🥳 Mondoo 6.8 is out! This release includes Azure Pipeline / Jenkins CI/CD support and Kubernetes container image scanning!
Azure Pipelines and Jenkins Support
Problem: You want to set up security scanning of projects in your CI pipelines, but you're not using a CI platform supported by Mondoo.
Solution: Mondoo now supports CI integrations with Azure Pipelines and Jenkins, raising our out-of-the-box CI/CD integrations to six. Still don't see the CI/CD integration you need? Let us know at firstname.lastname@example.org.
Moondoo Operator for Kubernetes Container Image Scanning
Problem: You want to assess the security of not just your Kubernetes workload definitions but also the containers running in the workloads.
Solution: Following up on last week's new CLI-based container image scanning, we're now integrating public container image scanning directly into the Mondoo Operator. When enabled, the Mondoo Operator will now perform daily scans of all publicly available container images running in your Kubernetes cluster, exposing common OS misconfigurations and CVEs.
Here the Mondoo Operator for Kubernetes scans our prod-k8s cluster. It reveals the security of the three cluster nodes, all workloads deployed to the cluster, and the
We think you'll be blown away at how quickly Mondoo discovers new CVEs in the containers that make up your critical workloads. This kube-proxy container was running on a brand new Kubernetes cluster and had six different vulnerable packages:
Policy and MQL Improvements
Solution: We continue to improve the out-of-the-box Mondoo policies and the MQL resources that power those policies, giving your the most reliable scan results with Mondoo:
platform.runtimeEnvwith the simpler
platform.runtimeEnvis now deprecated and will be removed in Mondoo Client 7.0.
platform.virtualization.isContainerin favor of either
platform.virtualization.isContainerwill be removed in Mondoo Client 7.0.
- Added the ability to determine if a branch is the default branch with
- Resolved failures in the
github.branchresource when branch protection is not configured.
- Resolved failures that could occur in some valid MQL blocks, which caused failures in the Kubernetes Application Benchmark policy.
- Resolved incorrect policy scores when all controls in a policy fail.
- Added severity scores to the Kubernetes Application Benchmark policy to make prioritizing fixes easier.
- Expanded the
Ensure HTTP Proxy server is stopped and not enabledcontrol in the Linux Security Baseline policy to check for the Tinyproxy proxy service.
- Added a new
🐛 BUG FIXES
- Resolve Mondoo Operator for Kubernetes node scans of Minikube not scanning all nodes.
- Fully clean up all Mondoo Operator resources when uninstalling.
- Use a Red Hat UBI-based Mondoo image when scanning in Red Hat OpenShift.
- Fix handling of the Mondoo Operator's running UID when running in OpenShift.
- Add a liveness probe to the Mondoo Operator pods to improve Mondoo scan scores.
- Resolve potential panics when the first Kubernetes Operator check-in occurs.
- Resolve failures to properly exit in the Kubernetes Operator when a scan request failed.
- Reduce resource utilization by lowering the initial requested CPU and memory limits for the Kubernetes Operator's node scanning pods.