Settings reference
Every Mondoo Security extension setting with its default value and scope.
All settings live under the mondoo. namespace (File → Preferences → Settings,
search for "mondoo"). In the Settings UI they're organized into three groups —
General, Infrastructure security (cnspec), and Code security (xgrep)
— which this page mirrors.
Settings with machine scope can only be set in user settings, not per
workspace — they control which binaries run, so a repository you open cannot
change them. Settings with resource scope can also be set per workspace or
folder.
Executable paths for the tools the extension drives.
| Setting | Default | Scope | Description |
|---|---|---|---|
| mondoo.cnspecPath | "" | machine | Path to the cnspec executable; empty resolves cnspec from PATH |
| mondoo.mqlrPath | "" | machine | Path to the MQLr language server binary; empty uses auto-discovery |
| mondoo.mqlrAutoInstall | true | machine | Offer to go install mqlr when it is missing and a .lr file is opened |
| mondoo.xgrepPath | "" | machine | Path to the xgrep binary; empty uses auto-discovery and, if needed, automatic installation |

| Setting | Default | Scope | Description |
|---|---|---|---|
| mondoo.targetConfigurations | [] | resource | Saved scan targets (SSH, Docker, cloud, …) — see scan targets |

| Setting | Default | Scope | Description |
|---|---|---|---|
| mondoo.format.enabled | true | resource | Format .mql.yaml bundles with cnspec on Format Document / format-on-save. Disable to opt out without changing editor.formatOnSave. |
| mondoo.cnspecStatusBar | true | window | Show the policy-lint status bar item while a .mql.yaml bundle is the active editor (hidden for other files) |

| Setting | Default | Scope | Description |
|---|---|---|---|
| mondoo.search.caseSensitive | false | resource | Case-sensitive search |
| mondoo.search.useRegex | false | resource | Treat the search term as a regular expression |
| mondoo.search.searchContent | true | resource | Also search inside MQL query content |
| mondoo.search.maxResults | 50 | resource | Maximum number of search results |

| Setting | Default | Scope | Description |
|---|---|---|---|
| mondoo.pins.enabled | true | resource | Enable pinning in the policy explorer |
| mondoo.pins.maxItems | 20 | resource | Maximum number of pinned items |
| mondoo.pins.showSection | true | resource | Show the pinned section in the policy explorer |

| Setting | Default | Scope | Description |
|---|---|---|---|
| mondoo.xgrepEnabled | true | machine | Master switch for the code security scanner |
| mondoo.xgrepAutoInstall | true | machine | Allow the extension to install @mondoohq/xgrep from npm when no binary is found |
| mondoo.xgrepRulesPath | "" | machine | Custom rule file or directory; empty uses the built-in security and secrets rules |
| mondoo.xgrepExcludePatterns | [] | resource | Glob patterns excluded from scanning — see excluding files |
| mondoo.xgrepIncludePatterns | [] | resource | Glob patterns that scope scanning to matching files only (e.g. src/**); empty scans everything, and exclude still wins over include |
| mondoo.xgrepScanJobs | 0 | window | Parallel workers for on-demand scans (Scan Workspace / Changed Files); 0 picks a count from CPU cores — raise it (up to 32) for large repos, or lower it to cap CPU |
| mondoo.xgrepExplainUseGraph | true | resource | Enrich the AI "Explain finding" answer with the xgrep code graph (call neighborhood and dataflow); disable on very large repositories |
After changing any mondoo.xgrep* setting, run Mondoo: Restart xgrep Language
Server (changes to mondoo.xgrepExcludePatterns apply immediately for newly
excluded files).
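
The scope rule at the top of this page means a machine-scoped key placed in a repository's workspace settings is not honored, so finding one there is worth a look during review. The following is an added example, not part of the extension: it lists such keys in a workspace settings file, assuming that file is JSON with comments (for example `.vscode/settings.json`, a path this page does not name); the function names and sample content are constructed for illustration.

```python
import json
import re

# Machine-scoped keys, copied from the tables on this page.
MACHINE_SCOPED = {
    "mondoo.cnspecPath", "mondoo.mqlrPath", "mondoo.mqlrAutoInstall",
    "mondoo.xgrepPath", "mondoo.xgrepEnabled", "mondoo.xgrepAutoInstall",
    "mondoo.xgrepRulesPath",
}

_STR = r'"(?:\\.|[^"\\])*"'  # a JSON string literal, matched first so it is skipped
_COMMENT = re.compile(_STR + r'|//[^\n]*|/\*.*?\*/', re.S)
_TRAILING = re.compile(_STR + r'|,(?=\s*[}\]])')

def _keep_strings(match):
    # Keep string literals verbatim; drop comments and trailing commas.
    return match.group(0) if match.group(0).startswith('"') else ""

def strip_jsonc(text):
    """Remove comments first, then trailing commas, leaving strings untouched."""
    text = _COMMENT.sub(_keep_strings, text)
    return _TRAILING.sub(_keep_strings, text)

def audit_workspace_settings(text):
    """Return sorted (key, value) pairs for machine-scoped keys set in the file."""
    settings = json.loads(strip_jsonc(text))
    return sorted((k, v) for k, v in settings.items() if k in MACHINE_SCOPED)

# Constructed sample of a repository's workspace settings (assumption: JSONC).
SAMPLE = r'''
{
  // constructed example, not taken from a real repository
  "mondoo.xgrepPath": "./tools/xgrep",   /* machine scope */
  "mondoo.xgrepRulesPath": "./rules//custom",
  "mondoo.xgrepExcludePatterns": ["vendor/**"],
  "mondoo.search.maxResults": 100,
}
'''

if __name__ == "__main__":
    for key, value in audit_workspace_settings(SAMPLE):
        print(f"{key} = {value!r}: machine scope, not settable per workspace")
```

Resource- and window-scoped keys such as `mondoo.xgrepExcludePatterns` are left out of the result because the page allows them in workspace settings.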