Skip to main content

Β· 3 min read

πŸ₯³ Mondoo 8.12 is out! This release includes new OPC UA scanning, improved MQL helpers, and more!​

Get this release: Installation Docs | Package Downloads | Docker Container


Open Platform Communications Unified Architecture (OPC UA) support​

Mondoo now allows you to scan multiple PLC IoT devices simultaneously by connecting to an OPC UA server and scanning PLC remotely. A new opcua provider in cnspec and cnquery allows you to remotely connect to these servers with querying provided with a new opcua query pack.

# gather all available namespaces
opcua.namespaces { * }
opcua.namespaces: [
0: {
id: 0
name: ""
1: {
id: 1
name: "urn:open62541.server.application"

# gather root node
cnquery> opcua.root
opcua.root: opcua.node id="i=84" name="Root"

# gather all nodes
cnquery> opcua.nodes { name }

# gather node with a specific id
cnquery> opcua.nodes.where (id == "i=2253")
opcua.nodes.where: [
0: opcua.node id="i=2253" name="Server"

# gather details about the server
cnquery> opcua.server { * }
opcua.server: {
buildInfo: {
BuildDate: "2023-05-21T21:03:43.817369Z"
BuildNumber: "May 20 2023 15:51:32"
ManufacturerName: "open62541"
ProductName: "open62541 OPC UA Server"
ProductURI: ""
SoftwareVersion: "1.3.5-994-g5d73f0cc5"
node: opcua.node id="i=2253" name="Server"
currentTime: 2023-05-22 08:28:30.625932 +0000 UTC
state: "ServerStateRunning"
startTime: 2023-05-21 21:03:43.834304 +0000 UTC


Improved .first() and .last() MQL helpers​

The .first() and .last() MQL helpers now support dict data structures such as JSON data and also include improved handling of null array/dicts.

Finding first and last values in JSON data:

cnquery> parse.json("dummy.json").params["string-array"].first
parse.json.params[string-array].first: "a"
cnquery> parse.json("dummy.json").params["string-array"].last
parse.json.params[string-array].last: "c"
cnquery> parse.json("dummy.json").params["string-array"].where("non-exist").first
parse.json.params[string-array].where.first: null
cnquery> parse.json("dummy.json").params["string-array"].where("non-exist").last
parse.json.params[string-array].where.last: null

cnquery> parse.json("dummy.json").params.first
parse.json.params.first: 1.000000
cnquery> parse.json("dummy.json").params.last
parse.json.params.last: true
cnquery> parse.json("dummy.json").params.where("non-exist").first
parse.json.params.where.first: null
cnquery> parse.json("dummy.json").params.where("non-exist").last
parse.json.params.where.last: null

Expanded date format support in MQL helper​

It is now possible to parse many different date formats automatically with the MQL helper:

# RFC 3339"2006-01-02T15:04:05Z")

# Simple Date + Time"2006-01-02 15:04:05")

# Date only"2006-01-02")

# Time only, parses as a duration"15:04:05")

# RFC 1123"Mon, 02 Jan 2006 15:04:05 MST")

# ANSI C"Mon Jan 2 15:04:05 2006")

# RFC 822"02 Jan 06 15:04 MST")

# RFC 850"Monday, 02-Jan-06 15:04:05 MST")

# Kitchen time"3:04PM")

# Handy timestamp"Jan 2 15:04:05")

You can also parse RFC1123 and RFC822 format dates with time zones:

# RFC 1123 with numeric time zone'Mon, 02 Jan 2006 15:04:05 -0700')

# RFC 822 with numeric time zone'02 Jan 06 15:04 -0700')

Expanded status information for integrations​

Integrations now show a history of all integration jobs so you can see when jobs started, completed, and any errors that occurred.

Integration Status


  • Improve the reliability of the dns resource with large numbers of TXT records. Thanks for this fix @mariuskimmina!
  • Fix a panic when calling domainName if no name can be found. Thanks for this fix @mariuskimmina!
  • Fallback to os.hostname if cannot be discovered. Thanks for this fix @mariuskimmina!
  • Reduce load time and cluster load when scanning Kubernetes clusters.
  • Fix failures reading Kubernetes manifests from stdin when resources lack a UID.
  • Add missing checks for /etc/password, /etc/group, and /etc/shadow to CIS Google Container-Optimized OS Benchmark policy.
  • Fix the Privacy Policy and Terms & Conditions acceptance buttons in the Organization Settings page not loading correctly.
  • Add the upcoming FreeBSD 14 release date.
  • Update SELinux checks in BSI Linux policy to support Amazon Linux, SLES, and openSUSE platforms.
  • Update several console pages to use the checks term instead of the legacy controls term.

Β· 8 min read

πŸ₯³ Mondoo 8.11 is out! This release includes security journey planning with Mondoo Risk Actions and IoT security improvements!​

Get this release: Installation Docs | Package Downloads | Docker Container


Plan your security journey with Risk Actions​

Security tools can often be overwhelming. When you turn on a few policies and add some assets, you may be faced with an overwhelming amount of red in the first scan results. This can be demotivating and may obscure important results once you become accustomed to seeing so many failed checks.

To help users create more actionable plans from their assessments, we are introducing Risk Actions. This new section in the dashboard can guide you in creating a baseline for your environments and planning remediation steps. It can improve your overall security reporting significantly:

Risk actions overview

Risk Actions uses your current results across all assets to determine which areas are working well and which areas need improvements. The checks that are succeeding are turned into a baseline, reflecting where you are today and what is going well. If things deteriorate in this baseline, you will see these findings pop up. Everything else is turned into either goals or exceptions. Goals can be turned into future milestones to work towards. They are still evaluated, so you can see progress towards their completion. However, their score no longer impacts your asset score. All checks that are mostly failing today can be moved into goals, which stops them from showing up on dashboards and alerts every day. Everything else that you don't want to fix can be moved into an exception. It won't be evaluated, protecting the health of fragile systems, and it won't be reported anymore, giving you peace of mind.

Risk Actions also introduces justifications for these goals and exceptions. They help to communicate why checks are disabled or ignored and explain the reasons to auditors, leadership, and other internal teams.

We are in the process of heavily expanding on exceptions and the planning process with the upcoming release of the Compliance Hub in Mondoo. Stay tuned!

Risk planning

Examine OS images with filesystem mounts​

Are you building IoT firmware and struggling to secure your devices before deploying them to the field? Now you can use cnquery and cnspec to evaluate your firmware images locally during development or within CI pipelines. Mount your image filesystem locally and then use the new filesystem provider fs to live query the image or scan it with Mondoo policies.

cnquery shell fs /mnt/firmware/
β†’ discover related assets for 1 asset(s)
β†’ resolved assets resolved-assets=1
___ _ __ __ _ _ _ ___ _ __ _ _
/ __| '_ \ / _` | | | |/ _ \ '__| | | |
| (__| | | | (_| | |_| | __/ | | |_| |
\___|_| |_|\__, |\__,_|\___|_| \__, |
mondooβ„’ |_| |___/ interactive shell

cnquery> asset { name version platform }
asset: {
version: "v3.1.17"
platform: "poky-iot2000"
name: "iot2000"

Automatically cleanup stale assets​

Do assets that haven't checked in for weeks spark joy? Maybe it's time to toss them, and now you can do it automatically. We've added a new space setting to automatically clean up assets that haven't checked in:

Automatic asset cleanup settings


More frequent integration scans​

Integrations the run directly from the Mondoo platform now scan your infrastructure every 4 hours, so you have up-to-date asset security and inventory data available at all times.

Improved query output when using the .all() MQL helper​

Improved output in the MQL .all() helper makes it easier than ever to identify failures and resolve problems quickly. Previously any item that failed a query using the .all() helper would return just the ID of the failing object:

[failed] [].all()
actual: [
0: gcp.project.gkeService.cluster id = gcp.project.gkeService.cluster/7c50e440aa5c41cf8eff749a4f313953c4c974b985ab43d1b44871e7dbf3e9a7

Now you'll see the default fields for the failing resource, giving you better context on the actual failing object:

[failed] [].all()
actual: [
0: gcp.project.gkeService.cluster {
name: "test-cluster-2"

This helper is used extensively in Mondoo policies, so you'll see better query results throughout the platform. Thanks @multani for reporting this problem!

Support dicts with containsOnly in MQL​

The containsOnly helper now allows you to find dicts within data. Given JSON data with a dict:

"string-array": ["a", "b", "c"]

You can now query for the exact values "a", "b", "c" with:


Improve default resource values for AWS and Azure​

Default resource values allow you to quickly navigate your infrastructure with cnquery and provide important failure context in your cnspec query results. We've updated many of our AWS and Azure resources to give you new and expanded default values, so you can better explore and secure your cloud environments.

platformDetails in the aws.ec2.instance resource​

The aws.ec2.instance resource now includes platformDetails data from the AWS API allows you to identify the platform of systems without needing an EBS volume scan or client installation.

Use platformDetails to better understand MQL query results:

cnquery> aws.ec2. instances .where( state == "running" ) { state region platformDetails } aws.ec2. instances .where:
0: {
platformDetails: "Windows"
region: "us-east-1"
state: "running"
1: {
platformDetails: "Linux/UNIX"
region: "us-east-2"
state: "running"
2: {
platformDetails: "Linux/UNIX"
region: "us-east-2"
state: "running"
3: {
platformDetails: "Linux/UNIX"
region: "us-east-2"
state: "running"

Improve opkg parsing for yocto-based Linux or openwrt​

cnquery and cnspec now include improved support for the opkg package format found in yocto-linux based IoT and networking devices like openwrt routers. We've improved detection of the opkg system and all available packages. You can now also statically analyze opkg data on firmware images using the filesystem (fs) provider in cnquery and cnspec:

cnquery shell fs /mnt/firmware/
cnquery> packages
packages.list: [
0: package name="shadow-securetty" version="4.6-r3"
1: package name="os-release-dev" version="1.0-r0"
2: package name="iptables-module-xt-cgroup" version="1.8.4-r0"
3: package name="libwebsockets-dev" version="4.0.1-r0"

Skip linting of policies before publishing​

You can now skip the linting of policies before publishing them to the registry with the --no-lint flag:

cnspec publish --no-lint ~/my_cool_policy.mql.yml

AWS Security and macOS Security policy updates​

The AWS Security and macOS Security policies by Mondoo now include:

  • Impact scores for all queries
  • Improved failure output in queries
  • More reliable queries


  • Fix a panic when analyzing Terraform HCL with parenthesis expressions. Thanks for reporting this @crcsmnky!
  • Fix failures linting policies. Thanks for reporting this @kmf!
  • Gracefully handle missing keypairs on AWS instances.
  • Fix recording to work with cnquery scan.
  • Fix -o yaml to properly produce YAML output.
  • Only fetch AWS SNS tags when needed to reduce API usage.
  • Fix the GCP group in the fleet page to list projects, not organizations.
  • Add last scanned column in the Azure integrations page.
  • Fix recording to work with cnspec scan.
  • Expose the full failure messages when a plugin fails to load.
  • Fix policies in the Security -> Policy page not loading correctly.
  • Fix false positives in the CIS macOS FileVault checks.
  • Fix /etc/profile permission checks in the CIS Ensure default user umask is configured check.
  • Fix CIS Ensure shadow group is empty failures on Google COS.
  • Fix CIS Ensure chrony is configured failures on Google COS.
  • Fix CIS Ensure permissions on /etc/gshadow- are configured failures on Google CIS.
  • Update the CIS Ensure system accounts are secured check to support /bin/false as a valid shell.
  • Fix SQL server queries in Microsoft Azure Security policy to work with the latest cnspec.
  • Improve remediation steps in Linux Security policy.
  • Update asset pages to not use the term "Annotations" instead of the legacy term "Tags".
  • Don't run the first scan of an Azure integration until after the user has selected policies to enable.
  • Improve the Windows install instructions on the Windows integration page.
  • Add missing tooltips to CVEs in the organization dashboard to help with long CVE names.
  • Rework the API Tokens tab interface in the space settings to make it simpler to setup new tokens.
  • Fix the Danger Zone in space settings not always showing content.
  • Fix the asset print view to print out policy data when using policy variants.
  • Fix disabling policy checks when using Firefox

Β· 5 min read

πŸ₯³ Mondoo 8.10 is out! This release includes new SaaS scanning integrations, Oracle Cloud Infrastructure (OCI) support, expanded OS CVE detection, and more!​

Get this release: Installation Docs | Package Downloads | Docker Container


Scan Oracle Cloud Infrastructure (OCI)​

cnquery and cnspec now include support for scanning Oracle Cloud Infrastructure (OCI) using your local OCI CLI configuration file. Explore your infrastructure configuration using cnquery or enforce security and compliance with custom cnspec security policies.

Connect to OCI using the cnquery shell:

$ cnquery shell oci

Query the tenant information:

cnquery> oci.tenancy
oci.tenancy: oci.tenancy name="example"

Fetch all users:

cnquery> oci.identity.users
oci.identity.users: [
0: oci.identity.user name=""
1: oci.identity.user name=""
2: oci.identity.user name=""

Fetch all groups:

cnquery> oci.identity.groups
oci.identity.groups: [
0: name="All Domain Users"
1: name="Administrators"

Dive deeper with information from new OCI resources:

# list identity policies

# list compute instances

# list compute images

# list virtual cloud networks

# list virtual cloud networks security lists

# list all buckets

Stay tuned for additional OCI support, including Mondoo/CIS policies, and continuous scanning with Mondoo Platform.

Slack / GitHub / GitLab integrations​

Need continuous visibility into the security of the SaaS services you rely to do business? Now you can continuously scan GitHub repositories, GitLab groups, and Slack teams directly from the Mondoo console without installing anything into your infrastructure.

Find these new integrations under SaaS in the Mondoo console:

SaaS Integrations

Query Terraform plan configurations​

Expand the security posture of your IaC code with a new terraform.plan.configuration resource for querying Terraform plan configurations.

terraform.plan.configuration: {
resources: [
0: {
address: "null_resource.this"
mode: "managed"
name: "this"
provider_config_key: "null"
provisioners: [
0: {
expressions: {
command: {
constant_value: "echo hello_world >> hello_world.txt"
type: "local-exec"
schema_version: 0.000000
type: "null_resource"
providerConfig: [
0: {
full_name: ""
name: "null"
version_constraint: "3.2.1"

New query pages showing impacted assets​

New query pages make it easier to see which assets are affected by failing security checks. Security policy checks now have their own pages, with a tab of affected assets:

Impacted Assets

Expanded CVE and EOL platform detection​

Mondoo now detects the latest platform EOL and CVE data, so you can ensure your systems are in support and fully updated.

  • Alpine 3.18 EOL/CVE detection
  • Fedora 38 EOL/CVE detection
  • VMware vSphere/ESXi 8 EOL/CVE detection
  • Debian 12 CVE detection
  • Ubuntu 22.10/23.04 CVE detection

Create API token for spaces​

Generate API tokens to query Mondoo in the Space settings.

Space Settings


Support UID / GUID for files on running Docker containers​

cnspec now supports inspecting the UID/GUID of files within running containers:


cnquery> file("/tmp")
Query encountered errors:
cannot cast resource to resource type: <nil> no data available


cnquery> file("/tmp") "root"

Pause integrations​

Want to stop scanning in an integration temporarily without deleting it? Now you can pause integrations from the integrations settings pages.

Pause Integrations

Improved CIS Microsoft Azure Foundations Benchmark policy​

The CIS Microsoft Azure Foundations Benchmark policy now includes impact scores for each control and improved queries to return actionable results for all discovered findings.

Simplified variants policies​

In Mondoo version 8.0, we introduced the concept of policy variants so you can write a single security check that applies to assets in different parts of their lifecycle such as Terraform plans and the cloud assets they creates. With Mondoo 8.10, we've improved variants to remove repetitive coding from your policies. Variant queries now inherit fields from the parent query if they are no longer specified. This means you can set common fields like title, description, and properties once and have them propagate automatically to all variant queries.

See the Mondoo variants documentation for more information on using policy variants to simplify your policy as code experience.

Expanded data in BigQuery exports​

Mondoo exports to Google BigQuery now provide more robust data to BigQuery for analysis:

  • Add policy mappings to see which check relates to which policy
  • Add support for variants so that diff can work at the variants level
  • Add export time to BigQuery tables
  • Allow users to tag scans with snapshot names to make it easier for them to reference them in diff queries

Improved asset cleanup in spaces​

Done testing your Mondoo policy and integration settings, but need to remove all the temporary assets created during testing? Now you can delete all the assets in a space with one click while retaining custom policies and integration configurations.

Delete All Space Assets


  • Fix a failure when scanning with a policy that is missing the defined variants. Thanks for reporting this, @kmf!
  • Allow piping Kubernetes manifests to cnspec for scanning. Thanks for reporting this, @michaelkrieg!
  • Fix CI scans showing up as standard assets on the fleet page.
  • Reduce API usage in the aws.dynamodb resource by making the tags field optional.
  • Rename Protected field to isProtected in the github.branch.
  • Fix some impacted assets now showing on the CVEs page.
  • Fix a failure loading data in the asset resource explorer under certain circumstances.
  • Fix the fleet view summary for Google Workspace assets to show "Workspaces" not "Others".
  • Fix some query results not properly displaying in the console scan results.
  • Fix fetching of CVE data on VMware Photon 4.0.
  • Fix scanning of GitHub repos that belong to a user not an organization.
  • Fix a failure running the query asset{ * }.
  • Fix missing queries in the printer formatted reports.
  • Fix the URL to query packs in the registry to not mention policies.
  • Fix the collapse button in the navigation bar disappearing if all items are expanded.
  • Improve navigating policies with variants in the registry.

Β· 3 min read

πŸ₯³ Mondoo 8.9 is out! This release includes expanded EOL/CVE data, expanded asset inventory capabilities, and more!​

Get this release: Installation Docs | Package Downloads | Docker Container


Alpine 3.17 and Ubuntu 23.04 CVE data​

In addition to EOL information, Mondoo now reports CVEs in Alpine 3.17 and Ubuntu 23.04 packages. Container image and Kubernetes cluster scans now automatically expose CVEs in your images.

Asset inventory data out of the box​

When you create a new space, all Mondoo query packs are enabled by default so you can dive right into the asset resource explorer without needing to first enable query packs. This extends out-of-the-box asset inventory data to:

  • Windows
  • macOS
  • AWS
  • Azure
  • GCP

Dive into queries more easily​

Sometimes it was difficult to view or share information on queries in policies. To make diving into policies and sharing those findings easier, we've given queries their own pages. View everything you need to know on a single page and share those findings with a URL that goes right to the query.

Query Page


Improved UI performance​

Everyone loves a snappy UI, so we've worked behind the scenes to make sure space and asset pages load as quickly as possible. In some cases pages will load 10x faster than last week.

Updated VMware Photon EOL data​

On May 2, VMware announced the Photon 5.0 release and at the same time clarified the EOL dates for Photon 3.0 and 4.0. Mondoo now includes this updated EOL data along with support for detecting Photon 5.0.

Updated query packs and compliance policies​

  • All Kubernetes query packs have been merged into a single pack that's simpler to enable and applies automatically to all assets in your clusters.
  • The VMware vCenter Incident Response Pack now fetches the state of all services on ESXi hosts, not just those that are running.
  • The CIS Google Kubernetes Engine (GKE) Benchmark and CIS Google Cloud Platform Foundation Benchmark policies now fail with an impact score of 95 if a default service account is used on a GKE cluster.
  • The Amazon Web Services (AWS) Best Practices for NIST 800 171 policy now includes impact scores, descriptions, and remediation steps for all queries.
  • Update the CIS Ensure loopback traffic is configured query to also check that firewall packages are installed.
  • Update the CIS Ensure default deny firewall policy and Ensure password reuse is limited queries for SLES hosts.
  • Fix false positives in the CIS Ensure default deny firewall policy query when using nftables.


  • Fix a panic when running cnspec bundle lint. Thanks for reporting this, @kmf!
  • Improve the wording of the prompt to send the scan reports to Mondoo's reporting service.
  • Fix failures fetching more than 100 repositories in the GitHub provider.
  • Fix failures scanning vSphere switches if there are no defined uplinks.
  • Fix failures in the JSON output formatter if the asset could not be scanned.
  • Update more error messages from the legacy transport wording to the correct provider wording.
  • Fix failures querying data from the aws.cloudtrail resource.
  • Optimize the AWS integration Lambda functions to consume fewer API calls.
  • Fix queries on assets not showing as disabled or ignored.
  • Update the checks count on the assets page to reflect the actual number of enabled checks, not just those available to run.

Β· 3 min read

πŸ₯³ Mondoo 8.8 is out! This release includes Azure inventory collection, CIS policies for GCOS, and more!​

Get this release: Installation Docs | Package Downloads | Docker Container


Gather asset data on Azure​

Our new Azure Asset Inventory pack allows you to gather information on Azure assets so you can browse your Azure infrastructure in the asset resource explorer:

Azure Query Pack

New Google Container OS (GCOS) CIS Benchmark policy​

Security in your Kubernetes clusters goes beyond just workloads and cluster configuration. Ensure you're fully securing the nodes that make up your GKE clusters with this new CIS benchmark policy for the Google Container OS (GCOS) Linux distribution that powers GKE clusters.


Output formatters for vulnerability scans​

You can now output vulnerability scan data in CSV, YAML, or JSON formats using the same output flag you use with cnspec security scans.

cnspec vuln container image ubuntu:focal-20220113 -o csv
β†’ loaded configuration from /etc/opt/mondoo/mondoo.yml using source default
β†’ using service account credentials
β†’ discover related assets for 1 asset(s)
β†’ resolved assets resolved-assets=1
Package Name,Score,Installed,Fixed,Available,Advisory,CVEs
libc6,7.8,2.31-0ubuntu9.2,2.31-0ubuntu9.7,2.31-0ubuntu9.9,USN-5310-1,CVE-2016-10228 CVE-2020-6096 CVE-2020-27618 CVE-2020-29562 CVE-2019-25013 CVE-2021-3326 CVE-2021-27645 CVE-2021-35942 CVE-2021-3998 CVE-2021-3999 CVE-2022-23218 CVE-2022-23219


Control cnspec public report sharing​

We recently added the ability to report and share cnspec scan results on the Mondoo website (without a Mondoo account). After each scan, cnspec asks if you want to report the scan results.

This release adds flags and controls for this capability.

Use this flag to skip the prompt and share a report:

cnspec scan --share-report

Use this flag to skip the prompt and not share a report:

cnspec scan --share-report=false

To configure cnspec to never prompt and never share a report, change the config:

share_report: false # only applicable if used unauthenticated

If you disable report sharing using the config and you run cnspec scan --share-report, the flag overrides the config and cnspec shares the report.


  • Improve alignment of cnspec scan results.
  • Fix failures in some MQL queries using switch statements.
  • Discover Kubernetes assets in manifests even if they lack a namespace.
  • Validate that the provided Microsoft 365 certificate can correctly authenticate with Microsoft 365.
  • Fix cnspec bundle publish failing when policies use variants.
  • Fix Ensure nodev option set on /var partition and Ensure nosuid option set on /var partition false negatives in the CIS Ubuntu 22.04 policy.

Β· 3 min read

πŸ₯³ Mondoo 8.7 is out! This release includes public report viewing, improved policy filtering, and more!​

Get this release: Installation Docs | Package Downloads | Docker Container


Public report viewing in cnspec​

Open source users: Want to scan your infrastructure with cnspec and instantly see a visual report on the results? Now you can! Upload scan results to For 72 hours, you can view the graphical report is available to view and share with anyone.

Scan Summary

Report in Browser

Want reports for longer than 72 hours? Register your cnspec installation with Mondoo Platform for reports that never expire, asset relationships, security planning, regression alerting, and more.


Filter on enabled policies​

Filtering in the registry now lets you show only policies that are enabled in the space.

Security Registry Filtering


  • Fix --asset-name flag not setting a custom asset name for all asset types.
  • Fix failure gathering data in the resource.
  • Add missing default resource values to gcp.project.bigqueryService and gcp.project.bigqueryService.dataset.accessEntry.
  • Add a more user-friendly error message when an unauthenticated client attempts to query CVE or EOL platform data.
  • Add a more user-friendly status error message when cnquery/cnspec receive invalid credentials.
  • Provide an error message in the ms365 provider when the certificate is malformed.
  • Set the ms365 provider's --client-id and --tenant-id command line flags as required.
  • Be clear in help that the ms365 provider allows for both PKCS #12/PFX and PEM format certificates.
  • Fix false negatives in the Google Cloud (GCP) Security policy's Ensure that Cloud Storage buckets have uniform bucket-level access enabled check.
  • Update the Linux Security policy's Ensure SSH root login is disabled or set to prohibit-password check to detect additional methods of preventing password-based logins from the root user.
  • Display values in nested arrays such as aws.ec2.securityGroups[1].ipPermissions[0] in the Asset Resource Explorer.
  • Display field-only queries such as github.repository.license.spdxId in the Asset Resource Explorer.
  • Fix display of queries with multiple nested resources such as gcp.project.bigquery.datasets {*} in the Asset Resource Explorer.
  • Don't count fixed CVEs in the Organization dashboard.
  • Group k8s-ingress assets under K8s Ingress in the fleet view instead of Others.
  • Fix the display of policies with variants in the registry.
  • Fix a page load error when selecting CVE lists in the organization overview.
  • Fix a failure displaying CVE data on an asset.
  • Fix editing of properties in variant policies.
  • Allow deleting private policies in the registry.
  • Resize data display in the Asset Resource Explorer to make it easier to get back to resource navigation.
  • Fix vendor advisories to list all included CVEs.
  • Allow re-scheduling integration scans and exports after a failure.

Β· 4 min read

πŸ₯³ Mondoo 8.6 is out! This release includes a new overview dashboard, policy previews, and property editing in the console!​

Get this release: Installation Docs | Package Downloads | Docker Container


Organization overview dashboard​

We've added a new overview dashboard that lets you see the health of all your infrastructure at a glance.

Mondoo spaces are a great way to organize your scanned assets in Mondoo. You can group assets in ways that reflect how your company manages infrastructure, apply policies to all the assets in a space with a single action, and allow teams to concentrate on their area of responsibility.

Organization Dashboard

The new overview dashboard gives you a single view to see what's happening in every Mondoo space. See how asset scores are trending over time, track the vulnerabilities Mondoo detects wherever they appear in your infrastructure, and compare spaces to see how different business areas manage compliance and risk obligations.

Quickly see the most vulnerable assets in your infrastructure and tackle the most critical issues first.

Organization-wide Vulnerabilities

We have big plans here and we're eager for your feedback.

Policy preview​

We've added a way to preview policies in your spaces, so you can see the results of new checks and queries without impacting your scores.

Previewed policies still fully execute, but the results aren't counted into your scores until you decide they are. As a result, teams get visibility into their infrastructure without worrying about creating surprises or awkward conversations with management.

Preview Security Registry

Policy View

Policies can be previewed directly from the Security Registry by selecting the "Preview" icon. Previewed policies will appear on scanned assets with a blue light bulb.

Previewed Policy

Customize policy properties in the console​

We've added a way to configure the properties on a property directly from the Mondoo Console.

Policy properties let you customize policies in ways that make sense to you without creating a fork of the entire policy. For example, you can use properties to adjust a maximum password age, modify a list of recommended ciphers, or create an allowlist of packages to continue utilizing beyond vendor EOL. Edit the properties directly from the Mondoo Console Registry.

Edit Properties


Updated EOL data​

  • FreeBSD 12.2 EOL added
  • macOS 10.15 EOL added
  • Ubuntu 23.04 EOL added
  • Linux Mint 21 now detected
  • OpenSUSE 15.5 now detected

Support for EuroLinux 7/8/9​

cnspec and cnquery now detect the EuroLinux RHEL-derivative distribution.

cnquery> platform { name version family }
platform: {
name: "eurolinux"
family: [
0: "redhat"
1: "linux"
2: "unix"
3: "os"
version: "9.1"


  • Fix VMware integration setup instructions to use cnspec.
  • Fix viewing queries on private policies.
  • Fix several links to the old Policy Hub instead of the new registry.
  • Fix CI scans now showing the Asset Resource Explorer
  • Remove incorrect pagination for policy checks in the registry.
  • Fix failures using the --api-proxy CLI flag.
  • Fix date parsing in the Asset Resource Explorer.
  • Add missing group names to Mondoo and CIS security policies.
  • Fix setting the Kubernetes operator to use OpenShift for certificate management.
  • Correctly categorize Red Hat Enterprise Linux CoreOS (RHCOS) scans as operating systems in the console.
  • Improve handling of nested arrays in the Asset Resource Explorer.
  • Improve identification of OpenShift clusters in the Mondoo Kubernetes Operator.
  • Prevent failures scanning OpenShift cluster nodes.
  • Fix cnspec scan host not correctly reporting the asset type as a host.

Β· 3 min read

πŸ₯³ Mondoo 8.5 is out! This release includes new security/CVE dashboards, a new policy management experience, S3 exports, and more!​

Get this release: Installation Docs | Package Downloads | Docker Container


Vulnerabilities dashboard​

We've added a new vulnerabilities dashboard where you can quickly see the most vulnerable assets in your infrastructure and tackle the most critical issues first.

Vulnerabilities Dashboard

Security dashboard and policy view​

We've created a new section in the console navigation just for security concerns, with a new security dashboard and a policy view page. The security dashboard shows the most pressing policies and assets, exposing the top actions that should be remediated to secure your infrastructure.

Security Dashboard

With the new policies view, you can dive into scores by policy and see failing assets for each policy.

Policy View

Security Registry​

Say hello to the Mondoo Security Registry, your new space for managing policies in Mondoo. The all-new UI in the Security Registry makes finding the policies you need for your space easier and quicker. You can search and filter by policy type right on the main page, so there's no need to dive deeper to add or remove policies. It displays important information such as the policy author, number of checks, and policy description for each policy, so you quickly evaluate policies without multiple clicks. Want to enable or disable a policy? Just toggle the policy from the main page.

Security Registry

We've also redesigned the individual policy pages to help you better understand which checks are included in policies. Checks for particular technologies or subsystems are now bundled together in groups for easier browsing.

Policy Page

You can also view available properties in each check to see how you can customize policy behavior for your organization.

Policy Properties

Amazon S3 and S3-compatible exports​

You can now export your Mondoo data to S3 and S3-compatible storage systems automatically. Export data in JSONL or CSV formats. Mondoo runs each export daily.

S3 Export Setup


Scan with friendly policy names​

You can now run cnquery and cnspec scans by specifying the friendly, short name of the policy shown in the Security Registry.

cnspec scan okta --organization --token $OKTA_TOKEN --policy mondoohq/mondoo-okta-security


  • Fix failures to apply local cnquery query packs.
  • Improve parsing of UNIX uptime on some systems.
  • Improve policy descriptions and add license information to policies.

Β· 4 min read

πŸ₯³ Mondoo 8.4 is out! This release includes a new way to explore asset resources, Snowflake data exports, and more!​

Get this release: Installation Docs | Package Downloads | Docker Container


Asset resource explorer​

Use the new asset resource explorer to dive deep into the configuration of all your favorite assets in Mondoo. From the services running on Windows servers to container registries used in Kubernetes deployments, the asset resource explorer lets you navigate the critical configuration data that makes up your infrastructure.

Asset Resource Explorer

If the data output looks familiar, that's because this new feature is powered by the same MQL resources used by cnspec and cnquery on the command line. Data is automatically gathered with new-out-of-the-box inventory query packs in the Policy Hub.

Inventory Packs

Just like security policies, you can enable as many inventory packs as you'd like, and they'll run on the appropriate assets automatically. With inventory packs enabled, you'll see inventory data automatically in the new Resources tab for each asset. If you want to gather even more inventory data, you can create custom inventory packs using the hundreds of available MQL resources. See examples of inventory packs in the cnquery-packs repository.

Snowflake data exports​

With Mondoo 8.2 we shipped our first data export integration: Google BigQuery. This week we everyone not running in GCP has reason to celebrate: new support for Snowflake data export.

Configure data exports just like other integrations in Mondoo, without installing anything in your infrastructure. They automatically export your Mondoo data daily.

Snowflake Setup

You can combine your exported Mondoo data with any other data in Snowflake and analyze it using Snowflakes's machine learning and BI features.

Snowflake Data

Automatic Kubernetes Ingress scanning​

Both cnspec and the Mondoo Kubernetes Operator now automatically scan Kubernetes Ingress resources. With the Kubernetes Best Practices policy enabled, you can also now expose expiring TLS certificates in Ingress resources.

Ingress Asset


Scan container images in .tar format​

You can now use cnspec and cnquery to scan container images exported in .tar format with commands like docker save.

docker save luna-docs -o luna-docs.tar
cnspec scan container tar luna-docs.tar
β†’ discover related assets for 1 asset(s)
β†’ resolved assets resolved-assets=1

luna-docs.tar ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% score: F

Asset: luna-docs.tar


Scanned 1 assets

Debian GNU/Linux 8 (jessie)
F luna-docs.tar

Expanded Okta MQL resources​

cnquery and cnspec now include more Okta resources so you can query and secure every aspect of your organization.

Access billing contact of Okta organizations

cnquery> okta.organization.billingContact
okta.organization.billingContact: okta.user id="12345678910" profile[email]=""

Access technical contact of Okta organizations

cnquery> okta.organization.technicalContact
okta.organization.technicalContact: okta.user id="12345678910" profile[email]=""

Gather the settings of security notification emails

cnquery> okta.organization.securityNotificationEmails
okta.organization.securityNotificationEmails: {
reportSuspiciousActivityEnabled: true
sendEmailForFactorEnrollmentEnabled: false
sendEmailForFactorResetEnabled: false
sendEmailForNewDeviceEnabled: false
sendEmailForPasswordChangedEnabled: false

Gather Okta ThreatInsight settings

cnquery> okta.organization.threatInsightSettings { * }
okta.organization.threatInsightSettings: {
excludeZones: [
0: name="LegacyIpZone" type="IP"
created: 2022-11-01 18:30:34 +0000 UTC
action: "audit"
lastUpdated: 2023-04-02 20:29:19 +0000 UTC

Gather Okta networks

okta.networks { * }
okta.networks: [
0: {
locations: []
lastUpdated: 2022-11-01 18:30:35 +0000 UTC
asns: []
created: 2022-11-01 18:30:35 +0000 UTC
id: "12345678910"
type: "IP"
gateways: []
status: "ACTIVE"
system: true
proxies: []
proxyType: ""
usage: "BLOCKLIST"
name: "BlockedIpZone"
1: {
locations: []
lastUpdated: 2022-11-01 18:30:35 +0000 UTC
asns: []
created: 2022-11-01 18:30:35 +0000 UTC
id: "12345678910"
type: "IP"
gateways: []
status: "ACTIVE"
system: true
proxies: []
proxyType: ""
usage: "POLICY"
name: "LegacyIpZone"
2: {
locations: [
0: {
country: "AF"
lastUpdated: 2023-04-02 18:58:13 +0000 UTC
asns: []
created: 2023-04-02 18:58:13 +0000 UTC
id: "12345678910"
type: "DYNAMIC"
gateways: []
status: "ACTIVE"
system: false
proxies: []
proxyType: "TorAnonymizer"
usage: "POLICY"
name: "Test"


  • Add missing impact scores to policies.
  • Improve setup and remediation instructions in the Okta Organization Security by Mondoo policy
  • Fix failures in Linux Security by Mondoo policy's Ensure auditing for processes that start prior to auditd is enabled check. Thanks @micheelengronne!
  • Fix Linux Security by Mondoo policy's Ensure sudo logging is enabled check to support configs in the /etc/sudoers.d directory. Thanks @micheelengronne!
  • Fix failures in Linux Security by Mondoo policy's Ensure mail transfer agent is configured for local-only mode check.
  • Improve the reliability of multiple CIS policies.

Β· 6 min read

πŸ₯³ Mondoo 8.3 is out! This release includes a new vulnerabilities experience, updated CIS/Mondoo policies, and more!​

Get this release: Installation Docs | Package Downloads | Docker Container


New vulnerabilities views​

We've reworked our Vulnerabilities page to make it quicker to find vulnerabilities in your environment, identify the worst offending assets, and investigate newly released CVEs. A new Vulnerabilities menu now includes individual options for Advisories, CVEs, Affected Assets, and Mondoo Vulnerability Database (VMD).

Vulnerability Menu

The Advisories and CVEs pages allow you to dive into specific vendor security advisories and CVEs that impact your environment. You can see when these issues were first discovered, progress towards patching them, and get more details on the advisory/CVEs, including impacted assets.

CVEs Page

The new Affected Assets page lets you quickly dive into assets with unpatched CVEs or vendor advisories in your space.

Affected Assets

The completely reworked Mondoo Vulnerability Database (MVD) gives you a single UI to research new vendor CVEs and advisories even if they don't apply to your assets. Curious about that new CVE you read about online? Look it up to learn more, including details on the CVSSv3 score and any impacted assets in your environment.


Slack Team Security by Mondoo policy​

Mondoo now includes a new Slack Team Security policy with seven checks to secure your Slack Team (Workspace):

  • Ensure that between 2 and 4 users have admin permissions
  • Ensure that admins use the most secure 2FA method
  • Ensure all users use 2FA
  • Use clear naming for external channels
  • Ensure there is at least one internal channel per workspace
  • Ensure there is at least one internal channel in the workspace and there are no external members
  • Ensure domain whitelisting is enforced on internal channels

Microsoft 365 assets grouped in console​

Problem Microsoft 365 assets weren't grouped together on the Fleet page, so finding them all could take a moment.

Solution We grouped Microsoft 365 assets together on the Fleet page so you can quickly find them.

Fleet Page

Set a proxy server for all Mondoo Platform communication​

Problem There was no way to isolate cnspec-to-Mondoo-Platform and cnquery-to-Mondoo-Platform communication from non-Mondoo traffic.

Solution A new --api-proxy config flag allows you to specify the proxy server for Mondoo Platform API calls when you register an asset with the cnspec login command. You can also manually add the api_proxy configuration option in your mondoo.yml config.


Updated CIS Microsoft Azure Foundations Benchmark 2.0 policy​

The CIS Microsoft Azure Foundations Benchmark policy has been updated from 1.5 to 2.0. This new release includes reworked audit and remediation steps that match Azure's latest UI and CLI experiences.

Expanded Microsoft Azure Security policy​

The Microsoft Azure Security by Mondoo policy has been expanded with new checks for database systems and network assets in your Azure subscription:

  • Ensure SSL connection is enabled for PostgreSQL Database Server
  • Ensure SSL connection is enabled for MariaDB Database Server with the latest version
  • Ensure Public Network access for MariaDB is disabled
  • Ensure SSL connection enabled for MySQL Database Server with the latest version
  • Ensure Public Network access for SQL Server is disabled or only possible through firewall rules
  • Ensure default Public Network access for Key Vault is disabled
  • Ensure that all activities on SQL Server are audited
  • Ensure that transparent data encryption is enabled on SQL Server
  • Ensure that diagnostic settings exist for the subscription
  • Ensure that Diagnostic Setting collects essential security categories
  • Ensure that direct UDP access to Azure Virtual Machines from the Internet is restricted

Expanded Windows Security policy​

The Windows Security by Mondoo policy now includes a new check to ensure that Local Security Authority (LSA) protection is enabled on Windows assets.

Fewer API calls in the AWS Lambda integration​

We've optimized our Lambda-based AWS integration to reduce the number of API calls made by the integration to reduce Lambda costs. Don't worry; you'll still get the same great AWS resource scans, but now with added efficiency.

etcd database encryption state in gcp.project.gke.cluster resource​

The gcp.project.gke.cluster resource now includes information on encryption of the etcd database.

cnquery> gcp.project.gke.clusters[0]{databaseEncryption}
gcp.project.gke.clusters[0]: {
databaseEncryption: {
keyName: "projects/***/locations/us-central1/keyRings/***/cryptoKeys/***"
state: "ENCRYPTED"

2FA type in slack.users resource​

The slack.users resource now includes the type of two-factor authentication (2FA) used by users. This lets you query which users are configured for insecure SMS vs. more secure app-based 2FA.

cnquery> slack.users.where( has2FA == true ){ has2FA twoFactorType }
slack.users.where.list: [
0: {
twoFactorType: "app"
has2FA: true

Updated and certified CIS Google Kubernetes Engine (GKE) Benchmark policy​

The CIS Google Kubernetes Engine (GKE) Benchmark policy has been enhanced with the following new checks and is now fully certified by CIS:

  • 5.1.1 Ensure Image Vulnerability Scanning using GCR Container Analysis or a third party provider
  • 5.6.4 Ensure clusters are created with Private Endpoint Enabled and Public Access Disabled

Smaller Mondoo package size​

We've further optimized the Mondoo package to reduce the installation size by another 10MB.


  • Replace mondoo shell with cnspec shell in some policy audit instructions.
  • Improve remediation steps in Mondoo Azure, Google, and AWS policies.
  • Fix cnspec bundle fmt removing scoring_system from policies when converting between 7.x and 8.x formats.
  • Fix cnspec bundle fmt not properly parsing typed docs.
  • When scanning Kubernetes manifests containing resources without a namespace, don't create an unnamed namespace asset as the parent.
  • Fix failures querying Azure Cloud Defender security contacts when none exist.
  • Fix failure running github.organization {*} query.
  • Fix CVSS aggregated score calculation in the platform.advisories resource.
  • Fix some CIS Kubernetes policies not displaying in the Policy Hub.
  • Improve ad-hoc scan instructions in AWS/Azure/GCP policies.
  • Update CIS Azure AKS v.1.2 Pod Security Policy checks to only execute on Kubernetes < 1.25.
  • Update Linux Security by Mondoo policy's Ensure events that modify the system's Mandatory Access Controls are collected check to expect a trailing slash in directories. Thanks @micheelengronne!
  • Remove the running and unknown states shown in asset names in the console, which did not consistently or correctly show asset scan status.
  • Add missing impact scores to Windows Security by Mondoo policy.
  • Fix the Kubernetes Operator not immediately scanning newly deployed workloads in a cluster.
  • Update wording on the Azure and MS365 integration pages to make it more clear that the .pem file needs to include both the certificate and the private key.