Getting started
Install the Mondoo Security extension, see your first code findings within a minute, and run your first infrastructure check.
Install the extension
Install Mondoo Security from the Visual Studio Code Marketplace (publisher: Mondoo), or from the Extensions view in VS Code (Ctrl+Shift+X / Cmd+Shift+X, search for "Mondoo").
When you first open a workspace, VS Code may ask you to trust it. The extension only activates in trusted workspaces because it executes the cnspec and xgrep binaries against your files.
Take the tour
The fastest way in is the built-in walkthroughs — one per pillar. On first
install the extension offers a short tour; reopen any of them from the Command
Palette (Ctrl+Shift+P / Cmd+Shift+P) or the matching status-bar menu:
- Mondoo: xgrep — Get Started opens a deliberately-vulnerable demo file so you see real code findings — and how to fix, dismiss, and explain them — in about two minutes.
- Mondoo: Get Started with cnspec sets cnspec up and walks through running a policy against your own machine and authoring your first one.
- Mondoo Bill of Materials: Get Started covers generating an SBOM or AIBOM for your project.
Find your first code issue (no setup)
Code scanning works the moment the extension is installed: the xgrep scanner
sets itself up automatically (it installs the official @mondoohq/xgrep npm
package into the extension's own storage — you see a progress notification, and
uninstalling the extension removes it again).
Open any file in a supported language, and security issues and leaked secrets appear in the Problems panel (Ctrl+Shift+M / Cmd+Shift+M) and as squiggles in the editor as you type. The shield icon in the status bar shows the scanner state and how many findings exist across your workspace.
To check the whole project rather than just open files, run Mondoo: xgrep —
Scan Workspace from the Command Palette (Ctrl+Shift+P / Cmd+Shift+P). From
here, the code security guide shows you how to fix
findings in one click, dismiss the ones that don't apply, and keep generated
code out of your results.
If you prefer to manage the scanner binary yourself, install it with
npm install -g @mondoohq/xgrep or set mondoo.xgrepPath, and turn off
mondoo.xgrepAutoInstall.
Check your infrastructure
Infrastructure checks run through cnspec. The extension looks for it at the
configured path (mondoo.cnspecPath, empty by default) and on your PATH; if
it is missing, you get installation guidance for your platform when the
extension activates.
To install manually:
# macOS
brew install cnspec
# Linux and macOS (installer script)
bash -c "$(curl -sSL https://install.mondoo.com/sh)"
See the cnspec installation documentation for Windows and package-manager options. After installing to a custom location, point mondoo.cnspecPath at the binary.
Then run your first check:
- Open a folder containing .mql.yaml policy files, or create one.
- Open the Mondoo view in the Activity Bar. The policy explorer lists every policy and query found in the workspace.
- Click Run Query above any query in the editor (CodeLens), or use the run action on a policy in the explorer. Results open in the integrated terminal.
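If you have no policy file yet, the following is an added example of a minimal policy bundle in the cnspec policy bundle format (constructed for this guide, not a file shipped with the extension); the uids, titles and impact values are made up, and the checks assume an sshd installation on the target:

```yaml
# Constructed example: a minimal cnspec policy bundle.
# Save it in the workspace as, for example, ssh-baseline.mql.yaml so the
# policy explorer picks it up. All uids below are invented for this example.
policies:
  - uid: example-ssh-baseline
    name: Example SSH baseline
    version: 1.0.0
    groups:
      - title: SSH daemon hardening
        # Group filters are MQL too; this group only applies to Unix-like assets.
        filters: asset.family.contains("unix")
        checks:
          - uid: example-sshd-no-root-login
          - uid: example-sshd-no-password-auth

queries:
  - uid: example-sshd-no-root-login
    title: Root login over SSH is disabled
    impact: 80
    # sshd.config.params is a map of the effective sshd_config options;
    # the check passes only when PermitRootLogin is explicitly "no".
    mql: sshd.config.params["PermitRootLogin"] == "no"
  - uid: example-sshd-no-password-auth
    title: SSH password authentication is disabled
    impact: 60
    mql: sshd.config.params["PasswordAuthentication"] == "no"
```

Clicking Run Query above either query runs just that check against the local system; running the policy from the explorer evaluates both checks and reports a score.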
By default checks run against your local system. To assess the systems you actually operate — SSH hosts, Docker containers, cloud accounts, Kubernetes clusters — add a target configuration: see Scan targets.
Next steps
- Code security — fix, dismiss, and tune code findings
- Infrastructure security — policies, scan targets, and the policy development workflow
- Bill of materials — inventory dependencies, asset packages, and AI models
- Settings reference