Infrastructure security

Check systems, cloud accounts, containers, and clusters against security policies — and develop those policies with full IDE support.

Knowing your infrastructure is configured securely shouldn't require waiting for an audit. cnspec, Mondoo's infrastructure security scanner, checks systems against security policies and scores the results — so a misconfigured SSH daemon, an open cloud storage bucket, or a drifted Kubernetes cluster surfaces while you can still fix it quietly.

Policies are code: YAML bundles (.mql.yaml or .mql.yml) of MQL (Mondoo Query Language) checks that live in your repository like any other code. This extension is the workbench for both halves of the workflow — running checks against real targets, and developing the policies themselves. See the Mondoo policy documentation for the policy format.
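As an added example (not taken from the Mondoo documentation or from this extension), here is a small bundle of the kind described above: one policy, one filtered group, two plain checks, and one query with platform variants. The field layout follows the cnspec bundle format as this editor understands it; the uids, titles, impact values, and the sshd.config, service, and asset resource references are assumptions for illustration, not values from this page.

```yaml
# Added example bundle (not from the Mondoo docs or this extension): a small
# policy that checks SSH daemon settings. The uids, titles and the
# sshd.config / service / asset resource references are assumptions.
policies:
  - uid: example-ssh-baseline
    name: Example SSH baseline
    version: 1.0.0
    authors:
      - name: Example Security Team
        email: security@example.com
    groups:
      # A group bundles checks behind a shared asset filter; only assets that
      # match the filter are scored against the checks it contains.
      - title: SSH daemon configuration
        filters: asset.family.contains("unix")
        checks:
          - uid: example-sshd-permit-root-login
          - uid: example-sshd-password-auth
          - uid: example-sshd-running

queries:
  # A plain check: one MQL expression that must evaluate to true to pass.
  - uid: example-sshd-permit-root-login
    title: Ensure SSH root login is disabled
    impact: 80
    mql: sshd.config.params["PermitRootLogin"] == "no"
    docs:
      desc: Direct root login over SSH removes the audit trail of who ran privileged commands.
      audit: Run `sshd -T | grep -i permitrootlogin` and confirm the value is `no`.
      remediation: Set `PermitRootLogin no` in `/etc/ssh/sshd_config` and reload sshd.

  - uid: example-sshd-password-auth
    title: Ensure SSH password authentication is disabled
    impact: 60
    mql: sshd.config.params["PasswordAuthentication"] == "no"
    docs:
      desc: Key-based authentication is not exposed to password guessing.
      audit: Run `sshd -T | grep -i passwordauthentication` and confirm the value is `no`.
      remediation: Set `PasswordAuthentication no` in `/etc/ssh/sshd_config` and reload sshd.

  # A query with platform variants: the service name differs between
  # distribution families, so each variant carries its own filter and mql.
  # In the editor this is the query that offers "Run All Query Variants".
  - uid: example-sshd-running
    title: Ensure the SSH service is enabled and running
    impact: 30
    variants:
      - uid: example-sshd-running-debian
        filters: asset.family.contains("debian")
        mql: service("ssh").running && service("ssh").enabled
      - uid: example-sshd-running-redhat
        filters: asset.family.contains("redhat")
        mql: service("sshd").running && service("sshd").enabled
```

Saved as a .mql.yaml file in the workspace, the bundle appears in the policy explorer with its policy → group → check / query structure, each query gets a Run Query CodeLens, and Find Query References on example-sshd-running resolves back to the group that lists it.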

Check a system against a policy

  • In the editor — every query in a policy file gets a Run Query CodeLens action above it. Queries with platform variants offer Run All Query Variants as well.
  • From the explorer — the Mondoo icon in the Activity Bar opens the policy explorer, which lists every policy and query in your workspace; use the run action on any of them.

Runs execute through cnspec: policies run as scans, so you get scored check results; individual queries run standalone — the fast way to test a check while you write it. Output appears in the integrated terminal.

To explore a target interactively, run Mondoo: Open cnspec Shell, pick a target, and cnspec drops you into an interactive shell connected to it — type MQL and see results live, which is handy while writing a new check. Credentials are pulled from the keychain just like a scan, so secrets never appear on the command line.

Scan more than your laptop

The systems you need to assess are rarely the one you develop on. Target configurations let you point the same policies at the infrastructure you actually operate, straight from the editor. Manage them with the Add/Edit/Delete/List Target Configuration commands or the mondoo.targetConfigurations setting.

Supported target types include local, SSH, Docker containers and images, Kubernetes, AWS, Azure, GCP, GitHub, GitLab, Terraform, Microsoft 365, and VMware vSphere. SSH targets use standard connection strings (user@host or user@host:2222 for a custom port) and support identity files.

After adding or editing a target, run Test Target Connection to confirm the credentials and reachability before you scan against it. Secrets (passwords, tokens, cloud keys) are kept in your operating system's keychain — never in settings.json and never on the command line — and editing a target lets you rotate a stored secret in place.

Develop policies faster

Everything you expect from an IDE, applied to policy code:

  • Start from a template — New Policy from Template scaffolds a working bundle with cnspec policy init and opens it. Run it from the command palette (Mondoo: New Policy from Template), or click the button in the explorer's welcome view when the workspace has no policies yet.

  • Scaffold with snippets — in any .mql.yaml file, type one of the snippet prefixes and accept the completion to expand a tab-through skeleton: mondoo-policy (a full bundle), mondoo-query (a single check with impact and docs), mondoo-group (a filtered group), and mondoo-variant (a query with platform variants). The snippets are scoped to policy files, so they don't clutter completion in other YAML documents.

  • Navigate — the policy explorer refreshes automatically as files change; jump from any policy or query to its definition in the editor. The editor Outline view and Go to Symbol (Ctrl+Shift+O / Cmd+Shift+O) show a .mql.yaml bundle's policy → group → check / query structure.

  • Trace relationships — right-click in the explorer to follow how a bundle fits together, powered by cnspec's policy graph:

    • Find Query References (on a query) — every policy, group, or check that references it.
    • Show Contents (on a policy) — the groups and checks it directly contains.
    • Show Reachable Nodes (on a policy or query) — everything reachable from it, for impact analysis: what enabling a check actually pulls in.

    Each opens a quick pick of the matching nodes; choosing one jumps straight to its definition. These run offline against the bundle file.

  • Search — press Ctrl+Shift+F / Cmd+Shift+F while the explorer has focus to filter it; Escape clears the filter. The search-with-options variant (Ctrl+Shift+Alt+F / Cmd+Shift+Alt+F) adds case sensitivity, regular expressions, and searching inside MQL query content. Defaults live under the mondoo.search.* settings.

  • Pin what you're working on — pinned policies and queries stay in a dedicated section at the top of the explorer, surviving restarts; reorder them with the up/down actions. Configure under mondoo.pins.*.

  • Keep bundles clean — formatting is a first-class editor action: Format Document (Shift+Alt+F) and format-on-save rewrite the open .mql.yaml with cnspec's canonical formatting, including unsaved buffers. Formatting never reorders the bundle — when you want a stable, canonical order, run Policy Format and Sort, which additionally sorts policies, groups, and queries to keep diffs small across a team. Turn the on-save behavior off with mondoo.format.enabled (no need to change editor.formatOnSave). Policy Lint validates the bundle and reports problems before your CI does — while a .mql.yaml bundle is the active editor, a status bar item shows its lint result at a glance (clean, or a warning/error count; click it to re-lint), and toggles off with mondoo.cnspecStatusBar. When a lint message isn't clear, the Explain Lint Finding (AI) code action streams a plain-language explanation into the Chat view from the @mondoo participant.

Work on many policies at once

Select multiple policies or queries in the explorer (the selection persists across refreshes and searches), then:

  • Bulk Run Queries — execute every selected query
  • Bulk Export Queries — export the selection as JSON or YAML
  • Bulk Format / Bulk Lint Policies — format or validate many bundles at once
  • Bulk Pin Items — pin the whole selection
  • Bulk Delete Items — delete with confirmation

Publish a policy

Upload Policy publishes the bundle in the active editor to your Mondoo Platform space, where it can be assigned across your fleet.

AI assistance

The extension registers two language model tools that AI chat features in VS Code (such as Copilot Chat) can call:

  • cnspec — runs scans, queries, and policy management commands on your behalf; ask for things like "scan my local system with this policy".
  • mqlSchema — looks up MQL providers, resources, and fields, so the assistant authors queries against the real schema instead of guessing.

You can also ask the @mondoo chat participant directly. Type @mondoo /query <what you want to check> (for example, @mondoo /query files in /etc that are world-writable) and it generates an MQL query from your description, grounded with the MQL syntax reference, examples for the platform you mention, and any policies or queries you have selected in the explorer. Like the rest of the AI features, it uses the language model you already have in VS Code — no Mondoo account is needed, and your code stays with the model you've chosen.
