery shell to connect to your Atlassian URL using a user or admin token:

cnquery shell atlassian --host --admin-token FOO

Some example data you can query using this provider and resources:

atlassian.admin.organizations: [
0: atlassian.admin.organization id="4j1ack42-6c9d-1552-k55a-c2j536j31066"

cnquery> atlassian.jira.users
atlassian.jira.users: [
0: atlassian.jira.user id="5dd64082af96bc0efbe55103"
1: atlassian.jira.user id="630db2cd9796033b256bc349"
2: atlassian.jira.user id="5cb4ae0e4b97ab11a18e00c7"
3: atlassian.jira.user id="557058:f58131cb-b67d-43c7-b30d-6b58d40bd077"
4: atlassian.jira.user id="712020:1bdc8553-00fa-4e1c-8d14-317bbafece92"
5: atlassian.jira.user id="6183312e3e3753006f8c7baf"
6: atlassian.jira.user id="626b14efc72f140069fc636c"
7: atlassian.jira.user id="5b70c8b80fd0ac05d389f5e9"
8: atlassian.jira.user id="5e6a646f5df5fb0cfee33989"
9: atlassian.jira.user id="557058:cbc04d7b-be84-46eb-90e4-e567aa5332c6"
10: atlassian.jira.user id="712020:45d1ce6f-7b4b-4190-8d93-1d709d7203f9"
11: atlassian.jira.user id="5d53f3cbc6b9320d9ea5bdc2"
12: atlassian.jira.user id="557058:950f9f5b-3d6d-4e1d-954a-21367ae9ac75"
13: atlassian.jira.user id="5cf112d31552030f1e3a5905"
14: atlassian.jira.user id="712020:f4b1ca94-1967-48c6-9c22-b04a9e999fae"
15: atlassian.jira.user id="6035864ce2020c0070b5285b"
16: atlassian.jira.user id="60e5a86a471e61006a4c51fd"
17: atlassian.jira.user id="5d9b2860cd50b80dcea8a5b7"
18: atlassian.jira.user id="5d9afe0010f4800c341a2bba"
19: atlassian.jira.user id="626b1500b31e6f006863c12d"
cnquery> "Lunalectric Integration User"

Learn more about the capabilities of this new provider and its resources in the Atlassian resource pack documentation.

Stay tuned for an Atlassian policy bundle that lets you continuously secure your business' Atlassian usage.

New http resource

Use our new http resource to continuously secure and assure compliance for HTTP endpoints used by your business.

http.get('') { statusCode version header{ xFrameOptions xContentTypeOptions referrerPolicy sts csp['base-uri'] } }


http.get: {
header: {
csp[base-uri]: "'self'"
xContentTypeOptions: "nosniff"
referrerPolicy: "same-origin"
xFrameOptions: "SAMEORIGIN"
sts: http.header.sts maxAge=365 days includeSubDomains=true preload=false
version: "2.0"
statusCode: 200

Learn more about these new fields at our http.get and http.header documentation.
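The following Go program is an added example for this page, not Mondoo's http resource implementation. It parses the Strict-Transport-Security and Content-Security-Policy values into the same shape as the http.header.sts and csp['base-uri'] fields above, applies a small baseline over the five headers the query selects, and runs it against a constructed header set served from a local test server. The thresholds (a one-year HSTS max-age, DENY or SAMEORIGIN for X-Frame-Options) are the example's own assumptions, not Mondoo policy content.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"time"
)

// STS mirrors the http.header.sts fields shown above; MaxAge is zero when the
// header is absent or carries max-age=0 (which tells browsers to forget the policy).
type STS struct {
	MaxAge            time.Duration
	IncludeSubDomains bool
	Preload           bool
}

// ParseSTS parses a Strict-Transport-Security value such as
// "max-age=31536000; includeSubDomains" (RFC 6797 directives, case-insensitive).
func ParseSTS(v string) STS {
	var s STS
	for _, part := range strings.Split(v, ";") {
		key, val, _ := strings.Cut(strings.TrimSpace(part), "=")
		switch strings.ToLower(strings.TrimSpace(key)) {
		case "max-age":
			if secs, err := strconv.Atoi(strings.Trim(strings.TrimSpace(val), `"`)); err == nil {
				s.MaxAge = time.Duration(secs) * time.Second
			}
		case "includesubdomains":
			s.IncludeSubDomains = true
		case "preload":
			s.Preload = true
		}
	}
	return s
}

// CSPDirective returns the source list of one Content-Security-Policy directive
// (the csp['base-uri'] lookup above), or "" if the directive is absent.
func CSPDirective(csp, name string) string {
	for _, d := range strings.Split(csp, ";") {
		if f := strings.Fields(d); len(f) > 0 && strings.EqualFold(f[0], name) {
			return strings.Join(f[1:], " ")
		}
	}
	return ""
}

// Evaluate applies a baseline over the five headers the MQL query above selects
// and returns one finding per weakness; an empty result means the endpoint passes.
func Evaluate(h http.Header) []string {
	var findings []string
	if xfo := strings.ToUpper(h.Get("X-Frame-Options")); xfo != "DENY" && xfo != "SAMEORIGIN" {
		findings = append(findings, "X-Frame-Options missing or permissive (clickjacking)")
	}
	if !strings.EqualFold(h.Get("X-Content-Type-Options"), "nosniff") {
		findings = append(findings, "X-Content-Type-Options is not nosniff (MIME sniffing)")
	}
	if h.Get("Referrer-Policy") == "" {
		findings = append(findings, "Referrer-Policy not set (referrer leakage)")
	}
	if sts := ParseSTS(h.Get("Strict-Transport-Security")); sts.MaxAge < 365*24*time.Hour {
		findings = append(findings, "HSTS missing or max-age below one year")
	}
	if CSPDirective(h.Get("Content-Security-Policy"), "base-uri") == "" {
		findings = append(findings, "CSP base-uri not restricted (base tag injection)")
	}
	return findings
}

// HardenedHeaders is a constructed header set matching the values in the output
// above; it was not captured from any real endpoint.
func HardenedHeaders() http.Header {
	h := http.Header{}
	h.Set("X-Frame-Options", "SAMEORIGIN")
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Referrer-Policy", "same-origin")
	h.Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
	h.Set("Content-Security-Policy", "default-src 'self'; base-uri 'self'")
	return h
}

func main() {
	// Serve the constructed headers locally so the check runs offline.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		for k, v := range HardenedHeaders() {
			w.Header()[k] = v
		}
	}))
	defer srv.Close()
	resp, err := http.Get(srv.URL)
	if err != nil {
		panic(err)
	}
	resp.Body.Close()
	fmt.Println("statusCode:", resp.StatusCode, "findings:", Evaluate(resp.Header))
	fmt.Println("findings with no headers at all:", Evaluate(http.Header{}))
}
```

Note that ParseSTS folds max-age=0 into "absent": browsers treat that value as an instruction to drop a previously pinned policy, so it should fail the same check as a missing header rather than pass because a header exists.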


Expanded Azure resources

Azure networking resources continue to receive updates to expose critical information for security and compliance within your Azure infrastructure:


  • New publicIpAddress property: The public IP address associated with this IP configuration


  • New publicIpAddresses property: List of public IP addresses the NAT gateway is associated with


  • New dhcpOptions property: Virtual network DHCP options
  • New enableDdosProtection property: Indicates if DDoS protection is enabled for all the protected resources in the virtual network.
  • New enableVmProtection property: Indicates if VM protection is enabled for all the subnets in the virtual network

AWS console links let you jump directly from Mondoo scan results to the scanned assets in the AWS console. Use these handy shortcuts to make updates quickly based on Mondoo findings. We've expanded this support with direct console links from Mondoo DynamoDB, KMS, CloudTrail, and EBS volumes assets.


  • Add form value validation to the Organization Settings -> Authentication page.
  • Improve rendering of the form in the Organization Settings -> Authentication page.
  • Improve the performance of AWS account scans.
  • Fix failures scanning AWS DynamoDB tables.
  • Fix failures fetching metadata and connection settings in the Azure Web App Service.
  • Fix a failure that could occur when querying terraform.files.
  • Don't use Microsoft's UPX binary compression for cnquery and cnspec, as some antivirus software incorrectly flags this as malware.
  • Improve handling of null values in resources.
  • Use asset.fqdn as the asset name for the network and arista providers.
  • Use proxy servers to fetch provider updates when available.
  • Fix the copy to table button on CVE pages failing to copy.
  • Fix a failure creating Jira integrations.
  • Improve compliance framework mappings to show additional data.
  • Fix incorrect titles on some Microsoft KBs.
  • Adjust the EOL dates for Amazon Linux 2018 and Debian 9/12.
  • Don't show checks in policies that are not enabled in Compliance Hub control pages.
  • Rework queries in CIS Windows 10/11/2016/2019/2022 policies to improve reliability.

Mondoo 9.1 is out!

· 6 min read
Mondoo Core Team

🥳 Mondoo 9.1 is out! This release includes support for private GitLab instance scanning, new Azure networking resources, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


Continuous scanning of hosted GitLab instances

Running your own private GitLab instance? No problem. Now Mondoo can continuously scan your private GitLab instances, automatically discovering sub-groups, projects, and even IaC code in projects.

New and expanded Azure/MS365 resources

New resources and fields expand the ability to secure and inventory your Microsoft cloud assets with Mondoo. We've exposed critical networking information in Azure as well as service principal and enterprise application data in Azure AD (now Microsoft Entra ID), giving you the data you need for custom security policies or compliance audits.

New Resources

  • azure.subscription.networkService.appSecurityGroup: Azure Network Application Security Group
  • azure.subscription.networkService.backendAddressPool: Azure Network Backend Address Pool
  • azure.subscription.networkService.bgpSettings: Azure Network BGP Settings
  • azure.subscription.networkService.bgpSettings.ipConfigurationBgpPeeringAddress: Azure BGP Settings IP Configuration
  • azure.subscription.networkService.firewall: Azure Network Firewall
  • azure.subscription.networkService.firewall.applicationRule: Azure Network Firewall Application Rule
  • azure.subscription.networkService.firewall.ipConfig: Azure Network Firewall IP Configuration
  • azure.subscription.networkService.firewall.natRule: Azure Network Firewall NAT Rule
  • azure.subscription.networkService.firewall.networkRule: Azure Network Firewall Network Rule
  • azure.subscription.networkService.firewallPolicy: Azure Network Firewall Policy
  • azure.subscription.networkService.frontendIpConfig: Azure Network Frontend IP Configuration
  • azure.subscription.networkService.inboundNatPool: Azure Network Inbound NAT Pool
  • azure.subscription.networkService.inboundNatRule: Azure Network Inbound NAT Rule
  • azure.subscription.networkService.loadBalancer: Azure Network Load Balancer
  • azure.subscription.networkService.loadBalancerRule: Azure Network Load Balancer Rule
  • azure.subscription.networkService.natGateway: Azure Network NAT gateway
  • azure.subscription.networkService.outboundRule: Azure Network Outbound Rule
  • azure.subscription.networkService.probe: Azure Network Probe
  • azure.subscription.networkService.subnet: Azure Network Subnet
  • azure.subscription.networkService.virtualNetwork: Azure Network Virtual Network
  • azure.subscription.networkService.virtualNetworkGateway.connection: Azure Network Virtual Network Gateway Connection
  • azure.subscription.networkService.virtualNetworkGateway.ipConfig: Azure Network Virtual Network Gateway IP Configuration
  • azure.subscription.networkService.virtualNetworkGateway: Azure Network Virtual Network Gateway
  • microsoft.serviceprincipal.assignment: Microsoft Service Principal Assignment

New microsoft.serviceprincipal fields

  • type: Service principal type
  • name: Service principal name
  • tags: Service principal tags
  • enabled: Whether users can sign into the service principal (application)
  • homepageUrl: Service principal homepage URL
  • termsOfServiceUrl: Service principal terms of service URL
  • replyUrls: Service principal reply URLs
  • assignmentRequired: Whether users or other apps must be assigned to this service principal before using it
  • visibleToUsers: Whether the service principal is visible to users
  • notes: Service principal notes
  • assignments: The list of assignments (users and groups) this service principal has


Expanded AWS resource fields

We're back again this week with 25 new AWS resource fields, giving you the information you need to inventory and secure your assets:


  • vpcArn: The ARN of the VPC associated with the instance


  • availabilityZone: Availability zone where the file system exists if a specific AZ is defined
  • createdAt: Creation timestamp

  • elasticsearchVersion: The version of Elasticsearch running
  • domainId: The Elasticsearch domain ID
  • domainName: The Elasticsearch domain name


  • createdAt: Creation date of the secret
  • description: Description of the secret
  • lastChangedDate: The last date the secret was changed
  • lastRotatedDate: The last date the secret was automatically rotated
  • nextRotationDate: The date of the next secret rotation
  • primaryRegion: The primary region of the secret
  • rotationEnabled: Whether rotation is enabled for the secret


  • availabilityZone: Availability zone where the cluster exists
  • clusterRevisionNumber: Specific revision number of the database in the cluster
  • clusterStatus: Current state of this cluster. Values: available, creating, deleting, rebooting, renaming, and resizing
  • clusterSubnetGroupName: Name of the subnet group that is associated with the cluster
  • clusterVersion: Version of the Redshift engine running on the cluster
  • createdAt: Cluster creation timestamp
  • dbName: Name of the initial database that was created when the cluster was created
  • enhancedVpcRouting: Whether enhanced VPC routing is enabled for the cluster traffic
  • masterUsername: Master user name for the cluster
  • nextMaintenanceWindowStartTime: The next scheduled maintenance window
  • numberOfNodes: The number of nodes in the cluster
  • vpcId: The ID of the VPC where the cluster is running

Discover all resources related to a given Terraform resource.

For example, given the following Terraform snippet:

resource "aws_iam_role" "dev-resources-iam-role" {
name = "SSM-role-${}-${random_string.suffix.result}"
# ...

resource "aws_iam_instance_profile" "dev-resources-iam-profile" {
name = "ec2_ssm_profile-${}-${random_string.suffix.result}"
role =
# ...

Using this MQL:

terraform.resources {
related {

We get:

terraform.resources: [
0: {
nameLabel: "aws_iam_instance_profile"
related: [
0: {
nameLabel: "aws_iam_role"
1: {
nameLabel: "aws_iam_role"
related: [
0: {
nameLabel: "aws_iam_instance_profile"
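To make the related lookup concrete, here is an added Go example written for this page (not cnquery's Terraform provider): it finds references of the form TYPE.NAME.attribute in each resource body and links both sides, which is the symmetric relation the terraform.resources output above shows. The configuration it parses is constructed and modelled on the snippet above; the var.env interpolation and the extra random_string and aws_s3_bucket blocks are the example's own. It handles only flat resource blocks with the closing brace at the start of a line; a real implementation would use an HCL parser.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
)

// Block is a minimal stand-in for a Terraform resource block: its type label,
// its name label, and the raw body text.
type Block struct {
	Type, Name, Body string
}

// Address returns the Terraform address other blocks use to reference this one.
func (b Block) Address() string { return b.Type + "." + b.Name }

var (
	// resource "TYPE" "NAME" { ... } with the closing brace at the start of a line
	// (sufficient for the constructed input below; nested blocks are not handled).
	blockRe = regexp.MustCompile(`(?s)resource\s+"([^"]+)"\s+"([^"]+)"\s*\{(.*?)\n\}`)
	// TYPE.NAME.attribute, the shape of a reference to another resource, e.g.
	// aws_iam_role.dev-resources-iam-role.name, bare or inside "${...}".
	refRe = regexp.MustCompile(`\b([a-z][a-z0-9_]*)\.([A-Za-z0-9_-]+)\.[A-Za-z_]`)
)

// ParseBlocks extracts resource blocks from HCL text.
func ParseBlocks(src string) []Block {
	var out []Block
	for _, m := range blockRe.FindAllStringSubmatch(src, -1) {
		out = append(out, Block{Type: m[1], Name: m[2], Body: m[3]})
	}
	return out
}

// Related maps every resource address to the sorted addresses of resources it
// references or is referenced by.
func Related(blocks []Block) map[string][]string {
	rel := map[string]map[string]bool{}
	for _, b := range blocks {
		rel[b.Address()] = map[string]bool{}
	}
	for _, b := range blocks {
		for _, m := range refRe.FindAllStringSubmatch(b.Body, -1) {
			target := m[1] + "." + m[2]
			// Only links to resources defined in this configuration count;
			// var.*, data.* and unknown names are dropped here.
			if _, known := rel[target]; known && target != b.Address() {
				rel[b.Address()][target] = true
				rel[target][b.Address()] = true
			}
		}
	}
	out := map[string][]string{}
	for addr, set := range rel {
		names := []string{}
		for t := range set {
			names = append(names, t)
		}
		sort.Strings(names)
		out[addr] = names
	}
	return out
}

// SampleHCL is a constructed configuration modelled on the snippet above; it is
// not the release notes' own file.
const SampleHCL = `
resource "random_string" "suffix" {
  length = 6
}

resource "aws_iam_role" "dev-resources-iam-role" {
  name = "SSM-role-${var.env}-${random_string.suffix.result}"
}

resource "aws_iam_instance_profile" "dev-resources-iam-profile" {
  name = "ec2_ssm_profile-${var.env}-${random_string.suffix.result}"
  role = aws_iam_role.dev-resources-iam-role.name
}

resource "aws_s3_bucket" "logs" {
  bucket = "lunalectric-logs"
}
`

func main() {
	rel := Related(ParseBlocks(SampleHCL))
	addrs := make([]string, 0, len(rel))
	for a := range rel {
		addrs = append(addrs, a)
	}
	sort.Strings(addrs)
	for _, a := range addrs {
		fmt.Printf("%s\n  related: %v\n", a, rel[a])
	}
}
```

The aws_s3_bucket block comes back with an empty related list, which is the case a policy author most often wants to catch: a resource that nothing else references is either unused or wired up outside the configuration being scanned.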

Improved results pagination

The larger your infrastructure, the larger the results of your security scans. Now it's easier to navigate those large results no matter where you are in the Mondoo Console. We've reworked our results pagination to make it more consistent and to allow you to show more results per page when you need to view those extra large data sets.

Asset pagination

Expanded openSUSE Linux CVE data

Mondoo now includes data on CVEs in openSUSE Linux 15.2 through the latest 15.6 pre-releases.


  • Fix links from "Top Recommended Actions" on asset pages to go directly to check pages.
  • Update multi-selection in CI/CD pages to match the updated design throughout the console.
  • Fix inconsistent table header cell padding in the Compliance Hub pages.
  • Improve rendering of the organization dashboards to prevent lines covering text.
  • Fix asset name detection in cloud instances.
  • Fix provider auto update CLI flag failures.
  • Fix CIS Kubernetes policies to properly apply to kubelets.
  • Fix CIS iptables checks to work with iptables >= 1.8.9 format.
  • Fix failures running Kubernetes Cluster and Workload Security's "Pods should not run Kubernetes dashboard" query.
  • Improve wording in the cnspec scan --help command and don't print duplicate providers.
  • Fix failures running the resource.
  • Fix dns.fqdn not returning an FQDN when scanning the system via SSH or Vagrant.
  • Avoid adding nil Terraform blocks when fetching related blocks.
  • Fix errors fetching processes that would be printed on the command line.
  • Fix cnspec scan to run a local scan like cnspec < 9.0.
  • Provide a friendly error message when scanning unsupported Kubernetes API releases.
  • Fix asset overview only showing the first available AWS tag.
  • Add back missing Scan Overview section in the asset overview.
  • Make sure AWS-specific information displays on the asset overview page for scanned instances.
  • Improve the reliability of CIS sudo-related checks.
  • Fix failures running the CIS Ensure default user umask is configured and Ensure default user umask is 027 or more restrictive checks on some distributions.
  • Don't show the button to upload new policies or query packs if the user only has viewer privileges in the space.
  • Add back the Audit section in asset check pages.

Mondoo 9.0 is out!

· 11 min read
Mondoo Core Team

🥳 Mondoo 9.0 is out!

This is a major new release with exciting improvements to cnquery and cnspec's extensibility.

This release includes a whole new cnquery and cnspec client, enhanced GitLab scanning, piles of new resource updates, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


All new cnspec and cnquery clients!

Up to this point, both cnquery and cnspec had all connectors and providers built into one binary file each. This was great when we only had a few connectors and things were small. Recently, however, the binaries have exploded in size with every new technology we added. Since both projects are designed to also run on small devices and embedded controllers, we have wanted to change this approach for some time.

This release includes entirely new binaries for cnquery and cnspec. Both are 90% smaller, re-usable, and extensible now!

  1. Provider plugins

    When you connect to any technology (like AWS, Azure, K8s, etc.), we now install a dedicated provider for that technology. This happens automatically for all core technologies we support:

    > cnquery run aws -c
    → installing provider 'aws' version=9.0.8
    → successfully installed aws provider path=/home/zero/.config/mondoo/providers/aws version=9.0.8
    → loaded configuration from /home/zero/.config/mondoo/mondoo.yml using source default "AWS Account lunalectric-management (177043759486)"

    These provider plugins are shared between cnquery and cnspec. If you install any provider for cnquery, it is available to cnspec and vice versa.

  2. Automatic updates

    Providers are automatically updated to the latest version of the current major release:

    ~ $> cnspec shell aws
    → found a new version for 'aws' provider installed=9.0.5 latest=9.0.8
    → successfully installed aws provider path=/home/zero/.config/mondoo/providers/aws version=9.0.8

    We avoid breaking changes within a major version and announce deprecations with a full major version as a grace period, during which you can still use the deprecated features.

    For containers and restricted environments, you can turn off updates via --auto-update=false or auto_update: false in the config file. This will prevent existing providers from getting updated and prevent new providers from being installed.

    For example, if you install cnquery or cnspec in a container, you can pre-install all the providers you plan to use with it. At the end of the build process, deactivate auto-update in the config file.

  3. Custom providers

    You can view all providers via the providers subcommand:

    > cnquery providers

    → builtin (found 2 providers)

    core 9.0.1
    mock 9.0.0 with connectors: mock

    → /home/zero/.config/mondoo/providers (found 4 providers)

    aws 9.0.8 with connectors: aws
    azure 9.0.4 with connectors: azure
    gitlab 9.0.4 with connectors: gitlab
    os 9.0.8 with connectors: local, ssh, winrm, vagrant, container, docker, filesystem

    → /opt/mondoo/providers has no providers

    This command not only prints the current providers and versions, but it also shows the locations in which providers are installed.

    In the coming days we will share written and video guides on how to create your very own provider. In the meantime, feel free to check out cnquery's "providers" folder, which contains many examples. All providers are distributed as binaries with a proto interface, so you can write them in Go or any other language with gRPC support.

    You can now create custom providers and install them everywhere you want to run them! This also includes restricted code that may use your company's internal APIs and which you don't want to publish. Mondoo will support the schema-upload shortly so you can see results in our UI without exposing any code.
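As an added example of the container workflow described under "Automatic updates" above (this is not the project's own code), a Dockerfile that pre-installs the needed providers and then freezes them by disabling auto-update at the end of the build; the base image name, the `cnspec providers install` subcommand and the root config path are assumptions, not taken from the release notes.

```dockerfile
# Added example, not from the Mondoo release notes. Assumptions, none of which
# the notes state: the mondoo/cnspec image as base, the "cnspec providers
# install" subcommand, and a root user whose config lives under
# /root/.config/mondoo (the $HOME/.config/mondoo layout shown in the notes).
FROM mondoo/cnspec

# While auto-update is still on, pin the provider set the image will need.
# Providers are shared between cnspec and cnquery, so one install serves both.
RUN cnspec providers install os && \
    cnspec providers install aws

# Final build step: freeze the provider set. auto_update: false in the config
# file (equivalent to --auto-update=false) stops both updates of installed
# providers and installation of new ones, so a scan can never pull in code
# that was not present at build time.
RUN mkdir -p /root/.config/mondoo && \
    printf 'auto_update: false\n' >> /root/.config/mondoo/mondoo.yml

# Record what shipped: this prints each provider, its version and its path.
RUN cnspec providers
```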

Hassle-free asset discovery in GitLab scans

We've removed the pain of manually discovering assets throughout your GitLab environment with new hassle-free asset discovery. The GitLab Mondoo Platform integration and the cnspec CLI now include options to automatically discover all GitLab projects, groups, and even Terraform files within your GitLab projects. Set it once and continuously scan your entire environment to secure your software supply chain and the Terraform files that define your infrastructure.

GitLab Setup

New cnspec GitLab discovery options:

cnspec scan gitlab --token TOKEN <- returns all groups the user has access to
cnspec scan gitlab --token TOKEN --discover groups <- returns the defined group and all subgroups of that group
cnspec scan gitlab --token TOKEN --discover projects <- returns all the projects discovered in all the groups the user has access to
cnspec scan gitlab --token TOKEN --discover terraform <- returns all the Terraform files in all the projects discovered in all the groups the user has access to

Set asset annotations during client login

Asset annotations let you add additional information on assets that can't necessarily be detected using Mondoo resources. Traditionally, these annotations have been set in the console on each asset page, but now you can automate setting annotations during the client registration process. This allows you to pass in data like employee workstation asset tags from an MDM solution.

Setting annotations during the client login:

cnspec login --token <token> --annotation assetid=MONDOO1234 --annotation location=PDX

Asset annotations


New resources and resource fields

What fun is a Mondoo release without new resources and fields to secure your infrastructure? For version 9.0, we went big with 46 new fields and resources. Stay tuned for updated policies and new asset inventory capabilities using some of these new additions.


  • New httpEndpoint property: Status of the IMDS endpoint enabled on the instance
  • New stateTransitionTime property: Time when the last state transition occurred


  • New createdTime property: Date the load balancer was created
  • New vpcID property: The ID of the VPC where the load balancer is located


  • Improve default values for use in cnquery shell
  • New storageAllocated property: The amount of storage, in GiB, provisioned on the instance
  • New storageIops property: The storage IOPS provisioned on the instance
  • New storageType property: The type of storage provisioned on the instance
  • New availabilityZone property: Availability zone where the instance exists
  • New engineVersion property: The version of the database engine for this DB instance
  • New createdTime property: The creation date of the RDS instance


  • New createdTime property: Date the bucket was created


  • Fix routeTables to return the correct values for the VPC
  • New cidrBlock property: IPv4 CIDR block of the VPC
  • New instanceTenancy property: How instance hardware tenancy settings are enforced on instances launched in this VPC
  • New endpoints subresource with additional fields:
    • id: Unique ID of the endpoint
    • type: Type of the endpoint
    • vpc: VPC the endpoint exists in
    • region: Region the VPC exists in
    • serviceName: The name of the endpoint service
    • policyDocument: The policy document associated with the endpoint, if applicable
    • subnets: The subnets for the (interface) endpoint
  • New subnets subresource with additional fields:
    • arn: ARN of the subnet
    • id: Unique ID of the subnet
    • cidrs: A list of CIDR descriptions
    • mapPublicIpOnLaunch: Whether instances launched in this subnet receive a public IPv4 address


  • New subscriptionId property: The subscription identifier


  • New storageAccountId property: ID of the diagnostic setting storage account


  • New storageAccountId property: ID of the log profile storage account


  • New membersCanForkPrivateRepos property: Whether members can fork private repositories to their own GitHub account


  • New hasDiscussions property: Whether the repository has discussions
  • New isTemplate property: Whether the repository is an organization repository template


  • New allowMergeOnSkippedPipeline property: Allow merging merge requests when a pipeline is skipped
  • New archived property: Is the project archived?
  • New autoDevopsEnabled property: Is the Auto DevOps feature enabled?
  • New containerRegistryEnabled property: Is the container registry feature enabled?
  • New createdAt property: Create date of the project
  • New defaultBranch property: Default git branch
  • New emailsDisabled property: Disable project email notifications
  • New fullName property: The full name of the project, including the namespace
  • New issuesEnabled property: Is the issues feature enabled?
  • New mergeRequestsEnabled property: Is the merge request feature enabled?
  • New mirror property: Is the project a mirror?
  • New onlyAllowMergeIfAllDiscussionsAreResolved property: Only allow merging merge requests if all discussions are resolved
  • New onlyAllowMergeIfPipelineSucceeds property: Only allow merging merge requests if the pipelines succeed
  • New packagesEnabled property: Is the packages feature enabled?
  • New requirementsEnabled property: Is the requirements feature enabled?
  • New serviceDeskEnabled property: Is the Service Desk feature enabled?
  • New snippetsEnabled property: Is the snippets feature enabled?
  • New webURL property: URL of the project
  • New wikiEnabled property: Is the wiki feature enabled?

  • New emailsDisabled property: Disable group email notifications
  • New preventForkingOutsideGroup property: Don't allow forking projects outside this group
  • New mentionsDisabled property: Disable group mentions within issues and merge requests
  • New webURL property: URL of the group


  • New kind property: Kubernetes object type


  • New path property: Path for the main rsyslog file and search


  • New backend property: Backend configuration information

Improved query packs

  • The Azure Asset Inventory Pack now includes a list of all public IP addresses in Azure subscriptions.
  • The Mondoo Asset Count query pack now includes asset counts for all GCP and GitLab assets, including all new GCP assets discovered when scanning with the --discover all flag.

MQL improvements

Mondoo 9.0 further improves MQL so you can more easily query assets in your environment and write custom security policies.

Simple accessors for unstructured data

Accessing structures in JSON, Terraform, and Kubernetes has often been painful:


To make it easier to access these nested fields, we've introduced a new optional syntax. This is well-known from other scripting languages (like JS and TS):

This mode continues to support our GraphQL foundation:

dict {
one { more.field }

It has helped simplify many use-cases for Terraform and Kubernetes:

# OLD:
tfblock {

# NEW:
tfblock {

Empty type

With the new empty type, there's no need for complex logic to check for different kinds of empty values. Each of these common situations evaluates as empty:

[] == empty
null == empty
'' == empty
{} == empty

A single query can now check for an empty value in any type of data:

users.list == empty

Expanded platform EOL data

  • Add Fedora 39: November 12, 2024
  • Add Google COS 109: September 1, 2025


  • Significantly improve the query time for ports on Linux systems. If you query ports without accessing their related processes, the query now returns in a fraction of the time. We are working to further speed this up for use cases that need the related processes.
  • Remove errors for files.find when no results were returned. Do not return an empty file object.
  • Improve output of GCP resources in the cnquery shell.
  • Resolve errors running the CIS Ensure default user shell timeout is 900 seconds or less check.
  • Resolve errors running the CIS Ensure lockout for failed password attempts is configured check.
  • Resolve errors running the CIS Ensure password hashing algorithm is SHA-512 or yescrypt check.
  • Resolve errors running the CIS Ensure password reuse is limited check.
  • Fix false positive in the CIS Ensure lockout for failed password attempts is configured check.
  • Don't show buttons to accept a compliance exception if the user only has viewer privileges in the space.
  • Don't show null at the end of compliance framework and control descriptions.
  • Show the asset completion percentage on compliance control pages.
  • Fix invalid CloudFormation links on the AWS integration page.
  • Avoid repeatedly generating registration tokens in the organization/space page.
  • Fix incorrect integrations listed on the Google Workspace integration page.
  • Add missing label examples in the search page.
  • Change all unknown and unrated check statuses to unscored.
  • Improve the rendering of Compliance Hub control distribution graphs with large numbers of controls.
  • In the registry, fix platform icons not displaying correctly for policies that use variants.
  • Allow updating the GCP service account configuration file in GCP integrations.
  • Fix scanning of untagged Amazon ECR images.
  • Fix some check links in Compliance Hub not loading.
  • Fix EC2 instance detection when IMDSv1 is disabled.

Mondoo 8.29 is out!

· 3 min read
Mondoo Core Team

🥳 Mondoo 8.29 is out! This release includes improved table views, a new Inventory navbar item, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


Improved UI tables

At Mondoo we take pride in not just collecting security information, but also displaying it in a meaningful way. If you've been using the product long enough you may have noticed we've gone through many iterations of our table view. It never felt quite right, until we introduced the new table in Compliance Hub that lets you easily view, sort, and multi-select data without pull down menus or multiple clicks. This week the team revamped all of our existing views to update them with this improved UX. Give it a try and keep an eye out for pagination improvements coming soon!

Improved multi-select

Fleet is now Inventory

When we first built Mondoo, the Fleet view was where you found all of your servers or workstations. As we expanded Mondoo to include Kubernetes workloads, cloud accounts, and even SaaS servers, this name made less sense. This week we renamed Fleet to Inventory to better represent Mondoo's cross-platform asset inventory capabilities. It's just a rename, but we think this will make it easier to jump right in and begin exploring all your inventory.

Fleet in the nav bar

Fedora 39 vulnerability scanning

Fedora 39 is right around the corner, with the first beta released this week. Not to be left behind we've added Fedora 39 vulnerability scanning to Mondoo, so fire up cnspec and keep that beta install secure.

Improved compliance control descriptions

We've expanded the data that can be displayed in Compliance Control pages, so you'll always have all the details to keep your infrastructure secure. This new view includes improved description rendering and the ability to expand extra long descriptions.

Compliance control descriptions


  • Reduce API usage for GitLab scans to avoid API rate-limiting.
  • Avoid some authentication failures when scanning GitLab projects.
  • Fix incorrect GitLab asset runtime values.
  • Improve the usage instructions in the GitLab policy with project scanning instructions.
  • Fix errors in the CIS Ensure GDM login banner is configured check when GDM files don't exist.
  • Improve output of the CIS Ensure journald is not configured to receive logs from a remote client check.
  • Add GitLab Group ID and Project ID to the asset configuration overview data.
  • Fix failures loading certain assets in the console.
  • Change the "Rational" sections in policies to "Rationale."
  • Only run the Linux Workstation Security policy when xorg-xserver is installed to prevent it from evaluating servers.
  • Update the registry to consistently refer to "query packs" as two words.
  • Improve query descriptions in the Azure Asset Inventory Pack query pack.
  • Remove a duplicate query from the Azure Asset Inventory Pack query pack.
  • Fix some query pack and policy bundle categories/authors to make filtering in the registry more consistent.
  • Support Rsyslog 7+ syntax in the CIS Ensure rsyslog is configured to send logs to a remote log host check.
  • Don't display the Assets button in Kubernetes integration pages when no assets have been scanned.
  • Allow updating the token in GitLab integrations.
  • Don't display compliance control checkboxes when a user only has view permissions in a space.

Mondoo 8.28 is out!

· 2 min read
Mondoo Core Team

🥳 Mondoo 8.28 is out! This release includes fine-grained GitLab scanning and more!

Get this release: Installation Docs | Package Downloads | Docker Container


Fine-grained scanning of GitLab assets

Mondoo now offers more detailed scanning capabilities for GitLab assets. Instead of the previous single gitlab asset, Mondoo now provides separate gitlab-group and gitlab-project assets. When scanning your GitLab group, both cnspec and cnquery now automatically detect each project within your group. This enhanced granularity in asset scans improves the accuracy of scan results and allows for setting exceptions for specific projects.

cnspec scan gitlab --group lunalectric
→ loaded configuration from /Users/luna/.config/mondoo/mondoo.yml using source default
→ using service account credentials
→ discover related assets for 1 asset(s)
→ resolved assets resolved-assets=37
→ synchronize assets
lunalectric / rockets_101 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100%
lunalectric / oxygen_generator ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100%
lunalectric / space_cats ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100%
lunalectric / rover_design ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100%
lunalectric / human_habitats ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100%


Runtime data in AWS Lambda function resource

The aws.lambda.function MQL resource now includes a new runtime field that displays the runtime environment of the function. Thanks for this addition @mbainter!


  • Fix a panic viewing some asset data in the asset resources tab.
  • Add more user-friendly control titles to the SOC 2 compliance framework.
  • Show 0% check completion instead of "Unknown" when appropriate in compliance controls.
  • Automatically close the search box when results display.
  • Fix hardware systems incorrectly identifying as Azure VMs in asset configuration data.
  • Improve reliability of the CIS Ensure GDM login banner is configured check on RHEL based systems.
  • Prevent errors in the CIS Ensure filesystem integrity is regularly checked check when the aide package is not installed.

Mondoo 8.27 is out!

· 3 min read
Mondoo Core Team

🥳 Mondoo 8.27 is out! This release includes asset search, improved CIS policies, and more!

Get this release: Installation Docs | Package Downloads | Docker Container


Want to quickly find all your Debian systems or maybe the Mac laptop with a particular IT asset tag? Now you can with simple, yet powerful, search.

Search Results

Search your whole organization or limit results to a single Mondoo space.

Org or Space Search

Need to craft a more advanced query? Use GitHub-style search syntax to write powerful search queries with ease.

Advanced Search Syntax

Learn more in the Mondoo search docs.


Improved CIS policy results

This week we further improved the reliability of our CIS benchmark policies, so you'll always have the best security compliance data for your infrastructure.

  • Fix failures in the Ensure permissions on bootloader config are configured check on some Linux distributions.
  • Fix failures in the Ensure permissions on /etc/shadow- are configured check when the /etc/shadow- file doesn't exist.
  • Update the Ensure local login warning banner is configured properly and Ensure remote login warning banner is configured properly checks to also ensure the /etc/issue file exists.
  • Fix failures in the Ensure permissions on /etc/issue are configured check when the /etc/issue file does not exist.
  • Fix failures in the Ensure permissions on /etc/ are configured check when the /etc/ file does not exist.
  • Fix failures in the Ensure permissions on /etc/gshadow- are configured and Ensure permissions on /etc/gshadow are configured checks on Debian-based systems.
  • Fix failures in the Ensure audit log storage size is configured, Ensure audit logs are not automatically deleted, and Ensure system is disabled when audit logs are full checks when the /etc/audit/audit.conf file does not exist.
  • Fix failures in the Ensure at/cron is restricted to authorized users check if the /etc/cron.allow or /etc/at.allow config files don't exist.
  • Add PowerShell remediation snippets to all Windows policies.


  • Pages in compliance that show check details now include breadcrumbs that take you back to the main compliance page.
  • Allow users to update the private key in OCI integrations.
  • Remove GCP BigQuery table count from the asset configuration overview to prevent long scan times in complex environments.
  • Show an improved empty state page on security and compliance check pages that have no assets.
  • Update the AWS integrations list page design to match other integration pages.
  • Improve the rendering of the integration list page when the last integration has been removed.
  • Fix missing check summary counts on asset pages.
  • Fix some CVE scores showing up as "None" when they should be "Critical".