Skip to main content

Mondoo 7.11 is out!

ยท 5 min read

๐Ÿฅณ Mondoo 7.11 is out! This release includes new GCP resources, GitHub Code Scanning of policies, and simplified Windows deployment!โ€‹

Get this release: Installation Docs | Client Download | Installation Service | Docker Container


๐ŸŽ‰ FEATURESโ€‹

MQL policy lintingโ€‹

Problem: Custom MQL policies can become large quickly, making it difficult to make sure they are properly formatted.

Solution: cnspec now includes a new cnspec bundle lint command that helps you find incorrectly formatted policies. This new command checks for the following conditions:

  • MQL compile error
  • UID is not valid
  • Missing policy UID
  • Missing policy name
  • No unique policy UID
  • Policy is missing checks
  • Assigned query missing
  • Policy version is missing
  • Policy version is invalid
  • Missing query UID
  • Missing query title
  • No unique query UID
  • Unassigned query

Run linting of policies from CLI

But wait, there's more! This new linting works with GitHub Code Scanning through our Mondoo GitHub Action. Applying the updated action scans your repository for Mondoo policies, annotates pull requests with any problems it finds, and even opens GitHub Code Scanning issues for problems.

The action is compact and doesn't require a service account or any other additional setup:

---
name: Lint Policies

on:
pull_request:
push:
branches:
- main

jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Lint cnspec policies and output SARIF
uses: mondoohq/actions/cnspec-lint@main
with:
path: .
output-file: "results.sarif"
- name: Upload SARIF results file
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: results.sarif

This action scans each opened PR and merge, giving you annotations directly in the GitHub UI:

GitHub Annotation

The GitHub Action integrates with GitHub Code Scanning to open GitHub Code Scanning issues for each problem in your policy:

GitHub Code Scanning

New GCP resourcesโ€‹

Problem: You want to explore and secure your GCP Pub/Sub and KMS services using cnquery and cnspec.

Solution: cnquery and cnspec now include new resources for securing GCP Pub/Sub and KMS services.

We added new resources to query GCP KMS Key Rings and their cryptographic keys:

cnquery> gcp.project.kms.keyrings { * }
gcp.project.kms.keyrings: [
0: {
resourcePath: "projects/example-project/locations/global/keyRings/testring"
created: 2022-12-19 15:17:46.974842182 +0000 UTC
projectId: "example-project"
cryptokeys: [
0: gcp.project.kmsService.keyring.cryptokey name="testring-key" purpose="ENCRYPT_DECRYPT"
]
name: "testring"
location: "global"
}
]

Inspect details for Crypto Keys:

cnquery> gcp.project.kms.keyrings { name cryptokeys { * } }
gcp.project.kms.keyrings: [
0: {
name: "testring"
cryptokeys: [
0: {
purpose: "ENCRYPT_DECRYPT"
resourcePath: "projects/example-project/locations/global/keyRings/testring/cryptoKeys/testring-key"
versions: [
0: gcp.project.kmsService.keyring.cryptokey.version name="1" state="ENABLED"
]
name: "testring-key"
primary: gcp.project.kmsService.keyring.cryptokey.version name="1" state="ENABLED"
}
]
}
]

We also added support for GCP Pubsub Subscriptions, Topics and Snapshots:

cnquery> gcp.project.pubsub { * }
gcp.project.pubsub: {
topics: [
0: gcp.project.pubsubService.topic name="gke-cluster-event-queue"
]
snapshots: []
projectId: "example-project"
subscriptions: [
0: gcp.project.pubsubService.subscription name="gke-cluster-event-queue-subscription"
]
}

See full documentation for all GCP resources in our GCP Resource Pack docs.

Mondoo installation PowerShell moduleโ€‹

Problem: You need to deploy trusted binaries from Mondoo to Windows hosts using Active Directory Group Policy or MDM solutions.

Solution: You can now install Mondoo using a new Mondoo.Installer signed PowerShell module that is published on the PowerShell Gallery at https://www.powershellgallery.com/packages/Mondoo.Installer/1.0. You can use this new signed module to deploy Mondoo CLIs to managed Windows hosts by running Install-Mondoo.

Install-Module -Name Mondoo.Installer
Install-Mondoo

Because our scripts and binaries are fully signed, the rollout of cnquery and cnspec was never easier. The module automatically validates if the latest version is already installed, or it updates to the newest version if required:

Powershell module installation

After the installation script is complete, cnquery and cnspec are available for use:

cnquery and cnspec installed with Powershell module

๐Ÿงน IMPROVEMENTSโ€‹

Detect expiring certs in Kubernetes Ingressesโ€‹

A new Ingress certificates less than 15 days from expiration query in the Kubernetes Best Practices by Mondoo policy detects certificates nearing their expiration data in your Kubernetes cluster. This query looks at all certificates defined in a Kubernetes Ingress resource that are stored as a Secret and fails when the expiration data is less than 15 days.

Better asset scanning with the Mondoo AWS Lambda integrationโ€‹

The Mondoo AWS integration has been improved to better scan large and complex AWS environments:

  • Scan regions with more than 1,000 running instances.
  • Use AWS Instance Connect to scan instances if SSH scans fail.

Add cnquery/cnspec to the integrations pageโ€‹

You can now set up cnquery and cnspec to communicate with Mondoo Platform directly on the Integrations page of the console.

cnspec and cnquery Integrations

๐Ÿ› BUG FIXESโ€‹

  • Fix some help descriptions not being displayed.
  • Don't cut off the beginning of some help descriptions.
  • Using two or more search filters in the console requires all filters to match instead of just one.
  • Allow organization owners to delete invites.
  • Improve the default output of the kernel resource.
  • Fix terraform.module not discovering all modules.
  • Fix invalid command examples in some console integration pages.
  • Update Workstation integrations page text to better match terms used by cloud vendors.