Skip to main content

Mondoo 6.12.2 is out!

ยท 4 min read
Tim Smith
Mondoo Core Team

๐Ÿฅณ Mondoo 6.12.2 is out! This release includes private image scanning in Kubernetes clusters and an improved CI/CD UI experience!

Get this release: Installation Docs | Package Downloads | Docker Container

๐ŸŽ‰ NEW FEATURESโ€‹

Continuous Kubernetes Workload Scanningโ€‹

Problem: You want to continuously evaluate the security of all the running workloads in your cluster.

Solution: The Mondoo Operator for Kubernetes now automatically discovers all workload resources in the cluster, including Deployments, CronJobs, and Pods. These new resources, when combined with the recently released Kubernetes Security and Best Practices Benchmarks, provide deep insight into the security of deployed workloads at a moment's glance.

Workload Scanning

Kubernetes Private Container Image Scanningโ€‹

Problem: You scan your container images using Mondoo in CI to ensure they are secure when you deploy them. However, you want to ensure that they stay secure as new security best practices are developed, and CVEs in container images are discovered.

Solution: Mondoo now utilizes imagePullSecrets in your Kubernetes cluster to fetch and scan container images in private registries. When you enable image scanning in the Mondoo Kubernetes Operator and use imagePullSecrets to store secrets for private container registries, you receive continuous scan results for public and private container images. This gives you quick access to the misconfigurations and CVEs running in your applications.

Image Scanning

Simpler Getting Started Experienceโ€‹

Problem: You created your first space with Mondoo, but what's next?

Solution A new Workstation setup page is available directly from your new Space page. This setup experience helps you to install Mondoo Client onto your Mac, Windows, or Linux workstation. It then guides you through remote scans you can perform to quickly evaluate the security of your infrastructure without deploying agents or installing integrations.

Workstation Setup

RPM Package CVE Scanning without RPMโ€‹

Problem: You want to analyze Red Hat- or SUSE-based containers or images to find CVEs, but you can't see package information unless you run on a system with the rpm CLI.

Solution Mondoo now remotely scans for package information on Red Hat-based containers and container images without needing the rpm CLI on your workstation. Fire up your Mac, Windows, or Ubuntu system and scan any Red Hat or SUSE container or container image to find outdated packages with CVEs, all without any additional setup.

CVE Scan from macOS

๐Ÿงน IMPROVEMENTSโ€‹

HashiCorp Packer Plugin Officially Verifiedโ€‹

The Mondoo Provisioner for HashiCorp Packer is now available as a HashiCorp verified provisioner on Packer.io.

Improved CI Project UIโ€‹

Problem: You want to apply multiple Mondoo scans within your CI projects and view each scan individually.

Solution We've made improvements to Mondoo Client, our GitHub Action, and the CI project UI to make working with complex CI projects a breeze. Mondoo Client CI integrations can now run multiple times within a single CI pipeline. This includes multiple executions within stage/workflow (GitLab/GitHub) and even multiple executions within a job. This makes it possible to use Mondoo to test different assets like Docker containers or Kubernetes manifests in a single pipeline, or to perform before-and-after scans of the same asset.

CI Screenshot

New AWS Backup Vaults MQL Resourcesโ€‹

Mondoo now includes a new aws.backup.vaults resource for working with backup vaults in AWS Backup.

Returning the ARN and recover points of all backup vaults:

mondoo> aws.backup.vaults { arn recoveryPoints { * }}
aws.backup.vaults: [
  0: {
    arn: "arn:aws:backup:us-east-1:1234567891011:backup-vault:aws/efs/automatic-backup-vault"
    recoveryPoints: [
      0: {
        creationDate: 2022-08-17 05:00:00 +0000 UTC
        isEncrypted: true
        completionDate: 2022-08-17 07:14:15.311 +0000 UTC
        arn: "arn:aws:backup:us-east-1:1234567891011:recovery-point:1234b01b-da45-40a2-8a3a-d1d01234a8e7"
        resourceType: "EFS"
        createdBy: {
          BackupPlanArn: "arn:aws:backup:us-east-1:1234567891011:backup-plan:aws/efs/73d922fb-9312-3a70-99c3-e69123f9fdad"
          BackupPlanId: "aws/efs/73d922fb-9312-3a70-99c3-e69367f9fdad"
          BackupPlanVersion: "NDdhZGMxMmUtMTA5Zi00NDgzLThhNzItYmI1Mjk3ZWRlY2M4"
          BackupRuleId: "2e8b7566-8ec3-4e4b-8911-3c11dfdb1123"
        }
        iamRoleArn: "arn:aws:iam::1234567891011:role/aws-service-role/backup.amazonaws.com/AWSServiceRoleForBackup"
        encryptionKeyArn: "arn:aws:kms:us-east-1:1234567891011:key/9461a123-05ae-48d0-a90b-7d5123f2578f"
        status: "COMPLETED"
      }
    ]
  }
]

Improved RunAsNonRoot Policy Queriesโ€‹

We've improved the Kubernetes RunAsNonRoot queries in our Kubernetes Security Benchmark and Kubernetes Application Benchmark policies. These policies now take into account settings in the PodSecurityContext, eliminating false positives when the PodSecurityContext is used to control RunAsNonRoot behavior.

Easier to navigate MQL Docsโ€‹

The simple list of resources in the MQL documentation may have worked initially, but the team is just far too fast adding new resources. We've broken up the resources by category for easier navigation.

Improved Navigation

๐Ÿ› BUG FIXES AND UPDATESโ€‹

  • Resolves incorrect platform description values in the Fleet view.
  • Adds a missing tooltip for control status in the policy results.
  • Resolves failures scanning Kubernetes ReplicaSets.
  • Resolves Amazon Linux EKS nodes not displaying their platform correctly.
  • Updates Amazon Linux 2022 CVE data to the 2022-08-17 release
  • Evaluates config files in the /etc/ssh/sshd_config.d when parsing sshd configuration.
  • Resolves failures to parse some container images when scanning AKS clusters.
  • Improves the reliability of SSH algorithm checks in CIS, BSI, and Linux Baseline by Mondoo policies
  • Resolves failures in some MQL queries