

🥳 Mondoo 7.5 is out! This release includes faster GitHub Actions execution and improved CIS policies!

Get this release: Installation Docs | Client Download | Installation Service | Docker Container


Faster GitHub Action Execution

Problem: The Mondoo GitHub Action could scan content in your CI pipelines quickly, but installing and setting up Mondoo Client on every run was slow.

Solution: We've refactored the Mondoo GitHub Action to use our new cnspec container image. Not only do you get our latest command line experience, there's also no need to install Mondoo Client during your GitHub jobs. This can cut 30 seconds to a minute from each job run, getting you results in your CI pipelines more quickly.


Additional CIS Linux Controls

We've updated our CIS Linux policies to implement the following controls:

  • AlmaLinux 8: Ensure FTP client is not installed
  • AlmaLinux 8: Ensure rsync-daemon is not installed or the rsyncd service is masked
  • Debian 8: Ensure inetd is not installed
  • Debian 9: Ensure SELinux is enabled in the bootloader configuration
  • Debian 10: Ensure syslog-ng is configured to send logs to a remote log host
  • RHEL 6: Ensure augenrules is enabled
  • RHEL 8: Ensure journald is not configured to receive logs from a remote client
  • RHEL 8: Ensure rsyslog is not configured to receive logs from a remote client
  • SLES 11: Ensure only approved ciphers are used
  • SLES 11: Ensure password expiration is 90 days or less
  • SLES 12: Ensure IPv6 firewall rules exist for all open ports
  • Ubuntu 14.04: Ensure password expiration is 90 days or less
  • Ubuntu 20.04: Ensure syslog-ng is configured to send logs to a remote log host
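Two of the controls above are mirror images: a log server must not accept syslog from the network, and every other host must forward its logs to a remote log host. As an added example (not Mondoo's policy code, which evaluates these controls in MQL), here is the audit logic for both rsyslog controls in Python. It recognises both the legacy $ModLoad/$InputTCPServerRun directives and RainerScript module()/input()/action() statements. The two rsyslog configurations it checks are constructed for this example, and the function names are this example's own.

```python
"""Audit an rsyslog configuration for the two CIS log-host controls.

Added example (not Mondoo's policy code). It mirrors the audit logic of
"Ensure rsyslog is not configured to receive logs from a remote client" and
"Ensure rsyslog is configured to send logs to a remote log host": a host
receives remote logs when an imtcp/imudp/imptcp input module is loaded or a
listener is started; it forwards logs when a selector uses the legacy @ (UDP)
or @@ (TCP) forwarding action or a RainerScript omfwd action.
"""
import glob
import re
from typing import Dict, List

_INPUT_MODULES = r"(imtcp|imudp|imptcp)"

# Directives that make rsyslog listen for logs from other hosts.
RECEIVE_PATTERNS = [
    re.compile(r"^\s*\$ModLoad\s+" + _INPUT_MODULES + r"\b", re.I),                 # legacy
    re.compile(r"^\s*\$(InputTCPServerRun|UDPServerRun|InputPTCPServerRun)\b", re.I),
    re.compile(r'^\s*module\s*\(\s*load\s*=\s*"' + _INPUT_MODULES + r'"', re.I),      # RainerScript
    re.compile(r'^\s*input\s*\(\s*type\s*=\s*"' + _INPUT_MODULES + r'"', re.I),
]

# Directives that ship logs to another host: "*.* @@loghost:514" or action(type="omfwd" ...).
FORWARD_PATTERNS = [
    re.compile(r"^\s*[^\s#]+\s+@{1,2}\S"),
    re.compile(r'^\s*action\s*\(\s*type\s*=\s*"omfwd"', re.I),
]


def _matching_lines(config_text: str, patterns) -> List[str]:
    """Return "lineno: text" for every non-comment line that matches any pattern."""
    hits = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # drop comments; rsyslog treats '#' as comment start
        if not line.strip():
            continue
        if any(p.search(line) for p in patterns):
            hits.append(f"{lineno}: {line.strip()}")
    return hits


def accepts_remote_logs(config_text: str) -> List[str]:
    """Evidence that this rsyslog instance listens for remote clients (should be empty)."""
    return _matching_lines(config_text, RECEIVE_PATTERNS)


def forwards_to_remote_host(config_text: str) -> List[str]:
    """Evidence that logs are shipped to a remote log host (should be non-empty on clients)."""
    return _matching_lines(config_text, FORWARD_PATTERNS)


def audit(config_text: str) -> Dict[str, bool]:
    """Pass/fail for both controls on one concatenated configuration."""
    return {
        "not_receiving_remote_logs": not accepts_remote_logs(config_text),
        "forwarding_to_remote_host": bool(forwards_to_remote_host(config_text)),
    }


def load_system_config() -> str:
    """Concatenate /etc/rsyslog.conf and /etc/rsyslog.d/*.conf, as rsyslog itself does."""
    paths = ["/etc/rsyslog.conf"] + sorted(glob.glob("/etc/rsyslog.d/*.conf"))
    chunks = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                chunks.append(fh.read())
        except OSError:
            pass  # file absent or unreadable: nothing to audit from it
    return "\n".join(chunks)


# Constructed sample configurations for this example (not real hosts).
RECEIVER_CONF = """\
# a host that accepts syslog from the network on 514/tcp
module(load="imuxsock")
$ModLoad imtcp
$InputTCPServerRun 514
*.* /var/log/messages
"""

CLIENT_CONF = """\
# a client that only forwards everything to a central log host
module(load="imuxsock")
*.* @@loghost.example.internal:514
"""

if __name__ == "__main__":
    for label, conf in (("receiver", RECEIVER_CONF), ("client", CLIENT_CONF)):
        print(label, audit(conf))
    print("this host", audit(load_system_config()))
```

Run it as root on a host to audit the live configuration; the receiver sample fails both controls, the client sample passes both. Note that the check is textual, so a listener enabled through an include file outside /etc/rsyslog.d would be missed, which is exactly why a policy engine that evaluates the running configuration is preferable to a grep.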


  • Fail early and show an error when an invalid GitHub token is provided instead of creating an asset with all errored scans.
  • Correctly detect AWS EC2 asset names when scanning them over EC2 Instance Connect or SSM.
  • Correctly detect platform names when scanning containers.
  • Fix loading of spaces when older assets with an unrecognized asset type are present.
  • Fix login failures for some users in the Mondoo EU region.
  • Improve the reliability of CI/CD asset cleanup.
  • Improve fetching of CVE data for Rocky Linux.


🥳 Mondoo 7.4 is out! This release includes Google Workspace, Slack, and Okta security scanning!



Builds for Linux on IBM Z

Problem: You need to ensure the security of Linux distributions running on IBM Z mainframes.

Solution: Mondoo now includes packages for Ubuntu, SLES, and Red Hat running on IBM Z mainframes. You can find these packages in our releases repository at

New SaaS scanning capabilities

Problem: Securing your business isn't just about the servers your operations run on. It's also critical to safeguard the many SaaS services your teams rely on. How can you extend policies and security practices to protect this critical infrastructure?

Solution: We've expanded our SaaS Security Posture Management (SSPM) capabilities by introducing resources, security policies, and incident response packs for Google Workspace, Okta, and Slack. These new resources and policies let you codify security requirements for these critical SaaS services and apply them continuously.

Google Workspace

The new googleworkspace MQL resource pack allows you to query the state of your Google Workspace:

cnquery shell googleworkspace --customer-id <CUSTOMER_ID> --impersonated-user-email <EMAIL>
# list all domains { * }

# list all groups for your Google Workspace customer
googleworkspace.groups { * }

# find the group for a specific email
googleworkspace.groups.where( email == "") { * }

# list all users for your Google Workspace customer
googleworkspace.users { * }

# search a specific user
googleworkspace.users.where ( primaryEmail == "") { * }

# find all users that have Slack authorized
googleworkspace.users.where( displayText == "Slack") ) {

# list all super admins["isSuperAdmin"] == true) { userEmail }

# check that all users are enrolled with MFA security["isS2SvEnrolled"] == true )


Okta

The new okta MQL resource pack allows you to query the state of your Okta organization:

cnquery shell okta --organization <ORG_URL> --token <OKTA_TOKEN>
# display information about the org
okta.organization { * }

# display registered applications
okta.applications { * }

# display all users
okta.users { * }

# display policies
okta.policies.password { id name rules { * } }


Slack

The new slack MQL resources allow you to query the state of your Slack workspace:

cnquery shell slack --token <SLACK_TOKEN>
# display team info { * }

# display members
slack.users.members { * }

# display bots
slack.users.bots { * }

# display all users
slack.users { * }

# list all users that have no MFA (members + bots)
slack.users.where( has2FA == false) { * }

# list all members that have no MFA
slack.users.members.where( has2FA == false) { * }

# list all conversation and their creator
slack.conversations { name id creator { id name } }

# display user groups (only on Slack paid plan)
slack.userGroups { * }

# display access logs (only on Slack paid plan)
slack.accessLogs { * }


Package CVE support for Fedora 37

The Fedora Project team released Fedora 37 this week. Mondoo is ready for upgrades, with CVE scanning support for this new release.

terraform.modules now includes the full block for modules

terraform.modules now returns the full block for a module when the module block is present in the scanned HCL files; for modules that are only reached through other modules, block is null:

cnquery> terraform.modules { block key }
terraform.modules: [
  0: {
    key: "consul.consul_servers.security_group_rules"
    block: null
  }
  1: {
    key: "consul.consul_servers.security_group_rules.client_security_group_rules"
    block: null
  }
  2: {
    key: ""
    block: null
  }
  3: {
    key: "consul"
    block: terraform.block id = terraform.block/
  }
  4: {
    key: "consul.consul_clients.iam_policies"
    block: null
  }
  5: {
    key: "consul.consul_servers"
    block: null
  }
  6: {
    key: "gke"
    block: terraform.block id = terraform.block/
  }
  7: {
    key: "consul.consul_clients"
    block: null
  }
  8: {
    key: "consul.consul_clients.security_group_rules"
    block: null
  }
  9: {
    key: "consul.consul_clients.security_group_rules.client_security_group_rules"
    block: null
  }
  10: {
    key: "consul.consul_servers.iam_policies"
    block: null
  }
]

Array deletion in MQL

You can now perform array subtraction within MQL. For example:

> [1,2,3,3,4] - [3,4,5]

TLS configuration within the port resource

The ports resource now includes the TLS configuration of each listening port: the certificates it serves, and the cipher suites and protocol versions it accepts:

cnquery> ports.listening[1] { port tls{*} }
ports.listening[1]: {
port: 8080
tls: {
socket: socket protocol="tcp" port=8080 address=""
nonSniCertificates: [
certificate serial="3e:44:c8:e3:2c:bc:2a:6e:0a:1f:f8:9e:53:57:69:91:eb:3f:c4:dd" subject.commonName="" subject.dn=",OU=n/a,O=Mondoo,L=LA,ST=California,C=US,1.2.840.113549.1.9.1=#0c0e646f6d406d6f6e646f6f2e636f6d"
ciphers: [
4: "TLS_CHACHA20_POLY1305_SHA256"
6: "TLS_AES_256_GCM_SHA384"
11: "TLS_RSA_WITH_AES_128_CCM_8"
14: "TLS_AES_128_GCM_SHA256"
versions: [
0: "tls1.3"
1: "tls1.2"
params: {
certificates: [
0: id:"certificate:f157279e8a7f6b819e8fbcaaa980f069a318bb9ea90ef9ea0c89204cffae4e94" name:"certificate"
ciphers: {
SSL_DH_anon_EXPORT_WITH_RC4_40_MD5: false
SSL_DH_anon_WITH_RC4_128_MD5: false
SSL_RSA_WITH_RC4_128_MD5: false
SSL_RSA_WITH_RC4_128_SHA: false
TLS_AES_128_CCM_8_SHA256: false
TLS_AES_128_CCM_SHA256: false
TLS_AES_128_GCM_SHA256: true
TLS_AES_256_GCM_SHA384: true
TLS_CHACHA20_POLY1305_SHA256: true
... (197 lines left)

Extend Kubernetes queries for ephemeralContainers

We've updated our Kubernetes policies to also check ephemeralContainers defined in Kubernetes workloads, so containers attached to workloads for debugging are held to the same security checks as regular containers.


  • Significantly reduce memory usage when syncing data to the Mondoo Platform.
  • Tag cnspec/cnquery container images on DockerHub for the major version (7, 8, etc) to match mondoo image tagging.
  • Publish cnspec/cnquery rootless container images to DockerHub to match mondoo rootless container builds.
  • cnspec -o json now produces properly formatted JSON and includes the policy scores.
  • Resolve errors in some MQL queries using { * } such as docker.containers { * }.
  • Automatically discover Google organizations when --discover is set to auto or the --discover flag is not specified.
  • Resolve authentication failures against MS365.
  • Update the chevrons in the Fleet view so it's clear when there are hidden lists of assets.
  • Improve CVE pages to show data more reliably.
  • Improve mondoo update reliability on Windows.
  • Update the example setup commands for Debian/Ubuntu on the Integrations page to overwrite repository GPG keys.
  • Improve GitHub Actions examples in the Integrations page.


🥳 Mondoo 7.3 is out! This release includes UI and policy improvements!



New Azure authentication options

Problem: You want to secure your Azure infrastructure, but you don't want to authenticate using less secure methods like passing a bearer token on the command line.

Solution: Mondoo now includes additional options for authenticating to Azure: as a service principal with a certificate, as a service principal with a client ID and secret, or by reusing the credentials of the az CLI (which keeps security features such as MFA on interactive logins).

Certificate authentication:

cnquery shell azure --client-id <id> --certificate-path /Users/stella/certificate.pfx --tenant-id <tenant-id> --certificate-secret supersecret

Client ID/secret authentication:

cnquery shell azure --client-id <id> --tenant-id <tenant-id> --client-secret my_secret

Both forms put a credential on the command line, where it lands in shell history and is visible to other local users in the process list. On shared hosts and in CI, supply the secret from a secret store or environment variable at invocation time rather than as a literal, and scope the service principal to read-only access on the subscriptions you scan.

If you don't specify an authentication method, Mondoo uses the method you've set up for the az CLI. So if you prefer shorter CLI commands, feel free to leave out the authentication flags entirely.

We also know you often have multiple subscriptions, so we've made it easy to select subscriptions. If the subscription flag is not set, you'll get a CLI menu of possible subscriptions to use:

Multiple Subscriptions

Policies for OpenSSL

Problem: You want to apply a specific policy to find instances or containers running OpenSSL versions vulnerable to the recently announced CVE-2022-3786 and CVE-2022-3602 (both affect OpenSSL 3.0.0 through 3.0.6 and are fixed in 3.0.7).

Solution: We've introduced a new policy, OpenSSL Vulnerability Policy by Mondoo, that reports specifically on CVEs in OpenSSL so you can more easily target these systems for remediation.


Status tabs on top of asset pages

Asset pages now include tabs at the top of the page for navigating between policies, controls, configuration, and vulnerabilities. These are easier to find, and the content of each tab now uses the full width of the screen so you can explore the data more easily.

Asset Tabs

Resource improvements

We continue to improve cnquery's resources to give you the best insight into servers, clouds, Kubernetes clusters, and more. This week we shipped the following fixes and improvements:

  • Resolve errors running github.repository { webhooks } if no webhooks were found.
  • Resolve errors running aws.rds.dbClusters {*}.
  • Add state data to the aws.ec2.snapshot resource.

Policy improvements

This week we made several improvements to Linux and Kubernetes policies with new and updated controls:

  • Added missing queries to controls in the AlmaLinux CIS benchmark.
  • Added new Limit the access of Pods to cloud metadata services control to the NSA Kubernetes Hardening Guide Version 1.2 policy.
  • Added new Minimize and verify access to secrets control to the NSA Kubernetes Hardening Guide Version 1.2 policy.
  • Updated Kubernetes Cluster and Workload Security policy to avoid failures scanning Kubernetes master nodes.


  • Resolve failures loading base64 configs from env vars in cnspec.
  • Resolve a panic when running cnspec in GitHub Actions.
  • The install script now points users to GitHub Discussions not Slack.
  • Improve cleanup of Kubernetes admissions controller scans older than 30 days to improve performance in spaces.
  • EOL warning banners now show up on asset pages after an asset becomes EOL with the OS vendor.
  • Show errors when policies cannot be uploaded to Policy Hub.
  • Resolve errors with pagination on asset pages not behaving as expected.
  • Resolve incorrect links in Microsoft Teams notifications.


🥳 Mondoo 7.2 is out! This release launches our new OSS projects cnquery and cnspec + much more!



Powered by new open source projects

We are excited to announce the open-source release of cnquery and cnspec. These are the core components of the Mondoo CLI and will replace it going forward.

cnquery is an asset inventory and search engine that features an interactive shell, an MQL runner, and query pack execution. Query packs are a new way to bundle queries that are executed automatically, with all of their data collected. This is useful for building asset inventories and collecting data during incidents. They are a lightweight alternative to policies (without scoring).

cnspec is the security test project, which focuses on misconfigurations and vulnerabilities. It is built on top of cnquery and adds policies and scored controls. It is also a drop-in replacement to the Mondoo CLI today and uses the same commands to scan assets, run queries, open a shell, or work with policies.

Together with this open-source release, we are opening the ability to create custom resources and providers. In the coming weeks we will start to release more guides for developers who are interested in contributing.

Furthermore, we are solidifying MQL as an open standard for GraphQL-based infrastructure querying and assertions. Most of the engine lives in cnquery and is highly extensible as well as embeddable.

We highly encourage you to try out cnquery and cnspec! Please let us know if you encounter any challenges switching from the Mondoo CLI to cnspec. We will continue to support the Mondoo CLI throughout the v7 release.

CLI CVE scanning

Problem: Sometimes you only care about CVEs on a server, container, or container image, but you have to scan the system for security misconfigurations as well.

Solution: We've added a new cnspec vuln command that allows you to scan for CVEs on servers, containers, and container images without performing a full security scan. The command also offers more detailed CVE output so you can see what's best to patch first.

cnspec vuln scanning

FreeBSD scanning support

Problem: You run a diverse infrastructure including FreeBSD hosts which need to be properly secured.

Solution: cnquery and cnspec now include initial support for remotely scanning FreeBSD hosts. With this update, you can now list packages and services, examine file contents, and execute commands. Stay tuned for more FreeBSD updates, and if you have thoughts or would like to contribute resource support for FreeBSD, join the Mondoo GitHub Discussions.


Add ephemeralContainers to k8s.pod

The k8s.pods and k8s.pod resources now include information on ephemeralContainers attached to Pods. Ephemeral containers are a relatively new Kubernetes feature that lets you attach containers to running Pods for debugging. Once attached they cannot be removed (only the Pod itself can be deleted), and if you forget about them they can introduce significant security risks to your environment.

Example workload with ephemeralContainers defined:

apiVersion: v1
kind: Pod
metadata:
  creationTimestamp: "2022-11-03T16:40:54Z"
  labels:                      # parent key reconstructed; the listing had lost its indentation
    admission-result: pass
  name: passing-pod-yaml
  namespace: debug-ns
  resourceVersion: "75952"
  uid: 823d82d5-890e-4d6a-9da6-404648144585
spec:
  automountServiceAccountToken: false
  dnsPolicy: ClusterFirst
  enableServiceLinks: true
  ephemeralContainers:
  - args:
    - sleep
    - "9999"
    image: busybox:1.28
    imagePullPolicy: IfNotPresent
    name: ephemeral_junk
    resources: {}
    securityContext:
      privileged: true
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File
  preemptionPolicy: PreemptLowerPriority
  priority: 0
  restartPolicy: Always
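The policy update in the 7.4 notes (ephemeralContainers in the Kubernetes policies) and the k8s.pod resource change here come down to one check: does a Pod carry ephemeral containers, and how are they configured. As an added example, not Mondoo's policy code, here is that check in Python over the JSON that kubectl returns. The sample Pod is constructed to mirror the manifest above, and the risk rules (privileged, allowPrivilegeEscalation, added capabilities, running as root) are this example's own selection.

```python
"""Find ephemeral containers attached to Pods and flag the risky ones.

Added example, not Mondoo's policy code. Ephemeral containers live under
spec.ephemeralContainers and cannot be removed once attached; the remediation
is to delete and recreate the Pod. The checks run over the JSON that
"kubectl get pods -A -o json" returns (a List of Pods) or over a single Pod.
"""
import json
from typing import Any, Dict, List

# Capabilities that give a debug container far more reach than it needs.
DANGEROUS_CAPABILITIES = {"ALL", "SYS_ADMIN", "NET_RAW", "SYS_PTRACE"}


def ephemeral_container_findings(pod: Dict[str, Any]) -> List[str]:
    """One finding per ephemeral container plus one per risky setting on it."""
    meta = pod.get("metadata") or {}
    ident = f"{meta.get('namespace', 'default')}/{meta.get('name', '<unnamed>')}"
    findings: List[str] = []
    for ctr in (pod.get("spec") or {}).get("ephemeralContainers") or []:
        prefix = f"{ident}: ephemeral container {ctr.get('name', '<unnamed>')!r}"
        findings.append(f"{prefix} attached (image {ctr.get('image', '?')})")
        sc = ctr.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{prefix} is privileged")
        elif sc.get("allowPrivilegeEscalation") is not False:
            # the field defaults to true, so only an explicit false is safe
            findings.append(f"{prefix} does not set allowPrivilegeEscalation: false")
        added = set((sc.get("capabilities") or {}).get("add") or [])
        for cap in sorted(added & DANGEROUS_CAPABILITIES):
            findings.append(f"{prefix} adds capability {cap}")
        if sc.get("runAsUser") == 0 or sc.get("runAsNonRoot") is False:
            findings.append(f"{prefix} runs as root")
        target = ctr.get("targetContainerName")
        if target:
            # sharing a target's process namespace lets the debug container ptrace it
            findings.append(f"{prefix} shares the process namespace of {target!r}")
    return findings


def scan_pods_json(text: str) -> List[str]:
    """Accept a single Pod object or a kubectl List and return all findings."""
    doc = json.loads(text)
    items = (doc.get("items") or []) if doc.get("kind") == "List" else [doc]
    findings: List[str] = []
    for item in items:
        if item.get("kind", "Pod") == "Pod":
            findings.extend(ephemeral_container_findings(item))
    return findings


# Constructed sample data for this example; SAMPLE_POD mirrors the manifest above.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "passing-pod-yaml", "namespace": "debug-ns"},
    "spec": {
        "automountServiceAccountToken": False,
        "containers": [{"name": "app", "image": "busybox:1.28"}],
        "ephemeralContainers": [
            {
                "name": "ephemeral_junk",
                "image": "busybox:1.28",
                "args": ["sleep", "9999"],
                "securityContext": {"privileged": True},
            }
        ],
    },
}

CLEAN_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "web", "namespace": "prod"},
    "spec": {"containers": [{"name": "web", "image": "nginx:1.25"}]},
}


def sample_listing_json() -> str:
    """What kubectl get pods -A -o json would return for the two sample Pods."""
    return json.dumps({"apiVersion": "v1", "kind": "List", "items": [SAMPLE_POD, CLEAN_POD]})


if __name__ == "__main__":
    for finding in scan_pods_json(sample_listing_json()):
        print(finding)
```

Pipe real output into scan_pods_json (for example kubectl get pods -A -o json) to list every debug container left behind in a cluster; the first finding per container is informational, the rest are the settings to act on.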

Improve CLI warnings when no provider is specified

In cnquery, if the user specified an invalid provider, the CLI unexpectedly used the local provider instead:

cnquery shell rockylinux
β†’ no provider specified, using defaults.
Use --help for a list of available providers. provider=local
β†’ discover related assets for 1 asset(s)
β†’ resolved assets resolved-assets=1
   (cnquery ASCII art banner)
mondoo™ interactive shell

Now if a user specifies a provider that doesn't exist, cnquery fails with an error and prints the usage information:

$ cnquery shell rockylinux
x provider rockylinux does not exist
Allows for the interactive exploration of MQL queries

cnquery shell [flags]
cnquery shell [command]

Available Commands:
arista Connect to an Arista endpoint
aws Connect to an AWS account or instance
azure Connect to a Microsoft Azure account or instance
container Connect to a container, an image, or a registry

Load base64 configuration directly from env vars

cnspec now loads a Base64-encoded configuration directly from the MONDOO_CONFIG_BASE64 environment variable. This means your CI jobs no longer need to decode the Base64 config, write it to a file on disk, and then point cnspec at that file.

Previously CI jobs had to write the config to disk:

echo "$VARIABLE_WITH_BASE64_CONFIG" | base64 -d > mondoo.json
cnspec scan k8s my_file.yml --config mondoo.json

Now with MONDOO_CONFIG_BASE64 set you can just run the CLI:

cnspec scan k8s my_file.yml

Add MQL ports resource for macOS and Windows

The MQL ports resource now supports Windows and macOS hosts in addition to Linux hosts. Using this resource you can track ports to listening addresses and executables:

cnquery> ports.listening
ports.listening: [
port port=56863 protocol="ipv4" address="*" process.executable="/usr/libexec/rapportd"
port port=56863 protocol="ipv6" address="*" process.executable="/usr/libexec/rapportd"
port port=7000 protocol="ipv4" address="*" process.executable="/System/Library/CoreServices/"
port port=7000 protocol="ipv6" address="*" process.executable="/System/Library/CoreServices/"
port port=5000 protocol="ipv4" address="*" process.executable="/System/Library/CoreServices/"
port port=5000 protocol="ipv6" address="*" process.executable="/System/Library/CoreServices/"
port port=44960 protocol="ipv4" address="" process.executable="/Users/chris/Library/Application"
port port=44950 protocol="ipv4" address="" process.executable="/Users/chris/Library/Application"
port port=18412 protocol="ipv4" address="" process.executable="/Users/chris/Library/Application"
port port=7335 protocol="ipv4" address="" process.executable="/Users/chris/Library/Application"
port port=17223 protocol="ipv4" address="" process.executable="/Users/chris/Library/Application"
port port=17223 protocol="ipv6" address="[::1]" process.executable="/Users/chris/Library/Application"

Auto discover ESXi hosts for vSphere

When scanning VMware vSphere assets, Mondoo now automatically discovers all ESXi hosts.

New controls for macOS security policy

We've added new controls to the macOS Security policy to make sure that automatic updates are securely configured:

  • Ensure automatic checking of software updates enabled
  • Ensure automatic download of software updates enabled
  • Ensure critical updates are installed automatically

New NSA Kubernetes Hardening Guide Version 1.2 controls

We've added several new controls to the NSA Kubernetes Hardening Guide Version 1.2 policy to help you secure your Kubernetes cluster and workloads:

  • Protect Pod service account tokens
  • Minimize and verify access to cluster-admin binding via rolebindings
  • Minimize and verify access to cluster-admin binding
  • CVE-2021-25742 - checking nginx-ingress ConfigMaps for dangerous settings


  • Detect Rocky Linux 9 as platform family redhat so package and service resources function properly.
  • Better raise permission issues when running the ports resource.
  • Avoid panics in cnquery when there are no query bundles.
  • Escape JSON data to prevent errors parsing some values.
  • If an asset is terminated mid-scan, report it as unscored instead of an error.
  • Fix asset filter not properly applying Terraform HCL Security Static Analysis for AWS policy.
  • Update EOL dates for Debian releases to the latest versions on their wiki.
  • Improve spacing of EBS volume scans to reduce API throttling.
  • Greatly improve the speed of service account and space deletion.
  • Fix typos in NSA Kubernetes Hardening Guide Version 1.2 policy.
  • Resolve errors when checking for default ingress/egress network rules in NSA Kubernetes Hardening Guide Version 1.2 policy.
  • Resolve errors when checking for the PKI directory on Minikube in NSA Kubernetes Hardening Guide Version 1.2 policy.
  • Avoid incorrect CVE counts for assets in the console.
  • Update the Amazon Linux 2 EOL date to reflect the updated date of June 30, 2024.
  • Detect the upcoming Fedora 37 release in the EOL policy.
  • Improve error messages in the Mondoo Kubernetes Operator when private images cannot be scanned.


🥳 Mondoo 7.1 is out! This release includes UI and policy improvements!



Local Provider by Default

Problem: You just want to scan your local system for security misconfigurations without needing to think about scan providers.

Solution: We've made mondoo scan default to the local system once again, so you can scan your local system without specifying the local provider.

Bulk Delete Assets

Problem: You have a large number of assets that you want to clean up, but deletion involves opening each asset and selecting the delete icon.

Solution: You can now multi-select and delete assets directly from the fleet view: click the pencil icon in the top-right corner of the asset list, check each asset you want to delete, then select Delete from the Batch Edit Selection pull-down menu.

Batch Delete Assets

Group Kubernetes Admissions Controller Scans by Namespace

Problem: New deployments come into Kubernetes clusters at a dizzying pace, and it's often hard to see which new workloads are being deployed to which namespaces.

Solution: We've reworked the Kubernetes admission controller UI in the CI/CD tab to better show which namespaces workloads are being deployed into. This groups similar scans so you can more easily escalate issues to the proper teams.

Grouped Namespaces

Group Multiple CI Scans

Problem: It's often useful to run multiple Mondoo scans in your CI/CD pipelines, but the scans don't show up together in the Mondoo CI/CD project pages.

Solution: Scans are now grouped together in the CI/CD project pages so you can better tell which scans ran in the same branch commits or PRs.

CI Jobs

Ignore Kubernetes Namespaces in Scans

Problem: You have a large Kubernetes cluster with different namespaces owned by different teams, and you don't want to scan the entire cluster at once.

Solution: We've added two new CLI flags that control which namespaces are scanned. To scan all namespaces except the ones you specify, use the --namespaces-exclude flag. To scan only the namespaces you specify, use the --namespaces flag.

mondoo scan k8s --namespaces-exclude mondoo-operator
mondoo scan k8s --namespaces luna-ui,luna-backend

New Microsoft Azure Security by Mondoo policy

Problem: You want to secure your Azure infrastructure against common security misconfigurations.

Solution: Mondoo now includes a new Azure Security by Mondoo policy. This policy provides guidance for establishing minimum recommended security and operational best practices for Azure. This policy includes ten controls, with new controls planned for future Mondoo releases.


SSM Connections using Instance Name

You can now scan AWS instances over AWS Systems Manager (SSM) using either the instance's IP address or its instance name. This makes it easier to scan instances by the names shown in the AWS CLI or the AWS Management Console.

Use Shorter Container Names

Mondoo now displays shortened container IDs, the same 12-character short form the Docker CLI shows, instead of the full SHA-256 digest. These short names fit better in the UI and match what you see when running Docker CLI commands.

Short Image Name

VMware Appliance Now Auto Upgrades Mondoo

We know you want the latest Mondoo Client capabilities so you can run updated policies, so we've updated the Mondoo VMware appliance to automatically pull in the latest client releases. No more compatibility concerns or time spent manually updating the instance.

Better Examples in CI Integration Pages

The CI/CD integration setup pages now include additional example configuration files, making it easier to set up Mondoo in your CI pipelines.

Additional CI Examples

NSA Kubernetes Hardening Guide Version 1.2 Generally Available

The NSA Kubernetes Hardening Guide Version 1.2 policy is no longer considered to be a preview release after the addition of several new controls and fixes:

  • Add an improved policy description with example usage information.
  • Update remediation steps to improve clarity.
  • Switch policy scoring system so that the policy score on an asset matches the worst offense found rather than the average of all scores (which previously could mask critical issues).
  • Update controls to properly run on the Kubernetes cluster asset itself when appropriate.
  • Fix Ensure that the Kubernetes PKI/SSL directory is owned by root:root control to work on Minikube.
  • Split Pods should not run with NET_RAW or SYS_ADMIN capabilities control into two controls so it can be disabled at a more granular level.
  • Add new controls:
    • CVE-2021-25742 - checking nginx-ingress ConfigMaps for dangerous settings
    • Do not allow ClusterRoles that allow users execution privileges into containers
    • Do not allow roles that allow users execution privileges into containers
    • Minimize and verify access to cluster-admin binding via rolebindings
    • Minimize and verify access to cluster-admin binding

NSA Policy
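As an added example, not Mondoo's policy code, the two cluster-admin controls and the two exec-privilege controls listed above (and in the 7.2 notes) can be audited over the RBAC objects kubectl returns. The Roles and bindings below are constructed for the example, and the function names are this example's own.

```python
"""Audit RBAC objects for cluster-admin bindings and exec privileges.

Added example, not Mondoo's policy code. It covers the two cluster-admin
controls and the two "execution privileges into containers" controls,
working over the objects that "kubectl get clusterroles,roles,
clusterrolebindings,rolebindings -A -o json" returns.
"""
from typing import Any, Dict, Iterable, List, Tuple

EXEC_VERBS = {"create", "*"}  # kubectl exec is a create on the pods/exec subresource


def _covers(granted: Iterable[str], wanted: str) -> bool:
    """True if an RBAC rule list names wanted directly or through a wildcard.

    "*" matches anything; "pods/*" matches every subresource of pods.
    """
    for item in granted or []:
        if item in ("*", wanted):
            return True
        if item.endswith("/*") and wanted.startswith(item[:-1]):
            return True
    return False


def _ident(obj: Dict[str, Any]) -> str:
    meta = obj.get("metadata") or {}
    if meta.get("namespace"):
        return f"{obj.get('kind')}/{meta['namespace']}/{meta.get('name')}"
    return f"{obj.get('kind')}/{meta.get('name')}"


def roles_allowing_exec(roles: Iterable[Dict[str, Any]]) -> List[str]:
    """Roles/ClusterRoles with a rule that permits creating pods/exec."""
    offenders = []
    for role in roles:
        for rule in role.get("rules") or []:
            if (_covers(rule.get("apiGroups"), "")  # pods are in the core API group ""
                    and _covers(rule.get("resources"), "pods/exec")
                    and set(rule.get("verbs") or []) & EXEC_VERBS):
                offenders.append(_ident(role))
                break
    return offenders


def cluster_admin_subjects(bindings: Iterable[Dict[str, Any]]) -> List[Tuple[str, str]]:
    """(binding, subject) pairs whose roleRef is the cluster-admin ClusterRole.

    A ClusterRoleBinding grants it cluster-wide; a RoleBinding grants it
    inside that binding's namespace only, which is still full control there.
    """
    hits = []
    for binding in bindings:
        ref = binding.get("roleRef") or {}
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        for subj in binding.get("subjects") or []:
            label = f"{subj.get('kind')}/{subj.get('name')}"
            if subj.get("kind") == "ServiceAccount":
                label += f" (ns {subj.get('namespace')})"
            hits.append((_ident(binding), label))
    return hits


# Constructed sample objects for this example.
ROLES = [
    {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "view"},
     "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]}]},
    {"kind": "Role", "metadata": {"name": "debugger", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]}]},
]

BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "cluster-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:masters"}]},
    {"kind": "RoleBinding", "metadata": {"name": "ci-admin", "namespace": "ci"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "runner", "namespace": "ci"}]},
    {"kind": "RoleBinding", "metadata": {"name": "viewers", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "alice"}]},
]

if __name__ == "__main__":
    print("roles that allow exec into containers:", roles_allowing_exec(ROLES))
    for binding, subject in cluster_admin_subjects(BINDINGS):
        print(f"cluster-admin via {binding}: {subject}")
```

The built-in binding of system:masters to cluster-admin is expected on every cluster; the control asks you to verify each remaining entry, and a RoleBinding to cluster-admin for a CI service account, as in the sample, is the kind of finding that usually warrants a narrower Role.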

Policy Improvements

We continue to improve the descriptions, remediation steps, and reliability of our out-of-the-box Mondoo policies so you can secure your infrastructure with less effort. This week we've made the following policy improvements:

  • Add improved descriptions and remediation steps to all Kubernetes Security controls.
  • Add getting started guides to each Mondoo policy with usage information.
  • CIS and BSI Linux policies now accept the shadow group when checking permissions on /etc/shadow and /etc/shadow-.
  • Move additional queries in the CIS Kubernetes policies from the cluster asset to the individual workload assets. This helps more quickly identify the workload in question and allows for more granular skip/disables.
  • Adjust impact levels in the CIS and Mondoo Linux policies to lower levels where appropriate.
  • Disable alerting of Pod Security Standard policies in the mondoo-operator namespace as enabling PSS would break operator functionality.
  • Improve descriptions and remediation steps for /etc/* file check controls in Linux Security by Mondoo policy.
  • Remove livenessProbe and readinessProbe checks from CronJobs and Jobs in Kubernetes Best Practices by Mondoo as these recommendations don't apply to Job and CronJob workloads.
  • Update remediation steps in Linux Security policy's Ensure system accounts are non-login control to properly identify high UID system accounts.
  • Fix incorrect remediation step in Linux Security by Mondoo policy's Ensure secure permissions on SSH private host key files are set control.
  • Fix AWS Security by Mondoo policy's Ensure there is only one active access key available for any single IAM user control to properly check that one key is active.

Time + operator in MQL

We've added a new + operator to the Time resource so you can more easily manipulate time values in your MQL queries. This makes queries like the ones below possible:

Time manipulation


  • Update the CI integrations pages to provide correctly encoded Mondoo credentials for use with CI platforms.
  • Add missing icons to Mondoo policies in the Policy Hub.
  • Improve alignment of enabled/selected policies in the Policy Hub.
  • Fix the MONDOO_CONFIG_PATH environmental variable not being honored in the Mondoo CLI.
  • Fix the progress bar not showing during Mondoo CLI scans.
  • Update the AWS integration to skip creating an EBS snapshot if one already exists.
  • Add a workaround for rate limiting during EBS snapshot scanning in large accounts.
  • Better handle long asset names in the fleet view.
  • Present the original case of the Kubernetes integration instead of uppercasing the name.
  • Fix top recommended action links on CI job assets to load controls properly.
  • Add missing page titles to some pages in the console.
  • Fix minor UI alignment and spelling mistakes.
  • Ensure that AWS account assets are created when scanning accounts.
  • Don't create empty k8s-node assets when scanning Kubernetes clusters.
  • Find GCP instances in all zones when scanning GCP accounts.
  • Don't return an error if all policy controls are skipped.
  • Add a friendly error message when trying to connect to assets over SSH without an identity file or password.
  • Improve the reliability of Kubernetes asset garbage collection in the Mondoo Kubernetes Operator.


🥳 Mondoo 7.0 is out!

If you have been following our past releases, you'll have seen the many improvements added over the last months, including:

  • Major new features for Kubernetes
    • Kubernetes resource, workload, node, pods, and control plane scanning
    • Automatic discovery of assets and related resources
    • Mondoo Kubernetes Operator 1.0
  • New and updated compliance policies, including:
    • NSA, NIST, BSI, AKS, EKS, Best Practices and too many updates to mention here
  • New UI for fleet views, asset relationships, recommended actions, control and policy views
  • Supply chain security, including GitHub and GitLab
  • Deeper CI/CD integrations (new UI, better filtering)
    • support for Azure pipelines, Jenkins, CircleCI
  • Extended integration for Terraform and Packer
  • AWS side scanning, GCOS, and GitHub Actions

Breaking changes

  • The previously deprecated features from v5.x have now been removed. If you have any old clients running v5.x, they will stop working with this release. Please upgrade to the latest version. All v6.x clients continue to be supported.
    • During v5.x policies were compiled differently. The changes are behind the scenes. Simply re-run policies with a new version of Mondoo.
  • Previously scanned results that were collected as null may now show up as empty values. Once the asset is re-scanned, this is fixed.


All deprecations will be supported throughout the lifetime of Mondoo v7. We will remove them when we release Mondoo v8.

  • We have a major open-source announcement coming next week. After it, we will start to deprecate the current mondoo CLI in favor of the new commands. Don't worry: it's a drop-in replacement and smooth transition.
  • We are removing the need to call .list on many resources that required it so far. For example, users.list now becomes users, ports.list becomes ports, and so on. Note that blocks now apply automatically to the child elements of such lists: users { name } is valid, but users { list } is deprecated and will be removed in v8. This also applies to ports.listening { ... }: since the block applies to the individual list elements, you no longer write ports { listening }.

Get this release: Installation Docs | Client Download | Installation Service | Docker Container


CI Setup in Integration

Problem: You want to set up Mondoo to scan projects through your favorite CI systems, but the setup is manual and requires jumping between the Mondoo console and documentation.

Solution: We've revamped how Mondoo CI integrations are set up to make the process faster and more intuitive. Gone are the manual service account setup and the trip to the documentation site; in their place, CI projects are set up through the Integrations tab in the console, just like other integrations. Service account tokens are created automatically, and the setup flow now suggests helpful policies for use with your CI projects.

New CI Setup Page


Updated EOL Data

We've updated our platform EOL data with new platform versions, so you always have the most up-to-date data:

  • Added Google Container OS 101 with a release date of Sept 15, 2022, and an EOL date of Sept 1, 2024.
  • Added Google Container OS release date information for milestone 97, 93, and 89.
  • Added macOS 13.0 with a release date of Oct 24, 2022.
  • Updated macOS 10.14 with an EOL date of Jul 21, 2021 when the last security update was released.

Improved Mondoo Operator Security

We've improved the security of the Mondoo Kubernetes Operator by dropping unnecessary privileges from any pods that are created by the operator.

New and Improved Policies

  • All Mondoo policies now include additional usage guidance with examples of how to run the policies using cnspec.
  • Linux Security by Mondoo policy's auditd controls now fail instead of erroring if auditd configs are not found.
  • Policy control UIDs in Mondoo TLS/SSL Security Baseline, Linux Workstation Security by Mondoo, and Linux Security by Mondoo policies better describe what is being checked.
  • Kubernetes Cluster and Workload Security by Mondoo policy's Ensure that the Kubernetes PKI/SSL directory is owned by root:root control properly handles paths on Minikube.
  • CIS Kubernetes Worker Node Level 1 policy's Ensure that the Kubelet only makes use of Strong Cryptographic Cipher no longer results in a query error on Minikube.
  • CIS Kubernetes Master Level 1 policy's Pod Security Standards controls have been updated to not run against workloads.
  • CIS Ubuntu 20.04 Server Level 1 policy's Ensure password creation requirements are configured no longer errors if PAM is not installed, such as when Mondoo is scanning a container or container image.
  • CIS Ubuntu 20.04 Server Level 1 policy's Ensure chrony is configured no longer errors if chrony's config is not found.
  • Terraform HCL Security Static Analysis for Google Cloud policy's Ensure that Cloud Storage bucket is not publicly accessible control was updated to improve reliability.
  • NSA Kubernetes Hardening Guide Version 1.2 policy's Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate and Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate checks now check for the proper values.
  • NSA Kubernetes Hardening Guide Version 1.2 policy now includes new controls to check for secure cryptographic ciphers on the API Server and Kubelets.


  • Add links to download Mondoo client to the manual setup instructions on the Workstation integration page.
  • Add missing breadcrumbs to the Policy Hub pages to make it easier to navigate
  • Avoid a scan failure when a /proc/sys file cannot be read.
  • Don't show controls skipped due to conditionals in policies as being disabled on assets.
  • Don't show double asset scans in the CI projects.
  • Fix container images being incorrectly classified as operating system assets.
  • Fix incorrect breadcrumb names on some integration pages.
  • Fix incorrect Kubernetes namespace IDs in k8s.namespaces{ id } if Kubernetes objects have no namespace.
  • Fix the --sudo flag not being honored when running mondoo scan
  • Fix the mondoo.version MQL query not returning the correct version.
  • Google Container OS systems are now properly categorized as operating systems instead of "Uncategorized Assets"
  • Mondoo platform links for CI/CD jobs on the CLI now go to the proper CI/CD asset view.
  • Only show asset scheduled EOL warning if the vendor has scheduled the EOL for less than one year in the future.
  • Performing an empty search in the Fleet view no longer goes to an error page.
  • Policy descriptions on Policy Hub no longer suggest the legacy mondoo scan -t CLI format.
  • Policy Hub no longer lists potentially incorrect manual scan instructions.
  • Properly render the list of assets when navigating through the pagination.
  • Remember the previous fleet filter selection when returning to the fleet page after viewing an asset.
  • Resolved failures running mondoo scan gitlab
  • Resolved multiple errors when running CIS Kubernetes Master Level 1 policy on Minikube clusters.
  • The initial load of the Mondoo console no longer flashes white when dark mode is enabled.
  • Updates the VMware and Azure integration pages to use the latest mondoo scan syntax.
  • Warn when using mondoo scan k8s --namespace if the namespace was not found on the cluster.

· 8 min read

🥳 Mondoo 6.19 is out! This release includes new Kubernetes content and UI improvements!

Get this release: Installation Docs | Client Download | Installation Service | Docker Container


New Mondoo Policies Replace Existing Policies

We've introduced newly renamed Mondoo out-of-the-box policies. These policies use more consistent policy and UID names that distinguish security controls from best practices, and they use the new scoring system described below. We've marked the existing policies as deprecated so that users are not affected at this time. You can switch to the new policies by disabling the deprecated policy and enabling the new one in the Policy Hub. At a later date we will automatically migrate users from the existing policies to the new ones. Stay tuned for more details!

New Policy Scoring Evaluation

We've updated our out-of-the-box Mondoo policies to use a more appropriate scoring system. With this change, the overall score a policy receives now always reflects its most critical failure. Previously, we computed an average over all failed controls, which could hide critical ones; high-impact controls are no longer masked by a large number of low-impact passing controls. For many users this will increase the number of low-scoring policies in their spaces, because failing controls that were previously hidden are now exposed.

GitHub Discussions open for business

Problem: You have a question about writing policies or scanning hosts with Mondoo, but nothing comes up in search engines, and waiting on Slack responses can take forever.

Solution: We decided to move our main community presence to GitHub Discussions. Slack is fantastic for real-time conversation, but it's a poor place to get quick answers to common questions. With GitHub Discussions, every question asked in the past is available in search, and over time this builds up an extensive FAQ resource. You can find these discussions on the Mondoo GitHub Discussions page. We've already started to move interesting topics there, so you'll find plenty of MQL guidance. We'll still be around on Slack and Discord for interactive chat, but we prefer to discuss common topics on GitHub now.


New Kubernetes Security Policies

Problem: Your Kubernetes workloads are secure, but you want to ensure that the cluster and cluster nodes are also secured.

Solution: We've introduced a number of new controls for the Kubernetes API Server and Kubelets to keep your cluster secure:

Control | Applies to
Ensure the kube-apiserver is not listening on an insecure HTTP port | API Server
Ensure the kube-apiserver does not allow anonymous authentication | API Server
Deployments should not run Tiller (Helm v2) | Deployments
Pods should not run Tiller (Helm v2) | Pods
Deployments should not run Kubernetes dashboard | Deployments
Pods should not run Kubernetes dashboard | Pods
Disable anonymous authentication for kubelet | Kubelets
Configure kubelet to capture all event creation | Kubelets
Configure kubelet to ensure IPTables rules are set on host | Kubelets
Configure kubelet to protect kernel defaults | Kubelets
Do not allow unauthenticated read-only port on kubelet | Kubelets
Ensure the kubelet is not configured with the AlwaysAllow authorization mode | Kubelets
Configure kubelet to use only strong cryptography | Kubelets
Run kubelet with a user-provided certificate/key | Kubelets
Run kubelet with automatic certificate rotation | Kubelets
Ownership and permissions of kubelet configuration should be restricted | Kubelets
Specify a kubelet certificate authorities file and ensure proper ownership and permissions | Kubelets

NSA/CISA Kubernetes Hardening Guidelines Preview Policy

Problem: You want to secure your Kubernetes infrastructure against the latest NSA/CISA guidance.

Solution: Mondoo now includes a preview policy implementing the NSA/CISA guidance. This guidance covers Kubernetes security in the control plane, on cluster nodes, and in workloads. Stay tuned for updates to this policy in the coming weeks. Be sure to check out the NSA's press release announcing this new guidance document, which includes a link to the complete PDF.

Long-Lived Registration Tokens

Problem: You want to automate the registration of new nodes into the Mondoo Platform, but that's difficult when new registration tokens have to be generated constantly.

Solution: You can now generate long-lived (non-expiring) registration tokens in the UI. These are ideal for automated processes such as auto-scaling groups, where the token is stored in a secrets management system and must not expire.

Non-expiring Tokens

New Service Account UI

Problem: Each integration you set up in Mondoo adds a service account, and managing these accounts can be difficult if you want to remove unused accounts or view usage.

Solution: We've updated the service account page to make it easier to manage service accounts. The new UI exposes important information like the creation date, the last used date, and what created the account. You can also expand each item in the list to link to the integration using the service account, change permissions, or delete the account.

New Service Accounts UI


EBS Volume Scanning in the Instance's Region

Problem: You want to scan AWS instances with EBS volume scanning, without installing Mondoo Client, but you run in multiple regions, which makes the cost prohibitive.

Solution: We now scan the EBS volumes of instances in the region where each instance runs. This avoids potentially costly cross-region data transfer charges.

More Severity Data in Policies

Problem: On the first scan, Mondoo finds an enormous pile of security issues in your environment for you to tackle, but which ones are the most important?

Solution: We've continued to improve Mondoo's ability to help you prioritize your work with severities in policies. All our Windows policies now include severity data, and Linux policies have been adjusted to make sure you're tackling the most pressing issues first.

Better Prioritized Control Views

Problem: Policies on your assets can have hundreds of controls, and you need to evaluate the security of an asset at a glance.

Solution: We've improved how controls in policies are displayed to make it easier to quickly understand the security posture of your assets. Skipped controls are now displayed at the bottom of the results, so you can see the controls that passed or failed more easily. This is particularly useful when viewing the results of the Mondoo Kubernetes Security policy, where many workload controls are skipped depending on the asset type. We also now sort by severity within each status, so you can quickly see the highest-severity failed controls.

You can now also manually sort on any column in the results, so you can always view the data just how you like.

Sorted Controls

Problem: The Top 5 Recommended Actions tile shows high-impact failures that should be resolved first, but it's often hard to determine which controls have failed due to the small size of the tile and the long control names.

Solution: If part of a control name is clipped due to the size of the Top 5 Recommended Actions tile, you can now hover over the titles for a tooltip with the complete name.

Hover over in top 5

All Kubernetes Namespaces Scanned by Default

Problem: You want to scan your Kubernetes cluster, but it includes workloads from many different namespaces, which aren't scanned by default.

Solution: By default, Mondoo now scans all Kubernetes namespaces. This means a complete cluster scan can be achieved with just mondoo scan k8s. The --all-namespaces CLI flag has been deprecated and will be removed in a future release. If you'd like to limit your scans to a single namespace, you can still do so by specifying it on the CLI with --namespace FOO.


  • Fix failures to properly filter on tags when scanning AWS instances.
  • Fix failures parsing the contents of /proc/sys when a file was empty.
  • Fix incorrect asset counts in the fleet view after an asset was deleted.
  • Kubernetes manifest names in the shell now show as the file name and not the file's directory.
  • Improve help text to make it more clear what commands do.
  • Remove the undocumented mondoo scan github user sub-command. Stay tuned for the return of this command with more clear use cases for scanning all user repositories.
  • Use sysctl to scan Linux kernel parameters where we can to prevent failures scanning /proc/sys in some scenarios.
  • Properly read the exit codes of commands that are executed on Docker containers.
  • Improve error output when connecting to AWS accounts.
  • Do not panic when querying a single k8s resource without providing id/name.
  • Do not fail when using k8s.networkPolicies if a cluster has the Calico CNI.
  • Registration tokens properly refresh in the integrations setup UI pages.
  • Prevent failures to scan EC2 instances when a single keypair is missing.
  • Fix failures using MS365 certificate authentication.
  • Fix failures in search filtering for Kubernetes admission controller assets.

· 4 min read

🥳 Mondoo 6.18 is out! This release includes new policies and better out-of-the-box Kubernetes scanning!

Get this release: Installation Docs | Client Download | Installation Service | Docker Container


NIST Special Publication 800 Preview Policies for AWS

Problem: You need to comply with NIST Special Publication 800 guidance in your AWS environment.

Solution: We're introducing a preview of five new NIST SP 800 policies to help you keep your systems in compliance with US federal government requirements.

NIST 800 Policies

Kubernetes Asset Scanning By Default

Problem: You want to scan your Kubernetes cluster and apply the Mondoo Kubernetes Security and Kubernetes Best Practices policies to all of the workloads in your cluster. But without extra flags, only the cluster shows up and the new policies don't apply.

Solution: Mondoo Kubernetes scans now automatically scan cluster objects as assets. This provides a much more Kubernetes-friendly view of where security problems exist within your cluster. You can use our new policies with dozens of controls that aren't present in the legacy Kubernetes Application Benchmark policy.

Kubernetes Assets

Expanded HashiCorp Terraform GitHub Action Support

Problem: You want to set up the Mondoo GitHub Action to ensure the security of HashiCorp Terraform plans and state files so you can be confident in your changes before you apply them.

Solution: The Mondoo GitHub Action 0.7.0 now includes two new actions for scanning your Terraform code:


Simplified Terraform State File Resource

Problem: You want to query out resources in Terraform state files without writing complex queries that dig deep into the files.

Solution: We've simplified MQL access to resources from the Terraform state files.

Before this release, you had to iterate over all Terraform modules to get access to the resources:

cnquery> terraform.state.rootModule.resources { providerName == "" }
terraform.state.rootModule.resources: [
0: {
providerName == "": true

With this release, you can now access the resources directly from the state:

cnquery> terraform.state.resources
terraform.state.resources: [
0: terraform.state.resource id =


  • Unknown scan status coloring is now always white throughout the console.
  • Corrects control counts on the asset pages.
  • Fixes small score donut charts on the asset pages.
  • Searches of scans from the Kubernetes Admission Controller are now case insensitive.
  • Adds missing breadcrumb links on the main Fleet page.
  • Corrects sample PowerShell setup commands on the Workstation Integration page.
  • Makes the asset type summary text more consistent.
  • Properly detects an asset's platform.
  • Improves the reliability and performance of removing policies and assets.
  • Improves reliability of EBS volume scans with the AWS integration.
  • mondoo.version queries now return the correct Mondoo Client version.
  • Resolves errors deleting CI/CD jobs.
  • Resolves Kubernetes cluster names reverting to UID from the friendly name in the CI/CD view.
  • Improves the reliability of CIS Kubernetes controls that inspect the state of the Kubelet.
  • mondoo scan aws ec2 ebs now respects the --option region option.
  • Resolves an error that could cause creation of empty AWS account assets when scanning instances.
  • Prevents errors in the Linux Security by Mondoo policy when /etc/shadow is not present on a system.
  • Container images no longer show up in the fleet view as container registries during scans.
  • Fixes parsing of OS uptime on some Linux distributions.
  • Corrects reporting of Kubernetes integration errors during cluster scans.
  • Scanning a Kubernetes cluster with an invalid namespace specified no longer creates an empty cluster asset.

· 5 min read

🥳 Mondoo 6.17 is out! This release includes a new asset explorer UI and Kubernetes MQL resources!

Get this release: Installation Docs | Client Download | Installation Service | Docker Container


Explore Asset Relationships

Problem: Your environment is complex, and so is the job of securing it. You want to understand not just the security of a single asset, but how each asset relates to your overall infrastructure security.

Solution: Mondoo now exposes the complex relationships that make up your infrastructure security in a new Explorer tab for each asset. The Explorer view lets you quickly evaluate the security of related assets so you can better understand the security of complex infrastructure like cloud accounts or Kubernetes clusters. Each related asset is shown as a color-coded tile, which you can hover over for additional scan information. Here we see the results of Kubernetes job scans, including a Mondoo Operator job, which scored an A:

Asset Explorer

Bundesamt für Sicherheit in der Informationstechnik (BSI) Windows Policy

Problem: You want to secure your Windows systems according to the guidance of the German Federal Office for Information Security (BSI) and pass a BSI audit.

Solution: Mondoo now includes a new BSI SYS.1.2 Windows Server 2016/2019/2022 policy. BSI is Germany's Federal Office for Information Security, and its IT-Grundschutz building blocks (such as SYS.1.2) are the German IT security standard, playing a role comparable to SOC 2 in the US. This new policy complements our existing BSI SYS.1.3 Linux and Unix Servers policy for Debian- and Red Hat-based Linux systems. These policies are especially helpful for users in the DACH region, and in Germany in particular.

BSI Windows Policy

Automatic Cleanup of Kubernetes Resources

Problem: Resources come and resources go, but they sure add up quickly. Kubernetes clusters often contain large numbers of ephemeral resources, and over time Mondoo's scanning of these resources leaves spaces full of long-dead assets.

Solution: Mondoo now automatically cleans up Kubernetes assets older than 24 hours, keeping your spaces tidy and full of relevant scans.

New k8s.admissionreview and k8s.admissionrequest Resources

Problem: You want to write policies against incoming Kubernetes deployments to understand the security of the deployment request itself.

Solution: Mondoo now includes new k8s.admissionreview and k8s.admissionrequest resources that allow you to write policies against incoming deployments. Stay tuned as we expand this functionality over time to allow additional control over the workloads that make it into your cluster.

New k8s.kubelet Resource

Problem: You need to secure your Kubernetes cluster nodes to secure your infrastructure, but the Kubelet configuration system is complex. How do you handle the different names for the same configs and different defaults depending on the config location? Should you check the CLI flags, the YAML config, or the JSON config?

Solution: We've abstracted the complexity of parsing the Kubelet config options into a new k8s.kubelet resource. The resource parses all three configuration locations, handles defaults, and understands the changing default values when config files are loaded. With this resource, you can write simple queries to check for Kubelet config options and let Mondoo handle the heavy lifting of parsing Kubernetes configuration logic.

A manual query that does not account for default values:

if (props.kubeletconfigpath != null) {
  // config file in use: read the feature gate from the parsed YAML
  cfg = parse.yaml(props.kubeletconfigpath).params
  cfg["featureGates"]["RotateKubeletServerCertificate"] != null
  cfg["featureGates"]["RotateKubeletServerCertificate"] == true
} else {
  // no config file: fall back to the kubelet process flags
  processes.where(executable.contains("kubelet")).all(flags["feature-gates"] == "RotateKubeletServerCertificate=true")
}

An updated query that includes default value evaluation:

k8s.kubelet.configuration["featureGates"]["RotateKubeletServerCertificate"] == true

We've also updated our existing Kubernetes policies to use this new resource. This dramatically improves the reliability of configuration parsing in these policies, removing potential false positives.
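To make the "defaults change when a config file is loaded" problem concrete, here is an added example in Python. It is not Mondoo's code and not part of the original post; it resolves a kubelet setting the way a scanner has to, with an explicit flag winning over the config file and the config file winning over defaults, where the default itself depends on whether a config file is in use. The three settings and their flag and config-file defaults are taken from the kubelet documentation as I read it and should be treated as assumptions to verify against your kubelet version. The config file is passed in already parsed (YAML loading is left to the caller), and both command lines and the config content are constructed samples.

```python
import shlex

# Kubelet settings whose defaults differ between the flag form and the
# KubeletConfiguration file form. Defaults assumed from the kubelet docs;
# verify them against the kubelet version you actually run.
SETTINGS = {
    # flag name:          (config path,                               flag default,  config default)
    "anonymous-auth":     (("authentication", "anonymous", "enabled"), True,          False),
    "authorization-mode": (("authorization", "mode"),                 "AlwaysAllow", "Webhook"),
    "read-only-port":     (("readOnlyPort",),                          10255,         0),
}


def _coerce(text):
    """Turn a flag's string value into bool/int/str."""
    if text.lower() in ("true", "false"):
        return text.lower() == "true"
    return int(text) if text.isdigit() else text


def parse_flags(cmdline):
    """Turn a kubelet command line into {flag: value}; bare flags are True."""
    flags = {}
    for arg in shlex.split(cmdline)[1:]:
        if not arg.startswith("--"):
            continue
        name, _, value = arg[2:].partition("=")
        flags[name] = _coerce(value) if value else True
    return flags


def _lookup(config, path):
    """Walk a nested dict; None when any key on the path is absent."""
    node = config
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def effective_setting(flag, cmdline, config=None):
    """Resolve one kubelet setting: explicit flag > config file field >
    config-file default (when a config file is used) > flag default."""
    path, flag_default, config_default = SETTINGS[flag]
    flags = parse_flags(cmdline)
    if flag in flags:
        return flags[flag]
    if config is not None:
        value = _lookup(config, path)
        return config_default if value is None else value
    return flag_default


# Constructed samples, not from the page: a node driven by a config file that
# leaves anonymous auth unset, and a node configured purely by flags.
CONFIG_NODE = "kubelet --config=/var/lib/kubelet/config.yaml --read-only-port=10255"
CONFIG_FILE = {"authorization": {"mode": "Webhook"}}
FLAGS_NODE = "kubelet --anonymous-auth=false"

if __name__ == "__main__":
    for name in SETTINGS:
        print(name,
              "config node:", effective_setting(name, CONFIG_NODE, CONFIG_FILE),
              "flags node:", effective_setting(name, FLAGS_NODE))
```

A naive check that only reads the config file would raise on the config node (authentication.anonymous.enabled is absent) and would miss that the read-only port was re-enabled on the command line; a check that only reads flags would wrongly report AlwaysAllow authorization on the same node.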


env and envFrom in Kubernetes Container Resources

Problem: You want to write policies to ensure that only secure environment variables are passed into your Kubernetes workloads.

Solution: Container resources now expose the env and envFrom configs. This allows you to inspect manifests with plain text secrets being passed in via env vars like this:

apiVersion: v1
kind: Pod
metadata:
  name: luna-frontend
  namespace: prod
spec:
  containers:
  - name: luna-frontend
    image: lunalectric/frontend:1.0
    env:
    - name: LOGIN
      value: "oh_no"
    - name: PASSWORD
      value: "they_are_really_doing_this!"

Using a query to check for env var names:

env["LOGIN"] == null && env["PASSWORD"] == null
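The query above runs inside Mondoo. As an added, stand-alone illustration of the same check (not code from this post or from Mondoo), here is a Python script that walks the containers of a bare Pod or of a workload's pod template and reports credential-like environment variables that carry a literal value, while accepting variables sourced through valueFrom and listing envFrom ConfigMap sources that cannot be judged from the manifest alone. The manifest is a constructed sample (the post's Pod in JSON form, plus a sidecar that does it right), and the name pattern used to decide what counts as a credential is an assumption.

```python
import json
import re

# Constructed sample: the Pod from the post in JSON form, plus a sidecar
# container that references a Secret properly. Not from the original page.
SAMPLE_POD = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {"name": "luna-frontend", "namespace": "prod"},
  "spec": {
    "containers": [
      {
        "name": "luna-frontend",
        "image": "lunalectric/frontend:1.0",
        "env": [
          {"name": "LOGIN", "value": "oh_no"},
          {"name": "PASSWORD", "value": "they_are_really_doing_this!"},
          {"name": "LOG_LEVEL", "value": "info"}
        ]
      },
      {
        "name": "sidecar",
        "image": "lunalectric/sidecar:1.0",
        "env": [
          {"name": "API_TOKEN",
           "valueFrom": {"secretKeyRef": {"name": "sidecar-creds", "key": "token"}}}
        ],
        "envFrom": [{"configMapRef": {"name": "sidecar-settings"}}]
      }
    ]
  }
}
""")

# Assumed pattern for variable names that usually carry credentials.
SENSITIVE_NAME = re.compile(
    r"(PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL|LOGIN)", re.I
)


def pod_spec(manifest):
    """PodSpec of a bare Pod, or of the pod template inside a workload."""
    spec = manifest.get("spec", {})
    return spec.get("template", {}).get("spec", spec)


def all_containers(manifest):
    spec = pod_spec(manifest)
    return spec.get("initContainers", []) + spec.get("containers", [])


def plaintext_secret_envs(manifest):
    """(container, variable) pairs where a credential-like env var is set as
    a literal value instead of a valueFrom reference to a Secret."""
    findings = []
    for c in all_containers(manifest):
        for var in c.get("env", []):
            if "value" in var and SENSITIVE_NAME.search(var["name"]):
                findings.append((c["name"], var["name"]))
    return findings


def configmap_env_sources(manifest):
    """(container, ConfigMap) pairs injected wholesale via envFrom. The
    manifest cannot show which keys they carry, so flag them for review."""
    return [
        (c["name"], src["configMapRef"]["name"])
        for c in all_containers(manifest)
        for src in c.get("envFrom", [])
        if "configMapRef" in src
    ]


if __name__ == "__main__":
    for container, var in plaintext_secret_envs(SAMPLE_POD):
        print(f"FAIL   {container}: {var} is set as a literal value")
    for container, cm in configmap_env_sources(SAMPLE_POD):
        print(f"REVIEW {container}: envFrom pulls every key of ConfigMap {cm}")
```

Checking for the presence of a "value" key, rather than comparing against known names only, is what separates a plaintext secret from a correctly wired secretKeyRef with the same variable name.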

Expanded Kubernetes Security & Best Practices Policies

We continue to expand our Kubernetes Security Benchmark policy to better secure workloads in your clusters. This week we added two new controls:

  • Pods should mount any host path volumes as read-only: Ensures that pods don't have write access to paths on the cluster node, which would allow modifying the host configuration.
  • Pods should not bind to a host port: Ensures pods aren't binding directly to cluster nodes where they can bypass network controls.

mondoo exec Is Now mondoo run

We've updated the mondoo exec command to be mondoo run. The existing command will still work, but help will show just mondoo run. We're making this change to align CLI options for some exciting new releases coming soon. Stay tuned for more updates!


  • GitHub, Terraform, and cloud Kubernetes policies in the Policy Hub now include custom icons.
  • Updates Pods should not run with NET_RAW capability and Pods should not run with SYS_ADMIN capability controls in the Mondoo Kubernetes Security policy to not fail when no securityContext or capabilities are defined.
  • Resolves failures in Minimize the admission of root containers and Minimize the admission of containers with the NET_RAW capability controls in CIS Kubernetes policies.
  • Asset view once again includes the state of the asset's Mondoo Client.
  • Long policy names now truncate better in the asset view.
  • The --option command line flag is now properly passed through to AWS EBS-based scans.
  • The --token command line flag is now properly set when scanning GitHub organizations or repositories.
  • Scans in the CI/CD view no longer appear unscored.
  • Kubernetes cluster nodes are no longer part of the k8s-workload family.
  • Prevents failures checking kernel parameters if files in /proc/sys cannot be read.

· 4 min read

🥳 Mondoo 6.16 is out! This release includes new policies and always-up-to-date Kubernetes results.

Get this release: Installation Docs | Client Download | Installation Service | Docker Container


Scan Kubernetes Resources on Add/Update

Problem: You rapidly deploy new and updated workloads to your Kubernetes cluster and you want to know that the Mondoo scan results reflect the latest state of your cluster.

Solution: Mondoo now scans your Kubernetes resources as they are updated or added to the cluster, so the fleet view always has the latest information on cluster-wide security.

Note: This requires the Mondoo Operator for Kubernetes 1.5 or later. To update to this new release run:

kubectl delete --ignore-not-found -n mondoo-operator deployment mondoo-operator-controller-manager
kubectl apply -f

Mondoo Policy for Google Cloud Terraform Plans

Problem: You want to find Google Cloud security issues early in your infrastructure development cycle to prevent insecure changes from ever reaching production.

Solution: This week, we're introducing a new policy, Terraform Plan - CIS Google Cloud Platform Foundation Benchmark. It lets you run Mondoo security scans directly against HashiCorp Terraform plans for your Google Cloud infrastructure.

Problem: Mondoo found a lot of security issues for your asset and you're overwhelmed. It's hard to know what to fix first.

Solution: The asset view now shows the five most important actions you should take to improve an asset's security.

Top 5 Recommended Actions

View All Controls for an Asset

Problem: You want to find a specific control that is applied to an asset, but you don't know which policy it's in.

Solution: Mondoo now lists all of an asset's controls independently from their policies. You can filter controls by policy or by search string.



New Security and Best Practices Controls for Kubernetes

Problem: You want to scan your workloads for common security and best practice misconfigurations before deploying them to your Kubernetes cluster.

Solution: We've expanded our Kubernetes Security Benchmark and Kubernetes Best Practices Benchmark to expose more common misconfigurations in Kubernetes workloads.

  • Workloads should not run in the default namespace: This new Kubernetes Best Practices Benchmark control discovers workloads that haven't defined a non-default namespace to run in. It's best to group workloads into non-default namespaces to organize work by team and to isolate workloads from each other.

  • Workloads should not run with SYS_ADMIN capability: This new Kubernetes Security Benchmark control discovers workloads that add the SYS_ADMIN or ALL capabilities. SYS_ADMIN is risky because it grants the container a large share of root's kernel privileges.

  • Workloads should not run with NET_RAW capability: This new Kubernetes Security Benchmark control discovers workloads that add the NET_RAW or ALL capabilities. Attackers can use NET_RAW to craft raw packets on the host, for example to redirect network traffic bound for other pods.

  • Pods should have an owner: This new Kubernetes Best Practices Benchmark control discovers pods that have no owner. These pods, commonly called naked pods, are not rescheduled if the node they're running on fails or terminates.
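As an added example of how these four controls can be evaluated against workload objects (this is not Mondoo's implementation and not code from the post), the Python below checks the namespace, the presence of ownerReferences on Pods, and the SYS_ADMIN, NET_RAW and ALL capability adds for every container, including init containers. It treats a missing securityContext or capabilities block as a pass rather than an error. The three workload objects are constructed samples.

```python
# Constructed sample workloads, not from the page: a hand-made debug Pod in the
# default namespace, a Deployment that adds every capability, and a clean one.
DEBUG_POD = {
    "kind": "Pod",
    "metadata": {"name": "debug", "namespace": "default"},
    "spec": {"containers": [{
        "name": "shell", "image": "busybox",
        "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}},
    }]},
}
ALL_CAPS_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "scanner", "namespace": "prod"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "scan", "image": "lunalectric/scanner:1.0",
        "securityContext": {"capabilities": {"add": ["ALL"]}},
    }]}}},
}
CLEAN_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "web", "namespace": "prod"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "web", "image": "lunalectric/web:1.0"}]}}},
}

RISKY_CAPS = ("SYS_ADMIN", "NET_RAW")


def pod_spec(manifest):
    """PodSpec of a bare Pod, or of the pod template inside a workload."""
    spec = manifest.get("spec", {})
    return spec.get("template", {}).get("spec", spec)


def all_containers(manifest):
    spec = pod_spec(manifest)
    return spec.get("initContainers", []) + spec.get("containers", [])


def added_capabilities(container):
    """Capabilities the container adds; empty when securityContext or
    capabilities is missing, so an absent block passes instead of erroring."""
    sc = container.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    return {cap.upper() for cap in caps.get("add") or []}


def workload_findings(manifest):
    """List the best-practice and security findings for one workload object."""
    findings = []
    meta = manifest.get("metadata", {})
    if meta.get("namespace", "default") == "default":
        findings.append("workload runs in the default namespace")
    # Only meaningful for Pods read back from the cluster: a Pod created by a
    # controller carries ownerReferences, a hand-made one does not.
    if manifest.get("kind") == "Pod" and not meta.get("ownerReferences"):
        findings.append("naked pod: no ownerReferences, it will not be rescheduled")
    for c in all_containers(manifest):
        added = added_capabilities(c)
        for cap in RISKY_CAPS:
            if "ALL" in added:
                findings.append(f"{c['name']} adds ALL capabilities (includes {cap})")
            elif cap in added:
                findings.append(f"{c['name']} adds {cap}")
    return findings


if __name__ == "__main__":
    for workload in (DEBUG_POD, ALL_CAPS_DEPLOYMENT, CLEAN_DEPLOYMENT):
        print(workload["metadata"]["name"], workload_findings(workload) or ["no findings"])
```

The ALL case is reported once per risky capability so that each finding maps back to one control; a scanner that only looked for the literal strings SYS_ADMIN and NET_RAW would miss it.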

BIOS Updates Control Added to Client Linux Security Baseline by Mondoo

Problem: To secure the boot process, you need to ensure that all Linux systems have the most up-to-date BIOS releases.

Solution: The Client Linux Security Baseline by Mondoo now includes a control to validate that systems have the most up-to-date BIOS when the fwupd utility is installed.

Error Messages for Unavailable Assets

Problem: You need to know when Mondoo can't connect to an asset.

Solution: Mondoo now shows an error message on the asset page when it fails to reach the asset.

Unavailable Asset


  • Renames potentially confusing control titles in Linux Security Baseline by Mondoo policy.
  • Skips internal fields in the mondoo shell help output.
  • Improves error handling in AWS Lambda scans.
  • Changes Mondoo agent searches to not be case sensitive.
  • Returns more helpful error messages from Mondoo Client when a necessary environment variable is missing on CI platforms.
  • Fixes missing available packages in asset Platform Vulnerabilities pages.
  • Improves the handling of null data for regular data types: We now consistently return non-null data from the upstream service. In the next major release, we will support storing other null data.
  • Fixes failures parsing Linux kernel parameters when files in /proc/sys can't be read.
  • Networks and domains are now properly grouped in the fleet view.