Skip to main content

Mondoo 7.14 is out!

ยท 7 min read

๐Ÿฅณ Mondoo 7.14 is out! This release includes expanded GitHub support, new GCP resources, and more!โ€‹

Get this release: Installation Docs | Package Downloads | Docker Container


Dive deeper into GitHubโ€‹

Problem: You need out-of-the-box functionality to help you secure your GitHub organization, repositories, and users.

Solution: We've been busy improving nearly every aspect of the GitHub experience with cnspec, making it easier to apply out-of-the-box policy to secure your GitHub infrastructure and providing the resources and UI experience you need to create custom policies.

The GitHub Organization Security by Mondoo policy has been rewritten from the ground up to focus on critical security settings in your organization and repository. Existing queries focused on open source repository best practices have been removed and replaced with additional security queries to ensure settings like important branch protections are in place.

While building out this updates policy, we realized the various GitHub resources were missing important data necessary to write our out of the box policy and custom policies for your organizations. We made the following changes to improve the GitHub resources:

  • github.repository resources now support repository stargazer counts, repo fork resolution, and support for repository issues.
  • github.organization resource now includes avatar, followers and following data
  • github.user resource is greatly expanded to help examine user accounts
  • github.organization and github.user now support collecting information on gists

Finally, we improved the cnquery to make exploring your GitHub infrastructure easier. The cnquery shell github command now shows a list of repositories to examine, making it easier to find the repository you want to explore. We also added a new cnquery shell github user command allows you to examine details on GitHub users using the expanded github.user resource.

Shell GitHub Repository Selection

New and updated GCP Resourcesโ€‹

Problem: You want to explore and secure your GCP projects using cnquery and cnspec.

Solution: cnquery and cnspec now include new and improved resources for exploring and securing GCP services:

  • New gcp.project.compute.backendServices resource
  • New gcp.project.monitoring.alertPolicies resource
  • Add access data to gcp.project.bigquery.datasets resource
  • Add accessApprovalSettings data to gcp.organizations and gcp.projects resources
  • Add cryptokeys data to gcp.project.kms.keyrings resource
  • Add network data to gcp.project.dns.policies resource
  • Add storageBucket data to gcp.project.logging.sinks resource
  • Add retentionPolicy data to resource
  • Fix errors when using gcp.project.kms when key status is not available
  • Rename resource to

Updated Azure CIS Policyโ€‹

Problem: You need CIS policies to keep your Azure subscriptions secure and compliant.

Solution: Mondoo now includes the latest CIS Microsoft Azure Foundations Benchmark version to 1.5.0. This updated policy utilizes the latest new resources shipped with the latest versions of cnspec and includes many new queries as well as audit and remediation steps for all queries.

Store GCP service account in an inventory file vaultโ€‹

Problem: You want to use an inventory file to store a set of GCP assets to scan, but you don't want to insecurely store credentials in the yaml config.

Solution: You can now store your GCP service account data in a secure inventory vault so you can share inventory files without worrying about credentials. This example inventory file stores the credentials used to access GCP infrastructure using the GCP Berglas project.

apiVersion: v1
kind: Inventory
name: inventory
- name: cool-stuff
- backend: 13
- secret_id: storage/random-bucket2/foo
type: 1
secret_encoding: 3
- auto
name: gcp-berglas
type: gcp-berglas
project_id: mondoo-dev-262313

You can then run this inventory on the CLI without passing credentials on the CLI or within env vars:

cnquery scan --inventory-file inv.yaml

Junit output format for cnspecโ€‹

Problem: You want to run cnspec in your CI pipelines, but the output is hard to understand.

Solution: The cnspec CLI can now produce JUnit output on the CLI for integration with popular CI/CD platforms such as Jenkins or GitLab:

cnspec scan docker debian:10 --output junit > report.junit
<?xml version="1.0" encoding="UTF-8"?>
<testsuite name="Policy Report for debian:10@edcf96f9d9d9" tests="85" failures="43" errors="0" id="0" time="">
<testcase name="Ensure auditd is installed" classname="score">
<failure message="results do not match" type="fail"></failure>
<testcase name="Ensure no duplicate UIDs exist" classname="score"></testcase>
<testcase name="Ensure root group is empty" classname="score"></testcase>
<testcase name="Ensure no duplicate group names exist" classname="score"></testcase>
<testcase name="Ensure source routed packets are not accepted" classname="score">
<failure message="results do not match" type="fail"></failure>
<testcase name="Ensure login and logout events are collected" classname="score">
<failure message="results do not match" type="fail"></failure>

Multi-Role service accountsโ€‹

Problem: You need to set additional permissions for your service accounts, but you don't want to give unnecessary permissions by using the owner role.

Solution: You can now assign more than one role to a service account in the console to provide more fine grained permissions for service accounts. To set permissions on a service account select the Settings tab, select Service Accounts, select the account you wish to edit, and then select the Permissions button.

Permissions selection modal

Trigger AWS integration scans directly in the consoleโ€‹

Problem: Hassle free continuous scanning of your AWS accounts is great, but sometimes you need to trigger a scan to evaluate the current security state.

Solution: Now you can trigger a one time scan of your AWS account in the AWS Integration page.

Scan Now in AWS

Filter namespaces to scan in the Kubernetes Operatorโ€‹

Problem: Different teams are responsible for different parts of a Kubernetes cluster and you need to control which namespaces the Mondoo Kubernetes Operator scans.

Solution: Mondoo now gives you more control over which namespaces are scanned by the Kubernetes Operator. Scan all namespaces, scan all namespaces except a list of specific namespaces, or take full control and only scan specified namespaces.

Namespace Filtering


Improved multi-asset scanning CLIโ€‹

We've reworked how progress bars behave when scanning complex, multi-asset infrastructure such as Kubernetes systems. The new progress bar format will allow you to see better what is currently scanning and the total progress for the cluster scan.

CLI Scan

AWS integrations show asset countsโ€‹

The AWS integration pages now show the total number of assets at the top of the page, similar to other integration pages.

AWS Integration


  • Fix an issue where the fallback to ssh-agent authentication was not working properly
  • Improve client setup instructions in the console to resolve failures
  • Simplify the workstation setup instructions
  • Update Packer integration instructions to use cnspec and the latest Mondoo packer plugin
  • Update long-lived token instructions to use cnspec
  • Make sure that query result data displays in the console scan results
  • Improve the reliability of Kubernetes integration status data in the console
  • Fix the loading of inventory files when cnspec is running in serve mode
  • Fix BSI/CIS/Mondoo Windows policies to account for users on a system that have not yet logged in
  • Improve remediation steps in Mondoo and CIS policies
  • Resolves slow loading times on the integrations tab
  • Fix vendor specific icons not always displaying for policies in Policy Hub
  • Add alias for mondoo login to the existing mondoo register command so that cnspec and mondoo commands match